
Wednesday, May 6, 2020

Your container's CPU usage is more than 100%, "kdevtmpfsi" the cryptomining malware is running | So how to resolve

How to resolve the situation when "kdevtmpfsi", the crypto-mining malware, is running and taking all the CPU of your server (container).


One day your server (container) is running with a very high CPU load, more than 100%. You check the processes with the "top" command and sort them by CPU load with the shortcut "Shift + P"; it looks like below:


So, I'm sorry, your server is infected with the crypto-mining malware named "kdevtmpfsi", a name chosen to look like "kdevtmpfs", a legitimate Linux kernel process.

I will list some links about the malware, its cause and its propagation mechanism at the end of this post.

Now I go through the detailed steps I used to resolve this issue on my server, which runs the Amazon Linux 2 AMI.

Step 1: As you can see in the image above, the process is run by the root user, so I need to check root's crontab.


As you can see, this cron job downloads the script unk.sh from the attacker's server 195.3.146.118 and executes it on your server. So you need to remove the cron job with the following command.

sudo crontab -u root -r

You should re-check to make sure the cron job has really been removed.

Step 2: Find the paths of the two files "kdevtmpfsi" and "kinsing" with the commands:

sudo find / -name kdevtmpfsi
sudo find / -name kinsing

You will get results like "/tmp/kdevtmpfsi" and "/var/tmp/kinsing"; remove all access permissions from those files.

sudo chmod 000 /tmp/kdevtmpfsi
sudo chmod 000 /var/tmp/kinsing

Note: remove the access permissions from the files rather than deleting them, because the "kinsing" daemon can re-create them.

Step 3: Kill the "kdevtmpfsi" process first; you can get its process id from the "top" output above.

sudo kill -9 14867

Step 4: Now check with "top" again: you can see the process "kinsing" running and trying to re-initialize "kdevtmpfsi". Find its process id there, or with the command "sudo netstat -lnp | grep kinsing", then kill it.

sudo kill -9 32222

Note: until you have killed the "kdevtmpfsi" process you will not see the "kinsing" process.

Step 5: Go back to "top" and make sure both processes are no longer running. If they are still running, kill them again in the same order, "kdevtmpfsi" first, then "kinsing", and wait about 5 - 10 minutes to make sure they do not come back. Now you can delete both files "/tmp/kdevtmpfsi" and "/var/tmp/kinsing".

sudo rm -rf /tmp/kdevtmpfsi
sudo rm -rf /var/tmp/kinsing

Ok, with these steps I resolved the issue with "kdevtmpfsi", the cryptomining malware running on my server (Amazon Linux 2 AMI). I hope these steps are helpful for you.

Here are links about the "kdevtmpfsi" malware, its cause and its propagation mechanism:




Sunday, November 24, 2019

QuickStart: The fastest and easiest way to run a local SMTP server for testing or development.

Run a local SMTP server in your development environment.

Your code needs to run test cases that send email through an SMTP server, but you have no SMTP mail server on your local machine, so you get the error below:


> :bootRun
org.springframework.mail.MailSendException: Mail server connection failed; nested exception is com.sun.mail.util.MailConnectException: Couldn't connect to host, port: localhost, 25; timeout -1;
  nested exception is:
        java.net.ConnectException: Connection refused (Connection refused). Failed messages: com.sun.mail.util.MailConnectException: Couldn't connect to host, port: localhost, 25; timeout -1;
  nested exception is:
        java.net.ConnectException: Connection refused (Connection refused)
        at org.springframework.mail.javamail.JavaMailSenderImpl.doSend(JavaMailSenderImpl.java:448)
        at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:361)
        at org.springframework.mail.javamail.JavaMailSenderImpl.send(JavaMailSenderImpl.java:356)


Option 1: Via Docker

- Install Docker if you have not yet.
- Register a Docker ID at https://hub.docker.com/ if you don't have one.
- Log in to Docker Hub.
- Skip these steps if Docker is already installed on your Mac/PC and you are already logged in to Docker Hub.







Pull and run the djfarrelly/maildev image from Docker Hub.

- Search for "djfarrelly/maildev" on Docker Hub and check out its documentation for more details.



- Run the command below to start a local SMTP mail server instance as a Docker container named "MailDev", mapping ports 25 (SMTP) and 80 (web) of the container to ports 25 and 1080 on your Docker host (your PC/Mac). Downloading the image and starting the container takes a few minutes.

docker run -d -it --name MailDev -p 1080:80 -p 25:25 djfarrelly/maildev




- Now re-run your test cases:

2019-11-23 23:26:43.499 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.aop.logging.LoggingAspect  : Enter: me.koacervate.service.MailService.sendCreationEmail() with argument[s] = [User{login='koacervate', firstName='Khue', lastName='Duke', email='koacervate@googlemail.com', imageUrl='null', activated='true', langKey='en', activationKey='null'}]
2019-11-23 23:26:43.500 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.service.MailService        : Sending creation email to 'koacervate@googlemail.com'
2019-11-23 23:26:43.526 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.service.MailService        : Send email[multipart 'false' and html 'true'] to 'koacervate@googlemail.com' with subject 'jsbrgprjs account activation' and content=<!DOCTYPE html>
<html lang="en">
    <head>
        <title>jsbrgprjs account activation</title>
        <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
        <link rel="shortcut icon" href="http://127.0.0.1:8080/favicon.ico" />
    </head>
    <body>
        <p>Dear koacervate</p>
        <p>Your jsbrgprjs account has been created, please click on the URL below to access it:</p>
        <p>
            <a href="http://127.0.0.1:8080/account/reset/finish?key=RCTVtLkilrCdawcCDYKf">http://127.0.0.1:8080/account/reset/finish?key=RCTVtLkilrCdawcCDYKf</a>
        </p>
        <p>
            <span>Regards,</span>
            <br/>
            <em>jsbrgprjs Team.</em>
        </p>
    </body>
</html>

2019-11-23 23:26:44.073 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.service.MailService        : Sent email to User 'koacervate@googlemail.com'

2019-11-23 23:26:44.073 DEBUG 7573 --- [sbrgprjs-task-1] me.koacervate.aop.logging.LoggingAspect  : Exit: me.koacervate.service.MailService.sendCreationEmail() with result = null

- You can see the sent email in the web UI at http://localhost:1080/#/email/JevGMzCd


Option 2: Install the maildev node package:

$ npm install -g maildev
$ maildev

with the options below:

Usage

maildev [options]

  -h, --help                      output usage information
  -V, --version                   output the version number
  -s, --smtp <port>               SMTP port to catch emails [1025]
  -w, --web <port>                Port to run the Web GUI [1080]
  --ip <ip address>               IP Address to bind SMTP service to
  --outgoing-host <host>          SMTP host for outgoing emails
  --outgoing-port <port>          SMTP port for outgoing emails
  --outgoing-user <user>          SMTP user for outgoing emails
  --outgoing-pass <password>      SMTP password for outgoing emails
  --outgoing-secure               Use SMTP SSL for outgoing emails
  --auto-relay [email]            Use auto-relay mode. Optional relay email address
  --auto-relay-rules <file>       Filter rules for auto relay mode
  --incoming-user <user>          SMTP user for incoming emails
  --incoming-pass <pass>          SMTP password for incoming emails
  --web-ip <ip address>           IP Address to bind HTTP service to, defaults to --ip
  --web-user <user>               HTTP user for GUI
  --web-pass <password>           HTTP password for GUI
  --base-pathname <path>          base path for URLs
  --disable-web                   Disable the use of the web interface. Useful for unit testing
  --hide-extensions <extensions>  Comma separated list of SMTP extensions to NOT advertise
                                  (STARTTLS, SMTPUTF8, PIPELINING, 8BITMIME)
  -o, --open                      Open the Web GUI after startup
  -v, --verbose
  --silent
Please refer to the documentation at https://hub.docker.com/r/djfarrelly/maildev/ for more details.

Option 3: Integrate via API or SMTP with https://sendgrid.com/

You can register a free account for testing and choose to integrate via API or SMTP; by following the instructions on the website you get all the information needed to send emails from your code.

  mail:
    host: smtp.sendgrid.net
    port: 465
    username: apikey
    password: SG.t2L6qpv3TjmvgcasoksVbg.DRsZrTwq3LmApU1uaQ6mjv-koafl0NaSzogCW6X9***
    properties:
      mail:
        smtp:
          auth: true
          starttls:
            enable: true


References:
- https://docs.docker.com
- https://hub.docker.com/r/djfarrelly/maildev/
- https://github.com/maildev/maildev

Wednesday, July 3, 2019

How to find and kill the program that is using a specific port number on Windows and Linux

Windows:

1. Find the program that is using a port number:

D:\>netstat -ano | findstr 8090
  TCP    0.0.0.0:8090           0.0.0.0:0              LISTENING       10716
  TCP    [::]:8090              [::]:0                 LISTENING       10716

2. Kill the program:

D:\>taskkill /F /pid 10716
SUCCESS: The process with PID 10716 has been terminated.

Linux:

1. Find the program that is using a port number:

[koacervate@SVT00005523 ~]$ sudo netstat -lnp | grep 6379
tcp        0      0 10.16.30.76:6379        0.0.0.0:*               LISTEN      24982/redis-server
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      24982/redis-server

2. Kill the program:

[koacervate@SVT00005523 ~]$ ps -aef | grep redis
root     24982     1  0 13:31 ?        00:00:00 /usr/local/bin/redis-server 127.0.0.1:6379
htct     25086 24560  0 13:31 pts/0    00:00:00 grep --color=auto redis
[koacervate@SVT00005523 ~]$ sudo kill -9 24982

:))
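The lookup above is the same on both systems: read netstat output, find the line whose local address ends in the port, take the PID column. As an added example (my own helper functions, not code from the original post), the script below does that parsing for both the Windows `netstat -ano` format and the Linux `netstat -lnp` format, ignoring rows where the port only appears as the remote side of an established connection and rows where netstat shows "-" instead of a PID (which is what you get on Linux without sudo). It also goes beyond the post's `kill -9` with a `stop_pid` that sends SIGTERM first and only escalates to SIGKILL if the process does not exit. The sample netstat output is constructed.

```shell
#!/bin/sh
# Added example, not code from the original post. pids_on_port() parses the
# two netstat formats shown in the post; stop_pid() is a gentler "kill -9".

# Constructed samples in the shape of the post's output.
WIN_NETSTAT='  TCP    0.0.0.0:8090           0.0.0.0:0              LISTENING       10716
  TCP    [::]:8090              [::]:0                 LISTENING       10716
  TCP    127.0.0.1:49700        127.0.0.1:8090         ESTABLISHED     2222'

LINUX_NETSTAT='tcp        0      0 10.16.30.76:6379        0.0.0.0:*               LISTEN      24982/redis-server
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      24982/redis-server
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
unix  2      [ ACC ]     STREAM     LISTENING     12345    900/dbus-daemon      /run/dbus/system_bus_socket'

# Print the PID(s) whose LOCAL address ends in :<port>, one per line,
# de-duplicated. Reads netstat output on stdin and handles:
#   Windows "netstat -ano": upper-case proto, local address in column 2, PID last
#   Linux   "netstat -lnp": lower-case proto, local address in column 4,
#                           "PID/Program" last ("-" when run without root)
pids_on_port() {
    awk -v port="$1" '
        $1 ~ /^(tcp|udp)/  { addr = $4; split($NF, f, "/"); pid = f[1] }
        $1 ~ /^(TCP|UDP)$/ { addr = $2; pid = $NF }
        addr != "" && addr ~ (":" port "$") && pid ~ /^[0-9]+$/ { print pid }
        { addr = ""; pid = "" }
    ' | sort -u
}

# Stop a process politely: SIGTERM, wait up to $2 seconds (default 5) for it
# to exit, then SIGKILL only if it is still alive. Returns 0 once it is gone.
stop_pid() {
    pid=$1; tries=${2:-5}
    # If TERM cannot be sent, report whether the process exists at all.
    kill -TERM "$pid" 2>/dev/null || { ! kill -0 "$pid" 2>/dev/null; return; }
    while [ "$tries" -gt 0 ] && kill -0 "$pid" 2>/dev/null; do
        sleep 1; tries=$((tries - 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -KILL "$pid"; sleep 1
    fi
    ! kill -0 "$pid" 2>/dev/null
}

# Glue for the Linux case on a live system, e.g.: sudo sh -c '. ./ports.sh; kill_port 6379'
kill_port() {
    for p in $(netstat -lnp 2>/dev/null | pids_on_port "$1"); do
        stop_pid "$p"
    done
}
```

On Windows the same `pids_on_port` works on saved `netstat -ano` output (for instance from a WSL shell), but the kill step stays `taskkill` as shown above; `stop_pid` is POSIX only.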

Saturday, July 1, 2017

How to Install and use the Linux Ubuntu Bash Shell on Windows 10

An Ubuntu-based Bash shell that can run Linux software directly on Windows. Of course, only software that runs in the Bash shell. This isn't a virtual machine, a container, or Linux software compiled for Windows (like Cygwin).


This is the version of Windows 10 I'm using to install Linux Ubuntu Bash Shell.



Please make sure your Windows 10 is up to date.


Open the Settings app and head to Update & Security > For Developers. Activate the “Developer Mode” switch here to enable Developer Mode.



Next, open the Control Panel, click “Programs,” and click “Turn Windows Features On or Off” under Programs and Features. Enable the “Windows Subsystem for Linux (Beta)” option in the list here and click “OK.”



After you do, you’ll be prompted to reboot your computer. Click “Restart Now” to reboot your computer and Windows 10 will install the new feature.


After your computer restarts, click the Start button (or press the Windows key), type “bash”, and press “Enter.”

You’ll be prompted to accept the terms of service. You’ll be asked to create a user account and password for use in the Bash environment.


Open your Start menu and search for “bash” or “Ubuntu.” You’ll see a “Bash on Ubuntu on Windows” application.

So now you can use your favorite Linux commands and install Bash tools on Windows 10, just as you are used to on Linux.



Please refer to get more info about Linux Ubuntu Bash Shell on Windows 10.

Sunday, April 23, 2017

Getting the error "fatal error C1034: stdio.h: no include path set" when you compile a C/C++ source file.



F:\>"C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.10.25017\bin\HostX64\x64\cl.exe" chrAprMax_byAdd.c
Microsoft (R) C/C++ Optimizing Compiler Version 19.10.25019 for x64
Copyright (C) Microsoft Corporation.  All rights reserved.

chrAprMax_byAdd.c
chrAprMax_byAdd.c(1): fatal error C1034: stdio.h: no include path set

- Please make sure you run "Developer Command Prompt for VS 20xx" (or add "C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\VC\Tools\MSVC\14.10.25017\bin\HostX64\x64\" to the Path variable beforehand) and run cl.exe in the window opened by "Developer Command Prompt for VS 20xx".


or



-> So now you can compile C/C++ source files without the error "fatal error C1034: stdio.h: no include path set" :)

F:\>cl chrAprMax.c
Microsoft (R) C/C++ Optimizing Compiler Version 19.10.25019 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

chrAprMax.c
Microsoft (R) Incremental Linker Version 14.10.25019.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:chrAprMax.exe
chrAprMax.obj

F:\>chrAprMax
Enter a string: just for fun
The character that appears the most frequently is "u" with 2 matched.

F:\>cl chrAprMax.cpp -o chrAprMaxpp
Microsoft (R) C/C++ Optimizing Compiler Version 19.10.25019 for x86
Copyright (C) Microsoft Corporation.  All rights reserved.

cl : Command line warning D9035 : option 'o' has been deprecated and will be rem
oved in a future release
chrAprMax.cpp
Microsoft (R) Incremental Linker Version 14.10.25019.0
Copyright (C) Microsoft Corporation.  All rights reserved.

/out:chrAprMax.exe
/out:chrAprMaxpp.exe
chrAprMax.obj

F:\>chrAprMaxpp
Enter a string: just for fun
The character that appears the most frequently is "u" with 2 matched.

Friday, October 28, 2011

Fix grub boot loader

- Boot into rescue mode from the Linux installation CD
- Enter the command: grub

# grub

grub> find /boot/grub/stage1
(or find /boot/grub/grub.conf, or find /grub/grub.conf; it prints the location as (hdx,y), with x and y counted from 0, which you then use in the next two commands)
grub> root (hdx,y)
grub> setup (hdx)
grub> quit

=> done

Monday, May 30, 2011

Before you can run vmware several modules must be compiled and loaded into the running kernel

I have just installed VMware Workstation 7.1.4 on Fedora 15 x86_64, and when I started VMware I got a message window saying something like "before you can run vmware several modules must be compiled and loaded into the running kernel" ...

=> FIX:
Find your kernel:
[dthoan@dthoan ~]$ sudo find / -name kernel
[sudo] password for dthoan:
/selinux/initial_contexts/kernel
/proc/sys/kernel
find: `/home/dthoan/.gvfs': Permission denied
/lib/modules/2.6.38.6-27.fc15.x86_64/kernel
/lib/modules/2.6.38.6-27.fc15.x86_64/kernel/arch/x86/kernel
/lib/modules/2.6.38.6-27.fc15.x86_64/kernel/kernel
/lib/modules/2.6.38.6-26.rc1.fc15.x86_64/kernel
/lib/modules/2.6.38.6-26.rc1.fc15.x86_64/kernel/arch/x86/kernel
/lib/modules/2.6.38.6-26.rc1.fc15.x86_64/kernel/kernel
/sys/kernel
/sys/module/kernel
/usr/lib64/pm-utils/module.d/kernel
/usr/share/selinux/devel/include/kernel

-> So: browse to "/lib/modules/2.6.38.6-27.fc15.x86_64/build/include/linux/" and VMware Workstation will load the kernel headers correctly, provided you have them installed...
Replace "2.6.38.6-27.fc15.x86_64" with the output of your "uname -r".
It's done, good luck to you :) fun

Thursday, April 21, 2011

How to enable a script to start automatically with the system on Ubuntu Server?

  1. Create a script in the /etc/init.d/ directory
  2. Make the script executable
    $ sudo chmod +x /etc/init.d/myscript.sh
  3. Make the script start at boot
    $ sudo update-rc.d myscript.sh defaults
Note: the "defaults" option puts a link to start your script in runlevels 2, 3, 4 and 5, and a link to stop it in runlevels 0, 1 and 6.
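Step 1 only says "create a script"; what `update-rc.d` expects there is a script with an LSB header (so the runlevels in "defaults" can be read from it) that accepts start, stop, restart and status. The following is an added example of such a script, my own and not part of the original post: DAEMON, DAEMON_ARGS and PIDFILE are assumed placeholders, and /bin/sleep stands in for a real daemon so the script can be exercised without installing anything. It assumes the daemon stays in the foreground (does not fork itself), which is what makes `$!` a usable PID.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          myscript
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Example service managed by update-rc.d
### END INIT INFO
#
# Added example (not from the original post) of an /etc/init.d/myscript.sh.
# DAEMON, DAEMON_ARGS and PIDFILE are placeholders; override them in the
# environment or edit them in place.

DAEMON=${DAEMON:-/bin/sleep}
DAEMON_ARGS=${DAEMON_ARGS:-300}
PIDFILE=${PIDFILE:-/var/run/myscript.pid}

# Print the PID recorded in PIDFILE only if that process is still alive.
running_pid() {
    [ -s "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    kill -0 "$pid" 2>/dev/null && echo "$pid"
}

do_start() {
    if running_pid >/dev/null; then
        echo "already running"; return 0
    fi
    # Assumes a foreground daemon: $! is then the daemon's own PID.
    $DAEMON $DAEMON_ARGS >/dev/null 2>&1 &
    echo "$!" > "$PIDFILE"
    echo "started $!"
}

do_stop() {
    pid=$(running_pid) || { rm -f "$PIDFILE"; echo "not running"; return 0; }
    kill -TERM "$pid" 2>/dev/null || true
    tries=10
    while kill -0 "$pid" 2>/dev/null && [ "$tries" -gt 0 ]; do
        sleep 1; tries=$((tries - 1))
    done
    if kill -0 "$pid" 2>/dev/null; then kill -KILL "$pid"; sleep 1; fi
    rm -f "$PIDFILE"
    echo "stopped $pid"
}

# LSB exit codes: 0 = running, 3 = not running.
do_status() {
    if pid=$(running_pid); then echo "running ($pid)"; return 0; fi
    echo "not running"; return 3
}

main() {
    case "$1" in
        start)   do_start ;;
        stop)    do_stop ;;
        restart) do_stop; do_start ;;
        status)  do_status ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Dispatch only when an action is given, so the file can also be sourced.
[ $# -gt 0 ] && main "$@"
```

Install it as /etc/init.d/myscript.sh, then run steps 2 and 3 exactly as above; `service myscript.sh status` afterwards should report "running" with the PID from the pidfile.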

Referenced from: