Wednesday, May 6, 2020

Your container's CPU usage is more than 100%, "kdevtmpfsi" the cryptomining malware is running | So how to resolve

How to recover when the crypto-mining malware "kdevtmpfsi" is running and eating all the CPU of your server (or container).


One day your server (container) is running with a very high CPU load, well above 100%. You check the processes with the "top" command, sort them by CPU usage with the shortcut "Shift + P", and the first entry is a process named "kdevtmpfsi" running as root.

I'm sorry, but your server is infected with the crypto-mining malware known as "kdevtmpfsi", named to look like "kdevtmpfs", a legitimate Linux kernel thread.

I will list some links about the malware, its cause and its propagation mechanism at the end of this post.

Now for the detailed steps I used to resolve this on my server, which runs the Amazon Linux 2 AMI.

Step 1: As the "top" output shows, the process is running as the root user, so the first thing to check is root's crontab (list it with "sudo crontab -u root -l").

In my case the crontab contained an entry that downloads the script unk.sh from the attacker's server 195.3.146.118 and executes it on your server. Remove the cronjob with the following command:

sudo crontab -u root -r

Re-check afterwards to make sure the cronjob is gone. Note that "crontab -r" deletes every job in root's crontab, legitimate ones included; if root has other jobs you want to keep, edit the crontab with "sudo crontab -u root -e" and delete only the malicious line instead. It is also worth checking the other users' crontabs and the system cron directories (/etc/cron.d, /etc/cron.hourly and friends) for the same entry.

Step 2: Find the paths of the two executables "kdevtmpfsi" and "kinsing" with these commands:

sudo find / -name kdevtmpfsi
sudo find / -name kinsing

You will get paths such as "/tmp/kdevtmpfsi" and "/var/tmp/kinsing". Remove all access permissions on both files:

sudo chmod 000 /tmp/kdevtmpfsi
sudo chmod 000 /var/tmp/kinsing

Note: remove the permissions rather than the files at this point. If you delete them while the "kinsing" daemon is still running, it will simply re-create them.

Step 3: Kill the "kdevtmpfsi" process first; take its process id from the "top" output (14867 in my case):

sudo kill -9 14867

Step 4: Run "top" again and you will see a process named "kinsing"; it is the daemon that tries to re-launch "kdevtmpfsi". Find its process id in "top" or with the command "sudo netstat -lnp | grep kinsing", then kill it (32222 in my case):

sudo kill -9 32222

Note: until you have killed "kdevtmpfsi" you will not see the "kinsing" process in "top".

Step 5: Go back to "top" and make sure neither process is running any more. If they are still running, kill them again in the same order, "kdevtmpfsi" first and "kinsing" second, and wait 5 - 10 minutes to make sure they do not come back. Once they stay dead, delete both files "/tmp/kdevtmpfsi" and "/var/tmp/kinsing" (they are plain files, so "rm -f" is enough):

sudo rm -f /tmp/kdevtmpfsi
sudo rm -f /var/tmp/kinsing
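The five steps above, collected into one set of shell functions that can be re-run until the host is clean. This is an added example, not the post's own commands: it assumes a Linux host with GNU coreutils, grep and procps (for pgrep/pkill), as on Amazon Linux 2; the indicators (unk.sh, 195.3.146.118, kdevtmpfsi, kinsing) come from the post, while the exact wording of the cron line and the file locations in the comments are assumptions for illustration. The filter and find functions take a crontab on stdin or a directory argument, so they can be tried on a copy before touching root's crontab; cleanup_host runs the whole sequence and must be run as root.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): helpers for the five cleanup
# steps. Assumes Linux with GNU coreutils, grep and procps (Amazon Linux 2).
# Indicators below are taken from the post; cron line format and file paths
# mentioned in comments are assumptions.

# Regex of indicators seen in the malicious cron entry and the dropped files.
IOC_REGEX='195\.3\.146\.118|unk\.sh|kdevtmpfsi|kinsing'

# Step 1 (filter): read a crontab on stdin, write it back without the
# malicious lines. Unlike "crontab -r", legitimate root jobs survive.
strip_malicious_cron() {
    grep -Ev "$IOC_REGEX" || true
}

# Step 1 (verify): number of lines on stdin that still match an indicator.
count_malicious_cron() {
    grep -Ec "$IOC_REGEX" || true
}

# Step 1 (apply, needs root): rewrite root's crontab in place, then list
# other cron locations that still reference an indicator for manual review.
clean_root_crontab() {
    crontab -u root -l 2>/dev/null | strip_malicious_cron | crontab -u root -
    crontab -u root -l 2>/dev/null || true
    grep -rEl "$IOC_REGEX" /etc/cron.d /etc/crontab /var/spool/cron 2>/dev/null || true
}

# Step 2 (find): locate the two executables below a root directory
# (default "/"); -xdev keeps the search on one filesystem.
find_malware_files() {
    find "${1:-/}" -xdev -type f \( -name kdevtmpfsi -o -name kinsing \) 2>/dev/null
}

# Step 2 (neutralize): clear every permission bit so the files can no longer
# be executed, without deleting them while kinsing may still re-create them.
neutralize_files() {
    local f
    for f in "$@"; do
        [ -e "$f" ] && chmod 000 "$f"
    done
    return 0
}

# Steps 3 and 4: kill the miner first, then the kinsing daemon, retrying each
# until it is gone. Order matters: kinsing re-launches kdevtmpfsi while alive.
kill_in_order() {
    local name i
    for name in kdevtmpfsi kinsing; do
        for i in 1 2 3 4 5 6 7 8 9 10; do
            pgrep -x "$name" >/dev/null || break
            pkill -9 -x "$name" || true
            sleep 1
        done
    done
    # Succeeds only when neither process is left.
    ! pgrep -x kdevtmpfsi >/dev/null && ! pgrep -x kinsing >/dev/null
}

# Step 5: delete the files once both processes have stayed dead.
remove_files() {
    local f
    for f in "$@"; do
        rm -f -- "$f"
    done
}

# Full sequence for a live host; run as root. Not invoked automatically.
# Paths are word-split, so this assumes the usual locations without spaces.
cleanup_host() {
    local files
    clean_root_crontab
    files=$(find_malware_files /)
    [ -n "$files" ] && neutralize_files $files
    kill_in_order
    sleep 300          # the post waits 5-10 minutes before deleting the files
    kill_in_order && [ -n "$files" ] && remove_files $files
}
```

Two design points: clean_root_crontab pipes the existing crontab through the filter and reinstalls it, so a backup or log-rotation job that happened to live in root's crontab is not lost the way it is with "crontab -r"; and kill_in_order encodes the kdevtmpfsi-then-kinsing order from Steps 3 to 5 as a loop, so a respawn between two manual "kill -9" commands is handled without re-reading "top".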

With these steps I resolved the "kdevtmpfsi" crypto-mining infection on my server running the Amazon Linux 2 AMI. I hope they are helpful for you. One caveat from a security point of view: because the malware ran as root, the host should be treated as fully compromised. Rebuilding the container or instance from a clean image, rotating any credentials that were stored on it, and closing the entry point the attacker used (see the links below) are the real fix; the steps above only stop the bleeding.

Here are links about the "kdevtmpfsi" malware: the cause and its propagation mechanism: