CHALLENGE: Apache server is working really slow. The Docker process, called kdevtmpfsi is using 100% processor and server memory.
SOLUTION: Create a bash script to kill the process.
Kinsing malware is targeting misconfigured Docker containers, especially redis instances (port 6379). The malware is running a linux process in the background: kdevtmpfsi, which is occupying server processor and memory. The main purpose of the virus is to set up a cryptocurrency miner. It seems that container environment attacks have been on the rise recently, with a huge spike in the number of cases in March 2020. Below, we provide a number of possible solutions to tackle the problem.
Identify the issue
Having root access to the server can help to find and delete the malware.
# Check if the malicious process is running
htop
# Find infected files:
find / -name kdevtmpfsi
find / -name kinsing
Proper fix
Properly configured Docker with updated dependencies should resolve the issue.
Fix solution 2
Another solution will be to block the process from executing. This solution was described on Koacervate’s blog: https://koacervate.blogspot.com/2020/05/your-containers-cpu-usage-is-more-than.html?m=0
Alternative solution
If you still have the problem, we came up with an alternative solution:
– prepare a bash script that will kill the process every 20 seconds
– run the bash script in the background
Bash script
# /root/scripts/ctKillProc.sh
#!/bin/sh
# do what you need to here
while true; do
processId=$(ps -ef | grep ‘kdevtmpfsi’ | grep -v ‘grep’ | awk ‘{ printf $2 }’)
echo $processId
kill -9 $processId
echo “[“`date +%Y%m%d%H%M`”] kdevtmpfsi killed.”
sleep 20
done
exit 1
Run the script in the background
nohup sh /root/scripts/ctKillProc.sh &
Now, the script will be executing in the background solving your Kinsing malware problem even if you close shell connection,.
Script logs can be found in the nohup.out file.
More info on Kinsing:
https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
Do you need someone to implement this solution for you? Check out our specialists for hire in the outsourcing section.
Are you considering a global project and are uncertain how to proceed? See how we do it.
Thank you for this script. I am running it now and the few steps you have given here are better than anything I have found on the web thus far to kill this malware.