Get a free advice now!

    Pick the topic

    Developer OutsourcingWeb developingApp developingDigital MarketingeCommerce systemseEntertainment systems

    Thank you for your message. It has been sent.

    Blog
    Tags

    Kinsing malware (kdevtmpfsi) – how to kill

    Maciej Brzeziński
    December 23, 2022
    < 1 min read
    Kinsing malware (kdevtmpfsi) – how to kill

    Contents
    1. Identify the issue
    2. Proper fix
    3. Fix solution 2
    4. Alternative solution
    5. Bash script
    6. Run the script in the background

    CHALLENGE: Apache server is working really slow. The Docker process, called kdevtmpfsi is using 100% processor and server memory.

    SOLUTION: Create a bash script to kill the process.

    Kinsing malware is targeting misconfigured Docker containers, especially redis instances (port 6379). The malware is running a linux process in the background: kdevtmpfsi, which is occupying server processor and memory. The main purpose of the virus is to set up a cryptocurrency miner. It seems that container environment attacks have been on the rise recently, with a huge spike in the number of cases in March 2020. Below, we provide a number of possible solutions to tackle the problem.

    Identify the issue

    Having root access to the server can help to find and delete the malware.
    # Check if the malicious process is running
    htop

    # Find infected files:
    find / -name kdevtmpfsi
    find / -name kinsing

    Proper fix

    Properly configured Docker with updated dependencies should resolve the issue.

    Fix solution 2

    Another solution will be to block the process from executing. This solution was described on Koacervate’s blog: https://koacervate.blogspot.com/2020/05/your-containers-cpu-usage-is-more-than.html?m=0

    Alternative solution

    If you still have the problem, we came up with an alternative solution:
    – prepare a bash script that will kill the process every 20 seconds
    – run the bash script in the background

    Bash script

    # /root/scripts/ctKillProc.sh
    #!/bin/sh
    # do what you need to here
    while true; do
    processId=$(ps -ef | grep ‘kdevtmpfsi’ | grep -v ‘grep’ | awk ‘{ printf $2 }’)
    echo $processId
    kill -9 $processId
    echo “[“`date +%Y%m%d%H%M`”] kdevtmpfsi killed.”
    sleep 20
    done
    exit 1

    Run the script in the background

    nohup sh /root/scripts/ctKillProc.sh &

    Now, the script will be executing in the background solving your Kinsing malware problem even if you close shell connection,.
    Script logs can be found in the nohup.out file.

    More info on Kinsing:
    https://blog.trendmicro.com/trendlabs-security-intelligence/exposed-redis-instances-abused-for-remote-code-execution-cryptocurrency-mining/
    https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

    Maciej Brzeziński, Written on December 23, 2022

    Techleader of createIT, working in the IT sector for over 14 years. Innovator, author, and owner of an e-shop that he has been continuously developing for over 10 years. Currently, with his team of over 20 developers, he supervises all kinds of e-commerce projects of varied structure, characteristics, and size: from simple on-line shops for retail clients to advanced B2B platforms with support of multiple shopping carts, multiple languages, and integration with external systems. His work also involves modifying and expanding the existing platforms with millions of products in their databases, platforms that support variable pricing (several variants of the same product), dropshipping modules, integration with storage systems, integration with courier delivery services, and the last but not least, the optimization of scripts. By participating in a multitude of projects, he had the opportunity to “test out” all kinds of platforms (open-source, SaaS – Cloud-Hosted eCommerce Platforms) and dedicated platforms.
    ask the author
    Techleader of createIT, working in the IT sector for over 14 years. Innovator, author, and owner of an e-shop that he has been continuously developing for over 10 years. Currently, with his team of over 20 developers, he supervises all kinds of e-commerce projects of varied structure, characteristics, and size: from simple on-line shops for retail clients to advanced B2B platforms with support of multiple shopping carts, multiple languages, and integration with external systems. His work also involves modifying and expanding the existing platforms with millions of products in their databases, platforms that support variable pricing (several variants of the same product), dropshipping modules, integration with storage systems, integration with courier delivery services, and the last but not least, the optimization of scripts. By participating in a multitude of projects, he had the opportunity to “test out” all kinds of platforms (open-source, SaaS – Cloud-Hosted eCommerce Platforms) and dedicated platforms.
    ask the author
    Comments
    0 response

    Add comment

    Your email address will not be published. Required fields are marked *

    Popular news

    PHPStorm – how to replace HTML tags using regex?
    • Dev Tips and Tricks

    PHPStorm – how to replace HTML tags using regex?

     May 18, 2023 by createIT
    Ultimate GDPR – get user consent logs
    • Dev Tips and Tricks

    Ultimate GDPR – get user consent logs

     May 5, 2023 by createIT
    Backend Developer – how to become one?
    • Technology
    • Trends

    Backend Developer – how to become one?

     May 5, 2023 by createIT
    SEO Checklist for website migration
    • Services

    SEO Checklist for website migration

     April 4, 2023 by createIT
    A game changer for WooCommerce users
    • Our Highlights

    A game changer for WooCommerce users

     March 24, 2023 by createIT
    Write content that sells
    • Trends

    Write content that sells

     March 21, 2023 by createIT
    The differences between a web app and a mobile app
    • Services
    • Technology
    • Trends

    The differences between a web app and a mobile app

     March 7, 2023 by createIT
    Webrooming and showrooming
    • Trends

    Webrooming and showrooming

     February 14, 2023 by createIT
    PHPStorm – fix long load time of a directory window
    • Dev Tips and Tricks

    PHPStorm – fix long load time of a directory window

     January 20, 2023 by createIT
    reCAPTCHA v3 – WordPress implementation
    • Dev Tips and Tricks

    reCAPTCHA v3 – WordPress implementation

     January 20, 2023 by createIT
    Show more

    Support – Tips and Tricks
    All tips in one place, and the database keeps growing. Stay up to date and optimize your work!

    Contact us

    Privacy settings

    Decide which cookies you want to allow. You can change these settings at any time. However, this can result in some functions no longer being available. For information on deleting the cookies, please consult your browser’s help function. Learn more about the cookies we use.

    With the slider, you can enable or disable different types of cookies:

    • Block all
    • Essentials
    • Functionality
    • Analytics
    • Advertising

    This website will:

    This website won't:

    • Essential: Remember your cookie permission setting
    • Essential: Allow session cookies
    • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
    • Essential: Keep track of what you input in a shopping cart
    • Essential: Authenticate that you are logged into your user account
    • Essential: Remember language version you selected
    • Functionality: Remember social media settings
    • Functionality: Remember selected region and country
    • Analytics: Keep track of your visited pages and interaction taken
    • Analytics: Keep track about your location and region based on your IP number
    • Analytics: Keep track of the time spent on each page
    • Analytics: Increase the data quality of the statistics functions
    • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies.
    • Advertising: Gather personally identifiable information such as name and location
    • Remember your login details
    • Essential: Remember your cookie permission setting
    • Essential: Allow session cookies
    • Essential: Gather information you input into a contact forms, newsletter and other forms across all pages
    • Essential: Keep track of what you input in a shopping cart
    • Essential: Authenticate that you are logged into your user account
    • Essential: Remember language version you selected
    • Functionality: Remember social media settings
    • Functionality: Remember selected region and country
    • Analytics: Keep track of your visited pages and interaction taken
    • Analytics: Keep track about your location and region based on your IP number
    • Analytics: Keep track of the time spent on each page
    • Analytics: Increase the data quality of the statistics functions
    • Advertising: Tailor information and advertising to your interests based on e.g. the content you have visited before. (Currently we do not use targeting or targeting cookies.
    • Advertising: Gather personally identifiable information such as name and location
    Save & Close