Kdevtmpfsi processing of mining virus -- Practice

Symptoms

The server CPU The use of resources has always been 100% The state of , adopt top Command view , Detect suspicious processes kdevtmpfsi. adopt google Search for , It's a mining virus .

Investigation method

First ： see kdevtmpfsi process , Use ps -ef | grep kdevtmpfsips -ef | grep kinsing Command view , See the picture below .

PS： adopt ps -ef Order to find out kdevtmpfsi Process number , direct kill -9 Process number and delete /tmp/kdevtmpfsi Executable files . But I haven't 1 Minute process is running again , Then I can think of ,kdevtmpfsi There are daemons or scheduled tasks . adopt crontab -l See if there are any suspicious planned tasks .

The second step ： According to the above results, we know kdevtmpfsi Process number is 10393, Use systemctl status 10393 Find out kdevtmpfsi There are daemons , See the picture below .

The third step ：kill fall kdevtmpfsi Daemon kill -9 30903 30904, Again killall -9 kdevtmpfsi Mining virus , Finally delete kdevtmpfsi Execution procedure rm -f /tmp/kdevtmpfsi.

After the fact check

• adopt Does the command search have kdevtmpfsi file
• find / -name "kdevtmpfsi"
• find / -name "kinsing"
• see Linux ssh Log in to the audit log .Centos And RedHat The audit log path is /var/log/secure,Ubuntu And Debian The audit log path is /var/log/auth.log.
• Check crontab Is there any suspicious task in the planned task
• find / -name kdevtmpfsi
• find / -name kinsing
• cd /var/spool/cron  
• Check whether there are related Trojan horse scheduled tasks executing   
• If so, delete and restart crontab
• Turn off scheduled tasks
• service crond stop

Follow up work traceability , Find program vulnerabilities , No access ip, Is not normal ip. Source program download .

Use clamav To the whole Linux Do a full scan , Identify the infected file and delete .

  Find the variant name of the daemon file .

Delete all  

• find / -name "kdevtmpfsi" | xargs rm -rf
• find / -name "kinsing" | xargs rm -rf

So far, the anti-virus work has basically come to an end . Observe the server service in the next few days , Whether the process is abnormal .

Later protection

• Enable ssh Public key login , Disable password login .
• Virtual machine ： Perfect security strategy , Inlet flow , Generally only open 80 443 Just port , The outlet flow can be unlimited by default , If there is a need to limit according to demand . The physical machine ： Can pass Hardware firewall perhaps On the machine iptables To open the flow rules at the entrance and exit .
• This machine does not directly need to provide external services , You can reject all traffic at the entrance of the external network card , adopt jumper Machine intranet login service machine .
• The company has the ability to build security scanning services , Check the machine regularly for leaks and fix .

Summary ： Here are some measures , Incomplete . Here is just the effect of throwing a brick to attract jade , More measures need to be combined with the actual situation of their own business , Otherwise, it will be a castle in the air .

Then check the network connection of the system

netstat -anpt

1

Found that there are still connections

Next, check the file locations that can be connected

ps aux | grep 6712

1

Found the file in /tmp/kinsing stay tmp There is no such file in view , Maybe it's just that the process hasn't shut down

Use the command to close the abnormal process

kill -9 6712

1

Check the network connection again , No problem

Add a little knowledge

ps -ef | grep kdevtmpfsi

The reason why the process number has been changing

ps -ef | grep xx The displayed process is the process you are looking for , Every time you check it, it changes

Ha ha ha , I'm weak

My blog will be synchronized to tencent cloud + Community , Invite everyone to join us ：https://cloud.tencent.com/developer/support-plan?invite_code=3jmgtho7tfs40