My Ubuntu server has been infected by a virus kdevtmpfsi

Do a

chmod 000 /tmp/kdevtmpfsi

first. That will kill access to that file

From a user prompt if possible if that is not YOUR user:

sudo -u fabio
crontab -l 

otherwise you only need the LAST line of these 2. If it is in there

crontab -e

to edit and remove that line. If not crontabs are stored in /var/spool/cron/crontabs/. There will be a fabio there. Nuke it all.

And it is not a virus. It is a miner that you probably installed yourself or installed as part of some piece of software. IF NOT consider your server compromised, format the disks and restore a backup. If you did please stick to regular and trusted sources.

edit: found some more about this.

Also related to this:

/tmp/zzz  

That seems to be the bootstrap file. chmod that one too and nuke it after you verified you killed it or it killed itself.

The chmod removes permissions so the miner can not recreate the file nor write or read from it. Effectively killing it. THEN start hunting down the files. Nuke /tmp/* /var/tmp/* for anything with kinsing in the name plus the files listed above.

Try to execute deletes in ONE command so it does not get a chance to initialize itself.

Interesting topic on github about how to remove it.

It has been documented here. Redis is known to be easy hackable unless you set up a decent protection yourself.

My server got this bitcoin trojan via postgres. In my case, no containers. All explanations above matched, but it is clear the scripts were improved to make detection and killing more difficult. The main change was that the kdevtmpfsi file was instantly renamed to a random 8-char string and the kinsing file would come and go in a matter of seconds. After I avoided the file renaming the kdevtmpfsi showed up with top processes. Someone, not the virus, changed file names after I changed permissions to 000 and size to 0. Also, I did remove the crontab entry, but it came back 1 day later.

Today when when I logged in again saw the files I had nuked were gone, but there were symbolic links, which made evident there was manual intervention, with root access somehow. So I repeated the process and changed all sudo passwords again, and not it seems to be gone. I still see repeated ssh root attempts, without success.

For those curious, here are some of the commands I used to trace and disable this bitcoin trojan:

$ netstat -a -t|grep 'ssh'

$ ls -l /var /var/tmp|grep 'postgres'

$ sudo ps -u postgres|grep 'kdevtmpfsi'>ps.txt
$ echo -n "sudo kill -9 ">./tmp.sh
$ sudo cat psid.txt>>./tmp.sh
$ set +x tmp.sh
$ sudo rm /tmp/kdevtmpfsi

$ sudo crontab -u postgres -l
$ sudo crontab -u postgres -r

$ sudo curl http://195.3.146.118/pg.sh

$ sudo kill -9 ..

In some cases this may be due to a security breach found in a Laravel package (facade/ignition) <= v8.4.2. CVE-2021-3129

Here we have an article that explains how the malware works: Laravel <= v8.4.2 debug mode: Remote code execution (CVE-2021-3129)

If I were in your place, I would consider your instance as compromised and create a new one. In the tests I did, the malware changes places and adapts to changes made to the system in an attempt to stop it.

RE: kinsing and kdevtmpfsi CPU usage and bitcoin mining

One additioanl vector has been identified in systems that our team is managing.

If you are also using COMPOSER, make sure that you have the correct version of: phpunit/phpunit

There are some versions that are compromised: https://packagist.org/packages/phpunit/phpunit

Compromised versions identifed are: 4.8.19 -> 4.8.27 AND 5.0.10 -> 5.6.2

An update of the phpunit/phpunit on composer did repair this vector.

This would have saved a lot of time if we had this information earlier. I hope this helps others.

Kdevtmpfsi is a crypto mining virus. Kindly run below script inside crond service for every 1 minuter interval or you can choose time interval according your server.

#!/bin/bash
report=/var/log/incident.log
if [  -f "$report" ]
then
echo
else
touch $report
fi
chattr +i /tmp/kdevtmpfsi

fixing () {
rm -rfv /tmp/kdevtmpfsi*
touch /tmp/kdevtmpfsi
rm -rfv /tmp/cron*
kill -9 $((ps -aux | grep -i 'kdevtmpfsi\|kinsing') 2>/dev/null |grep -v grep |awk '{print $2}')
cat /var/spool/cron/zimbra |grep -i unk.sh && rm -rfv /var/spool/cron/zimbra
kin=$(ls /opt/zimbra/log/ |grep -i kinsing) && rm -rfv /opt/zimbra/log/${kin}
}
log () {
 echo  "$(date) by user:$(whoami) executed:<$0> virus:kdevtmpfsi action:>killed Pattern:spoofing Target:<CPU> host:$(hostname):<$(curl -s ident.me)>" >> $report
}
fixing
log

Note: this script running-log will be saved on /var/log/incident.log

• install tmux
• start a new tmux session tmux new -s kdevtmpfsi
• create a new file nano script.sh and add the following code in it :

#!/bin/sh
# do what you need to here
while true; do
processId=$(ps -ef | grep ‘kdevtmpfsi’ | grep -v ‘grep’ | awk ‘{ printf $2 }’)
echo $processId
kill -9 $processId
echo “[“`date +%Y%m%d%H%M`”] kdevtmpfsi killed.”
sleep 2
done
exit 1

• save the file
• chmod +x script.sh
• run the script ./script.sh
• exit the tmux

now every two seconds this crypto miner BS wont be able to do anything.

NOTE: this is not the right solution imo, there should be a way to completely get rid of this. I am unable to because even the root user is not allowed to delete /tmp/kdevtmpfsi

-r--r--r-- 1 root root 23 Aug 5 20:31 kdevtmpfsi

if anyone knows how please help. Cheers