Handling the kdevtmpfsi mining malware implanted in Linux instances

Last Updated: Jun 08, 2021

Problem description

The CPU of the instance is fully used. Running the top command shows an abnormal process named kdevtmpfsi that consumes a large share of the CPU. Ending the process with the kill command, or deleting its executable file, does not help: the process comes back shortly afterwards. Checking the scheduled tasks and disabling the cron service does not stop it either.

Cause

Besides the kdevtmpfsi process, process monitoring shows a daemon process named kinsing. kinsing is the component that keeps the miner alive: as long as it is running, it restarts kdevtmpfsi after the miner process is killed or its file is deleted, which is why ending only kdevtmpfsi is ineffective.

Solution

Alibaba Cloud reminds you that:

  • Before you perform operations that may involve risk, such as modifying the configuration or data of an instance, we recommend that you check the disaster recovery and fault tolerance capabilities of the instance to ensure data security.
  • If you modify the configuration or data of instances, including but not limited to Elastic Compute Service (ECS) and Relational Database Service (RDS) instances, we recommend that you create snapshots or enable RDS log backup before the modification.
  • If you have authorized or submitted sensitive information such as logon accounts and passwords in the Alibaba Cloud Management Console, we recommend that you change such information promptly.

Perform the following steps.

Note: This method is only a temporary fix. Malware of this kind is planted in many ways, and its presence almost always means that the operating system or an application on the instance has an exploitable vulnerability or a weak password. We recommend that you back up your data, then rebuild the instance from a clean image so that no remnants of the malware survive. After you redeploy your services, check promptly whether any weak passwords are in use, and patch the operating system and applications. Before you operate on any process or file, make sure that you have created a snapshot as a backup.

  1. Run the following command to check whether a scheduled task has been planted. Check the crontab of the root user and of the account that the compromised application runs as. If a suspicious entry exists, comment it out with a number sign (#) and save. Then, stop the cron service so that it cannot relaunch the miner while you clean up.
    crontab -e
  2. Run the following commands to find the process IDs of the two processes and the executable files they were started from.
    ps aux | grep kdevtmpfsi
    ps aux | grep kinsing
  3. Run the following commands to delete the two files found in step 2. Run them in the directory where the files are located, or give the full path to each file:
    rm -f kdevtmpfsi
    rm -f kinsing
  4. Run the following command to end the kinsing daemon first and then kdevtmpfsi, so that the daemon cannot restart the miner.
    kill -9 [$PID]
    Note: [$PID] is the process ID of kinsing or kdevtmpfsi obtained in step 2.
  5. Check whether the CPU load has returned to normal. If either process reappears, an entry in another user's crontab or a still-running parent process was missed; repeat steps 1 through 4.
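The five steps above as one script, added here as an example and not part of the Alibaba Cloud article. It assumes a Linux instance with /proc, per-user crontabs readable with `crontab -l -u`, and a cron unit named crond or cron; the process names come from the article, while the crontab heuristic (commenting out any entry that names the malware or pipes a curl/wget download into a shell) and all paths are assumptions of mine, since the article does not show the planted entry. Run it as root after taking a snapshot, and with DRY_RUN=1 first to see what it would change.

```shell
#!/bin/sh
# Added example (not from the Alibaba Cloud article): carries out steps 1-5
# against the kinsing/kdevtmpfsi pair. Process names are from the article;
# the cron heuristics, unit names and paths are assumptions. Run as root,
# after a snapshot, and with DRY_RUN=1 first.
set -u

MALWARE_NAMES="kinsing kdevtmpfsi"   # daemon first, then the miner it respawns
DRY_RUN="${DRY_RUN:-0}"

# PIDs whose process name (/proc/PID/comm) is exactly $1. Reading /proc avoids
# the "grep matches its own command line" problem of `ps aux | grep name`.
pids_by_name() {
    for d in /proc/[0-9]*; do
        [ "$(cat "$d/comm" 2>/dev/null)" = "$1" ] && echo "${d#/proc/}"
    done
    return 0
}

# Executable behind a PID. Works even if the file was already unlinked:
# the link then reads e.g. "/tmp/kdevtmpfsi (deleted)".
exe_of_pid() { readlink "/proc/$1/exe" 2>/dev/null; }

# Strip the " (deleted)" marker so the path can be handed to rm.
exe_path() { printf '%s\n' "${1% (deleted)}"; }

# Filter crontab text (stdin -> stdout): comment out any line that names the
# malware, or that fetches something with curl/wget and pipes it into a shell
# (assumed reinstall pattern). Already-commented lines and unrelated jobs
# pass through unchanged.
comment_malware_cron() {
    awk -v names="$MALWARE_NAMES" '
        BEGIN { n = split(names, a, " ") }
        /^[ \t]*#/ { print; next }
        {
            hit = ($0 ~ /(curl|wget)[^|]*[|][ \t]*(ba)?sh/)
            for (i = 1; i <= n && !hit; i++) if (index($0, a[i])) hit = 1
            print (hit ? "#" $0 : $0)
        }'
}

# Step 1: scrub every user's crontab (the entry is usually planted for the
# account the exploited service ran as, not only root), then stop cron.
disable_malware_cron() {
    for u in $(cut -d: -f1 /etc/passwd); do
        crontab -l -u "$u" 2>/dev/null | grep -q . || continue
        if [ "$DRY_RUN" = 1 ]; then
            echo "== crontab for $u after filtering:"
            crontab -l -u "$u" | comment_malware_cron
        else
            crontab -l -u "$u" | comment_malware_cron | crontab -u "$u" -
        fi
    done
    [ "$DRY_RUN" = 1 ] || systemctl stop crond 2>/dev/null \
        || systemctl stop cron 2>/dev/null || service cron stop 2>/dev/null || true
}

# Steps 2-4: locate, kill and delete, daemon first so it cannot respawn the miner.
kill_and_remove() {
    for name in $MALWARE_NAMES; do
        for pid in $(pids_by_name "$name"); do
            exe=$(exe_of_pid "$pid")
            path=$(exe_path "$exe")
            echo "$name pid=$pid exe=$exe"
            if [ "$DRY_RUN" != 1 ]; then
                kill -9 "$pid" 2>/dev/null || true
                [ -f "$path" ] && rm -f "$path"
            fi
        done
    done
}

# Step 5: a quick look at the load; compare with the value before cleanup.
cpu_check() { uptime; }

if [ "${1:-}" = "--run" ]; then
    disable_malware_cron
    kill_and_remove
    sleep 5
    cpu_check
fi
```

Invoke it as `DRY_RUN=1 sh cleanup.sh --run` to see which crontab lines would be commented out and which binaries would be removed, then without DRY_RUN to apply. Killing by process name from /proc and resolving `/proc/PID/exe` matters because the miner is typically started from a deleted or renamed file, so the command line shown by ps is not a reliable guide to what to delete.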

Application scope

  • Elastic Compute Service
  • Simple Application Server