[TriLUG] Kinsing ( Help? )
Brian McCullough via TriLUG
trilug at trilug.org
Mon Dec 21 21:23:42 EST 2020
Greetings, all.
I have been fighting an infection for a while now, and must beg for
help.
I have a machine, running Nginx and PHP5-FPM which first exhibited this
infection last winter ( just about exactly a year ago ). I followed
instructions that I found, and things seemed to get better.
However, about a week ago, it popped up again. I have been doing what I
can to block and eliminate it, but it keeps coming back.
One apparent source of infection was a line that was being inserted into
www-data's crontab. I deleted that line three or four times, and then
had the bright idea of making that file read-only. It hasn't been
modified again, but Kinsing keeps coming back.
One of the suggestions was to create "dummy" copies of the files
"kinsing" and "kdevtmpfsi," originally found, one in each of /var/tmp/
and /tmp. I was able to block /var/tmp, but now it is creating both
files ( but "special" versions of each that don't collide with my dummy
copies ) in /tmp.
The piece of information that I missed was that this system is a Debian
8 machine.
Does anybody have any other ideas for "cleaning" this problem?
Thank you,
Brian
More information about the TriLUG
mailing list