[TriLUG] Kinsing ( Help? )

David Brain via TriLUG trilug at trilug.org
Tue Dec 22 07:48:48 EST 2020


Any reason not to just wipe/rebuild? - if it's been infected for any length
of time who knows what else is on there by now.

David

On Mon, Dec 21, 2020, 9:30 PM Brian McCullough via TriLUG <trilug at trilug.org>
wrote:

> Greetings, all.
>
> I have been fighting an infection for a while now, and must beg for
> help.
>
> I have a machine, running Nginx and PHP5-FPM which first exhibited this
> infection last winter ( just about exactly a year ago ).  I followed
> instructions that I found, and things seemed to get better.
>
> However, about a week ago, it popped up again.  I have been doing what I
> can to block and eliminate it, but it keeps coming back.
>
> One apparent source of infection was a line that was being inserted into
> www-data's crontab.  I deleted that line three or four times, and then
> had the bright idea of making that file read-only.  It hasn't been
> modified again, but Kinsing keeps coming back.
>
> One of the suggestions was to create "dummy" copies of the files
> "kinsing" and "kdevtmpfsi," originally found, one in each of /var/tmp/
> and /tmp.  I was able to block /var/tmp, but now it is creating both
> files ( but "special" versions of each that don't collide with my dummy
> copies ) in /tmp.
>
> The piece of information that I missed was that this system is a Debian
> 8 machine.
>
>
>
> Does anybody have any other ideas for "cleaning" this problem?
>
>
> Thank you,
> Brian
>
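
A read-only triage script for the indicators named in this thread (the "kinsing" and "kdevtmpfsi" names, /tmp and /var/tmp, www-data's crontab), added here as an example and not part of the original messages. The crontab path is Debian's default spool location, and the curl/wget/tmp pattern is an assumed heuristic, since the thread does not show the inserted line.

```shell
#!/bin/sh
# Added example: read-only evidence gathering, nothing is modified or deleted.
# Indicator names come from the thread; they are matched as substrings because
# the poster saw "special" variants that avoided his dummy copies.
NAMES='kinsing|kdevtmpfsi'

# Print every path under the given directories whose name contains an indicator.
find_dropped() {
    find "$@" -xdev \( -iname '*kinsing*' -o -iname '*kdevtmpfsi*' \) -print 2>/dev/null | sort
}

# Print active (non-comment) crontab lines worth a manual look.
# Heuristic (assumption): indicator names, download tools, or temp-dir paths.
suspicious_cron() {
    [ -r "$1" ] || return 0
    grep -Ev '^[[:space:]]*(#|$)' "$1" |
        grep -Ei "($NAMES)|curl|wget|/tmp/|/var/tmp/" || true
}

# Filter "ps -eo pid,user,args" text on stdin down to indicator matches.
match_procs() {
    grep -Ei "$NAMES" || true
}

triage() {
    echo "== files matching indicator names =="
    find_dropped "$@"
    echo "== www-data crontab lines to review =="
    suspicious_cron /var/spool/cron/crontabs/www-data
    echo "== matching processes =="
    # Snapshot first so the grep in match_procs cannot match itself.
    ps_out=$(ps -eo pid,user,args)
    printf '%s\n' "$ps_out" | match_procs
}

# Run only when directories are given, e.g.: sh triage.sh /tmp /var/tmp
if [ "$#" -gt 0 ]; then
    triage "$@"
fi
```

Run it as root so the crontab spool is readable. Hits are evidence to preserve before a wipe/rebuild, and an empty result does not show the host is clean.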