[TriLUG] Kinsing ( Help? )

Bill Weinel via TriLUG trilug at trilug.org
Tue Dec 22 09:00:19 EST 2020 

Sorry to hear about that...

I know this is probably not what you will want to hear, but I would 
suggest doing a complete wipe and reinstall. If you have a backup from 
before the infection, you could do a complete wipe and restore from the 
backup.

Since there's no way to know what files may have been compromised in the 
attack, the safest course is to just delete everything from the time of 
the attack forward and reinstall. Even with the best 'cleanup', you may 
not get everything that was compromised. Not to mention that it's going 
to be a very time consuming process (which you may end up having to 
preform multiple times if you miss stuff.) In the end, it's probably a 
better course of action and will be less time consuming to just do a 
reinstall.

Whenever I build a system here, I use Clonezilla to make a complete 
post-install backup copy on a spare hard drive to place on the storage 
shelf. Then I snapshot the system once a quarter using rsync/tar (which 
works well for this process and can even be automated.) That way, should 
something get compromised down the line, I'm back up immediatly and only 
at worst three months behind on file updates.

cheers,
bill


On 12/21/20 9:23 PM, Brian McCullough via TriLUG wrote:
> Greetings, all.
>
> I have been fighting an infection for a while now, and must beg for
> help.
>
> I have a machine, running Nginx and PHP5-FPM which first exhibited this
> infection last winter ( just about exactly a year ago ).  I followed
> instructions that I found, and things seemed to get better.
>
> However, about a week ago, it popped up again.  I have been doing what I
> can to block and eliminate it, but it keeps coming back.
>
> One apparent source of infection was a line that was being inserted into
> www-data's crontab.  I deleted that line three or four times, and then
> had the bright idea of making that file read-only.  It hasn't been
> modified again, but Kinsing keeps coming back.
>
> One of the suggestions was to create "dummy" copies of the files
> "kinsing" and "kdevtmpfsi," originally found, one in each of /var/tmp/
> and /tmp.  I was able to block /var/tmp, but now it is creating both
> files ( but "special" versions of each that don't collide with my dummy
> copies ) in /tmp.
>
> The piece of information that I missed was that this system is a Debian
> 8 machine.
>
>
>
> Does anybody have any other ideas for "cleaning" this problem?
>
>
> Thank you,
> Brian
>

More information about the TriLUG mailing list