[TriLUG] Kinsing ( Help? )
Bill Weinel via TriLUG
trilug at trilug.org
Tue Dec 22 09:00:19 EST 2020
Sorry to hear about that...
I know this is probably not what you will want to hear, but I would
suggest doing a complete wipe and reinstall. If you have a backup from
before the infection, you could do a complete wipe and restore from the
backup.
Since there's no way to know what files may have been compromised in the
attack, the safest course is to just delete everything from the time of
the attack forward and reinstall. Even with the best 'cleanup', you may
not get everything that was compromised. Not to mention that it's going
to be a very time consuming process (which you may end up having to
perform multiple times if you miss stuff.) In the end, it's probably a
better course of action and will be less time consuming to just do a
reinstall.
Whenever I build a system here, I use Clonezilla to make a complete
post-install backup copy on a spare hard drive to place on the storage
shelf. Then I snapshot the system once a quarter using rsync/tar (which
works well for this process and can even be automated.) That way, should
something get compromised down the line, I'm back up immediately and only
at worst three months behind on file updates.
cheers,
bill
On 12/21/20 9:23 PM, Brian McCullough via TriLUG wrote:
> Greetings, all.
>
> I have been fighting an infection for a while now, and must beg for
> help.
>
> I have a machine, running Nginx and PHP5-FPM which first exhibited this
> infection last winter ( just about exactly a year ago ). I followed
> instructions that I found, and things seemed to get better.
>
> However, about a week ago, it popped up again. I have been doing what I
> can to block and eliminate it, but it keeps coming back.
>
> One apparent source of infection was a line that was being inserted into
> www-data's crontab. I deleted that line three or four times, and then
> had the bright idea of making that file read-only. It hasn't been
> modified again, but Kinsing keeps coming back.
>
> One of the suggestions was to create "dummy" copies of the files
> "kinsing" and "kdevtmpfsi," originally found, one in each of /var/tmp/
> and /tmp. I was able to block /var/tmp, but now it is creating both
> files ( but "special" versions of each that don't collide with my dummy
> copies ) in /tmp.
>
> The piece of information that I missed was that this system is a Debian
> 8 machine.
>
>
>
> Does anybody have any other ideas for "cleaning" this problem?
>
>
> Thank you,
> Brian
>
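A small read-only triage script for the two indicators Brian describes (files named kinsing/kdevtmpfsi dropped into the temp directories, and lines in www-data's crontab that nobody added). This is an added example, not code from either poster or from any cleanup guide; the directories, the crontab path and the allow-list are parameters, and the sandbox it builds at the bottom is constructed sample data so it can be run safely on any box.

```shell
#!/bin/sh
# Added example (not from the thread): report-only checks for the indicators
# named in Brian's message. Nothing here deletes or modifies anything; the
# point is to know whether a rebuilt or restored system is clean.

# Print every regular file under the given directories whose name begins with
# "kinsing" or "kdevtmpfsi". The prefix match also catches the "special
# versions" Brian saw, which keep the name but add a suffix.
find_dropper_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f \( -name 'kinsing*' -o -name 'kdevtmpfsi*' \) 2>/dev/null
    done
}

# Compare a crontab file against an allow-list of lines you know you wrote.
# Blank lines and comments are ignored. Prints any line not on the allow-list
# and returns 1 if there were any; returns 0 when the crontab is as expected.
unexpected_cron_lines() {
    cronfile=$1
    allowfile=$2
    [ -f "$cronfile" ] || return 0
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$cronfile" \
          | grep -v -x -F -f "$allowfile" || true)
    [ -z "$bad" ] && return 0
    echo "$bad" | sed 's/^/unexpected crontab line: /'
    return 1
}

# Build a throwaway directory tree with constructed indicators so the checks
# can be exercised without touching the real /tmp or crontabs.
make_sandbox() {
    sb=$(mktemp -d)
    mkdir -p "$sb/tmp" "$sb/var/tmp" "$sb/cron"
    : > "$sb/tmp/kdevtmpfsi1234"      # constructed: renamed "special version"
    : > "$sb/var/tmp/kinsing"         # constructed: plain dropped file
    : > "$sb/tmp/harmless.txt"        # constructed: should not be reported
    # Constructed www-data crontab: one line the admin wrote, one nobody did
    cat > "$sb/cron/www-data" <<'EOF'
# m h dom mon dow command
0 3 * * * /usr/local/bin/rotate-app-logs.sh
* * * * * /tmp/kdevtmpfsi1234
EOF
    # Constructed allow-list: the only line that is supposed to be there
    printf '%s\n' '0 3 * * * /usr/local/bin/rotate-app-logs.sh' > "$sb/cron/allowed"
    echo "$sb"
}

# Stand-alone run against the sandbox; on a real Debian host you would pass
# /tmp /var/tmp and /var/spool/cron/crontabs/www-data instead.
main() {
    sb=$(make_sandbox)
    echo "== dropped files =="
    find_dropper_files "$sb/tmp" "$sb/var/tmp"
    echo "== crontab =="
    unexpected_cron_lines "$sb/cron/www-data" "$sb/cron/allowed" || true
    rm -rf "$sb"
}

main "$@"
```

Run it as-is to see the sandbox report, then point the two functions at the real paths. The name match is only as good as the names in the thread, so a clean result from `find_dropper_files` means "none of the known files", not "no infection"; the crontab comparison is the more reliable of the two because an allow-list you maintain does not depend on what the malware calls itself. Either way the script supports Bill's advice rather than replacing it: it tells you whether the restored backup is clean, it does not try to clean a live one.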