
I used Alibaba Cloud ECS to set up a server. In the past 2 months this is the third time it has been attacked by a mining virus, so I want to find a solution here. The following are my attempts at some public answers from the Internet, but none of them succeeded in the end.

top output:

    PID USER      PR  NI    VIRT    RES    SHR S  %CPU  %MEM     TIME+ COMMAND
 552060 root      20   0 2873424   2.3g   2712 S 129.4   3.7  51:33.70 kdevtmpfsi
 551850 root      20   0 3070036   2.3g   2712 S 123.5   3.7  47:00.41 kdevtmpfsi
 552074 root      20   0 3070032   2.3g   2712 S 123.5   3.7  49:39.04 kdevtmpfsi
  23883 1000      20   0 6785676 408104  26328 S   5.9   0.6   2:09.43 java
 564739 root      20   0  227268   4788   3868 R   5.9   0.0   0:00.02 top
      1 root      20   0  170004  12132   9124 S   0.0   0.0   0:03.19 systemd
      2 root      20   0       0      0      0 S   0.0   0.0   0:00.01 kthreadd
      3 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_gp
      4 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 rcu_par_gp
      6 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/0:0H-events_highpri
      8 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 mm_percpu_wq
      9 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_rude_
     10 root      20   0       0      0      0 S   0.0   0.0   0:00.00 rcu_tasks_trace
     11 root      20   0       0      0      0 S   0.0   0.0   0:00.25 ksoftirqd/0
     12 root      20   0       0      0      0 I   0.0   0.0   0:21.31 rcu_sched
     13 root      rt   0       0      0      0 S   0.0   0.0   0:00.01 migration/0
     14 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/0
     15 root      20   0       0      0      0 S   0.0   0.0   0:00.00 cpuhp/1
     16 root      rt   0       0      0      0 S   0.0   0.0   0:00.58 migration/1
     17 root      20   0       0      0      0 S   0.0   0.0   0:00.78 ksoftirqd/1
     19 root       0 -20       0      0      0 I   0.0   0.0   0:00.00 kworker/1:0H-events_highpri

  1. `kill -9 PID` does not work (kdevtmpfsi restarts within 1 minute)
  2. There is no kdevtmpfsi file in the /tmp path
  3. `systemctl status PID` also does not work
  4. Nothing in the crontab
  5. Used `find / -iname kdevtmpfsi* -exec rm -fv {} \;`

Terminal commands tried:

[root@Stock-DMP tmp]# ps -ef | grep kdevtmpfsi
root      551850   35245 99 15:02 ?        00:49:38 /tmp/kdevtmpfsi
root      552060   35687 99 15:02 ?        00:54:11 /tmp/kdevtmpfsi
root      552074   35462 99 15:02 ?        00:52:16 /tmp/kdevtmpfsi
root      565438  543813  0 15:41 pts/0    00:00:00 grep --color=auto kdevtmpfsi
[root@Stock-DMP tmp]# pwd
/tmp
[root@Stock-DMP tmp]# ll
total 12
-rw------- 1 root root    0 Jan  5 12:12 AliyunAssistClientSingleLock.lock
-rw-r--r-- 1 root root    3 Jan  5 13:00 CmsGoAgent.pid
drwx------ 3 root root 4096 Jan  5 13:00 systemd-private-cef6b94dbb0f4abbb2fb81aed53c1bdf-chronyd.service-iwnjti
drwx------ 3 root root 4096 Jan  5 13:00 systemd-private-cef6b94dbb0f4abbb2fb81aed53c1bdf-systemd-resolved.service-KyX7Wf
[root@Stock-DMP tmp]# systemctl status 551850
Failed to get unit for PID 551850: PID 551850 does not belong to any loaded unit.
[root@Stock-DMP tmp]# systemctl status 552060
Failed to get unit for PID 552060: PID 552060 does not belong to any loaded unit.
[root@Stock-DMP tmp]# systemctl status 552074
Failed to get unit for PID 552074: PID 552074 does not belong to any loaded unit.
[root@Stock-DMP tmp]# systemctl status 555438
Failed to get unit for PID 555438: PID 555438 does not belong to any loaded unit.
[root@Stock-DMP tmp]# ls -l /proc/551850/exe
lrwxrwxrwx 1 root root 0 Jan  6 15:02 /proc/551850/exe -> '/tmp/kdevtmpfsi (deleted)'
[root@Stock-DMP tmp]# ls -l /proc/552060/exe
lrwxrwxrwx 1 root root 0 Jan  6 15:02 /proc/552060/exe -> '/tmp/kdevtmpfsi (deleted)'
[root@Stock-DMP tmp]# ls -l /proc/552074/exe
lrwxrwxrwx 1 root root 0 Jan  6 15:02 /proc/552074/exe -> '/tmp/kdevtmpfsi (deleted)'
[root@Stock-DMP tmp]# ls -l /proc/555438/exe
ls: cannot access '/proc/555438/exe': No such file or directory
[root@Stock-DMP tmp]# crontab -l
no crontab for root
[root@Stock-DMP tmp]# find / -iname kdevtmpfsi* -exec rm -fv {} \;
removed '/var/lib/docker/overlay2/003f8255259b3a7551887255badebc03e3051bf7ccbf39cdabb669be17454cc9/merged/tmp/kdevtmpfsi'
removed '/var/lib/docker/overlay2/ebb11958a3df7d4dc3019a6b7f5d9f6d6e0bad8e6c8330b3cb2d994000b0d70e/merged/tmp/kdevtmpfsi'
removed '/var/lib/docker/overlay2/7782d102817437c1dc0e502b5f2ceb47f485ca9c69961b90f3d1f828074be59d/merged/tmp/kdevtmpfsi'
find: ‘/proc/571578’: No such file or directory
find: ‘/proc/571579’: No such file or directory
[root@Stock-DMP tmp]# find / -iname kinsing* -exec rm -fv {} \;
                                                                                                               
  1. I want to know how kdevtmpfsi got into my server
  2. How to delete kdevtmpfsi completely
  3. Defense methods for later (I develop from a home network, so it is difficult to close all ports in the security group or restrict access to designated IPs)
tnwei
user17848204
  • Have you tried following the steps in this blog? https://brycematheson.io/how-to-permanently-kill-and-remove-kdevtmpfsi-kinsing/ Apparently it can also show up in `/var/tmp/kinsing` and `/tmp/kinsing` – tnwei Jan 14 '22 at 08:15
  • Hey, maybe I can help you. Try following these posts already on Stack Overflow: https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu and the closed post: https://stackoverflow.com/questions/59487096/kdevtmpfsi-how-to-find-and-delete-that-miner – Sergio Bentes Mar 30 '22 at 16:11
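Procfs triage for the situation in the question, as an added example that is not part of the original post, its comments or any answer. The evidence already on the page (`/proc/PID/exe -> '/tmp/kdevtmpfsi (deleted)'`, an empty host `/tmp`, hits only under `/var/lib/docker/overlay2/.../merged/tmp`, and `kill -9` being undone within a minute) is exactly what this script is built to surface: for every process whose exe was deleted out of a scratch directory, or whose name matches the miner, it reports the parent chain, the container id from `/proc/PID/cgroup`, and whether the process shares PID 1's mount namespace. It assumes a Linux host with cgroups that carry a 64-hex Docker container id and that it is run as root; `build_sample_procfs()` constructs a fake `/proc` from the PIDs and overlay2 id visible in the question, with the parent process named `sh` as a guess.

```python
"""Procfs triage for a respawning miner such as kdevtmpfsi.
Added example, not code from the question, its comments, or any answer. It reads
only /proc (root is needed to see other users' exe/ns links), so it still works
after the binary was deleted. build_sample_procfs() constructs a fake procfs tree
mirroring the question's PIDs for offline testing; the parent's name is assumed.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # where droppers usually write
NAME_RE = re.compile(r"kdevtmpfsi|kinsing")
CONTAINER_ID_RE = re.compile(r"[0-9a-f]{64}")  # docker/containerd id in /proc/PID/cgroup

@dataclass
class Suspect:
    pid: int
    ppid: int
    exe: str                     # target of /proc/PID/exe, e.g. '/tmp/kdevtmpfsi (deleted)'
    container_id: Optional[str]  # None when the process is not in a container cgroup
    in_host_mnt_ns: bool         # False => its /tmp is not the host's /tmp
    parent_chain: List[Tuple[int, str]]

def _read(path: str) -> str:
    try:
        with open(path, errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""

def _readlink(path: str) -> str:
    try:
        return os.readlink(path)
    except OSError:
        return ""

def _ppid(proc: str, pid: int) -> int:
    for line in _read(f"{proc}/{pid}/status").splitlines():
        if line.startswith("PPid:"):
            return int(line.split()[1])
    return 0

def parent_chain(proc: str, pid: int, limit: int = 8) -> List[Tuple[int, str]]:
    """Walk PPid links up to init; kill -9 on the leaf is futile while a parent respawns it."""
    chain: List[Tuple[int, str]] = []
    while pid > 1 and len(chain) < limit:
        pid = _ppid(proc, pid)
        if pid:
            chain.append((pid, _read(f"{proc}/{pid}/comm").strip()))
    return chain

def find_suspects(proc: str = "/proc") -> List[Suspect]:
    """Flag processes by name, or by a deleted exe that lived in a scratch dir.
    A deleted exe under /usr/bin right after a package upgrade is normal and ignored."""
    host_mnt_ns = _readlink(f"{proc}/1/ns/mnt")
    found = []
    for entry in os.listdir(proc):
        if not entry.isdigit():
            continue
        pid = int(entry)
        exe = _readlink(f"{proc}/{pid}/exe")
        cmdline = _read(f"{proc}/{pid}/cmdline").replace("\0", " ")
        deleted_scratch = exe.endswith("(deleted)") and exe.startswith(SCRATCH_DIRS)
        if not (deleted_scratch or NAME_RE.search(exe) or NAME_RE.search(cmdline)):
            continue
        match = CONTAINER_ID_RE.search(_read(f"{proc}/{pid}/cgroup"))
        found.append(Suspect(pid, _ppid(proc, pid), exe, match.group(0) if match else None,
                             _readlink(f"{proc}/{pid}/ns/mnt") == host_mnt_ns,
                             parent_chain(proc, pid)))
    return sorted(found, key=lambda s: s.pid)

def respawn_candidates(suspects: List[Suspect]) -> set:
    """Immediate parents of the miners: inspect and stop these before the miners."""
    return {s.ppid for s in suspects if s.ppid > 1}

def build_sample_procfs() -> str:
    """Constructed fake /proc: the question's PIDs and overlay2 id, with an assumed parent."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    cid = "003f8255259b3a7551887255badebc03e3051bf7ccbf39cdabb669be17454cc9"
    procs = {  # pid: (comm, ppid, exe, cgroup, mount namespace)
        1:      ("systemd",    0,     "/usr/lib/systemd/systemd",  "0::/init.scope",       "mnt:[4026531840]"),
        23883:  ("java",       1,     "/usr/bin/java",             "0::/system.slice/app", "mnt:[4026531840]"),
        35245:  ("sh",         1,     "/bin/sh",                   f"0::/docker/{cid}",    "mnt:[4026532500]"),
        551850: ("kdevtmpfsi", 35245, "/tmp/kdevtmpfsi (deleted)", f"0::/docker/{cid}",    "mnt:[4026532500]"),
    }
    for pid, (comm, ppid, exe, cgroup, mnt) in procs.items():
        d = f"{root}/{pid}"
        os.makedirs(f"{d}/ns")
        files = {"status": f"Name:\t{comm}\nPPid:\t{ppid}\n", "comm": comm + "\n",
                 "cmdline": exe.replace(" (deleted)", "") + "\0", "cgroup": cgroup + "\n"}
        for name, text in files.items():
            with open(f"{d}/{name}", "w") as fh:
                fh.write(text)
        os.symlink(exe, f"{d}/exe")  # dangling, like a deleted binary; never followed
        os.symlink(mnt, f"{d}/ns/mnt")
    return root
```

Run `find_suspects()` as root on the live host and read the result against the question's own evidence. A suspect whose exe is `/tmp/kdevtmpfsi (deleted)`, whose cgroup sits under `/docker/<id>` and whose mount namespace differs from PID 1's means the miner is running inside a container: its `/tmp` is the container's `/tmp`, which is why the host `/tmp` listing is empty and why `find` only hit the overlay2 `merged` directories. From the host, `ls -la /proc/551850/root/tmp` shows that container's `/tmp`, and `cat /proc/551850/exe > kdevtmpfsi.bin` recovers the deleted binary for hashing. `docker ps --no-trunc` maps the 64-hex id to a container and `docker inspect <id>` shows its image; stopping that container removes the respawning parent together with the miner, which `kill -9` on the leaf PID does not (inspect or `docker export` first if you want to keep evidence). The page does not show how the container itself was compromised, so the next question is what application runs in that image and how the Docker daemon is reachable; Kinsing campaigns are widely reported to target Docker daemons exposed on tcp/2375 without authentication, and that is the first thing to check in the security group.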
