-
Notifications
You must be signed in to change notification settings - Fork 577
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
a suspicious process named 'kdevtmpfsi',likely related to redis offical image 'redis:4-alpine' in docker hub #217
Comments
Remove the added cron and |
Yeah that file isn't supposed to be there #140 (comment)As noted by the creator of redis; it is very easy to "hack" a redis server and change files: http://antirez.com/news/96.
We do not build images with malware installed (I did just pull and check them in case there was some sort of exploit of Docker Hub). The affected users are likely exposing their redis to the public internet where it is trivial to "hack". Edit: previous users with problems by "hackers", #44 (comment), #44 (comment), #44 (comment) |
This is not a redis issue. This is a known crypto mining malware unrelated to redis |
See also docker-library/docs#1571 where this was officially documented. Also, just to be fully explicit: $ docker pull redis:4-alpine
4-alpine: Pulling from library/redis
Digest: sha256:cc33d01d0c96e498284886d2afc0a5d09250334efd61dd430e5edce9b89a9a3c
Status: Image is up to date for redis:4-alpine
docker.io/library/redis:4-alpine
$ docker run --rm redis:4-alpine find / -iname kdevtmpfsi
$ |
@iamareebjamal happen to have any more info/links on that? Can't seem to find anything |
thanks! |
Guys the same issue for me. do you have any workaround? |
Remove /tmp/kdevtmpfsi, /tmp/zzz and /var/tmp/ executables and replace with blank files with no permissions, then the miner cannot readd the files, then kill the running process |
Or follow this - laradock/laradock#2451 (comment) |
@iamareebjamal A big thank you to you . I did something like this:
but after a couple of mitues it started again ! |
/tmp/zzz is the bootstrap file. Do the same with it as well |
@iamareebjamal do you mean something like this?
|
You also should change your container to not expose the database port publicly. |
And, perhaps above all, require a strong password to connect. |
this solve for me. |
So, if you aren't even using Docker, and this thing has affected you, it might be due to an unpatched PHP Remote Code Execution vulnerability. (We don't use Docker, got hit with this thing and couldn't get it to stop trying to run the script that reinstalls the CRON job, even after we locked it down otherwise.) In any case, this is the vulnerability you need to check. Hope this helps someone! https://www.sourceclear.com/vulnerability-database/security/remote-code-execution-rce/php/sid-4487 |
It's work for me ! |
Do not expose Redis ports to host without Iptables rules! kill - 9 miner_PIDs_here |
maybee this works... `#!/bin/bash kill the tmp dirschattr -iR /tmp/ 2>/dev/null set recursive chattr -ichattr -iR /etc/ 2>/dev/null find & kill kinsing* binarysfind / -name 'kinsing*' -exec rm -rv {} ; kill kinsing procspkill -f kinsing clean crontabs/jobsCRONCLEAN=("/var/spool/cron/" "/var/spool/cron/crontabs/" "/etc/cron.d/" "/etc/cron.daily/" "/etc/cron.hourly/" "/etc/cron.monthly/" "/etc/cron.weekly/") |
I found all the above solution helpful but all of them are seems the temporary solution as we need to monitor the instance and if we notice any malicious activity then do the same process again. I have come across this virus around 1 month back and applied all the solution above which works fine for the limited period after that, it will come again. Even I didn't install docker in the system so docker open API port was not an issue. But there are some open source software which are the open gate for kinsing. PhpMailer and Solr have some Remote Code Exec vulnerability cause the whole issue. Easy solution is upgrade your Solr version to 8.5.1 and there one more thing you can set as security which will 100% remove the virus and it will be the permanent. Here is the full explanation: https://github.com/amulcse/solr-kinsing-malware |
kinsing is not only distributed via docker api, it penetrates massively via redis, docker api, kubernet, rfi e.t.c .... into the systems! to avoid reinfect you could try the following (yes not the cleanest way but it works) :::
if in doubt contact me and let me check your system from the outside. can you hack it then I hack it and record my procedure / the vulnerable. (I am a private person not a company !!!) PS: amulcse did it come back under the same name? were the files in the same places? if so then they have not considered the variant with the file dumys. I would be happy to receive further information. please take a look at these candidates here, not as common as kinsing but also current and dangerous: https://github.com/CKmaenn/CryptoHijacking_Binarys.and.InstallScripts_sorted have a nice day ;) |
Hey CKmaenn. As your suggested solution might work but they will try always the different directory and anonymous name of the folder. So basically you should identify the entry gate instead of changing the permission of the folder and files. One more thing, even it will not harm by changing the permission still it will annoyingly try to access the system in different ways. Yes, It did not come in my system again as I knew the entry point. Thanks |
I noticed a bunch of commands spread out amonst many different comments... Here is what I have found helpful and working:
Immediately after performing the above steps, I see the process disappear and usage return to normal. I have been running now 6 hours with no more usage issues. If you MUST leave open your redis without password - say you use an application that does not support passwords - you can clean up the miners as described above and do the following:
You can also allow/deny other common services to the world:
Note: if you allow your IP you will want to remove the allow 22 or deny 22 rule with This is by no means considered a 'secure' way to fix the issue, the secure way is to recode the program to work with a redis password. This is because if the firewall is disabled for any reason, the server is immediately insecure again and can be breached. This is however a temporary fix for those who are not programmers. |
As I have Redis Docker, first, i restart Redis docker container, and find out the I went to
I get the following result:
So my kdevtmpfsi was in docker tmp instead of system local /tmp
|
That typically means your Redis server is exposed to the public internet, and you really should fix that problem ASAP. |
If other solutions not working. Use it.
And add it to screen by command: |
@Vendenisko your script will consume high CPU usage too, it may be better to put |
I'm sorry, my mistake. I will edit my comment and add sleep to loop. |
You really, really ought to fix it by stopping the remote access from unauthorized users. Just stopping their mining process means that they still have access to your redis database and can do anything with the data it contains. The two simplest ways should be to not expose the port to the world (no |
Yes you are right, I said better is remove the problem completely. Not use my solution all time. This is a temporary solution. Or if you don't have better ideas, or you can't use another solution. |
My friend has this problem, temporary used my simple PHP script, then I logged to his machine I removed it completely. |
How did you removed it completely? |
OK, so I would love for someone to explain what is happening in my case... No docker image, no Redis installed, no Apache Solr installed, no PHPMailer installed and PHP is installed but is latest 7.4... Where is the vulnerability in this case? Miner gets reinstalled on average every 2 days, NO CRONJOBS gets installed (from what I can see) and I have authorized keys to enter the SSHD... Saw a couple of strange PORT open with ss -plntu = I kill the process that had them open. How is the miner getting installed in my case I only have 80,443 and 25 ports open. Must be an apache vulnerability or could it be Centos 7? |
JEAholding, Your situation sounds similar to ours. In our case it was a Remote Code Execution vulnerability in PHP Unit. Basically, it (PHP Unit) included a script that would accept a php file upload and execute it. That was how the miner was getting reinstalled on our box. We removed PHP Unit and the problem went away. (PHP Unit can be part of other 3rd party utilities and can get installed without you realizing it. That's what happened to us.) Hope this helps! |
I have the latest PHPunit 8.5^ wasn't this fix on later versions? Or phpunit is vulnerable even on latest updated version ? What version of phpunit did you have on your box ? |
@JEAholding - Honestly, I don't remember. (We resolved this about a year ago.) I would hope that it had been resolved in PHPUnit, but it could always be a similar issue in another library. :/ Sorry I can't be more help there. |
This comment has been minimized.
This comment has been minimized.
Apologies for locking the conversation. This is not a general discussion board for issues of being hacked and If you have real bugs with the |
I notice that there is a kdevtmpfsi executable file under my redis:4-alpine container fs /tmp and a process named 'kdevtmpfsi' cost about 400% cpu, when i remove redis container and run again the file is gone. is this normal? seems like being hijacked to mine cryptocurrency or something.
The text was updated successfully, but these errors were encountered: