
I found a strange process on my CentOS 8 machine; check the photo above:

screen shot of ps output

When I type cat /etc/passwd I don't see user 990 anywhere. This kinsing process is also strange, because it is the same process that infected my machine in the first place, via redis.

How can I locate this and figure out what is going on? I already removed it from my system: I uninstalled redis and deleted the redis username that used to run the miner process. But the process running in the image I am interested in makes it clear they still have something in my system. How can I find out where the files running this process are, and who is this 990 username running the process?

Additional information I just found regarding the process:

ls -la /proc/41325/exe
lrwxrwxrwx 1 990 987 0 Feb 28 21:53 /proc/41325/exe -> '/var/tmp/kinsing (deleted)'
Jack Duldi
  • Here's a random link talking about it: https://forum.manjaro.org/t/i-have-a-mining-virus-on-my-machine-kdevtmpfsi/121040/10 . Of course you should now follow something like this (it's too late to try and clean): https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server/218011#218011 – A.B Feb 29 '20 at 18:48
  • Hello and thanks for the help, but I already removed it from my system: I uninstalled redis and deleted the redis username that used to run the miner process. But the process running in the image I am interested in makes it clear they still have something in my system. How can I find out where the files running this process are? – Jack Duldi Feb 29 '20 at 19:00
  • I found the vulnerability he got in through: it was via redis. The miner is no longer on my system, but the kinsing process is still there; I am trying to locate where this process is coming from. – Jack Duldi Feb 29 '20 at 19:06
  • As I mentioned in https://serverfault.com/questions/1005092/how-to-uninstall-redis-on-centos-8/, you really need to start over. I strongly recommend restoring from backups. There is absolutely no guarantee that you will ever be able to eradicate the malware on the existing server. – David W Feb 29 '20 at 19:09
  • I don't have backups, David, and I uninstalled redis; the miner is no more, but there is still this strange process that I show in the picture. How can I find out where this process is coming from? – Jack Duldi Feb 29 '20 at 19:10
  • This question should actually be closed due to the topic and the professional recommendation that we will continue to give (see the "How do I deal with a compromised server" link), so I won't provide a formal "answer". But unofficially, you can do a "ps aux | grep kinsing" to get more information about that process. I would install and use rkhunter and clamav to help clean things up. – David W Feb 29 '20 at 19:22
  • Thanks, David. The file is only in /var/tmp/kinsing but is deleted. Why is the process still running if the file is deleted, and how do I kill this process? – Jack Duldi Feb 29 '20 at 19:25

1 Answer


It sounds to me like this process was already running (i.e. in memory) when you did your cleanup and you didn't kill it, so it's still there.

The 990 username means the user no longer exists. It appears that the user associated with redis that you deleted had the user ID 990.

You can, of course, terminate the running instance with 'kill 41325'.

While it is impossible to guarantee that a server has been fully unhacked, no evidence has been shown that the user managed to escalate themselves to root, so you may well be OK. You may want to run a command like "find / -user 990" to check if there are any traces of this account left.

davidgo
  • Thanks for this great answer, exactly what I needed and a correct answer too. I typed find / -user 990 and a huge list popped up. What should I do next? 990 was the redis username. – Jack Duldi Feb 29 '20 at 19:33
  • I still have a dilemma regarding this /proc/18464 "no such file or directory". What about this? find / -user 990 /run/user/990 /run/user/990/bus /run/user/990/systemd /run/user/990/systemd/private /run/user/990/systemd/notify find: ‘/proc/18464/task/18464/fd/8’: No such file or directory find: ‘/proc/18464/task/18464/fdinfo/8’: No such file or directory find: ‘/proc/18464/fd/7’: No such file or directory find: ‘/proc/18464/fdinfo/7’: No such file or directory /etc/redis.conf.rpmsave /var/log/redis /var/log/redis/redis.log /var/log/redis/redis.log-20200202 – Jack Duldi Feb 29 '20 at 19:47
  • I can't answer that as I don't have enough info. The simplest but least comprehensive approach would be to delete those files. I might be inclined to quarantine them and look at what they contain, and their creation dates, for clues about what they may have gotten up to and when. The location of the files may or may not also tell you things. – davidgo Feb 29 '20 at 19:47
  • I might be inclined to reboot the system. This will clear crap in /process (because it's a virtual filesystem). – davidgo Feb 29 '20 at 19:49
  • Thank you for your help, davidgo, you helped me a lot. – Jack Duldi Feb 29 '20 at 19:51
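The two signals in this thread, a /proc/PID/exe link that ends in "(deleted)" and a process owned by a UID with no passwd entry (990 after the redis account was removed), can be checked for every process at once. The script below is an added example, not code from the question or the answer; the function names, the demo passwd file and the "clean" label are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added triage helper (not from the original post). It flags the two signals the
# question shows: a /proc/PID/exe link ending in "(deleted)" (binary removed while
# the process keeps running) and a process UID with no passwd entry (here 990, left
# behind when the redis account was deleted). Detection only; nothing is killed.

# classify_exe PID UID TARGET PASSWD_FILE
# Prints "PID UID TARGET reason[,reason]" and returns 0 if suspicious, else 1.
# PASSWD_FILE is passwd(5) format (normally /etc/passwd; a constructed one in demo).
classify_exe() {
  local pid="$1" uid="$2" target="$3" passwd="$4" reasons=""
  case "$target" in
    *" (deleted)") reasons="deleted-binary" ;;
  esac
  # Third colon-separated field of passwd is the numeric UID.
  if ! awk -F: -v u="$uid" '$3 == u { found = 1 } END { exit !found }' "$passwd"; then
    reasons="${reasons:+$reasons,}orphan-uid"
  fi
  [ -n "$reasons" ] || return 1
  printf '%s %s %s %s\n' "$pid" "$uid" "$target" "$reasons"
}

# scan_proc PROCROOT PASSWD_FILE: apply classify_exe to every process directory.
# Run as root for a complete view; other users' exe links are unreadable otherwise.
scan_proc() {
  local procroot="$1" passwd="$2" dir uid target
  for dir in "$procroot"/[0-9]*; do
    # stat without -L reports the symlink itself, whose owner is the process UID.
    uid=$(stat -c %u "$dir/exe" 2>/dev/null) || continue
    target=$(readlink "$dir/exe" 2>/dev/null) || continue   # kernel threads: no target
    classify_exe "${dir##*/}" "$uid" "$target" "$passwd" || true
  done
}

# demo: constructed passwd with no UID 990, plus the exact link from the question.
demo() {
  local tmp; tmp=$(mktemp)
  printf 'root:x:0:0:root:/root:/bin/bash\n' >"$tmp"
  classify_exe 41325 990 '/var/tmp/kinsing (deleted)' "$tmp"   # both reasons
  classify_exe 1 0 /usr/lib/systemd/systemd "$tmp" || echo "pid 1: clean"
  rm -f "$tmp"
}
demo
```

On the live box the same check is "scan_proc /proc /etc/passwd"; each flagged PID is then a candidate for the kill and the "find / -user 990" sweep the answer describes.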