Best workaround to combat Kinsing malware (kdevtmpfsi)
We noticed strange CPU traffic on a Docker-running Ubuntu server last week.
At first, it was believed to be a problem with the code running in the container. However, when we examined how much CPU each process was using, a process called “kdevtmpfsi” was using between 100% and 200%.
I discovered that the problem was not with .NET or Postgres running in Docker, but with something else.
Kinsing is malware that exploits an unprotected Docker API port and can run on Ubuntu systems. Once it is on the server, the attackers can manage and use its resources as they wish.
The solution I found is simple and quick, even though it isn’t elegant.
## Create a script to kill and remove kdevtmpfsi
Create a new bash script file:
```bash
nano kill.sh
```
and add the following code to it.
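```bash
#!/bin/bash
# Kill the running miner and dropper processes
kill $(pgrep kdevtmp)
kill $(pgrep kinsing)
# Delete the binaries wherever they sit on disk
find / -iname kdevtmpfsi -exec rm -fv {} \;
find / -iname kinsing -exec rm -fv {} \;
# Remove leftover copies in /tmp (-f: no error when nothing matches)
rm -f /tmp/kdevtmp*
rm -f /tmp/kinsing*
```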
Make the script executable.
```bash
chmod +x kill.sh
```
Add a cron job to run the script every minute.
```bash
sudo crontab -e
```
Be sure that you give the correct path for your script.
```
* * * * * /usr/bin/scripts/kill.sh
```
If you want to be sure that the script is running, you can verify the cron job with the following command.
```bash
systemctl status cron
```
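The cron job removes the miner each time it comes back, so it helps to also see what is present and whether the Docker API is listening on a non-loopback address. The script below is an added example, not part of the original post: it only reports, the function names are hypothetical, and the sample `ps` and `ss` lines (including port 2375) are constructed for illustration.

```bash
#!/bin/bash
# Added example: report-only triage for the indicators this post names.
# Nothing is killed or deleted; each function only prints what it finds.

# Processes whose name contains kdevtmp or kinsing (same match as the pgrep calls).
# stdin: "PID COMMAND" lines, the format of `ps -eo pid=,comm=`.
find_miner_procs() {
    awk '$2 ~ /kdevtmp|kinsing/ { print $1, $2 }'
}

# Files matching the /tmp patterns the cleanup script removes.
# $1: directory to scan (normally /tmp).
find_miner_files() {
    find "$1" -maxdepth 1 -type f \( -name 'kdevtmp*' -o -name 'kinsing*' \)
}

# TCP listeners owned by dockerd that are not bound to loopback, i.e. a
# Docker API reachable from other hosts. stdin: output of `ss -H -ltnp`.
# Published container ports belong to docker-proxy and are not reported.
find_exposed_docker() {
    awk '/"dockerd"/ && $4 !~ /^127\./ && index($4, "[::1]") != 1 { print $4 }'
}

# Constructed sample data, so the script runs without a live infection.
SAMPLE_PS='  812 dockerd
 4021 kdevtmpfsi
 4377 kinsing
 5120 postgres'
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:2375 0.0.0.0:* users:(("dockerd",pid=812,fd=3))
LISTEN 0 244 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=5120,fd=5))
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=900,fd=4))'

if [ "${1:-}" = "--live" ]; then
    # Run as root so ss can show the owning process of every socket.
    echo "processes:";  ps -eo pid=,comm= | find_miner_procs
    echo "files:";      find_miner_files /tmp
    echo "docker api:"; ss -H -ltnp | find_exposed_docker
else
    echo "processes (sample):";  printf '%s\n' "$SAMPLE_PS" | find_miner_procs
    echo "docker api (sample):"; printf '%s\n' "$SAMPLE_SS" | find_exposed_docker
fi
```

Run it with `--live` as root to check the real host. Any address printed under "docker api" means dockerd itself is listening on TCP beyond loopback, which is the exposure this post describes.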