Best workaround to combat Kinsing malware (kdevtmpfsi)


Abdullah Ilgaz
2 min read · Nov 8, 2022


We noticed strange CPU traffic on a Docker-running Ubuntu server last week.

At first, it was believed to be a problem with the code running in the container. However, when we examined how much CPU each process was using, a process called “kdevtmpfsi” was using between 100% and 200%.

I discovered that the problem was not with .NET or Postgres running in Docker, but with something else.

(Screenshot from the original post: kdevtmpfsi using 197.3% CPU)

Kinsing is malware that gets in through an unprotected, network-exposed Docker API port and runs on Ubuntu hosts. Once it is in, its operators can use the machine's resources however they like.

The solution I found is simple and quick, even though it isn’t elegant.

## Create a script to kill and remove kdevtmpfsi

Create a new bash script file:

nano kill.sh

and add the following code to it.

```bash
#!/bin/bash
# Stop the miner and its loader if they are running.
# pkill matches by process name and does not fail when nothing matches,
# unlike kill $(pgrep ...), which errors out on an empty argument list.
pkill kdevtmp
pkill kinsing
# Delete any copies of the binaries left on disk.
find / -iname kdevtmpfsi -exec rm -fv {} \; 2>/dev/null
find / -iname kinsing -exec rm -fv {} \; 2>/dev/null
# Clean up the drop location in /tmp (-f so a missing file is not an error).
rm -f /tmp/kdevtmp* /tmp/kinsing*
```

Make the script executable.

chmod +x kill.sh

Add a cron job to run the script every minute.

sudo crontab -e

Be sure that you give the correct path for your script.

* * * * * /bin/bash /usr/bin/scripts/kill.sh

If you want to be sure that the cron service itself is running (so the job can fire), you can check it with the following command.

systemctl status cron
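Killing the process every minute treats the symptom; the post identifies the cause as a Docker API port reachable from the network. The following is an added example, not the author's script, of a small host check that covers both: it flags a Docker API listener bound to all interfaces and reports any running kdevtmpfsi/kinsing processes. The functions read command output from stdin so they can be exercised on constructed samples; the `--live` path assumes `ss` and `ps` are present, and the file name `check.sh` is hypothetical.

```shell
#!/bin/bash
# Added example (not the author's script). Two checks for the situation the post
# describes: an exposed Docker API (the way Kinsing gets in) and a running miner.

# Reads `ss -ltn` output and prints any LISTEN socket on the Docker API ports
# (2375 plain, 2376 TLS) that is bound to every interface. Returns 0 if found.
docker_api_exposed() {
    awk '$1 == "LISTEN" && $4 ~ /^(0\.0\.0\.0|\*|\[::\]):(2375|2376)$/ { print $4; found = 1 }
         END { exit !found }'
}

# Reads `ps -eo pid,pcpu,comm --no-headers` output and prints "PID CPU% COMMAND"
# for the process names the post mentions. Returns 0 if any were found.
kinsing_procs() {
    awk 'tolower($3) ~ /^(kdevtmpfsi|kinsing)$/ { print $1, $2, $3; found = 1 }
         END { exit !found }'
}

# Constructed sample output (not captured from a real host) to exercise the checks.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*'

SAMPLE_PS='1 0.0 systemd
812 0.3 dockerd
2231 197.3 kdevtmpfsi
2240 1.1 kinsing
2301 4.2 postgres'

echo "== checks against constructed sample output =="
printf '%s\n' "$SAMPLE_SS" | docker_api_exposed && echo "Docker API reachable from the network, fix this first"
printf '%s\n' "$SAMPLE_PS" | kinsing_procs && echo "Kinsing processes present"

# Run against the real host with: bash check.sh --live
if [ "${1:-}" = "--live" ]; then
    echo "== checks against this host =="
    ss -ltn | docker_api_exposed && echo "Docker API reachable from the network, fix this first"
    ps -eo pid,pcpu,comm --no-headers | kinsing_procs && echo "Kinsing processes present"
fi
```

The sample `ss` output deliberately contains a Postgres listener on loopback, which is not flagged, and a Docker API listener on `0.0.0.0:2375`, which is. If the live check flags the Docker socket, binding it back to the Unix socket (or to loopback with TLS) is what stops the reinfection that the cron job otherwise has to keep cleaning up.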
