Critical Security Alert: Vulnerable CyberPanel Instance Detected on Your Network

Step 1: Pause Suspicious Processes

First, pause or stop any processes related to malware.

  1. View the list of processes:
ps aux | grep -E 'kinsing|udiskssd|kdevtmpfsi|bash2'
  2. Then I checked the status of process kdevtmpfsi: systemctl status <PID>

Copy the paths of the calling files and delete them in the step below.

  3. Stop the malware process:
sudo kill -9 <PID>

(Replace <PID> with the ID of the kinsing process or other suspicious processes.)

Step 2: Remove Suspicious Service

Check and remove the bot.service:

sudo systemctl stop bot.service
sudo systemctl disable bot.service
sudo rm /lib/systemd/system/bot.service
sudo systemctl daemon-reload

Step 3: Delete Malware Files

Remove the malware files from the system, such as /etc/data/kinsing and /tmp/kdevtmpfsi.

sudo rm -f /etc/data/kinsing
sudo rm -f /etc/kinsing
sudo rm -f /tmp/kdevtmpfsi

Step 4: Delete Suspicious Cron Jobs

Malware often adds tasks to crontab to automatically restart itself. To remove suspicious crontab entries:

  1. Open the root crontab:
sudo crontab -e
  2. Delete any unknown or suspicious lines.


More Info via cmt:

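An added example, not part of the original post: a read-only check to run as root after Steps 1 to 4 that reports any of the process names, files, service unit or crontab entries named above that are still present. The function names and the `--run` switch are assumptions of this example; it deletes nothing.

```shell
#!/bin/sh
# Read-only verification pass for the cleanup steps above (added example).
# Indicator names and paths are the ones listed in the post.

IOC_NAMES='kinsing|udiskssd|kdevtmpfsi|bash2'
IOC_PATHS='/etc/data/kinsing /etc/kinsing /tmp/kdevtmpfsi /lib/systemd/system/bot.service'

# Print every indicator file that still exists under ROOT (default: live system).
# ROOT lets the check run against a mounted disk image or a test directory.
leftover_files() {
    root="${1:-}"
    for p in $IOC_PATHS; do
        [ -e "$root$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Read crontab text on stdin; print non-comment lines that name an indicator.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' | grep -E "$IOC_NAMES" || true
}

# Print running processes whose command line names an indicator.
leftover_processes() {
    ps -eo pid=,args= | grep -E "$IOC_NAMES" | grep -v grep || true
}

# Run all checks on the live host; returns 1 if anything is still present.
# crontab -l lists the invoking user's crontab, so run this as root.
audit_host() {
    found=0
    out=$(leftover_processes); [ -n "$out" ] && { echo "PROCESS: $out"; found=1; }
    out=$(leftover_files);     [ -n "$out" ] && { echo "FILE: $out"; found=1; }
    out=$(crontab -l 2>/dev/null | suspicious_cron_lines)
    [ -n "$out" ] && { echo "CRON: $out"; found=1; }
    return $found
}

# Hypothetical switch: run the audit only when asked, e.g. sudo sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_host
fi
```

A non-zero exit from `--run` means at least one indicator is still on the host and the corresponding step should be repeated.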