Kinsing & debug — Part I

Ant Gam
3 min read · Feb 17, 2021

Cryptojacking is malware that hides on your server (or any other device with a CPU) and steals its computing resources to mine cryptocurrencies such as Bitcoin.

Kinsing is cryptojacking malware known for compromising Docker instances through the Docker API; you can read more about this malware in this link. However, in this series we will see that this malware can also infect our server through a recent vulnerability found in Laravel debug mode.

Today we will show you how to detect whether your server has been compromised by this malware, and one of the possible attack vectors.

1. If you have access to your server, check your resource usage (e.g. htop, top, nmon, etc.) and look for unusual processes (processes whose CPU usage is unreasonable). In most cases the process names for this malware are kdevtmpfsi and kinsing.
htop monitoring

2. Check the connections. At this point the malware is establishing a connection with a remote host. You can check your connections with ‘ss’:

ss -atnp

As you can see, the malware is sending results to 192.87.102.77. It is a good idea to add this IP to a blacklist; here are more reported IPs to which the malware establishes connections.

3. Who started the process or command? This is an interesting question because it helps us understand how the server was compromised. In htop you can see the user; in this case it is the ‘daemon’ user, which starts and owns the Apache service. You can also verify that by running:

systemctl status <pid>

4. Once the evidence is collected, it is time to stop the malware and eliminate any persistence mechanisms. In some cases the malware creates a cronjob to re-download the script whenever it is needed; you can list the cron entries of all users with the following bash one-liner (delete the suspicious ones):

root# for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l; done

Kill the processes you found in step 1:

root# kill -9 <pid>
# or by process name
root# pkill kinsing --signal 9
root# pkill kdevtmpfsi --signal 9
# also you can KILL the process in htop by pressing F9

Now, overwrite all ‘kinsing’ and ‘kdevtmpfsi’ files:

root# find / -type f \( -iname "kinsing" -o -iname "kdevtmpfsi" \) -exec sh -c "echo 'bye' > {}" \;

At this point the malware should be gone. If the process starts again, it means the door is still open: as you saw in step 3, the malicious processes were started by the web server user, so we can determine that the entry point is our web application. We’ll discuss this in the next part.
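Steps 1 to 4 above are easy to run by hand once, but on a box that keeps getting re-infected you want them scripted and repeatable. The script below is an added example, not part of the original post; it wraps the same checks (process names, peer IP, process owner and unit, crontabs, kill and overwrite) in small shell functions. The process names and the peer IP are the ones reported in the post; the `ps` and `ss` sample output embedded in the script is constructed so the detection functions can be exercised offline, and the evidence directory and script name are assumptions. Live checks run only with `--live`, and the destructive cleanup only with `--live --neutralize`; before overwriting a dropped binary it keeps a copy for later analysis, which the post's one-liner does not.

```shell
#!/bin/sh
# Added triage helper for the Kinsing indicators described in steps 1-4 (not the post's code).
# Process names (kinsing, kdevtmpfsi) and peer IP 192.87.102.77 are taken from the post;
# SAMPLE_PS / SAMPLE_SS are constructed test data, not real telemetry.
#   sh kinsing_triage.sh                 -> runs the detectors on the constructed samples
#   sh kinsing_triage.sh --live          -> runs them on this host (read-only)
#   sh kinsing_triage.sh --live --neutralize -> additionally kills and overwrites the binaries

IOC_NAMES='kinsing|kdevtmpfsi'                   # process names reported in the post
IOC_IPS='192.87.102.77'                          # peer IP reported in the post (extend with |)
EVIDENCE_DIR="${EVIDENCE_DIR:-/root/kinsing-evidence}"   # assumed location for kept copies

# Constructed sample in the shape of `ps -eo pid,user,pcpu,comm`.
SAMPLE_PS='  PID USER     %CPU COMMAND
    1 root      0.0 systemd
 2310 daemon    0.3 apache2
 4471 daemon   98.7 kdevtmpfsi
 4502 daemon   12.4 kinsing
 4610 www-data  0.1 nginx'

# Constructed sample in the shape of `ss -atnp`.
SAMPLE_SS='State  Recv-Q  Send-Q  Local Address:Port  Peer Address:Port  Process
ESTAB  0       0       10.0.0.5:22         10.0.0.9:51422      users:(("sshd",pid=1290,fd=4))
ESTAB  0       0       10.0.0.5:45710      192.87.102.77:80    users:(("kdevtmpfsi",pid=4471,fd=3))
LISTEN 0       511     0.0.0.0:80          0.0.0.0:*           users:(("apache2",pid=2310,fd=4))'

# Step 1: read ps output on stdin, print "pid user %cpu comm" for the known malware names.
flag_processes() {
    awk -v pat="^($IOC_NAMES)$" 'NR > 1 && $4 ~ pat { print $1, $2, $3, $4 }'
}

# Step 2: read `ss -atnp` output on stdin, print rows whose peer IP is a known IoC.
# The port suffix is stripped before the lookup, so any destination port matches.
flag_connections() {
    awk -v ips="$IOC_IPS" '
        BEGIN { n = split(ips, a, "|"); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        NR > 1 { peer = $5; sub(/:[0-9]+$/, "", peer); if (peer in want) print }'
}

# Step 3: who owns a PID and which systemd unit it belongs to (live only).
describe_pid() {
    pid=$1
    printf 'pid %s owner: %s\n' "$pid" "$(ps -o user= -p "$pid")"
    systemctl status "$pid" --no-pager 2>/dev/null | head -n 3
}

# Step 4a: every user's crontab, prefixed with the user name (empty crontabs silenced).
list_all_crontabs() {
    for user in $(cut -f1 -d: /etc/passwd); do
        crontab -u "$user" -l 2>/dev/null | sed "s/^/$user: /"
    done
}

# Step 4b: keep a copy of each dropped binary for analysis, overwrite it, then kill the processes.
neutralize() {
    mkdir -p "$EVIDENCE_DIR"
    find / -xdev -type f \( -iname kinsing -o -iname kdevtmpfsi \) 2>/dev/null |
    while read -r f; do
        cp -p "$f" "$EVIDENCE_DIR/$(basename "$f").$(date +%s)" 2>/dev/null
        printf 'bye\n' > "$f"          # same overwrite the post uses
    done
    pkill -9 -x kinsing; pkill -9 -x kdevtmpfsi
}

triage_live() {
    pids=$(mktemp)
    echo '== suspicious processes =='; ps -eo pid,user,pcpu,comm | flag_processes | tee "$pids"
    echo '== connections to known IoCs =='; ss -atnp 2>/dev/null | flag_connections
    echo '== process owners / units =='; while read -r pid _; do describe_pid "$pid"; done < "$pids"
    echo '== crontabs =='; list_all_crontabs
    rm -f "$pids"
    if [ "${2:-}" = "--neutralize" ]; then neutralize; fi
}

case "${1:-}" in
    --live) triage_live "$@" ;;
    *) printf '%s\n' "$SAMPLE_PS" | flag_processes; printf '%s\n' "$SAMPLE_SS" | flag_connections ;;
esac
```

Run without arguments it only exercises the two parsers on the constructed samples, which is a cheap way to confirm the patterns before trusting them on a live host; once an infection is confirmed, run `--live` first so the process owner, the peer address and the crontab contents are recorded before `--neutralize` destroys them.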
