SOLVED kinsing kdevtmpfsi on cpanel

ajaym4a

I'm facing a kinsing kdevtmpfsi attack on my server, under an account. The files that run are:
/dev/shm/.ICEd-unix
/tmp/.ICEd-unix
/tmp/libsystem.so
/tmp/kinsing
/tmp/kdevtmpfsi

I changed the permissions of these files and disabled the cron job for this account too, but it still creates the files in the tmp folder with another name. Can anyone help with how to get rid of this from the server? While it's running, it creates a cron job and consumes a lot of CPU.
 

cPRex

Jurassic Moderator
Staff member
Hey there! The best thing to do if you suspect the server has been compromised or is being attacked would be to reach out to a security expert to examine the system directly. I do see there is a lot of information online about this specific issue, but everyone seems to recommend handling it a different way, so your situation is also likely unique.
 

steventeo

This seems to be a cPanel-level issue. I started with 1 machine reporting this issue last week, and just yesterday, it came up on 2 of my other cPanel machines.
 

steventeo

On cPanel, this seems to be caused by CVE-2021-41773, CVE-2021-42013. You will probably have Apache HTTP Server 2.4.49 and 2.4.50 installed and running.
Just do an EasyApache4 to update your Apache MPM. In Apache Status, it should reflect 2.4.51, and that should fix the issue. You will still need to remove those files and check the cron jobs for all your accounts. At least, this is working for us for now; will update if otherwise.
 

steventeo

Interesting - I hadn't heard of that being related to the Apache issue yet on my end. Let us know if you need anything else.
Relatively new, but it is definitely going wild.


It has been more than 24 hours since our update to 2.4.51. Seems to fix the issue.
 

cPanelDaniel

Good day!

Thank you @steventeo for updating the thread with this information and the solution.

Our security team put out an emergency security patch on Oct 7th regarding this CVE as seen in the EasyApache changelog. We always recommend staying up to date with the latest updates to ensure vulnerabilities and bugs are patched as soon as possible.
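
The checks described in this thread (Apache version, the listed files, cron jobs for every account), as an added read-only triage script that is not part of the original posts. The function names and the `/var/spool/cron` per-user crontab location are assumptions; the file paths and version numbers are the ones quoted above.

```shell
#!/bin/sh
# Added example: read-only triage for the indicators named in this thread.
# It only reports; it deletes nothing.

# File paths exactly as listed in the original post.
ARTIFACTS="/dev/shm/.ICEd-unix /tmp/.ICEd-unix /tmp/libsystem.so /tmp/kinsing /tmp/kdevtmpfsi"

# Exit 0 if the version is one of the two Apache releases named in the thread.
apache_is_affected() {
    case "$1" in
        2.4.49|2.4.50) return 0 ;;
        *) return 1 ;;
    esac
}

# Print each listed artifact that exists under root prefix $1 ("" = live system).
find_artifacts() {
    for p in $ARTIFACTS; do
        if [ -e "$1$p" ] || [ -L "$1$p" ]; then echo "$p"; fi
    done
}

# Print "user: entry" for every crontab line in directory $1 that mentions a
# listed name. The original post says the files reappear under other names,
# so entries that do not match still need a manual review.
scan_crontabs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        grep -E 'kinsing|kdevtmpfsi|libsystem\.so|\.ICEd-unix' "$f" |
            sed "s|^|$(basename "$f"): |"
    done
}

# Live check: Apache version, artifacts, then every account's crontab.
triage() {
    ver=$(httpd -v 2>/dev/null | sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p')
    if apache_is_affected "$ver"; then echo "Apache $ver: update via EasyApache 4"; fi
    find_artifacts ""
    # Assumption: per-user crontabs live in /var/spool/cron; override with CRON_DIR.
    scan_crontabs "${CRON_DIR:-/var/spool/cron}"
}

# Run against the live system only when asked: sh triage.sh run
if [ "${1:-}" = "run" ]; then triage; fi
```

Run it as root so every account's crontab is readable; an empty result for the listed names does not clear a server where the files have been recreated under different names.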