kinsing kdevtmpfsi on cpanel

  • cPRex Jurassic Moderator
    Hey there! The best thing to do if you suspect the server has been compromised or is being attacked would be to reach out to a security expert to examine the system directly. I do see there is a lot of information online about this specific issue, but everyone seems to recommend handling it a different way, so your situation is also likely unique.
  • steventeo
    > Hey there! The best thing to do if you suspect the server has been compromised or is being attacked would be to reach out to a security expert to examine the system directly. I do see there is a lot of information online about this specific issue, but everyone seems to recommend handling it a different way, so your situation is also likely unique.

    This seems to be a cPanel-level issue. I started with 1 machine reporting this issue last week, and just yesterday it came up on 2 of my other cPanel machines.
  • steventeo
    > I'm facing a kinsing kdevtmpfsi attack on my server, under an account. The files that run are /dev/shm/.ICEd-unix /tmp/.ICEd-unix /tmp/libsystem.so /tmp/kinsing /tmp/kdevtmpfsi. I changed the permissions of these files and disabled the cron job for this account too, but it still creates the files in the tmp folder with other names. Can anyone help with how to get rid of this from the server? While it's running, it creates a cron job and consumes a lot of CPU.

    On cPanel, this seems to be caused by CVE-2021-41773, CVE-2021-42013. You will probably have Apache HTTP Server 2.4.49 and 2.4.50 installed and running. Just do an EasyApache4 to update your Apache MPM. In Apache Status, it should reflect 2.4.51, and that should fix the issue. You will still need to remove those files and check the cron jobs for all your accounts. At least, this is working for us for now; will update if otherwise.
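
    The checks described in the post above (Apache release, the listed files, cron jobs for every account), as an added read-only triage script that is not part of the thread. The crontab directory `/var/spool/cron` and the script name `triage.sh` are assumptions; the file paths and version numbers are the ones quoted in the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Read-only triage: reports, deletes nothing.

# Artifact paths exactly as listed in the thread.
ARTIFACTS="/dev/shm/.ICEd-unix /tmp/.ICEd-unix /tmp/libsystem.so /tmp/kinsing /tmp/kdevtmpfsi"
# Assumption: per-user crontabs live here (RHEL-family layout).
CRON_DIR="/var/spool/cron"

# Succeeds only for the two Apache releases named in the thread.
is_affected_version() {
  case "$1" in
    2.4.49|2.4.50) return 0 ;;
    *) return 1 ;;
  esac
}

# Reads `httpd -v` output on stdin and prints the bare version number.
parse_apache_version() {
  sed -n 's|^Server version: Apache/\([0-9.]*\).*|\1|p'
}

# Prints each listed artifact that exists under ROOT (empty ROOT = live system).
find_artifacts() {
  for p in $ARTIFACTS; do
    if [ -e "$1$p" ]; then printf '%s\n' "$1$p"; fi
  done
}

# Prints "file:line" for every crontab entry in DIR that names an artifact.
scan_crontabs() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    grep -HE 'kinsing|kdevtmpfsi|libsystem\.so|\.ICEd-unix' "$f" || true
  done
}

triage() {
  v=$(httpd -v 2>/dev/null | parse_apache_version)
  if is_affected_version "$v"; then
    echo "Apache $v is an affected release: update with EasyApache 4"
  else
    echo "Apache ${v:-unknown} is not 2.4.49 or 2.4.50"
  fi
  find_artifacts ""
  scan_crontabs "$CRON_DIR"
}

# Run the checks only when asked, e.g. `bash triage.sh --run` as root.
if [ "${1:-}" = "--run" ]; then triage; fi
```

    Because the thread reports the files reappearing under other names, a clean result from the name-based checks does not rule out a compromise; the version check is the part that confirms the fix is in place.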
  • cPRex Jurassic Moderator
    Interesting - I hadn't heard of that being related to the Apache issue yet on my end. Let us know if you need anything else.
  • steventeo
    > Interesting - I hadn't heard of that being related to the Apache issue yet on my end. Let us know if you need anything else.

    Relatively new, but it is definitely going wild. It has been more than 24 hours since our update to 2.4.51. Seems to fix the issue.
  • ajaym4a
    Thanks for the replies.
  • Daniel12345
    Good day! Thank you @steventeo for updating the thread with this information and the solution. Our security team put out an emergency security patch on Oct 7th regarding this CVE as seen in the