
I found some strange process on my CentOS 8 machine; check the photo above:

screen shot of ps output

When I type cat /etc/passwd I don't see user 990 anywhere. Also, this kinsing process is strange, because this is the same process that infected my machine in the first place, using Redis.

How can I locate this and figure out what is going on? I already removed it from my system, uninstalled Redis, and also deleted the redis username that was used to run the miner process, but the process running in the image that I am interested in makes it clear that they still have something in my system. How can I find out where the files running this process are, and who is this 990 username running this process?

Additional information I just found regarding the process:

ls -la /proc/41325/exe
lrwxrwxrwx 1 990 987 0 Feb 28 21:53 /proc/41325/exe -> '/var/tmp/kinsing (deleted)'

1 Answer


It sounds to me like this process was already running (i.e. in memory) when you did your cleanup and you didn't kill it, so it's still there.

The 990 username means the user no longer exists. It appears that the user associated with Redis that you deleted had the user ID 990.

You can, of course, terminate the running instance with 'kill 41325'.

While it is impossible to guarantee that a server has been fully unhacked, no evidence has been shown that the user managed to escalate themselves to root, so you may well be OK. You may want to run a command like "find / -user 990" to check whether there are any traces of this account left.

davidgo
  • 6,504
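The triage steps discussed in the question and answer (reading the "(deleted)" exe link, checking whether the numeric UID still has a passwd entry, and the answer's "find / -user 990"), collected into one script. This is an added example, not code from the asker or the answerer. It assumes a Linux host with /proc mounted, takes the PID and UID as arguments, and goes one step beyond the answer by also copying the unlinked binary out of /proc before it is killed and by adding find's -nouser test, which matches files whose owner has no passwd entry at all. The file name triage.sh in the usage line is hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: triage a process whose binary has
# been unlinked from disk and look for files left behind by a removed UID.
# Assumes Linux with /proc mounted. Usage: sh triage.sh PID [UID]

# Where did the running binary come from? readlink still resolves /proc/PID/exe
# after the file was unlinked; the kernel appends " (deleted)" in that case.
proc_exe_status() {
    pid="$1"
    target=$(readlink "/proc/$pid/exe" 2>/dev/null) || { echo "no-such-pid"; return 1; }
    case "$target" in
        *" (deleted)") echo "deleted:${target% (deleted)}" ;;
        *)             echo "ondisk:$target" ;;
    esac
}

# Real UID of the process, from /proc/PID/status. ps prints this as a bare
# number (like 990) when no passwd entry matches it.
proc_owner() {
    awk '/^Uid:/ { print $2 }' "/proc/$1/status"
}

# Does the UID still have a local passwd entry? Same check as the question's
# "cat /etc/passwd"; returns 1 for a deleted account.
uid_exists() {
    awk -F: -v u="$1" '$3 == u { found = 1 } END { exit !found }' /etc/passwd
}

# Copy the unlinked binary out of /proc for offline analysis (hashing, strings).
# The inode stays readable only while a process holds it open, so do this
# before running kill.
recover_exe() {
    cp "/proc/$1/exe" "$2" && chmod 600 "$2" && [ -s "$2" ]
}

# Everything the process still exposes about where it lives: cwd, argv, open
# file descriptors (deleted files and sockets included).
triage_process() {
    pid="$1"
    echo "pid $pid: $(proc_exe_status "$pid")"
    owner=$(proc_owner "$pid")
    if uid_exists "$owner"; then
        echo "owner uid $owner has a passwd entry"
    else
        echo "owner uid $owner has NO passwd entry (deleted account)"
    fi
    echo "cwd:  $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "argv: $(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
    echo "open fds:"
    for fd in "/proc/$pid/fd"/*; do
        [ -e "$fd" ] || continue
        echo "  $(basename "$fd") -> $(readlink "$fd")"
    done
}

# Files still owned by the removed UID (the answer's "find / -user 990"), plus
# anything whose owner has no passwd entry at all. -xdev keeps find off /proc
# and other pseudo-filesystems; GNU find accepts a bare UID for -user.
orphaned_files() {
    dir="$1"; uid="$2"
    find "$dir" -xdev \( -user "$uid" -o -nouser \) 2>/dev/null
}

if [ "$#" -ge 1 ]; then
    triage_process "$1"
    if [ "$#" -ge 2 ]; then
        echo "files owned by uid $2 or by no known user:"
        orphaned_files / "$2"
    fi
fi
```

For the case in the question you would run it as "sh triage.sh 41325 990" before killing the process, then hash the recovered copy and compare it with the sample you already removed from /var/tmp. Open sockets listed under "open fds" show whether the process is still talking to anything; a file descriptor pointing at a second "(deleted)" path is a hint that more unlinked payloads are being held open.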