Kinsing (kdevtmpfsi) Cryptomining Attack and Cleanup
Due to a remote execution flaw in CyberPanel, I had to clean up after this attack. The most useful site I found was “Kinsing malware (kdevtmpfsi) – how to kill” on CreateIt. The instructions there are useful. Don’t forget to do the full search: if you have any “kinsing” files left, they’ll get things started all over again. I’m posting this primarily to add a link to their post with the appropriate keywords to help others find it. It’s not directly related to CyberPanel, so I hope having this link will help someone.
The directories used in my case were /etc, /etc/data, /dev/shm, and /tmp.
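A read-only way to run that search, as an added example (not from this post or the CreateIt article): the marker names and default directories are the ones mentioned above, while the function names and the process check are assumptions of the example.

```shell
#!/bin/sh
# Added example: read-only sweep for leftover Kinsing artifacts. Nothing is deleted.
# The names "kinsing" and "kdevtmpfsi" and the default directories come from the
# post; function names and the process check are assumptions of this example.

PATTERN='kinsing|kdevtmpfsi'

# find_leftover_files [ROOT...]
# Prints every regular file whose name contains either marker, case-insensitively.
# With no arguments it checks the directories named in the post; pass / for the
# full search.
find_leftover_files() (
    [ "$#" -gt 0 ] || set -- /etc /etc/data /dev/shm /tmp
    # Skip kernel pseudo-filesystems; sort -u removes duplicates from nested roots.
    find "$@" \( -path /proc -o -path /sys \) -prune -o \
        -type f \( -iname '*kinsing*' -o -iname '*kdevtmpfsi*' \) -print \
        2>/dev/null | sort -u
)

# find_leftover_procs [PROC_ROOT]
# Prints "pid<TAB>comm<TAB>exe" for processes whose command name or executable
# path matches. A binary removed while still running shows up as "... (deleted)".
find_leftover_procs() (
    proc="${1:-/proc}"
    for d in "$proc"/[0-9]*; do
        [ -d "$d" ] || continue
        comm="$(cat "$d/comm" 2>/dev/null || true)"
        exe="$(readlink "$d/exe" 2>/dev/null || true)"
        if printf '%s\n%s\n' "$comm" "$exe" | grep -Eiq "$PATTERN"; then
            printf '%s\t%s\t%s\n' "${d##*/}" "$comm" "$exe"
        fi
    done
)
```

Source the file as root and run `find_leftover_files /` followed by `find_leftover_procs`; on a clean server both print nothing.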
CyberPanel has issued an update. I had to clean up the crypto issue before updating, but after the update everything got back to normal.
A number of people were attacked by ransomware encryption. That is the problem with remote execution flaws.
Here’s an additional valuable link to help check this and related issues. You need to be certain your server is clean after the update.
https://community.cyberpanel.net/t/critical-security-alert-vulnerable-cyberpanel-instance-detected-on-your-network/56021