My Ubuntu server has been infected by a virus kdevtmpfsi

Do a

chmod 000 /tmp/kdevtmpfsi

first. That will kill access to that file

From a user prompt if possible if that is not YOUR user:

sudo -u fabio
crontab -l 

otherwise you only need the LAST line of these 2. If it is in there

crontab -e

to edit and remove that line. If not, crontabs are stored in /var/spool/cron/crontabs/. There will be a fabio there. Nuke it all.

And it is not a virus. It is a miner that you probably installed yourself or installed as part of some piece of software. IF NOT, consider your server compromised, format the disks and restore a backup. If you did, please stick to regular and trusted sources.


edit: found some more about this.

Also related to this:

/tmp/zzz

That seems to be the bootstrap file. chmod that one too and nuke it after you verified you killed it or it killed itself.

The chmod removes permissions so the miner cannot recreate the file nor write to or read from it. Effectively killing it. THEN start hunting down the files. Nuke /tmp/* /var/tmp/* for anything with kinsing in the name plus the files listed above.

Try to execute deletes in ONE command so it does not get a chance to initialize itself.

Interesting topic on GitHub about how to remove it.


It has been documented here. Redis is known to be easily hackable unless you set up decent protection yourself.
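A read-only triage helper for the indicators this answer names, added here as an example and not part of the original answer: it lists /tmp/kdevtmpfsi, /tmp/zzz and anything with "kinsing" in its name under /tmp and /var/tmp, and greps crontab files for lines referencing them, so you can see what is present before deciding between the chmod/cleanup route and a rebuild from backup. The function names, the TRIAGE_DIRS variable and the --run flag are this example's own conventions.

```shell
#!/bin/sh
# Added triage example (not from the original answer). Read-only: it only
# reports, it never chmods or deletes anything.

# Directories to scan; TRIAGE_DIRS can be overridden to point at a test tree.
TRIAGE_DIRS="${TRIAGE_DIRS:-/tmp /var/tmp}"

# find_miner_files DIR...
# Prints the paths of the files the answer names (kdevtmpfsi, zzz) and any
# file with "kinsing" in its name inside each DIR. Returns 0 if anything was
# found, 1 if the directories are clean.
find_miner_files() {
    found=1
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/kdevtmpfsi "$d"/zzz; do
            [ -e "$f" ] && { echo "$f"; found=0; }
        done
        # unmatched glob stays literal, so the -e test simply fails
        for f in "$d"/*kinsing*; do
            [ -e "$f" ] && { echo "$f"; found=0; }
        done
    done
    return $found
}

# suspicious_cron_lines < crontab_text
# Prints crontab lines that reference the miner's files. Returns grep's
# status: 0 if at least one line matched, 1 if none did.
suspicious_cron_lines() {
    grep -E 'kdevtmpfsi|kinsing|/tmp/zzz'
}

# triage_report: run both checks against the live system and summarise.
triage_report() {
    echo "== files under: $TRIAGE_DIRS"
    if find_miner_files $TRIAGE_DIRS; then
        echo "-> miner files present; chmod 000 them before removing"
    else
        echo "-> none found"
    fi
    echo "== crontab entries (/var/spool/cron/crontabs, needs root to read)"
    for c in /var/spool/cron/crontabs/*; do
        [ -r "$c" ] || continue
        suspicious_cron_lines < "$c" | sed "s|^|$c: |"
    done
}

# Only touch the live system when explicitly asked: sh triage.sh --run
if [ "${1:-}" = "--run" ]; then
    triage_report
fi
```

Run it as root so the crontab spool is readable; a non-root run still checks the file system indicators. If it reports anything, the answer's advice applies: chmod first, then delete in one command, and if you did not install the miner yourself, treat the host as compromised.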