Add kinsing_cleanup.sh

kinsing_cleanup.sh

@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Kinsing Malware Cleanup Script
+# WARNING: Use with caution and understand each step before running
+# Recommended to review and modify as per your specific server configuration
+
+# Ensure script is run with root privileges
+if [[ $EUID -ne 0 ]]; then
+   echo "This script must be run as root" 
+   exit 1
+fi
+
+# Function to log actions
+log() {
+    echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" | tee -a /var/log/kinsing_cleanup.log
+}
+
+# Cleanup Function
+cleanup_kinsing() {
+    # Step 0: Backup critical system files before cleanup
+    log "Creating backup of critical files before cleanup"
+    mkdir -p /root/kinsing_backup
+    cp /etc/crontab /root/kinsing_backup/
+    cp /var/spool/cron/crontabs/root /root/kinsing_backup/root_crontab
+
+    # Step 1: Disable Cron
+    log "Stopping cron service"
+    systemctl stop cron
+    
+    # Step 2: Delete Malware Files
+    log "Removing known Kinsing malware files"
+    rm_files=(
+        "/etc/data/kinsing"
+        "/etc/kinsing"
+        "/tmp/kdevtmpfsi"
+        "/usr/lib/secure"
+        "/usr/lib/secure/udiskssd"
+        "/usr/bin/network-setup.sh"
+        "/usr/.sshd-network-service.sh"
+        "/usr/.network-setup"
+        "/usr/.network-setup/config.json"
+        "/usr/.network-setup/xmrig-*tar.gz"
+        "/usr/.network-watchdog.sh"
+        "/dev/shm/kdevtmpfsi"
+        "/etc/data/libsystem.so"
+    )
+    
+    for file in "${rm_files[@]}"; do
+        # Remove immutable flag if present
+        chattr -i "$file" 2>/dev/null
+        rm -rf "$file" 2>/dev/null
+    done
+
+    # Step 3: Remove Suspicious Services
+    suspicious_services=(
+        "bot.service"
+        "systemd_s.service"
+        "sshd-network-service.service"
+        "network-monitor.service"
+    )
+    
+    for service in "${suspicious_services[@]}"; do
+        log "Stopping and disabling $service"
+        systemctl stop "$service" 2>/dev/null
+        systemctl disable "$service" 2>/dev/null
+        rm "/lib/systemd/system/$service" 2>/dev/null
+        rm "/etc/systemd/system/$service" 2>/dev/null
+    done
+    
+    # Reload systemd to recognize changes
+    systemctl daemon-reload
+
+    # Step 4: Kill Suspicious Processes
+    log "Killing suspicious processes"
+    ps aux | grep -E 'kinsing|udiskssd|kdevtmpfsi|bash2|.network-setup|syshd|atdb' | awk '{print $2}' | xargs kill -9 2>/dev/null
+
+    # Step 5: Remove Preloaded Libraries
+    log "Removing preloaded libraries"
+    if [ -f "/etc/ld.so.preload" ]; then
+        # Kill processes using the library
+        lsof | grep libsystem.so | awk '{print $2}' | xargs kill -9 2>/dev/null
+        rm /etc/ld.so.preload
+    fi
+
+    # Step 6: Clean Suspicious Cron Jobs
+    log "Cleaning suspicious cron jobs"
+    # Remove immutable attribute from crontab
+    chattr -ia /var/spool/cron/crontabs/root 2>/dev/null
+    chattr -ia /var/spool/cron/root 2>/dev/null
+
+    # Clean root user crontab
+    (crontab -l 2>/dev/null | grep -v "atdb") | crontab - 2>/dev/null
+
+    # Additional Security Steps
+    log "Installing security scanning tools"
+    apt-get update
+    apt-get install -y chkrootkit rkhunter
+
+    # Run rootkit hunter
+    log "Running rkhunter security scan"
+    rkhunter --check --sk
+
+    # Find recently modified files (last 2 days)
+    log "Finding recently modified files"
+    find / -mtime -2 2>/dev/null > /root/kinsing_recent_files.txt
+}
+
+# Main execution
+main() {
+    log "Starting Kinsing Malware Cleanup Process"
+    
+    # Confirm before proceeding
+    read -p "WARNING: This script will make significant system changes. Are you sure you want to continue? (y/N) " response
+    if [[ "$response" =~ ^[Yy]$ ]]; then
+        cleanup_kinsing
+        log "Cleanup process completed. Please review the log and recent files list."
+    else
+        log "Cleanup process aborted by user"
+        exit 1
+    fi
+}
+
+# Run the main function
+main