commit b179c5771e4099c59969c5b1e1c9164d988f6d39 Author: hhf Date: Tue Nov 26 12:37:31 2024 +0530 Add kinsing_cleanup.sh
diff --git a/kinsing_cleanup.sh b/kinsing_cleanup.sh
new file mode 100644
index 0000000..3622bff
--- /dev/null
+++ b/kinsing_cleanup.sh
@@ -0,0 +1,124 @@
+#!/bin/bash
+
+# Kinsing Malware Cleanup Script
+# WARNING: Use with caution and understand each step before running
+# Recommended to review and modify as per your specific server configuration
+
+# Ensure script is run with root privileges
+if [[ $EUID -ne 0 ]]; then
+ echo "This script must be run as root"
+ exit 1
+fi
+
+# Function to log actions
+log() {
+ echo "[$(date +'%Y-%m-%d %H:%M:%S')] $*" | tee -a /var/log/kinsing_cleanup.log
+}
+
+# Cleanup Function
+cleanup_kinsing() {
+ # Step 0: Backup critical system files before cleanup
+ log "Creating backup of critical files before cleanup"
+ mkdir -p /root/kinsing_backup
+ cp /etc/crontab /root/kinsing_backup/
+ cp /var/spool/cron/crontabs/root /root/kinsing_backup/root_crontab
+
+ # Step 1: Disable Cron
+ log "Stopping cron service"
+ systemctl stop cron
+
+ # Step 2: Delete Malware Files
+ log "Removing known Kinsing malware files"
+ rm_files=(
+ "/etc/data/kinsing"
+ "/etc/kinsing"
+ "/tmp/kdevtmpfsi"
+ "/usr/lib/secure"
+ "/usr/lib/secure/udiskssd"
+ "/usr/bin/network-setup.sh"
+ "/usr/.sshd-network-service.sh"
+ "/usr/.network-setup"
+ "/usr/.network-setup/config.json"
+ "/usr/.network-setup/xmrig-*tar.gz"
+ "/usr/.network-watchdog.sh"
+ "/dev/shm/kdevtmpfsi"
+ "/etc/data/libsystem.so"
+ )
+
+ for file in "${rm_files[@]}"; do
+ # Remove immutable flag if present
+ chattr -i "$file" 2>/dev/null
+ rm -rf "$file" 2>/dev/null
+ done
+
+ # Step 3: Remove Suspicious Services
+ suspicious_services=(
+ "bot.service"
+ "systemd_s.service"
+ "sshd-network-service.service"
+ "network-monitor.service"
+ )
+
+ for service in "${suspicious_services[@]}"; do
+ log "Stopping and disabling $service"
+ systemctl stop "$service" 2>/dev/null
+ systemctl disable "$service" 2>/dev/null
+ rm "/lib/systemd/system/$service" 2>/dev/null
+ rm "/etc/systemd/system/$service" 2>/dev/null
+ done
+
+ # Reload systemd to recognize changes
+ systemctl daemon-reload
+
+ # Step 4: Kill Suspicious Processes
+ log "Killing suspicious processes"
+ ps aux | grep -E 'kinsing|udiskssd|kdevtmpfsi|bash2|.network-setup|syshd|atdb' | awk '{print $2}' | xargs kill -9 2>/dev/null
+
+ # Step 5: Remove Preloaded Libraries
+ log "Removing preloaded libraries"
+ if [ -f "/etc/ld.so.preload" ]; then
+ # Kill processes using the library
+ lsof | grep libsystem.so | awk '{print $2}' | xargs kill -9 2>/dev/null
+ rm /etc/ld.so.preload
+ fi
+
+ # Step 6: Clean Suspicious Cron Jobs
+ log "Cleaning suspicious cron jobs"
+ # Remove immutable attribute from crontab
+ chattr -ia /var/spool/cron/crontabs/root 2>/dev/null
+ chattr -ia /var/spool/cron/root 2>/dev/null
+
+ # Clean root user crontab
+ (crontab -l 2>/dev/null | grep -v "atdb") | crontab - 2>/dev/null
+
+ # Additional Security Steps
+ log "Installing security scanning tools"
+ apt-get update
+ apt-get install -y chkrootkit rkhunter
+
+ # Run rootkit hunter
+ log "Running rkhunter security scan"
+ rkhunter --check --sk
+
+ # Find recently modified files (last 2 days)
+ log "Finding recently modified files"
+ find / -mtime -2 2>/dev/null > /root/kinsing_recent_files.txt
+}
+
+# Main execution
+main() {
+ log "Starting Kinsing Malware Cleanup Process"
+
+ # Confirm before proceeding
+ read -p "WARNING: This script will make significant system changes. Are you sure you want to continue? (y/N) " response
+ if [[ "$response" =~ ^[Yy]$ ]]; then
+ cleanup_kinsing
+ log "Cleanup process completed. Please review the log and recent files list."
+ else
+ log "Cleanup process aborted by user"
+ exit 1
+ fi
+}
+
+# Run the main function
+main
\ No newline at end of file
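Review bot: The process sweep in Step 4 (`ps aux | grep -E 'kinsing|…' | awk '{print $2}' | xargs kill -9`) matches this script's own command line — the file is named kinsing_cleanup.sh — plus the grep itself and any `sudo bash kinsing_cleanup.sh` parent, so the cleanup is killed before Steps 5 and 6 run and nothing is logged about which processes were terminated. Using `pgrep -f` (which never reports itself), skipping `$$` and `$PPID`, and logging each matched command line before the kill fixes that and leaves an incident-response record; the unescaped `.` in `.network-setup` should also become `\.network-setup` so it does not match any character. Step 5 has the same shape of problem: if the preload is global, every process started after it was installed has libsystem.so mapped, this shell included, so `lsof | grep libsystem.so | … kill -9` can take down sshd and the script itself; removing the offending entry from /etc/ld.so.preload first and then restarting the affected services is the safer order. Note also that cron is stopped in Step 1 and never started again, so a `systemctl start cron` belongs at the end of cleanup_kinsing once the crontab has been cleaned.
```shell
 # Step 4: Kill Suspicious Processes
 log "Killing suspicious processes"
 # pgrep never reports itself; $$ and $PPID are skipped so the 'kinsing' pattern
 # cannot match kinsing_cleanup.sh (or its sudo/bash parent) and end this run.
 pattern='kinsing|udiskssd|kdevtmpfsi|bash2|\.network-setup|syshd|atdb'
 mapfile -t matched < <(pgrep -af "$pattern")
 for entry in "${matched[@]}"; do
   pid=${entry%% *}
   [[ "$pid" == "$$" || "$pid" == "$PPID" ]] && continue
   log "Killing PID $pid: ${entry#* }"
   kill -9 "$pid" 2>/dev/null
 done
 # … unchanged: Step 5 onward …
```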