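#!/usr/bin/env bash
# Kinsing Malware Cleanup Script
# WARNING: Use with caution and understand each step before running
# Recommended to review and modify as per your specific server configuration
#
# Usage: run as root:  ./kinsing_cleanup.sh
#
# Files written:
#   /var/log/kinsing_cleanup.log       - timestamped action log
#   /root/kinsing_backup/              - copies of crontabs and ld.so.preload taken BEFORE removal
#   /root/kinsing_recent_files.txt     - paths modified in the last 2 days
#   /root/suspicious_users_report.txt  - account / sudo / SSH-key review
#
# Deliberately NOT 'set -e': most steps are best-effort (chattr/rm/systemctl on
# artifacts that may not exist on this host) and a failure there must not abort
# the rest of the cleanup. Unset-variable and pipeline errors are still caught.
set -uo pipefail

readonly LOG_FILE=/var/log/kinsing_cleanup.log
readonly BACKUP_DIR=/root/kinsing_backup
readonly PRELOAD_FILE=/etc/ld.so.preload
readonly RECENT_FILES_REPORT=/root/kinsing_recent_files.txt
readonly SUSPICIOUS_USERS_REPORT=/root/suspicious_users_report.txt
# ERE matched by pgrep -f against full command lines. The dot in .network-setup
# is escaped so it matches the literal hidden-file name rather than any character.
readonly PROCESS_PATTERN='kinsing|udiskssd|kdevtmpfsi|bash2|\.network-setup|syshd|atdb'

# Ensure script is run with root privileges
if [[ $EUID -ne 0 ]]; then
  printf '%s\n' "This script must be run as root" >&2
  exit 1
fi

#######################################
# Log a timestamped message to stdout and append it to LOG_FILE.
# Arguments: message words
#######################################
log() {
  printf '[%s] %s\n' "$(date +'%Y-%m-%d %H:%M:%S')" "$*" | tee -a "$LOG_FILE"
}

#######################################
# Step 0: copy crontabs and ld.so.preload aside before anything is removed so
# the evidence survives the cleanup. Both Debian and RHEL crontab paths are tried.
# Globals: BACKUP_DIR, PRELOAD_FILE
#######################################
backup_critical_files() {
  log "Creating backup of critical files before cleanup in $BACKUP_DIR"
  mkdir -p "$BACKUP_DIR" && chmod 700 "$BACKUP_DIR"
  local src dest
  for src in /etc/crontab /var/spool/cron/crontabs/root /var/spool/cron/root "$PRELOAD_FILE"; do
    [[ -f "$src" ]] || continue
    # Flatten "/var/spool/cron/root" into "var_spool_cron_root" so names cannot collide
    dest=${src#/}
    dest=${dest//\//_}
    cp -p -- "$src" "$BACKUP_DIR/$dest" && log "Backed up $src -> $BACKUP_DIR/$dest"
  done
}

#######################################
# Step 1: stop cron so scheduled persistence cannot re-run during the cleanup.
# Debian/Ubuntu call the unit 'cron', the RHEL family 'crond'.
# NOTE: cron is NOT restarted by this script; restart it after reviewing the crontabs.
#######################################
stop_cron() {
  log "Stopping cron service"
  systemctl stop cron 2>/dev/null || systemctl stop crond 2>/dev/null
}

#######################################
# Step 2: remove /etc/ld.so.preload and kill processes that already mapped
# libsystem.so. Done BEFORE pgrep/ps/lsof are used elsewhere: a library listed
# in ld.so.preload is injected into every new process, so tools started while
# it is present may be affected by it. The file was copied to BACKUP_DIR in Step 0.
# Globals: PRELOAD_FILE
#######################################
remove_ld_preload() {
  [[ -f "$PRELOAD_FILE" ]] || return 0
  log "Removing $PRELOAD_FILE (contents: $(tr '\n' ' ' < "$PRELOAD_FILE"))"
  chattr -i "$PRELOAD_FILE" 2>/dev/null
  rm -f -- "$PRELOAD_FILE"

  # Processes that already loaded the library keep it mapped until they exit.
  # lsof is launched only now, after the preload file is gone.
  if ! command -v lsof >/dev/null 2>&1; then
    log "lsof not installed; cannot locate processes that loaded libsystem.so"
    return 0
  fi
  local pid
  while IFS= read -r pid; do
    [[ -n "$pid" && "$pid" != "$$" ]] || continue
    log "Killing PID $pid (has libsystem.so mapped)"
    kill -9 "$pid" 2>/dev/null
  done < <(lsof -n 2>/dev/null | awk '/libsystem\.so/ {print $2}' | sort -u)
}

#######################################
# Step 3: kill processes whose command line matches PROCESS_PATTERN.
# Runs before file removal so a still-running process (e.g. the watchdog script
# in the removal list) cannot recreate what is deleted. The script's own PID and
# its parent are skipped: their command line may itself contain "kinsing"
# (for instance if this file is named kinsing_cleanup.sh), which the original
# 'ps aux | grep' pipeline would have matched and killed.
# Globals: PROCESS_PATTERN
#######################################
kill_suspicious_processes() {
  log "Killing suspicious processes"
  local -a pids=()
  mapfile -t pids < <(pgrep -f "$PROCESS_PATTERN")
  (( ${#pids[@]} )) || { log "No processes matched '$PROCESS_PATTERN'"; return 0; }

  local pid cmdline
  for pid in "${pids[@]}"; do
    [[ "$pid" == "$$" || "$pid" == "$PPID" ]] && continue
    # Record what was killed; cmdline is NUL-separated in /proc
    cmdline=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
    log "Killing PID $pid: ${cmdline:-<unknown>}"
    kill -9 "$pid" 2>/dev/null
  done
}

#######################################
# Step 4: delete known Kinsing artifacts. Entries may be glob patterns
# (xmrig-*tar.gz); the original script quoted the array element on expansion,
# so that pattern was only ever matched literally. Immutable/append-only
# attributes are cleared recursively first because they block rm.
#######################################
remove_malware_files() {
  log "Removing known Kinsing malware files"
  local -a rm_patterns=(
    "/etc/data/kinsing"
    "/etc/kinsing"
    "/tmp/kdevtmpfsi"
    "/usr/lib/secure"
    "/usr/lib/secure/udiskssd"
    "/usr/bin/network-setup.sh"
    "/usr/.sshd-network-service.sh"
    "/usr/.network-setup"
    "/usr/.network-setup/config.json"
    "/usr/.network-setup/xmrig-*tar.gz"
    "/usr/.network-watchdog.sh"
    "/dev/shm/kdevtmpfsi"
    "/etc/data/libsystem.so"
  )
  local pattern file
  shopt -s nullglob   # an unmatched glob expands to nothing instead of itself
  for pattern in "${rm_patterns[@]}"; do
    # shellcheck disable=SC2086 -- deliberately unquoted so glob entries expand
    for file in $pattern; do
      # -L also catches dangling symlinks, which -e alone would skip
      [[ -e "$file" || -L "$file" ]] || continue
      log "Removing $file"
      chattr -R -ia "$file" 2>/dev/null
      rm -rf -- "$file" 2>/dev/null
    done
  done
  shopt -u nullglob
}

#######################################
# Step 5: stop, disable and delete suspicious systemd units. Unit files are
# looked for in every standard location; /usr/lib/systemd/system is added for
# hosts where /lib is not a symlink to /usr/lib.
#######################################
remove_suspicious_services() {
  local -a suspicious_services=(
    "bot.service"
    "systemd_s.service"
    "sshd-network-service.service"
    "network-monitor.service"
  )
  local service unit
  for service in "${suspicious_services[@]}"; do
    log "Stopping and disabling $service"
    systemctl stop "$service" 2>/dev/null
    systemctl disable "$service" 2>/dev/null
    for unit in "/lib/systemd/system/$service" "/etc/systemd/system/$service" \
                "/usr/lib/systemd/system/$service"; do
      [[ -f "$unit" ]] || continue
      log "Removing unit file $unit"
      chattr -i "$unit" 2>/dev/null
      rm -f -- "$unit"
    done
  done
  # Reload systemd to recognize changes
  systemctl daemon-reload
}

#######################################
# Step 6: clear immutable/append-only flags on root's crontab and drop the
# known 'atdb' entries. Only that marker is removed; the pre-cleanup copy in
# BACKUP_DIR should be reviewed by hand for any other unfamiliar entry.
#######################################
clean_cron_jobs() {
  log "Cleaning suspicious cron jobs"
  local crontab_file
  for crontab_file in /var/spool/cron/crontabs/root /var/spool/cron/root; do
    [[ -e "$crontab_file" ]] && chattr -ia "$crontab_file" 2>/dev/null
  done

  local current
  current=$(crontab -l 2>/dev/null)
  # Rewrite the crontab only when something actually matches, so an untouched
  # crontab keeps its original file and timestamp.
  if grep -q -- 'atdb' <<<"$current"; then
    log "Removing root crontab entries matching 'atdb'"
    grep -v -- 'atdb' <<<"$current" | crontab -
  else
    log "No 'atdb' entries found in root's crontab"
  fi
}

#######################################
# Install chkrootkit/rkhunter (Debian-family only) and run an rkhunter check.
# Each tool is skipped with a log line when unavailable instead of failing.
#######################################
install_and_run_scans() {
  log "Installing security scanning tools"
  if command -v apt-get >/dev/null 2>&1; then
    apt-get update && apt-get install -y chkrootkit rkhunter
  else
    log "apt-get not available; install chkrootkit/rkhunter with your package manager"
  fi

  if command -v rkhunter >/dev/null 2>&1; then
    log "Running rkhunter security scan"
    rkhunter --check --sk
  else
    log "rkhunter not installed; skipping scan"
  fi
}

#######################################
# List paths modified in the last 2 days into RECENT_FILES_REPORT.
# /proc, /sys, /dev and /run are pruned: they change constantly and would
# swamp the listing with entries that are not on disk.
# Globals: RECENT_FILES_REPORT
#######################################
list_recent_files() {
  log "Finding recently modified files (last 2 days)"
  find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
       -o -mtime -2 -print 2>/dev/null > "$RECENT_FILES_REPORT"
  chmod 600 "$RECENT_FILES_REPORT"
}

#######################################
# Cleanup entry point. Order matters: persistence (cron) and the preload
# library are neutralised first, running processes are killed next, and only
# then are files, units and cron entries removed.
#######################################
cleanup_kinsing() {
  backup_critical_files       # Step 0
  stop_cron                   # Step 1
  remove_ld_preload           # Step 2 - before any process-listing tool is run
  kill_suspicious_processes   # Step 3 - before deletion so nothing can recreate files
  remove_malware_files        # Step 4
  remove_suspicious_services  # Step 5
  clean_cron_jobs             # Step 6
  install_and_run_scans
  list_recent_files
}

#######################################
# Write an account-review report to SUSPICIOUS_USERS_REPORT: extra UID-0
# users, sudo/wheel members and sudoers drop-ins, accounts with a login
# shell, recent password changes, and every authorized_keys file found in a
# home directory from /etc/passwd. The report is a listing for a human to
# review; nothing in it is judged unauthorized by the script.
# Globals: SUSPICIOUS_USERS_REPORT
#######################################
check_suspicious_users() {
  log "Checking for suspicious system users"
  local report=$SUSPICIOUS_USERS_REPORT
  : > "$report"
  chmod 600 "$report"

  local grp today user home keyfile
  # /etc/shadow field 3 is the day (since epoch) of the last password change,
  # not an account-creation date; for a freshly added account the two coincide.
  today=$(( $(date +%s) / 86400 ))

  {
    echo "Users with UID 0 (excluding root):"
    awk -F: '($3 == 0 && $1 != "root") {print $1}' /etc/passwd

    printf '\nUsers with sudo access:\n'
    for grp in sudo wheel; do
      getent group "$grp" | awk -F: -v g="$grp" \
        '$4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] " (" g ")" }'
    done
    if [[ -d /etc/sudoers.d ]]; then
      printf '\nsudoers drop-in files (review contents by hand):\n'
      ls -la /etc/sudoers.d
    fi

    printf '\nUsers with non-standard shells:\n'
    awk -F: '($7 != "/usr/sbin/nologin" && $7 != "/sbin/nologin" && $7 != "/bin/false" && $7 != "/bin/sync") {print $1 " - " $7}' /etc/passwd

    printf '\nUsers whose password was set or changed in the last 30 days:\n'
    awk -F: -v today="$today" \
      '$3 ~ /^[0-9]+$/ && (today - $3) <= 30 { printf "%s (password last set %d days ago)\n", $1, today - $3 }' \
      /etc/shadow

    printf '\nSSH authorized_keys entries (verify every key is expected):\n'
    while IFS=: read -r user home; do
      [[ -d "$home" ]] || continue
      for keyfile in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2"; do
        [[ -f "$keyfile" ]] || continue
        printf 'Keys for user %s (%s):\n' "$user" "$keyfile"
        cat -- "$keyfile"
      done
    done < <(awk -F: '$6 != "" {print $1 ":" $6}' /etc/passwd)
  } >> "$report"

  # Log the report
  log "Suspicious users report generated at $report"
}

#######################################
# Main execution: confirm with the operator, run the cleanup and the account
# review, then list what to read afterwards. Exits 1 if the operator declines.
#######################################
main() {
  log "Starting Kinsing Malware Cleanup Process"
  local response
  read -r -p "WARNING: This script will make significant system changes. Are you sure you want to continue? (y/N) " response
  if [[ ! "$response" =~ ^[Yy]$ ]]; then
    log "Cleanup process aborted by user"
    exit 1
  fi

  cleanup_kinsing
  # Additional user and security checks
  check_suspicious_users

  log "Cleanup process completed. Please review the following reports:"
  log "1. $LOG_FILE"
  log "2. $RECENT_FILES_REPORT"
  log "3. $SUSPICIOUS_USERS_REPORT"
  log "4. $BACKUP_DIR (pre-cleanup crontabs and ld.so.preload)"
  log "NOTE: the cron service was stopped and has not been restarted; review the crontabs, then restart it by hand."
}

# Run the main function
main "$@"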