Closed pwdel closed 2 months ago
Set up a firewall on Digital Ocean, documented this on the documentation branch. That should allow incoming access of other ports.
More solutions to try in order to really confidently close out this ticket:
Deleting libsystem.so, /.ICEd-unix, zzz, kinsing files from /tmp is not a permanent solution. The cron process will rename the files and start again. I was able to remove it permanently by following these steps:
I haven't seen this malware pop back up after removing unnecessary ports, so I think this has been solved.
I was attempting to adapt a prototype version of SocialPredict as a production instance just to see what would happen and see if I can hack together a solution to adapt our development version of SocialPredict to prod.
When deploying to a Digital Ocean droplet, I noticed that the CPU was suddenly super high at about 6AM CST this morning after having deployed a test yesterday.
Running top, there was one process, kdevtmpfsi, taking up 99% of the CPU. This is a cryptocurrency mining malware which is associated with Redis:
https://www.createit.com/blog/kinsing-malware-kdevtmpfsi-how-to-kill/
That being said, this kdevtmpfsi is typically associated with Redis, which we are not using. While Digital Ocean does make a Redis plugin available, we are not using it. While we are using a Digital Ocean shared server, these shared servers evidently don't use Redis to function.
Also, this high CPU usage didn't emerge right away; it happened about 18 hours after it was first deployed.
So basically, it seems to be because our nginx is just not configured properly, so the ports exposed our server.
https://www.reddit.com/r/docker/comments/k2lwvd/protect_your_docker_containers_from_kinsing/
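Two checks that follow from this thread, written as an added example rather than anything from the SocialPredict repo: one flags listening ports bound to every interface that are not on an allowlist (the exposure the firewall was added to close), the other looks for the /tmp artifact names mentioned above. The `ss -tulnH` column layout and the sample listing are assumptions; the sample is constructed, not captured from the droplet.

```shell
#!/bin/sh
# Constructed sample in the shape of `ss -tulnH` output (Netid State Recv-Q Send-Q Local Peer).
# Not captured from the droplet in the issue; 6379 stands in for a service left open by mistake.
SAMPLE_SS='tcp   LISTEN 0 511  0.0.0.0:80      0.0.0.0:*
tcp   LISTEN 0 511  0.0.0.0:443     0.0.0.0:*
tcp   LISTEN 0 128  127.0.0.1:5432  0.0.0.0:*
tcp   LISTEN 0 4096 0.0.0.0:6379    0.0.0.0:*
tcp   LISTEN 0 128  0.0.0.0:22      0.0.0.0:*'

# exposed_ports LISTING ALLOWLIST
# Prints, one per line, every port that listens on all interfaces (0.0.0.0, *, or [::])
# and is not in the space-separated ALLOWLIST. Loopback-only listeners are ignored.
exposed_ports() {
  printf '%s\n' "$1" | awk -v allow=" $2 " '
    $1 == "tcp" || $1 == "udp" {
      n = split($5, a, ":"); port = a[n]
      addr = substr($5, 1, length($5) - length(port) - 1)
      if ((addr == "0.0.0.0" || addr == "*" || addr == "[::]") && index(allow, " " port " ") == 0)
        print port
    }'
}

# kinsing_artifacts DIR
# Prints the artifact names from the issue (kdevtmpfsi, kinsing, libsystem.so, zzz, .ICEd-unix)
# that exist in DIR, space separated; prints an empty line when none are present.
kinsing_artifacts() {
  dir="$1"; found=""
  for f in kdevtmpfsi kinsing libsystem.so zzz .ICEd-unix; do
    [ -e "$dir/$f" ] && found="${found:+$found }$f"
  done
  printf '%s\n' "$found"
}

# Stand-alone run against the constructed sample: only 6379 should be reported.
exposed_ports "$SAMPLE_SS" "22 80 443"
kinsing_artifacts /tmp
```

On a live host, replace the sample with `exposed_ports "$(ss -tulnH)" "22 80 443"`; note that ports published by Docker are opened through Docker's own iptables rules, so check the listing from the host rather than relying on ufw rules alone.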