How to Permanently Kill and Remove kdevtmpfsi or kinsing

I had an issue with one of my staging servers on Digital Ocean, running Ubuntu 20.04. CPU utilization was at 100% for a couple of hours, and I knew something had to be up. Upon further investigation, I found that 100% of my CPU was being utilized by a process called “kdevtmpfsi”.

After some Googling, I found that this was a crypto-miner malware. However, everything I found on how to remove it was regarding to people using Docker containers and Redis — but I wasn’t. It was a very basic Ubuntu image, running Nginx and serving up PHP content.

None of the other solutions seemed to work for me, so I had to find my own. The following commands seemed to work for me. I’ve regained my CPU usage back, and haven’t had any further issues.

First, kill the existing processes:

sudo kill -9 
sudo kill -9 
Delete the files. These were the locations of mine, but I’ve heard that sometimes they will have different folder names:

sudo rm -f /tmp/kdevtmpfsi
sudo rm -f /var/tmp/kinsing
sudo rm -f /tmp/kinsing
Block exposed ports:

sudo apt install ufw
sudo ufw allow 80 #enable port 80, if needed
sudo ufw allow 443 #enable port 443, if needed
sudo ufw allow "OpenSSH" #enable SSH connections, if it's not already and it's needed
sudo ufw deny 9000
sudo ufw enable

After making these changes, I’ve been running for a solid week without any other issues. Previously, all other fixes I had tried would work for about an hour, and then come back.

Hope this helps!

5 thoughts on “How to Permanently Kill and Remove kdevtmpfsi or kinsing

  1. kdevtmpfsi come from php:7-fpm official docker image..

    # php:
    # image: php:7-fpm
    # restart: unless-stopped
    # ports:
    # – “9000:9000”

  2. Thanks for your post it was very helpful.I just had this problem today, and the processes were associated with the user id belonging to Docker

Leave a Reply

Your email address will not be published.