Well, a couple of days ago a friend contacted me because his server on Linode Cloud Hosting & Linux Servers had been infected with malware. His server had high CPU usage. After checking in depth, I found that the malware's name is kinsing, and it was owned by the postgres user.
Removing the malware
In this step we'll remove the malware manually. FYI, the characteristic of this malware is that it creates kdevtmpfsi in /tmp and kinsing in /var/tmp, and the impact is that it consumes high CPU on the server. Every time I tried to remove the kdevtmpfsi and kinsing files from /tmp and /var/tmp I had no luck: they recreated themselves and ran again as the postgres user.
Steps to remove
Assuming you are on the infected server as root, the idea is: stop the running malware, remove its files from /tmp and /var/tmp (and anywhere else it was dropped), then create empty, immutable files with the same names so it cannot write them back. Deleting the file alone does not stop the running process, which simply drops a fresh copy, so kill the kinsing and kdevtmpfsi processes first (for example with pkill) and check the postgres user's crontab for a job that re-downloads them. Then find and remove the files:
# find / -iname kdevtmpfsi -exec rm -fv {} \;
# find / -iname kinsing -exec rm -fv {} \;
Then create unreadable, immutable placeholders with the same names. chattr +i needs root and a filesystem that supports the immutable attribute (ext4 or xfs, for instance); the flag can only be cleared by a process with CAP_LINUX_IMMUTABLE, which is why the postgres user can neither overwrite nor delete the placeholders, and also why you will have to run chattr -i yourself before you can ever remove them:
# touch /tmp/kdevtmpfsi && touch /var/tmp/kinsing
# chmod 000 /tmp/kdevtmpfsi && chmod 000 /var/tmp/kinsing
# chattr +i /tmp/kdevtmpfsi && chattr +i /var/tmp/kinsing
Then purge PostgreSQL. Since the malware ran as the postgres user, treat the existing installation, its configuration and its data directory as compromised. Note that on Debian/Ubuntu postgresql is only a metapackage: after purging it, check dpkg -l for remaining postgresql-NN packages and purge those as well, and verify that /etc/postgresql and /var/lib/postgresql are gone before reinstalling, otherwise the compromised configuration stays in place.
# apt-get remove --purge postgresql
After the steps above, reboot the server and then install PostgreSQL again. Before bringing it back online, make sure the fresh installation does not repeat whatever let the malware run as postgres: set a strong password for the postgres role, keep listen_addresses and pg_hba.conf restricted to the clients that actually need access, and watch top or htop for a while to confirm that CPU usage stays normal. That's all!
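The whole cleanup sequence from the steps above as one script. This is an added example and not code from the original post: the kinsing_* function names are this example's own, the ROOT argument to the file functions is an assumption that lets the find/remove steps be rehearsed on a scratch directory instead of "/", and the cron scan reads crontab text from stdin so it can be checked against constructed input. Real use requires root and GNU find/stat plus chattr/lsattr from e2fsprogs.

```shell
#!/bin/sh
# Added example (not from the original post): the post's cleanup in the safer
# order: stop the miner, remove its files, plant immutable placeholders, then
# look for the cron job that re-drops them. kinsing_* names and ROOT are this
# example's own assumptions.

MALWARE_NAMES="kdevtmpfsi kinsing"

# Stop the running processes first: deleting the file while the miner is still
# running achieves nothing, it simply writes a fresh copy.
kinsing_kill_processes() {
    for n in $MALWARE_NAMES; do
        if pkill -x "$n" 2>/dev/null; then echo "killed: $n"; else echo "not running: $n"; fi
    done
}

# List every non-empty regular file under ROOT named kdevtmpfsi or kinsing
# (case-insensitive), skipping /proc and /sys. Empty files are skipped so the
# placeholders planted below are not reported as malware on a second run.
kinsing_find_files() {
    root="${1%/}"          # "/" becomes "" so "${root}/proc" is "/proc"
    find "${root:-/}" \( -path "${root}/proc" -o -path "${root}/sys" \) -prune -o \
        -type f -size +0c \( -iname kdevtmpfsi -o -iname kinsing \) -print 2>/dev/null
}

# Delete everything kinsing_find_files reports, then search again and fail if
# any copy survived (for instance because it was re-dropped in the meantime).
kinsing_remove_files() {
    kinsing_find_files "$1" | while IFS= read -r f; do
        rm -fv "$f"
    done
    [ -z "$(kinsing_find_files "$1")" ]
}

# Replace PATH with an empty, mode-000, immutable file owned by the caller.
# The immutable flag can only be cleared with CAP_LINUX_IMMUTABLE, so the
# postgres user can neither rewrite nor delete the placeholder.
kinsing_make_placeholder() {
    p="$1"
    rm -f "$p" 2>/dev/null
    : > "$p" || return 1
    chmod 000 "$p" || return 1
    if chattr +i "$p" 2>/dev/null; then
        echo "immutable placeholder: $p"
    else
        # chattr needs root and a filesystem with attribute support (ext4, xfs);
        # without it the placeholder is only as strong as its permissions.
        echo "warning: could not set +i on $p" >&2
    fi
}

# Octal permission bits of PATH; a correct placeholder reports "0".
kinsing_placeholder_mode() {
    stat -c '%a' "$1"
}

# True if PATH carries the immutable attribute according to lsattr.
kinsing_is_immutable() {
    lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Print crontab lines (from stdin) that name the malware or fetch a remote
# script and pipe it straight into a shell, the usual way the files come back.
kinsing_scan_cron() {
    grep -Ei 'kinsing|kdevtmpfsi|(curl|wget)[^|]*\|[[:space:]]*(ba)?sh'
}

# Whole sequence on the real host; run as root: sh cleanup.sh run
kinsing_cleanup_host() {
    kinsing_kill_processes
    kinsing_remove_files / || echo "warning: malware files still present, check again" >&2
    kinsing_make_placeholder /tmp/kdevtmpfsi
    kinsing_make_placeholder /var/tmp/kinsing
    echo "--- cron entries worth a look (postgres, root, system) ---"
    { crontab -l -u postgres 2>/dev/null; crontab -l 2>/dev/null
      cat /etc/crontab /etc/cron.d/* 2>/dev/null; } | kinsing_scan_cron
}

if [ "${1:-}" = "run" ]; then
    kinsing_cleanup_host
fi
```

Rehearse the file steps on a scratch tree first (kinsing_find_files /some/scratch/dir), then run the script with the run argument as root. Afterwards lsattr /tmp/kdevtmpfsi and lsattr /var/tmp/kinsing should show the i flag, and the cron scan output deserves the closest reading: a scheduled re-download is what makes the files come back after a plain rm, and the script only reports such entries, it does not remove them.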
References:
https://boxmatrix.info/wiki/Property:kdevtmpfs
https://en.wikipedia.org/wiki/Chattr#In_Linux_systems_.28chattr_and_lsattr.29
https://htop.dev/
https://linux.die.net/man/1/top