Kthreadd Mining Malware Solution

Kthreadd here is a cryptomining process that names itself after the kernel thread of the same name so it blends into the process list, and it comes back after you kill it: a cron job, planted from unknown IPs, re-downloads and restarts it. The miner pins the CPU (well over 100% in top, i.e. more than one core) until the server becomes unreachable.
Note:
The genuine kthreadd is a kernel thread: PID 2, parent PID 0, shown as [kthreadd] in ps, with no executable behind it and immune to kill. That one is not the process to chase; the miner is the one with a real binary on disk and a real command line.

Basic checks to get rid of the kthreadd process:
1) Remove unwanted port openings in the cloud security group (SG); above all remove rules that are open to everyone (0.0.0.0/0).
2) Remove unused users and change the SSH port, then restart sshd.
3) Do the basic SSH hardening steps: lock the root password, and change the password of every user that has passwordless sudo.
passwd -l root
(passwd -l locks the account; passwd -d would delete the password and leave root with an empty password, which is the opposite of what you want.)

Now list the kthreadd processes and kill them. Kill the parent before the child, otherwise the parent just respawns it, but only if the parent is itself part of the malware, never PID 1. The real [kthreadd] ignores signals, so matching it by name is harmless.
ps -ef | grep '[k]threadd'
kill -9 <PPid> <Process_id>
pkill -9 -f kthreadd
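Before killing anything it helps to be sure which kthreadd is which. The script below is an example added here, not code from the original post. It applies the distinction from the Note above: a kernel thread is not backed by a file, so /proc/<pid>/exe cannot be read and /proc/<pid>/cmdline is empty, while a miner that merely calls itself kthreadd has both. PROC_ROOT is an assumed hook so the functions can be pointed at a copied or fake /proc tree; everything else is standard procfs and ss.

```shell
#!/bin/sh
# Added example (not from the original post): separate the genuine kernel
# kthreadd from a user-space miner that has taken the same name.
# Facts used: a kernel thread is not backed by a file, so readlink on
# /proc/<pid>/exe fails and /proc/<pid>/cmdline is empty; any process that was
# exec'd from a binary has both. PROC_ROOT is an assumed hook so the functions
# can be run against a copied or fake /proc tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# classify_pid <pid> -> prints "kernel", "impostor" or "gone"
classify_pid() {
    local pid=$1 dir exe
    dir="$PROC_ROOT/$pid"
    [ -d "$dir" ] || { echo gone; return 0; }
    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    if [ -z "$exe" ] && [ ! -s "$dir/cmdline" ]; then
        echo kernel
    else
        echo impostor
    fi
}

# list_suspects -> PIDs whose comm contains "kthreadd" but that are not kernel threads
list_suspects() {
    local dir pid comm
    for dir in "$PROC_ROOT"/[0-9]*; do
        pid=${dir##*/}
        comm=$(cat "$dir/comm" 2>/dev/null || true)
        case $comm in
            *kthreadd*)
                if [ "$(classify_pid "$pid")" = impostor ]; then echo "$pid"; fi ;;
        esac
    done
    return 0
}

# describe_pid <pid> -> parent, binary, working directory and, on the live
# /proc, the sockets it holds: the pool connection of a miner shows up here.
describe_pid() {
    local d="$PROC_ROOT/$1"
    printf 'pid=%s ppid=%s exe=%s cwd=%s\n' "$1" \
        "$(awk '/^PPid:/ {print $2}' "$d/status" 2>/dev/null || true)" \
        "$(readlink "$d/exe" 2>/dev/null || echo '(none)')" \
        "$(readlink "$d/cwd" 2>/dev/null || echo '(none)')"
    if [ "$PROC_ROOT" = /proc ]; then
        ss -tunp 2>/dev/null | grep "pid=$1," || true
    fi
}

# Usage on a live host: ./find_kthreadd.sh --scan
# Kill the reported PIDs only after the cron job that respawns them is gone,
# and kill the parent before the child; the real [kthreadd] ignores signals.
if [ "${1:-}" = --scan ]; then
    for pid in $(list_suspects); do describe_pid "$pid"; done
fi
```

The scan deliberately does not call ps: it reads /proc directly, so the verdict does not depend on how the miner has dressed up its name, and the exe path it prints is the file to remove in step 7.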


4) If it still comes back, remove the NOPASSWD sudo grants from /etc/sudoers (and /etc/sudoers.d/) and give the sudo user a password instead. Always edit with visudo, which refuses to save a file with a syntax error that would otherwise break sudo for everyone:
<username> ALL=(ALL)       ALL
instead of
<username> ALL=(ALL)       NOPASSWD: ALL

5) Set a password for the user you added to sudoers.
passwd <username>

Note:
Generate a random password for the user, for example:
LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 13; echo
 
6) Go through ~/.ssh/authorized_keys of every user (root included) and remove the keys you did not put there; wiping the file as below also drops your own key, so have another way in before you do it. Clear known_hosts as well (copy it aside first if you want a record of where the attacker connected to from this box), and delete the rogue accounts together with their home directories.
cat /dev/null > ~/.ssh/authorized_keys
cat /dev/null > ~/.ssh/known_hosts
userdel -r <username with homedir>

while IFS= read -r user; do userdel -r "$user"; done < <File_having_Userlist>

7) Check the crontabs and remove the newly added malware job, along with the file it runs. crontab -l only shows the crontab of the current user; check the other users too (crontab -l -u <username>) and the system locations /etc/crontab, /etc/cron.d/ and /var/spool/cron/.
crontab -l   -> lists the current user's cron jobs

8) Check the full command line of the process:
ps aux | grep '[k]threadd'

If kthreadd or kthreaddk holds a network port, check whether it belongs to a legitimate service; if not, deny that remote IP in the cloud SG, and its whole subnet as well, since the next connection tends to come from a neighbouring address.
Example: the remote IP was 194.38.23.2/32 and we blocked the whole 194.38.0.0/16 network.
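Steps 4 to 7 each touch one place where the attacker can leave a foothold. The audit below is an example added here, not code from the original post: it reads sudoers, passwd and shadow, every user's authorized_keys and every cron location, and prints what it finds, so the deletions in those steps can be targeted instead of wholesale. ROOT is an assumed prefix (empty for the live host, a mount point for an offline disk image); the SUSPECT_RE pattern list is an assumption as well and is meant to be extended.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of the places
# steps 4 to 7 clean up, to run before deleting anything.
# ROOT is an assumed prefix: "" for the live host, a mount point for an image.
ROOT="${ROOT:-}"

# NOPASSWD grants in sudoers and sudoers.d, comment lines skipped
audit_sudoers() {
    local f
    for f in "$ROOT/etc/sudoers" "$ROOT"/etc/sudoers.d/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '!/^[ \t]*#/ && /NOPASSWD/ { print f ":" NR ": " $0 }' "$f"
    done
    return 0
}

# accounts other than root with UID 0, and accounts whose shadow password
# field is empty (what "passwd -d" leaves behind: login with no password)
audit_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$ROOT/etc/passwd"
    if [ -r "$ROOT/etc/shadow" ]; then
        awk -F: '$2 == "" { print "nopassword:" $1 }' "$ROOT/etc/shadow"
    fi
}

# every authorized_keys entry on the host: owner, key type, key comment
audit_authorized_keys() {
    local user home f
    while IFS=: read -r user _ _ _ _ home _; do
        f="$ROOT$home/.ssh/authorized_keys"
        [ -s "$f" ] || continue
        awk -v u="$user" '!/^[ \t]*(#|$)/ { print u ": " $1 " " $NF }' "$f"
    done < "$ROOT/etc/passwd"
    return 0
}

# cron entries from every location a job can be planted; lines matching
# SUSPECT_RE (an assumed starter list: download-and-run, staging in tmp
# directories, base64-wrapped commands) are tagged SUSPECT, the rest ok
SUSPECT_RE='curl|wget|/tmp/|/var/tmp/|/dev/shm|base64'
audit_cron() {
    local f
    for f in "$ROOT"/var/spool/cron/* "$ROOT"/var/spool/cron/crontabs/* \
             "$ROOT/etc/crontab" "$ROOT"/etc/cron.d/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" -v re="$SUSPECT_RE" '
            /^[ \t]*(#|$)/ { next }
            { tag = ($0 ~ re) ? "SUSPECT" : "ok"; print tag ": " f ": " $0 }' "$f"
    done
    return 0
}

audit_all() {
    echo "== sudoers NOPASSWD ==";  audit_sudoers
    echo "== accounts ==";          audit_accounts
    echo "== authorized_keys ==";   audit_authorized_keys
    echo "== cron ==";              audit_cron
}
```

Run audit_all as root on the live host, or with ROOT pointing at a mounted snapshot of the disk; the cron lines tagged SUSPECT give you the path of the dropper the job re-executes, which is the file to delete together with the job itself.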

Apart from the steps above, apply the basic SSH hardening steps below so the malware cannot get back in:

1) Do not allow root to log in over SSH.
PermitRootLogin no   -> parameter in /etc/ssh/sshd_config
 
2) Move SSH off the default port 22. Open the new port in the cloud SG and the host firewall before restarting, and on SELinux hosts register it with semanage first, or sshd will fail to bind and the restart locks you out.
Port 64004   -> parameter in /etc/ssh/sshd_config (the directive is capitalised)
 
3) Restart the SSH service. The unit is sshd on RHEL/CentOS (the yum-based systems this post targets) and ssh on Debian/Ubuntu; keep your current session open until a fresh login on the new port succeeds.
service sshd restart
 
4) Don't forget Fail2ban. On CentOS/RHEL it comes from the EPEL repository; after installing, enable the sshd jail and set its port to the new SSH port, otherwise it keeps watching port 22.
yum install fail2ban
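The three sshd_config changes above are small, but applying them by hand is where people lock themselves out: an unopened port, a typo, or a directive that lands after a Match line and so only applies inside that block. The script below is an example added here, not code from the original post. set_sshd_option edits a directive idempotently in the global section, sshd_value reads back what is in force, and harden_sshd runs the whole procedure in the safe order. SSHD_CONFIG, the semanage and firewall-cmd calls and systemctl restart sshd are assumptions for a RHEL/CentOS-style host; adjust the unit name for Debian/Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original post): apply the sshd_config directives
# above idempotently and in the right order. SSHD_CONFIG, the semanage and
# firewall-cmd calls and "systemctl restart sshd" are assumptions for a
# RHEL/CentOS-style host; on Debian/Ubuntu the unit is "ssh".
SSHD_CONFIG="${SSHD_CONFIG:-/etc/ssh/sshd_config}"

# set_sshd_option <file> <Directive> <value>
# Rewrites the first global occurrence (active or commented out) of Directive,
# comments out any later active duplicate, and if there is none inserts the
# directive before the first Match block, because anything after "Match" only
# applies inside that block. Running it twice leaves exactly one active line.
set_sshd_option() {
    local file=$1 key=$2 value=$3 tmp
    tmp=$(mktemp)
    awk -v key="$key" -v value="$value" '
        BEGIN { k = tolower(key); done = 0; inmatch = 0 }
        tolower($0) ~ /^[ \t]*match[ \t]/ {
            if (!done) { print key " " value; done = 1 }
            inmatch = 1
        }
        !inmatch && tolower($0) ~ ("^[ \t]*#?[ \t]*" k "([ \t]|=)") {
            if (!done) { print key " " value; done = 1; next }
            if ($0 !~ /^[ \t]*#/) { print "#" $0; next }
        }
        { print }
        END { if (!done) print key " " value }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
}

# sshd_value <file> <Directive> -> the value in force in the global section
# (the first active occurrence before any Match block), or nothing
sshd_value() {
    awk -v key="$2" '
        BEGIN { k = tolower(key) }
        tolower($0) ~ /^[ \t]*match[ \t]/ { exit }
        tolower($1) == k { print $2; exit }
    ' "$1"
}

# harden_sshd <new_port>: open the door before you change the lock.
# 1. directives  2. SELinux port label + firewall  3. syntax check  4. restart
# Keep the current session open and confirm a fresh login on the new port
# works before closing it; only then remove port 22 from the cloud SG.
harden_sshd() {
    local port=$1
    set_sshd_option "$SSHD_CONFIG" PermitRootLogin no
    set_sshd_option "$SSHD_CONFIG" Port "$port"
    if command -v semanage >/dev/null 2>&1; then
        semanage port -a -t ssh_port_t -p tcp "$port" 2>/dev/null \
            || semanage port -m -t ssh_port_t -p tcp "$port"
    fi
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --permanent --add-port="$port/tcp" && firewall-cmd --reload
    fi
    if ! sshd -t -f "$SSHD_CONFIG"; then
        echo "sshd_config failed validation, not restarting sshd" >&2
        return 1
    fi
    systemctl restart sshd
}
```

The awk edit works on a copy and writes back with cat rather than mv so the file keeps its owner and mode; sshd -t is the step that turns a typo into a refused restart instead of a dead daemon.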

Hope this does the trick. Let's keep our servers protected against these miners!


