Anand Sukumaran Nair

Startup Founder, Software Engineer, Abstract thinker
Co-founder & CTO @ Engagespot (Techstars NYC '24)

kdevtmpfsi using 100% of CPU? Here is how you can fix that

May 07, 2020

[update] - Never knew this problem was faced by a lot of people. Around 20k people read this article.

I have some EC2 instances running Redis and one day it has become really slow. When I SSHed into the instance, I could hardly type anything. I thought it was a network issue until I checked the running processes and found a strange process kdevtmpfsi using 125% of my CPU!

And it was running under Redis user. It felt suspicious and a google search revealed that it’s a cryptocurrency miner script that’s utilizing your CPU. It looks like a security flaw in Redis if you have opened the port to the public and don’t use a password for Redis. If you like to read more about vulnerability, here is a detailed article.

You can fix this through the following steps

  1. Make sure that the Redis port 6379 is not opened to the public. (That is, you should never open this port in your AWS security group. Just keep the Redis connection within your internal private network).
  2. Redis should bind only to localhost, or the internal IP. Never bind Redis to your public IP. To check this, open /etc/redis/redis.conf file and look for the line that starts with bind. It should be
    _bind 127.0.0.1 or bind _
  3. Kill the kdevtmpfsi process. Run the top command in terminal to list all running process. Note the PID of the kdevtmpfsi process and terminate the process using command
    _kill -9 _
  4. Delete the script file. I found the script in both /var/tmp and /tmp directory. Delete the files that contain kdevtmpfsi in the filename. Also, you can search your entire disk using the command find / -iname kdevtmpfsi and remove all instances of that file.
  5. Make sure that the process didn’t come back by examining the active processes using the top command

Done! You’ll no longer see the kdevtmpfsi process running on your server.

If this solved your issue, would you mind giving my article a (or more) clap(s)?