kdevtmpfsi malware miner found in 12-Alpine docker #817

Closed
khuntia opened this issue Feb 18, 2021 · 4 comments
Labels: question (Usability question, not directly related to an error with the image)

khuntia commented Feb 18, 2021

Hi Postgres team,

I had a few hours back taken the 12-Alpine docker image of postgres and in 30 mins kdevtmpfsi was running in my system.
I traced it back to this container. On stopping this container, the miner also stopped. I have decent security and everything was stable until I installed this package. I am pretty sure this package is compromised. Please check. FYI

Thanks for the open source software and support. You guys are awesome :)

Cheers

@wglambert wglambert added the question Usability question, not directly related to an error with the image label Feb 18, 2021
wglambert:
This is an unfortunate consequence of having a public-facing instance with a compromised (or simple) password.
#798 (comment)

See also:
redis/docker-library-redis#217
redis/docker-library-redis#225
docker-library/php#1110
docker-library/php#1127

khuntia (author) commented Feb 18, 2021

I have postgres behind traefik and on an internal docker network only. It's not public facing and the password is strong (UID based). I was using the postgres:latest image and there is no problem like this; as soon as I downloaded 12.alpine today, I see this happening. Not sure what or how this attack got initiated, but as soon as I deleted all present instances of kdevtmpfsi running on the machine (the only source found was from docker images' temp folders) and then removed 12-alpine it is back to normal. This is more of an FYI for the postgres team in case their image is compromised. I will close the issue if the team is sure it's a mistake on my part; I will deep dive to root cause it later. Cheers

tianon (member) commented Feb 18, 2021

Can you share your container runtime parameters?
(docker run arguments, compose.yml/stack.yml, k8s yaml, etc)

The image itself definitely doesn't have kdevtmpfsi in it:

$ docker pull postgres:12-alpine
12-alpine: Pulling from library/postgres
ba3557a56b15: Already exists 
0dae7ecc9e7b: Pull complete 
e47d778d7c5a: Pull complete 
eaa7d72c898f: Pull complete 
915125e90fa6: Pull complete 
d7790599cf66: Pull complete 
2243c254efcb: Pull complete 
27471ff83dbb: Pull complete 
Digest: sha256:af41889f0fa073328856551f1dc1df68b5a5b9540ddc4ab2b892c32843882028
Status: Downloaded newer image for postgres:12-alpine
docker.io/library/postgres:12-alpine

$ docker run -it --rm postgres:12-alpine sh
/ # find / -name kdevtmpfsi
/ # 

wglambert:
Going to close since this seems resolved and is a duplicate of the other kdevtmpfsi malware issues
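As an added example (not code from this thread or from the docker-library project), here is a small Python audit of the `docker run` arguments tianon asks for, checking the two conditions wglambert names as the usual cause of these miner reports: a container port published on a non-loopback interface, and a missing, weak or disabled password. `POSTGRES_PASSWORD` and `POSTGRES_HOST_AUTH_METHOD=trust` are the real variables of the official postgres image; the common-password list, the 12-character length threshold and the finding codes are assumptions of this example. It parses `docker run` flags only, not compose or Kubernetes manifests.

```python
"""Audit a `docker run` command line for the exposure pattern behind
kdevtmpfsi-style infections: a Postgres container reachable on all
interfaces with no, weak, or disabled password authentication."""
import shlex

# Constructed sample of guessable passwords; a real check would use a larger
# list or a breached-password lookup.
COMMON_PASSWORDS = {"postgres", "password", "123456", "admin", "root", "secret"}
LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}
MIN_PASSWORD_LEN = 12  # assumed policy threshold, not a Docker or Postgres setting


def parse_docker_run(cmdline):
    """Extract published port specs, -e/--env variables and the -P flag
    from a docker run command line. Other flags are skipped."""
    argv = shlex.split(cmdline)
    ports, env, publish_all = [], {}, False
    i = 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-p", "--publish", "-e", "--env"):
            value = argv[i + 1] if i + 1 < len(argv) else ""
            i += 2
        elif arg.startswith(("--publish=", "--env=")):
            value = arg.split("=", 1)[1]
            i += 1
        else:
            if arg in ("-P", "--publish-all"):
                publish_all = True
            i += 1
            continue
        if arg.startswith(("-p", "--publish")):
            ports.append(value)
        else:
            # `-e NAME` without '=' inherits the host value; we cannot inspect it
            key, sep, val = value.partition("=")
            env[key] = val if sep else None
    return ports, env, publish_all


def port_is_public(spec):
    """True if the host side of a -p spec binds a non-loopback address.
    Forms: containerPort | hostPort:containerPort | hostIp:hostPort:containerPort"""
    spec = spec.split("/")[0]            # drop a /tcp or /udp suffix
    parts = spec.rsplit(":", 2)          # keeps a bracketed IPv6 host intact
    if len(parts) == 3:
        return parts[0] not in LOOPBACK
    return True                          # no host IP given: Docker binds 0.0.0.0


def audit(cmdline):
    """Return finding codes for a docker run command line, in fixed order."""
    ports, env, publish_all = parse_docker_run(cmdline)
    findings = []
    if publish_all or any(port_is_public(p) for p in ports):
        findings.append("PUBLIC_PORT")
    if env.get("POSTGRES_HOST_AUTH_METHOD") == "trust":
        findings.append("TRUST_AUTH")      # password auth disabled for all hosts
    if "POSTGRES_PASSWORD" not in env:
        findings.append("NO_PASSWORD")
    else:
        pw = env["POSTGRES_PASSWORD"]
        if pw is not None and (pw.lower() in COMMON_PASSWORDS or len(pw) < MIN_PASSWORD_LEN):
            findings.append("WEAK_PASSWORD")
    return findings


if __name__ == "__main__":
    # Constructed example of the risky pattern: port on every interface, default password.
    risky = "docker run -d -p 5432:5432 -e POSTGRES_PASSWORD=postgres postgres:12-alpine"
    print(audit(risky))   # ['PUBLIC_PORT', 'WEAK_PASSWORD']
```

An empty result means none of the checked conditions holds; it does not prove the host is clean, it only rules out the misconfiguration that the linked redis and php issues describe.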
