Kinsing Malware entering via compromised Dockerhub Images?

I got a server infected with the Kinsing malware, which mines crypto on your server, maxing out your CPUs. The malware initially creates the files /tmp/kdevtmpfs and /tmp/kinsing. If you delete these files and kill the process, they get recreated elsewhere on the disk, and also inside your containers, to continue with their mining job. I initially applied this solution and I was free from it for a few minutes, but soon it had respawned with a slightly different name:

I have come across many posts pointing to vulnerabilities in Docker, such as its ability to control iptables, etc. I have set DOCKER_OPTS="--iptables=false" immediately after installing Docker and raised the firewall on a fresh build, blocking all incoming requests except for ssh, http and https, but it didn't seem to affect the bug's ability to infect my server. I am guessing it's entering via compromised Docker images. I am using the following images, pulled in via docker-compose:

* dpage/pgadmin4
* rocker/shinyverse
* kartoza/postgis:12.0

I haven't seen any public statements from Docker Hub admins raising the possibility of compromised images spreading this malware, so I am posting this here to ask for suggestions on how to mitigate this issue and also avoid being re-infected in the future. I have considered dropping Docker altogether and going back to old-fashioned server configuration and deployment, but without being sure about how this thing spreads, I'd rather delay this decision.
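The post gives two concrete, defender-usable facts: the dropped files are named `/tmp/kinsing` and `/tmp/kdevtmpfs`, and after a cleanup the miner comes back under a slightly different name and also inside containers. The following sweep script is an added example written for this page, not code from the poster or from any Docker or Kinsing-related project. It turns those facts into a repeatable check that runs on the host and, optionally, inside every running container, and it only reports (no killing or deleting), so you can record PIDs, parent PIDs and file hashes before cleaning up. Assumptions: the extra drop directories `/var/tmp` and `/dev/shm` are my addition, the prefix match on the names is my reading of "slightly different name", and the container sweep assumes a `docker` CLI on PATH plus `ps` and `find` inside the containers. The `ps` listing at the bottom is constructed sample data, not output from the poster's server.

```shell
#!/bin/sh
# Host/container IoC sweep for the file and process names reported in the post
# (/tmp/kinsing, /tmp/kdevtmpfs). Detection-only: it reports and never kills or deletes,
# so evidence (PIDs, parent PIDs, file hashes) can be captured before cleanup.

# Names taken from the post. The post says the miner respawns under a slightly different
# name, so both checks match on the prefix rather than the exact name (my assumption).
IOC_NAMES='kinsing|kdevtmpfs'

# Read `ps -eo pid,ppid,comm,args` output on stdin and print "pid ppid comm arg0" for every
# row whose command name starts with an IoC name, or whose executable lives under one of the
# world-writable drop directories and starts with an IoC name.
# Exit status follows grep: 0 if something was found, 1 if the listing is clean.
flag_processes() {
    awk -v pat="$IOC_NAMES" '
        BEGIN {
            re_comm = "^(" pat ")"
            re_path = "^/(tmp|var/tmp|dev/shm)/(" pat ")"
        }
        NR > 1 && ($3 ~ re_comm || $4 ~ re_path) {
            print $1, $2, $3, $4
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Look for regular files with the IoC names under the given drop directories (two levels deep).
# Prints one path per line; directories that do not exist are skipped silently.
find_dropped_files() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -maxdepth 2 -type f \( -name 'kinsing*' -o -name 'kdevtmpfs*' \) 2>/dev/null
    done
}

# Run both checks inside every running container, because the post reports the miner being
# re-planted inside containers, so a host-only sweep is not enough.
# Assumes the docker CLI is on PATH and each container has ps and find available.
scan_running_containers() {
    command -v docker >/dev/null 2>&1 || { echo "docker CLI not found; skipping containers" >&2; return 0; }
    for c in $(docker ps -q); do
        name=$(docker inspect -f '{{.Name}}' "$c")
        docker exec "$c" ps -eo pid,ppid,comm,args 2>/dev/null \
            | flag_processes | sed "s|^|container $name proc: |"
        docker exec "$c" sh -c \
            'find /tmp /var/tmp /dev/shm -maxdepth 2 -type f \( -name "kinsing*" -o -name "kdevtmpfs*" \) 2>/dev/null' \
            | sed "s|^|container $name file: |"
    done
}

# Constructed sample of `ps -eo pid,ppid,comm,args` output (not from the poster's server),
# used here so the script demonstrates itself offline.
SAMPLE_PS='  PID  PPID COMMAND   COMMAND
    1     0 systemd   /sbin/init
  842     1 dockerd   /usr/bin/dockerd -H fd://
 1337   842 kinsing   /tmp/kinsing
 2048     1 kdevtmpfs /tmp/kdevtmpfs
 3000     1 bash      -bash'

printf '%s\n' "$SAMPLE_PS" | flag_processes
# On a live host replace the sample with the real listing and add the file and container sweeps:
#   ps -eo pid,ppid,comm,args | flag_processes
#   find_dropped_files /tmp /var/tmp /dev/shm
#   scan_running_containers
```

Two design points: the process check keys on both the command name and the path, because a copy launched from a renamed file still shows up through the drop directory, and a copy that keeps its name but moves elsewhere on the disk (which the post describes) still shows up through the name. Running the sweep from cron and diffing its output against an empty baseline gives a cheap early warning that a cleanup did not stick, independently of how the initial entry happened.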