Image Docker - php:7.4.13-alpine with Bitcoin Miner

[eversdn1]

After install a new clean server on aws e use this php:7.4.3-alpine image on my docker compose, after 30 minutes the cpu jump to 100%.
the synthoms and behavior is exact the same like this article.
https://www.linkedin.com/pulse/kinsing-malware-permanent-solution-amul-patel

Regards,
Everson Nunes

[JoelLinn]

Can you isolate this issue to one or at least a minimal set of components? How are you measuring the cpu usage (trying to rule out you misinterpret the steal time)

[eversdn1]

Unfortunately it´s difficult to believe, but it´s simple, a new clean installation of the official php image are infected by a miner.
.

[JoelLinn]

what are you running inside the php container? just the plain image or some other php software?

[wglambert]

Looks like that kdevtmpfsi is on the host system and not the container, what options are you running the container with?

Issues with kdevtmpfsi
redis/docker-library-redis#225
redis/docker-library-redis#217
docker-library/postgres#798 (comment)

This is an unfortunate consequence of having a public-facing instance with a compromised (or simple) password

[eversdn1]

docker-compose file

version: '3.7'
services:
        nginx:
                container_name: nginx
                image: nginx:1.19.6-alpine
                restart: unless-stopped
                depends_on:
                     - php
                volumes:
                      - ./www:/www
                      - ./nginx.conf:/etc/nginx/conf.d/nginx.conf
                ports:
                      - "8000:8000"
                links:
                      - php
                networks:
                      - proxy

        php:
                container_name: php
                image: php:7.4.13-fpm-alpine
                restart: unless-stopped
                ports:
                      - "9000:9000"
                networks:
                      - proxy
networks:
  proxy:
     driver: bridge

what are you running inside the php container? just the plain image or some other php software?
I´m running just phpinfo.

Looks like that kdevtmpfsi is on the host system and not the container, what options are you running the container with?

Issues with kdevtmpfsi
docker-library/redis#225
docker-library/redis#217
docker-library/postgres#798 (comment)

This is an unfortunate consequence of having a public-facing instance with a compromised (or simple) password

wglambert - When the container is stopped the kdevtmpfsi stopped to. Now i´m running 7.3.25 php image and the problem are solved.

[tianon]

You definitely don't want to expose PHP-FPM to the public internet -- you want it in the same Docker Network as NGINX so NGINX can access it, but nothing else (drop the 9000:9000 from the php service definition).

I'm certain there are all sorts of nasty things an attacker could do with a public FPM instance. 😱 😞

[eversdn1]

Thanks for all feedback.
I will close 9000 port of php-fpm and create a new server. Let´s wait and monitor to see.

Printscreen - top command on container php.

[JoelLinn]

Probably should be closed by now

[eversdn1]

Sure, solved after close PHP Port. Regards, Everson Em qua, 10 de fev de 2021 04:55, Joel Linn <notifications@github.com> escreveu:

…

Probably should be closed by now — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#1110 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ASLEW2FQ5LFP7YWMKHKU55DS6I3YLANCNFSM4VTE2F3A> .

[hakuno]

Is it enough? I'm unsure.

You can close the listening port (incoming). But it may have some outgoing connection.

ps. also known as reverse connection.