[🐛 Bug]: Potential Malware (perfctl) Injected via Selenium Chrome in Docker Container

[ILYAGVC]

What happened?

Description

I've noticed a persistent security issue where a malware named perfctl infiltrates my Docker container when using Selenium Chrome. Despite multiple attempts to remove the malware and rebuild the container, it keeps reappearing.

Steps to Reproduce

1. Use Selenium Chrome in a Docker container.
2. Run the container and monitor processes.
3. Notice the perfctl malware appearing and executing suspicious activities.

Expected Behavior

No unauthorized processes or malware should be present in the container.

Actual Behavior

The perfctl malware keeps reappearing, potentially compromising security.

Potential Impact

This issue poses a security risk as it allows unauthorized access and execution of malicious activities within the container.

Request for Investigation

Please investigate whether the base image, dependencies, or any other component in Selenium Chrome is compromised. Any guidance on mitigation or security best practices would also be appreciated.

Command used to start Selenium Grid with Docker (or Kubernetes)

docker run -d -p 4444:4444 -p 7900:7900 --shm-size="2g" selenium/standalone-chrome:latest

Relevant log output

‌

Operating System

Ubuntu 22

Docker Selenium version (image tag)

4.28.1-20250202

Selenium Grid chart version (chart version)

No response

[github-actions]

@ILYAGVC, thank you for creating this issue. We will troubleshoot it as soon as we can.

---

Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

[cgoldberg]

perfctl sounds really nasty... basically turning your system into a cryptominer:

https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/

There are several known vulnerabilities and ways to exploit a Selenium Grid that's exposed to the internet. This is explicitly warned about here:

https://www.selenium.dev/documentation/grid/getting_started/#warning

So I'm wondering why your Grid isn't protected from public access? Is that something to do with the selenium-docker container configuration or just bad security practices on your part? (I'm not very familiar with selenium-docker, but I do know a Grid should never be publicly accessible)

[VietND96]

All package installed in docker image could be tracked via https://github.com/SeleniumHQ/docker-selenium/releases/download/4.29.0-20250303/package_versions.txt, and I don't see perfctl
Looks like it is SeleniumGreed attack - https://www.selenium.dev/blog/2024/protecting-unsecured-selenium-grid/
Can you enable basic auth for Hub by setting env var SE_ROUTER_USERNAME, SE_ROUTER_PASSWORD
In client code, how to add basic auth, you can refer to https://www.selenium.dev/documentation/webdriver/drivers/http_client/
I see your OS is Ubuntu, is it a VM provisioned on cloud? If yes, can you expose container port 4444 to another host port which is not default 4444.

[ILYAGVC]

perfctl sounds really nasty... basically turning your system into a cryptominer:

https://www.aquasec.com/blog/perfctl-a-stealthy-malware-targeting-millions-of-linux-servers/

There are several known vulnerabilities and ways to exploit a Selenium Grid that's exposed to the internet. This is explicitly warned about here:

https://www.selenium.dev/documentation/grid/getting_started/#warning

So I'm wondering why your Grid isn't protected from public access? Is that something to do with the selenium-docker container configuration or just bad security practices on your part? (I'm not very familiar with selenium-docker, but I do know a Grid should never be publicly accessible)

Thanks
Can you guide how to secure Selenium Grid?

[cgoldberg]

@ILYAGVC

https://www.selenium.dev/documentation/grid/configuration/help/#security

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.