port 9000 is exposed to the world in fpm example docker-compose. may provide malware access to container. #129
Comments
I'm unable to verify your findings when running
I'll check. Saw that article a few hours ago. However it happened on two different systems. In two different countries. One without any incoming traffic (testing server). I will try to replicate again on a third system. I was not able to find anything suspicious in the docker layer info in dockerhub. But it is still weird
the more I look into it the more it looks like a php-fpm related attack. (it has also appeared on the 1.4.11-fpm-alpine instance I've been running). I'll update the results and update the original issue to reflect the actual issue. sorry for the false blame.
I also have been pwned by this malware and also have the port 9000 open, but it's what the example provided is suggesting: https://github.com/roundcube/roundcubemail-docker/blob/master/examples/docker-compose-fpm.yaml I also have a ufw firewall on the host, not allowing the port 9000 from outside ... so I don't get how they got access through this ... I am probably mistaken about something but please, can you clarify for me?
@pilere Docker and firewalls (on the host) don't play nicely, so you probably are not blocking that port at all. If you host everything on the same host, there is no need to expose the port 9000.
Hi, I understood that docker was playing with the iptables rules to make it easier for users to start ... in the end I was making 2 stupid errors: 1) opening port 9000, which should not be opened and can stay container-accessible only ... and 2) not checking the iptables rules directly ... I found that repo to help me out with this: https://github.com/chaifeng/ufw-docker Thanks for your help!
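The two settings discussed in this thread side by side, as an added example and not the repository's own docker-compose-fpm.yaml: a published FastCGI port that a ufw rule on the host does not actually block, and a layout where php-fpm is only reachable on the compose network. The service names, the nginx image and the mounted config path are assumptions.

```yaml
# Added example, not the project's compose file.
# --- Weak: php-fpm published on every host interface ---
# Docker programs its own iptables rules for published ports, so a host
# firewall rule that "denies 9000" does not stop traffic to this container.
services:
  roundcubemail:
    image: roundcube/roundcubemail:latest-fpm-alpine
    ports:
      - "9000:9000"        # reachable from the internet; remove this
---
# --- Corrected: no published port, php-fpm stays on the compose network ---
services:
  roundcubemail:
    image: roundcube/roundcubemail:latest-fpm-alpine
    # No "ports:" entry. "expose" only documents the port inside the
    # compose network and publishes nothing on the host.
    expose:
      - "9000"
    networks:
      - backend
  web:
    image: nginx:alpine                       # assumed front-end service
    ports:
      - "80:80"                               # the only published port
    volumes:
      # assumed path; its fastcgi_pass points at roundcubemail:9000
      - ./nginx.conf:/etc/nginx/conf.d/default.conf:ro
    networks:
      - backend
networks:
  backend:
# If the FastCGI port really must reach the host (e.g. nginx runs outside
# Docker), bind it to loopback instead: "127.0.0.1:9000:9000".
```

Check the effective rules with `iptables -L DOCKER -n` rather than `ufw status`, since the Docker chain is evaluated before ufw's rules for forwarded traffic.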
--- Update ---
Upon further investigation the issue seems to be related to the exposed php-fpm port. I'm verifying that it's the root cause.
--- Original report ---
latest-fpm-alpine (2021/4/1)
https://hub.docker.com/layers/roundcube/roundcubemail/latest-fpm-alpine/images/sha256-9098e0ffc0c9012ea079448439766944af7793936a022f8882320b8282761668?context=explore
contains crypto malware baked into the image.
it is not present in the previous 1.4.11 which this repo contains.
https://hub.docker.com/layers/roundcube/roundcubemail/1.4.11-fpm-alpine/images/sha256-eef9d3f21a44e442f609a39e5675348bfe16653695af1e5427837686c5e74737
added the ps output of the running containers.
this is not a welcomed april fools joke. please remove infected version from dockerhub.
2021/04/01 - latest-fpm-alpine
1.4.11-fpm-alpine