roundcubemail container is constantly infected with kdevtmpfsi and kinsing #215
Comments
Ok, I just deleted my roundcubemail container, deleted the contents of data/rcm/www and data/rcm/pgsql then restarted and looked at the logs. Here is what I just saw:
Then... :
But kdevtmpfsi is not visible for now in htop on the host.
I deleted everything, except the data from my mailserver.
Then I tried again, but this time without the alpine versions of the containers, that is: I also replaced my nginx config with this:
The malware was back when I woke up this morning. I just found that I'm not the only one with this problem: "I also have been pawned by this malware"
According to @erlangparasu's comment, the weak spot might be postgres. Running a plain Roundcube container does not show such files and thus there's little we can do about it. But I'm leaving this issue open to collect more information and possibly solutions for those who are affected.
@manuviens Docker and firewalls (on the host) don't play nicely, so you probably are not blocking that port at all. If you host everything on the same host, there is no need to expose port 9000.
I don't open the fpm port. @navossoc's comment is spam or may be a scam.
@erlangparasu Maybe you don't, but he did. I just tagged the wrong person.
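The comment above makes a point worth checking mechanically: a port published with `-p 9000:9000` (or `ports: - "9000:9000"` in compose) is bound on all interfaces, and Docker inserts its own DNAT/FORWARD rules ahead of the host's INPUT rules, so a typical host firewall never sees that traffic. The following script is an added example, not code from this issue or from the project; it parses `docker ps` output and lists every port published on `0.0.0.0` or `::`. The `SAMPLE_PS` text is a constructed stand-in for real `docker ps --format '{{.Names}} {{.Ports}}'` output, and the function name `find_world_exposed` is mine.

```shell
#!/bin/sh
# Constructed sample of `docker ps --format '{{.Names}} {{.Ports}}'` output.
# The roundcubemail line shows the risky shape: php-fpm's port 9000 published
# on every interface (Docker emits both the IPv4 and the IPv6 binding).
SAMPLE_PS=$(printf '%s\n' \
  'roundcubemail 0.0.0.0:9000->9000/tcp, :::9000->9000/tcp' \
  'nginx 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp' \
  'postgres 127.0.0.1:5432->5432/tcp' \
  'mailserver 25/tcp')

# find_world_exposed "<docker ps output>"
# Prints "container host_port" for each port published on all interfaces.
# A loopback binding (127.0.0.1:...) or an unpublished port ("25/tcp",
# reachable only on the Docker network) is not reported.
find_world_exposed() {
    printf '%s\n' "$1" | while read -r name ports; do
        # Port mappings are comma-separated within one container's entry.
        printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | while read -r m; do
            case "$m" in
                0.0.0.0:*|:::*|\[::\]:*)
                    hostport=${m%%->*}       # e.g. "0.0.0.0:9000" or ":::9000"
                    hostport=${hostport##*:} # e.g. "9000"
                    printf '%s %s\n' "$name" "$hostport"
                    ;;
            esac
        done
    done | sort -u   # collapse the IPv4/IPv6 pair into one line
}

# Stand-alone run against the constructed sample; on a real host use:
#   find_world_exposed "$(docker ps --format '{{.Names}} {{.Ports}}')"
find_world_exposed "$SAMPLE_PS"
```

Anything the script prints is reachable from the internet regardless of host firewall rules. For a service that only other containers on the same host consume, such as php-fpm behind nginx, the fix is to drop the `ports:` entry entirely and let the containers talk over the compose network, or at minimum bind it to loopback (`127.0.0.1:9000:9000`).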
In htop on the host where my containers are running, I noticed that a process (kdevtmpfsi) was launched twice from /tmp. Each of them was using 50% of my CPU. While searching on the web, I learned that kdevtmpfsi was often related to another file, kinsing, and that it is probably a cryptocurrency miner.
Not finding these files on the host and noticing that the processes disappeared from htop if I turned off the containers, I searched inside the containers and found /tmp/kinsing in the roundcubemail container.
Deleting the container and restarting it solves the problem only for a while; within 24 hours both kdevtmpfsi processes are hogging my CPU again.
Have others experienced this problem, or is it my configuration that is to blame?
Here is a copy of my docker-compose.yml :
Maybe the breach is in my nginx configuration?
Other than that, everything works fine.
P.S. I'm using this VPS for 1 week only; what you see in docker-compose.yml is the only thing running on this server.
I'm using Ansible to manage this server; I can show you how I install Docker, etc. if it can help.
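The triage the reporter describes (processes visible in the host's htop, binaries living in /tmp, and the host pid belonging to a container) can be scripted so the check runs on a schedule instead of being noticed by chance. The script below is an added example, not code from this issue or from the project. It assumes a Linux host with a /proc filesystem and Docker's usual cgroup naming (`docker-<id>.scope` under cgroup v2, `/docker/<id>` under v1); `SAMPLE_PS` and `SAMPLE_CGROUP` are constructed stand-ins for `ps` output and for a `/proc/<pid>/cgroup` file, and the function names are mine.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,ppid,args --no-headers` on the host.
# The /tmp entries mirror the process names reported in this issue.
SAMPLE_PS='  412     1 /usr/sbin/nginx -g daemon off;
  980   412 php-fpm: pool www
 1337     1 /tmp/kdevtmpfsi
 1338     1 /tmp/kinsing
 2001     1 /usr/bin/postgres -D /var/lib/postgresql/data'

# Constructed /proc/<pid>/cgroup content (cgroup v2 layout); the container id
# is a placeholder, not a real id.
SAMPLE_CGROUP='0::/system.slice/docker-deadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeefdeadbeef.scope'

# flag_tmp_exec "<ps output>"
# Prints "pid path" for every process whose program path is under a
# world-writable scratch directory. Returns 1 when nothing is flagged, so the
# function can drive an alert from cron. Unprivileged droppers land in /tmp,
# /var/tmp or /dev/shm because those are the directories any user can write.
flag_tmp_exec() {
    printf '%s\n' "$1" | awk '
        $3 ~ /^\/(tmp|var\/tmp|dev\/shm)\// { print $1, $3; found = 1 }
        END { exit found ? 0 : 1 }'
}

# container_of_cgroup "<contents of /proc/<pid>/cgroup>"
# Extracts the Docker container id (12 to 64 hex chars) from the cgroup path,
# or prints nothing when the pid is not in a Docker container.
container_of_cgroup() {
    printf '%s\n' "$1" \
      | sed -n 's#.*docker[-/]\([0-9a-f]\{12,64\}\).*#\1#p' \
      | head -n 1
}

# Stand-alone run against the constructed data. On a live host replace the
# samples with:  flag_tmp_exec "$(ps -eo pid,ppid,args --no-headers)"
# and, for each flagged pid:  container_of_cgroup "$(cat /proc/$pid/cgroup)"
# `ls -l /proc/$pid/exe` also still works after the file has been deleted
# from /tmp (the link shows "(deleted)"), which is why the reporter saw the
# process in htop without finding the file on the host.
flag_tmp_exec "$SAMPLE_PS" | while read -r pid path; do
    cid=$(container_of_cgroup "$SAMPLE_CGROUP")
    printf 'suspicious: pid=%s exe=%s container=%s\n' "$pid" "$path" "${cid:-host}"
done
```

Once the container id is known, `docker inspect --format '{{.Name}}' <id>` names the container, and `docker top <container>` lists the same processes from the container's point of view, which confirms which image needs to be rebuilt rather than just restarted.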