search

docker-library / wordpress

Docker Official Image packaging for WordPress
https://wordpress.org/
GNU General Public License v2.0
1.77k stars 1.07k forks source link

Is this malware in wordpress docker image? #846

Closed ghost closed 11 months ago

ghost commented 1 year ago

I just found something weird, some weird logs and probably crypto miner in try to run Wordpress website using this image wordpress:6.3.1-php8.1-fpm. After few hours of running this website with clean install on clean Ubuntu server, I found this issue. Wordpress was just installed without any other changes. So here is the docker compose and log images.

version: "3.9"

networks:
  wordpress:
    ipam:
      config:
        - subnet: 172.25.0.0/16

services:
  nginx:
    image: nginx:1.15.12
    ports:
        - '8077:80'
    volumes:
        - ./nginx:/etc/nginx/conf.d
        - ./logs/nginx:/var/log/nginx
        - ./.htpasswd-test:/etc/nginx/.htpasswd-test
        - ./wordpress:/var/www/html
    links:
        - wordpress
    networks:
        - wordpress
    restart: always
  mysql:
    image: mysql:5.7.43
    command: '--default-authentication-plugin=mysql_native_password'
    env_file:
      - .env
    ports:
        - '3304:3306'
    volumes:
        - ./db-data:/var/lib/mysql
    environment:
        - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
        - MYSQL_USER=${MYSQL_USER}
        - MYSQL_DATABASE=${MYSQL_DATABASE}
        - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    restart: always
    networks:
      - wordpress
  wordpress:
    image: wordpress:6.3.1-php8.1-fpm
    ports:
        - '9000:9000'
    volumes:
        - ./wordpress:/var/www/html
    env_file:
      - .env
    environment:
        - WORDPRESS_DEBUG=${WORDPRESS_DEBUG}
        - WORDPRESS_DB_USER=${WORDPRESS_DB_USER}
        - WORDPRESS_DB_NAME=${WORDPRESS_DB_NAME}
        - WORDPRESS_TABLE_PREFIX=${WORDPRESS_TABLE_PREFIX}
        - WORDPRESS_DB_HOST=${WORDPRESS_DB_HOST}
        - WORDPRESS_DB_PASSWORD=${WORDPRESS_DB_PASSWORD}
    networks:
      - wordpress
    links:
        - mysql
    restart: always

kinsing

kinsing2

I have tested it a few times in the past few days and the outcome is always the same. Kinsing malware files appeared in the docker overlay2 folder inside folders related to the Wordpress container (UpperDir). It does not appear immediately when you run docker container, it appears a few hours later.

heart commented 11 months ago

My WordPress site always consumes 100% CPU after I update the docker image version (about 5 days ago)

Today I decided to change the docker image to Bitnami Wordpress instead

I'll wait and see if the abnormality goes away.

ghost commented 11 months ago

Apparently the problem was in the opened port for fpm in wordpress:6.3.1-php8.1-fpm service. Somehow attackers install malware through fpm/FastCGI in just a few seconds using this 9000 port. So if you don't need this port publicly opened, set it as '127.0.0.1:9000:9000' in your docker compose file.

yosifkit commented 11 months ago

Apparently the problem was in the opened port for fpm in wordpress:6.3.1-php8.1-fpm service. Somehow attackers install malware through fpm/FastCGI in just a few seconds using this 9000 port. So if you don't need this port publicly opened, set it as '127.0.0.1:9000:9000' in your docker compose file.

Correct, if you expose the fpm port to the broad internet, it is simple for hackers to exploit: https://blogs.juniper.net/en-us/threat-research/rce-attacks-targeting-misconfigured-open-php-fpm. We recommend that you only expose it within a local-only network (like a docker network or kubernetes pod).

The Docker Official Images CI does not build any malware/crypto currency miners into the images (or any scripts/binaries to install a miner/malware). No Docker systems have any access to containers or databases you create with Official Images. The exact Dockerfiles used to build the wordpress images are in this repo.