docker-library / wordpress

Docker Official Image packaging for WordPress
https://wordpress.org/
GNU General Public License v2.0

Is this malware in wordpress docker image? #846

Closed ghost closed 1 year ago

ghost commented 1 year ago

I just found something weird, some weird logs and probably a crypto miner, while trying to run a WordPress website using this image, wordpress:6.3.1-php8.1-fpm. After a few hours of running this website with a clean install on a clean Ubuntu server, I found this issue. WordPress was just installed without any other changes. So here is the docker compose and the log images.

version: "3.9"

networks:
  wordpress:
    ipam:
      config:
        - subnet: 172.25.0.0/16

services:
  nginx:
    image: nginx:1.15.12
    ports:
        - '8077:80'
    volumes:
        - ./nginx:/etc/nginx/conf.d
        - ./logs/nginx:/var/log/nginx
        - ./.htpasswd-test:/etc/nginx/.htpasswd-test
        - ./wordpress:/var/www/html
    links:
        - wordpress
    networks:
        - wordpress
    restart: always
  mysql:
    image: mysql:5.7.43
    command: '--default-authentication-plugin=mysql_native_password'
    env_file:
      - .env
    ports:
        - '3304:3306'
    volumes:
        - ./db-data:/var/lib/mysql
    environment:
        - MYSQL_ROOT_PASSWORD=${MYSQL_ROOT_PASSWORD}
        - MYSQL_USER=${MYSQL_USER}
        - MYSQL_DATABASE=${MYSQL_DATABASE}
        - MYSQL_PASSWORD=${MYSQL_PASSWORD}
    restart: always
    networks:
      - wordpress
  wordpress:
    image: wordpress:6.3.1-php8.1-fpm
    ports:
        - '9000:9000'
    volumes:
        - ./wordpress:/var/www/html
    env_file:
      - .env
    environment:
        - WORDPRESS_DEBUG=${WORDPRESS_DEBUG}
        - WORDPRESS_DB_USER=${WORDPRESS_DB_USER}
        - WORDPRESS_DB_NAME=${WORDPRESS_DB_NAME}
        - WORDPRESS_TABLE_PREFIX=${WORDPRESS_TABLE_PREFIX}
        - WORDPRESS_DB_HOST=${WORDPRESS_DB_HOST}
        - WORDPRESS_DB_PASSWORD=${WORDPRESS_DB_PASSWORD}
    networks:
      - wordpress
    links:
        - mysql
    restart: always

[Two screenshots attached to the original issue (kinsing, kinsing2), showing the Kinsing files and logs.]

I have tested it a few times in the past few days and the outcome is always the same. Kinsing malware files appeared in the docker overlay2 folder inside folders related to the WordPress container (UpperDir). It does not appear immediately when you run the docker container; it appears a few hours later.

heart commented 1 year ago

My WordPress site always consumes 100% CPU after I updated the docker image version (about 5 days ago).

Today I decided to change the docker image to Bitnami WordPress instead.

I'll wait and see if the abnormality goes away.

ghost commented 1 year ago

Apparently the problem was in the opened port for fpm in wordpress:6.3.1-php8.1-fpm service. Somehow attackers install malware through fpm/FastCGI in just a few seconds using this 9000 port. So if you don't need this port publicly opened, set it as '127.0.0.1:9000:9000' in your docker compose file.

yosifkit commented 1 year ago

> Apparently the problem was in the opened port for fpm in wordpress:6.3.1-php8.1-fpm service. Somehow attackers install malware through fpm/FastCGI in just a few seconds using this 9000 port. So if you don't need this port publicly opened, set it as '127.0.0.1:9000:9000' in your docker compose file.

Correct, if you expose the fpm port to the broad internet, it is simple for hackers to exploit: https://blogs.juniper.net/en-us/threat-research/rce-attacks-targeting-misconfigured-open-php-fpm. We recommend that you only expose it within a local-only network (like a docker network or kubernetes pod).

The Docker Official Images CI does not build any malware/crypto currency miners into the images (or any scripts/binaries to install a miner/malware). No Docker systems have any access to containers or databases you create with Official Images. The exact Dockerfiles used to build the wordpress images are in this repo.
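The two fixes discussed in this thread (bind the fpm port to loopback, or better, do not publish it at all and let nginx reach it over the compose network) are easy to get wrong silently, because `docker ps` still shows the container as healthy. The following POSIX shell audit is an added example, not code from the issue or from the docker-library/wordpress project. It reads the `PORTS` column format that `docker ps --format '{{.Names}}\t{{.Ports}}'` prints and flags every binding on a non-loopback address, and it also classifies a single compose `ports:` entry. The sample `docker ps` output is constructed to match the compose file posted above; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of the docker-library/wordpress project).
# Audits published container ports so that an fpm port like 9000 bound to
# 0.0.0.0 or :: is caught before the host goes on the internet.

tab=$(printf '\t')

# flag_public_bindings NAME PORTS
# PORTS is one container's PORTS column from `docker ps`, e.g.
#   "0.0.0.0:9000->9000/tcp, :::9000->9000/tcp"
# Prints "NAME BINDING" for every binding reachable from other hosts.
flag_public_bindings() {
    name=$1
    ports=$2
    printf '%s\n' "$ports" | tr ',' '\n' | sed 's/^ *//' | while read -r binding; do
        case $binding in
            # all-interfaces bindings (IPv4 wildcard, IPv6 wildcard, bracketed IPv6 wildcard)
            0.0.0.0:*|:::*|'[::]:'*) printf '%s %s\n' "$name" "$binding" ;;
        esac
    done
}

# audit_running_containers
# Reads "NAME<TAB>PORTS" lines on stdin, the output of
#   docker ps --format '{{.Names}}\t{{.Ports}}'
# and prints every publicly reachable binding.
audit_running_containers() {
    while IFS=$tab read -r name ports; do
        [ -n "$name" ] && flag_public_bindings "$name" "$ports"
    done
}

# compose_port_is_local ENTRY
# ENTRY is one item of a compose `ports:` list (quotes allowed).
# "9000:9000" publishes on every host interface; "127.0.0.1:9000:9000"
# stays on loopback. Returns 0 for loopback-only entries, 1 otherwise.
compose_port_is_local() {
    entry=$(printf '%s' "$1" | tr -d "\"'")
    case $entry in
        127.*:*:*|localhost:*:*|'[::1]:'*:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample: what `docker ps` would print for the compose file in
# the issue, with mysql shown bound to loopback for contrast.
SAMPLE_PS=$(printf 'wordpress\t0.0.0.0:9000->9000/tcp, :::9000->9000/tcp\nnginx\t0.0.0.0:8077->80/tcp, :::8077->80/tcp\nmysql\t127.0.0.1:3304->3306/tcp')

# Stand-alone run: lists the four wordpress/nginx bindings, nothing for mysql.
printf '%s\n' "$SAMPLE_PS" | audit_running_containers
```

In the thread's setup the wordpress service needs no `ports:` entry at all: nginx reaches `wordpress:9000` over the `wordpress` compose network, so the cleanest fix is to delete the mapping rather than to rebind it. Keep `127.0.0.1:9000:9000` only when something on the host itself must talk FastCGI to the container.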