itmicus / cmdbuild_docker

CMDBuild 3.4 with READY2USE 2.3 and openMAINT 2.3 in Docker

Is there any security vulnerability in this Docker setup? I got attacked by kdevtmpfsi #29

Closed ridwankustanto closed 1 year ago

ridwankustanto commented 3 years ago

Hi, so I'm trying this image, and yesterday I set up a fresh instance just for this app, and not long after that, I found my server's CPU usage was very high.

I found out that I got attacked by this script called kdevtmpfsi. I searched and found that it's a cryptocurrency miner script that's utilizing your CPU.

And I deleted the first instance and set up another one, and it's happening again now.

So, how could this happen?

Any help would be appreciated 🙏

afcarvalho1991 commented 3 years ago

That is weird, I haven't experienced anything like it. Can you share more details on how you access the host machine etc? I fear that the host machine might be the root cause for it.

afcarvalho1991 commented 1 year ago

This is crypto miner software. We found that the root cause for this is having:

  1. basic username and password for the database
  2. Having the database port exposed to the internet... which is always a bad idea and should never be done. Please check your docker-compose.yaml, see here: https://github.com/itmicus/cmdbuild_docker/blob/de17bcf169213dbe1c80ebf5b5afdeeb494c7fb9/3.4.1/docker-compose.yml#L12-L13. On production environments you should never have this port exposed...

afcarvalho1991 commented 1 year ago

Perhaps, by default, we should disable exposing the DB port.

https://github.com/itmicus/cmdbuild_docker/pull/36
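
An added example, not part of the thread or of the repository's code: a check for the second root cause named above, a database port published beyond loopback in a Compose file. It works on parsed Compose data (for instance the output of `docker compose config --format json` loaded with `json.load`); the `DB_PORTS` set and the `SAMPLE` services are assumptions constructed for illustration.

```python
import ipaddress

DB_PORTS = {5432, 3306, 1433, 27017, 6379}  # assumption: common DB listener ports

def _span(port):
    """'5432' -> (5432, 5432); '5000-5010' -> (5000, 5010)."""
    lo, _, hi = str(port).partition("-")
    return int(lo), int(hi or lo)

def parse_port(entry):
    """Return (host_ip, published, target_span) for a short- or long-syntax entry."""
    if isinstance(entry, dict):                      # long syntax
        return entry.get("host_ip", ""), entry.get("published"), _span(entry["target"])
    parts = str(entry).split("/")[0].rsplit(":", 2)  # [host_ip:]published:target
    if len(parts) == 1:                              # container port only: random host port
        return "", None, _span(parts[0])
    host_ip = parts[0].strip("[]") if len(parts) == 3 else ""
    return host_ip, parts[-2], _span(parts[-1])

def is_loopback(host_ip):
    try:
        return ipaddress.ip_address(host_ip).is_loopback
    except ValueError:                               # empty host_ip: Docker binds all interfaces
        return False

def exposed_db_ports(compose):
    """List (service, bind address, host port) for DB ports published off-loopback."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        for entry in svc.get("ports") or []:
            host_ip, published, (lo, hi) = parse_port(entry)
            if any(lo <= p <= hi for p in DB_PORTS) and not is_loopback(host_ip):
                findings.append((name, host_ip or "0.0.0.0", str(published or "ephemeral")))
    return findings

SAMPLE = {  # constructed sample, not the repository's actual compose file
    "services": {
        "db_exposed": {"image": "postgres", "ports": ["5432:5432"]},
        "db_local": {"image": "postgres", "ports": ["127.0.0.1:5432:5432"]},
        "db_internal": {"image": "postgres"},  # no ports: compose network only
        "db_long": {"image": "postgres",
                    "ports": [{"target": 5432, "published": "15432", "protocol": "tcp"}]},
        "app": {"image": "example/app", "ports": ["8090:8080"]},
    }
}

if __name__ == "__main__":
    for finding in exposed_db_ports(SAMPLE):
        print("database port published beyond loopback: %s on %s:%s" % finding)
```

A service with no `ports` entry stays reachable by other services on the same Compose network, so removing the mapping does not break the application's own database connection.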