chialab/docker-php

Virus in container image

Closed this issue · 7 comments

Hi
PHP 7.4 fpm image has a kdevtmpfsi virus miner and it utilized 100% of all CPUs and RAM...
I think it is not a coincidental problem!

Thanks for reporting! I'm investigating the issue.

Hi @rezakho, I'm trying to reproduce the problem, but I need a little more context, please.

I've attempted to create (without launching) containers from chialab/php:7.4, chialab/php:7.4-apache, and chialab/php:7.4-fpm images, then inspected the container's filesystem looking for a binary named kdevtmpfsi, but found nothing:

$ docker create --name test chialab/php:7.4
0f4ff4f8987061f3fb2098608b230260f095c382dfc5e410f3f56e9af11dfc51
$ docker export test | tar t | grep kdevtmpfsi
$ docker rm -fv test
test

$ docker create --name test chialab/php:7.4-apache
28ffc81e0ded750c0ce1622508b5c4e3ab8111dc87e1802b085e2af56791ed59
$ docker export test | tar t | grep kdevtmpfsi
$ docker rm -fv test
test

$ docker create --name test chialab/php:7.4-fpm
91b78221d265100cee016b2ff968f03d997f289780616c1c2a69bb3e06c9c83c
$ docker export test | tar t | grep kdevtmpfsi
$ docker rm -fv test
test


I understand you're using chialab/php:7.4 image, right? Which flavour are you using? I assume it is chialab/php:7.4-apache, am I correct?

I've also started a container with the latest chialab/php:7.4-apache image, then inspected the running processes with docker top, and I'm unable to see anything weird:

Can you please help me with some more steps so that I can reproduce the problem? If possible, please share your Dockerfile and build scripts so that we can investigate the issue further — either by including it in the issue, or you can email it to me at the email address in my GitHub profile if there is anything you don't want to share publicly.
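The create/export/`tar t`/grep check from the comment above, generalised to several image tags as an added example (not code from the chialab/docker-php maintainers or repository): it matches the basename of each filesystem entry instead of grepping for a substring, and removes the temporary container whether or not anything is found. The file name kdevtmpfsi and the chialab/php tags are the ones from this thread.

```shell
#!/bin/sh
# Added example, not part of chialab/docker-php. Requires docker and tar when
# scan_image is used; find_in_listing works on any `tar t` listing offline.
set -eu

# Read a `tar t` listing on stdin, print every entry whose basename equals the
# wanted file name. Exit 0 if at least one entry matched, 1 otherwise.
find_in_listing() {
    local wanted="$1" hit=1 entry
    while IFS= read -r entry; do
        # Basename comparison: "tmp/kdevtmpfsi" matches, "kdevtmpfsi.log"
        # and the directory entry "tmp/" (empty basename) do not.
        if [ "${entry##*/}" = "$wanted" ]; then
            printf '%s\n' "$entry"
            hit=0
        fi
    done
    return "$hit"
}

# Create (never start) a container from the image, list its filesystem, and
# remove the container again. Returns 0 if clean, 2 if the file was found.
scan_image() {
    local image="$1" wanted="$2" cid status
    cid=$(docker create "$image")
    if docker export "$cid" | tar t | find_in_listing "$wanted"; then
        status=2
        echo "FOUND $wanted in $image"
    else
        status=0
        echo "clean: $image"
    fi
    docker rm -fv "$cid" >/dev/null
    return "$status"
}

# Usage: sh scan_image.sh kdevtmpfsi chialab/php:7.4 chialab/php:7.4-apache
# chialab/php:7.4-fpm. Without arguments the file only defines the functions.
if [ "$#" -gt 0 ]; then
    wanted="$1"; shift
    rc=0
    for image in "$@"; do
        scan_image "$image" "$wanted" || rc=$?
    done
    exit "$rc"
fi
```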

The vulnerability you're pointing out was patched as of October 2019:

Administrators and IT teams using NGINX with PHP-FPM are recommended to update their PHP to their latest or stable versions (7.2.24 or 7.3.11), which have addressed the vulnerability

Right now, our images run PHP 7.2.34 and 7.3.24. PHP 7.4 was released after that vulnerability was fixed, and we must assume that every stable release of 7.4.x was unaffected, unless the bug was somehow reintroduced…

No! Unfortunately this vulnerability exists in php 7+ but is not related directly to your repo or docker (I'm not sure!):
https://github.com/neex/phuip-fpizdam

6. This exploit works only for PHP 7+, but the bug itself is present in earlier versions (see below).

le0m commented

Hello @rezakho,
our images do not include nginx out of the box, and the vulnerability is patched in PHP 7.4, 7.3.11, 7.2.24 and 7.1.33 (see the changelog), so the only versions that could be susceptible are 5.6 and 7.0.

Could you share more information on your setup? What flavor are you using, php, php-apache or php-fpm? What makes you think that the problem is the vulnerability you linked?

I'm closing this issue, as we're unable to reproduce the scenario described starting from the base image.

Feel free to open a new issue, but please include detailed steps to reproduce the problem with the chialab/php image — keep in mind that we can't fix PHP's own vulnerabilities in this repository apart from installing and possibly pre-configuring it with sane, reasonable defaults.