kdevtmpfsi virus use 99% of cpu #1127

Closed
safaeean opened this issue Feb 10, 2021 · 7 comments

@safaeean

Hello,

I use php:7.3-fpm in my project.

Five minutes after the container starts, a kdevtmpfsi process starts and uses all of the CPU.

The file exists at:
/tmp/kdevtmpfsi

@JoelLinn

How do you start the container? Is your setup similar to the one described in #1110?

@safaeean
Author

safaeean commented Feb 10, 2021

docker compose file

version: '3'


services:
  web:
    container_name: ${APP_NAME}_web
    build:
      context: ./docker/web
      dockerfile: Dockerfile
    volumes:
    - ./:/var/www/app
    - ./docker/certbot/conf:/etc/letsencrypt
    - ./docker/certbot/www:/var/www/certbot
    - ./docker/web/nginx/:/etc/nginx/conf.d/
    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
    links:
      - php
    ports:
    - 80:80
    - 443:443
  certbot:
    container_name: ${APP_NAME}_certbot
    image: certbot/certbot
    volumes:
      - ./docker/certbot/conf:/etc/letsencrypt
      - ./docker/certbot/www:/var/www/certbot
      - ./docker/certbot/letsencrypt:/var/log/letsencrypt
    entrypoint: "/bin/sh -c 'trap exit TERM; while :; do certbot renew; sleep 12h & wait $${!}; done;'"
  php:
    container_name: ${APP_NAME}_php
    build:
      context: ./docker/php
      dockerfile: Dockerfile
    volumes:
      - ./:/var/www/app
      - ./docker/php/crontab:/etc/cron.d/
    ports:
    - 9000:9000

my php Dockerfile

FROM php:7.3-fpm

RUN apt-get update && \
    apt-get install -y \
        zlib1g-dev  libzip-dev


RUN docker-php-ext-install mysqli pdo pdo_mysql



RUN rm /etc/apt/preferences.d/no-debian-php
RUN apt-get update && apt-get install -y libxml2-dev \
    && pear install -a SOAP-0.13.0 \
    && docker-php-ext-install soap;


RUN docker-php-ext-install zip
RUN docker-php-ext-install exif

RUN apt-get update && apt-get install -y \
    cron wget nano \
    libfreetype6-dev \
    libjpeg62-turbo-dev \
    libpng-dev \
    && docker-php-ext-configure gd --with-jpeg-dir --with-freetype-dir \
    && docker-php-ext-install -j$(nproc) gd




RUN rm -rf /var/lib/apt/lists/*


RUN php -r "readfile('https://getcomposer.org/installer');" | php -- --install-dir=/usr/bin/ --filename=composer

COPY crontab/crontab /etc/cron.d/crontab
RUN chmod 0644 /etc/cron.d/crontab
RUN crontab /etc/cron.d/crontab
RUN touch /var/log/cron.log

COPY entrypoint.sh /
WORKDIR /var/www/app/private
RUN chown -R www-data:www-data /var/www
EXPOSE 9000

@JoelLinn

    ports:
    - 9000:9000

Same cause as in #1110. With this, you open your php fpm instance to the WWW.
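
The cause identified in this reply, as an added example that is not part of the original thread: a Python check that reads a Compose file's short-syntax ports entries and reports services publishing the PHP-FPM port on a non-loopback address. The sample input is constructed from the port mappings posted above; the `php_local` service and the function names are hypothetical.

```python
import re

# Constructed sample: the php and web port mappings from the compose file in
# this issue, plus a hypothetical loopback-only service (php_local) for contrast.
SAMPLE = """\
services:
  php:
    ports:
    - 9000:9000
  php_local:
    ports:
      - "127.0.0.1:9000:9000"
  web:
    links:
      - php
    ports:
    - 80:80
    - 443:443
"""

def published_ports(compose_text):
    """Return (service, host_ip, host_port, container_port) per short-syntax entry.
    Assumes services are keyed at two-space indent; long syntax and IPv6 are not handled."""
    service, in_ports, found = None, False, []
    for line in compose_text.splitlines():
        svc = re.match(r"^  ([\w.-]+):\s*$", line)
        item = re.match(r"^\s+-\s*[\"']?([^\"'#\s]+)", line)
        if svc:
            service, in_ports = svc.group(1), False
        elif re.match(r"^\s+ports:\s*$", line):
            in_ports = True
        elif in_ports and item:
            parts = item.group(1).split("/")[0].split(":")
            # Without an explicit host IP, Docker binds the port on all interfaces.
            ip = parts[0] if len(parts) == 3 else "0.0.0.0"
            host = parts[-2] if len(parts) > 1 else None
            found.append((service, ip, host, parts[-1]))
        elif line.strip():
            in_ports = False  # any other key ends the ports list
    return found

def exposed(compose_text, container_port="9000"):
    """Services publishing container_port on a non-loopback host address."""
    return [svc for svc, ip, _, cport in published_ports(compose_text)
            if cport == container_port and not ip.startswith("127.")]

if __name__ == "__main__":
    print(exposed(SAMPLE))
```

Containers on the same Compose network reach php:9000 without any ports entry, so the nginx service keeps working once the mapping is removed.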

@safaeean
Author

safaeean commented Feb 10, 2021

    ports:
    - 9000:9000

Same cause as in #1110. With this, you open your php fpm instance to the WWW.

Thank you.
After removing this section and running docker-compose down -v && docker-compose build --no-cache && docker-compose up -d, the problem was fixed.

@wglambert

There was also a lot of discussion on this malware over at redis/docker-library-redis#217 (comment)

If you want more information you could look through the other issues we've had https://github.com/issues?q=is:issue+org:docker-library+kdevtmpfsi
Or you could also try asking over at the Docker Community Forums, Docker Community Slack, or Stack Overflow

Going to close since this seems resolved

@hakuno

hakuno commented Feb 11, 2021

Is it enough? I'm unsure.

You can close the listening port (incoming). But it may have some outgoing connection (also known as reverse connection).

P.S. The @wglambert links seem like good references.

docker-library locked as resolved and limited conversation to collaborators Feb 11, 2021
@tianon
Member

tianon commented Feb 11, 2021

(Locking this for the same reason as in redis/docker-library-redis#217 (comment) -- if you've been hacked, you need to perform appropriate remediation on your server and deployments, and the details of that remediation are out of scope for this repository.)
