Postgres Malware Issue #1307


Closed
kobecachuela opened this issue Jan 10, 2025 · 1 comment

Comments

@kobecachuela
[image (2)]

There's malware running in the postgres container I created using the official docker image. The specific command I used:
docker pull postgres
docker run --name postgres_db -e POSTGRES_USER=postgres -e POSTGRES_PASSWORD=mypassword -e POSTGRES_DB=middleware_db -p 5432:5432 -d postgres

Running the postgres container is one of the things I did in the early stages of development. So it has been running for quite some time.
Through the malware the attacker was able to mine crypto, utilizing the resources of an expensive server.

Below is my docker version:
Docker version
Client: Docker Engine - Community
Version: 27.3.1
API version: 1.47
Go version: go1.22.7
Git commit: ce12230
Built: Fri Sep 20 11:41:00 2024
OS/Arch: linux/amd64
Context: default

Server: Docker Engine - Community
Engine:
Version: 27.3.1
API version: 1.47 (minimum version 1.24)
Go version: go1.22.7
Git commit: 41ca978
Built: Fri Sep 20 11:41:00 2024
OS/Arch: linux/amd64
Experimental: false
containerd:
Version: 1.7.24
GitCommit: 88bf19b2105c8b17560993bee28a01ddc2f97182
runc:
Version: 1.2.2
GitCommit: v1.2.2-0-g7cb3632
docker-init:
Version: 0.19.0
GitCommit: de40ad0

@tianon
Member

tianon commented Jan 10, 2025

Oof, this is never a fun time -- sorry you're going through it!

See #1054 (comment) for some more references, but generally this is a side effect of having an instance exposed publicly, especially with an easy-to-guess or common password (like mypassword 😬).

For a bit more context, -p 5432:5432 is the part of your command which is taking this instance and "exposing" it externally. If your host/VM instance has a public IP, this is publicly accessible on the internet, and with a password like mypassword, it's not surprising that it was found and exploited. 🙈

I would suggest taking that container down ASAP and taking extra steps to secure any future deployment. 🙇

Good luck! (I'm going to close since this isn't something from the image itself, but an exploited insecure configuration.)

@tianon tianon closed this as completed Jan 10, 2025
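The exposure tianon points at (a bare `-p 5432:5432` publishes the port on every interface of the host) can be checked from the host side. This is an added example, not code from the issue or from the docker-library/postgres project: it classifies `-p` publish specs, scans `docker ps` port columns (a constructed sample is embedded) for wildcard binds, and prints a loopback-bound variant of the reporter's run command; the `./pg_password` file it mounts is an assumption the admin has to create.

```shell
#!/bin/sh
# Added example (not from the issue or the docker-library/postgres project):
# audit Docker port publishing for wildcard binds such as the `-p 5432:5432`
# that made this instance reachable from the internet.

# Return 0 when a `-p` spec binds the host side to loopback only, 1 when it
# would listen on every interface (what a bare `HOSTPORT:PORT` spec does).
publish_is_loopback() {
    case "$1" in
        127.*:*:*|\[::1\]:*:*) return 0 ;;
        *)                     return 1 ;;
    esac
}

# Constructed sample in the shape of: docker ps --format '{{.Names}}\t{{.Ports}}'
SAMPLE_PS=$(printf 'postgres_db\t0.0.0.0:5432->5432/tcp, :::5432->5432/tcp\nredis_local\t127.0.0.1:6379->6379/tcp\napp\t8080/tcp\n')

# Print the names of containers with a port published on a wildcard address
# (0.0.0.0 or ::), i.e. reachable from every network the host is attached to.
# Loopback binds (127.x, [::1]) and unpublished ports are not reported.
publicly_exposed() {
    printf '%s\n' "$1" |
        awk -F'\t' '$2 ~ /(^|[, ])(0\.0\.0\.0|::):[0-9]+->/ { print $1 }'
}

# The reporter's run command with two changes: the publish is bound to
# loopback so only clients on the host itself can connect, and the password
# is read from a file via POSTGRES_PASSWORD_FILE (supported by the official
# image) instead of a guessable literal on the command line. Assumes the
# admin created ./pg_password with a randomly generated password beforehand.
hardened_run_cmd() {
    cat <<'EOF'
docker run --name postgres_db \
  -e POSTGRES_USER=postgres \
  -v "$PWD/pg_password:/run/secrets/pg_password:ro" \
  -e POSTGRES_PASSWORD_FILE=/run/secrets/pg_password \
  -e POSTGRES_DB=middleware_db \
  -p 127.0.0.1:5432:5432 \
  -d postgres
EOF
}

# Demo on the constructed sample; on a real host pass live output instead:
#   publicly_exposed "$(docker ps --format '{{.Names}}\t{{.Ports}}')"
echo "Publicly exposed containers: $(publicly_exposed "$SAMPLE_PS")"
```

Anything the audit lists is reachable by whoever can reach the host's IP, so it deserves the same password and network-policy scrutiny as a service installed directly on the host.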