
Amund’s note on home server security


2025-01-04

Happy New Year! Or so I thought. After a refreshing Christmas vacation with my family, I was hiding something in our storage room when I noticed the server fan running at maximum speed. This was unexpected, as my server is powered by an Intel i3 and should handle all the light tasks I run without a hitch. However, I continued unpacking and thought no more about it. Today, while running a simulation on my laptop, the fan noise reminded me of my earlier observation. I decided to SSH into my server to check its status.

The Kinsing malware

To my surprise, when running htop I see two processes running at 100% CPU usage named kdevtmpfsi. Reading the first couple of search results confused me – I was a victim of a known malware called Kinsing. This tends to run crypto-mining activities at full blast on both cores of my server. According to htop it had continued for more than 8 days.

Screenshot of htop showing resource usage
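For anyone who wants to check a headless box for the same thing without opening htop, here is an added example (my code, not part of Amund's post) that scans the output of `ps -eo pid,pcpu,etimes,comm --no-headers` for the Kinsing process names and for any process that has been pegging a core for more than an hour. The `ps` sample embedded below is constructed to mirror the numbers in the screenshot; the names in `MINER_NAMES` are the ones this post and the public Kinsing write-ups mention, so extend the set for other families.

```python
"""Flag long-running, CPU-hogging processes whose names match known
crypto-miner binaries (added example, not from the original post).

Input is the text produced by `ps -eo pid,pcpu,etimes,comm --no-headers`;
`etimes` is the elapsed seconds since the process started.
"""

# Process names Kinsing is known to use; extend for other miner families.
MINER_NAMES = {"kdevtmpfsi", "kinsing"}

# Constructed sample: two miner processes at ~100% CPU for 698400 s (8.1 days).
SAMPLE_PS = """\
    1   0.0 1209600 systemd
  842   0.3 1209000 sshd
 1190   1.2  705000 postgres
 2317  99.8  698400 kdevtmpfsi
 2318  99.6  698400 kdevtmpfsi
 2400   0.0     120 htop
"""


def parse_ps(text):
    """Return a list of (pid, cpu_percent, elapsed_seconds, command) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        pid, pcpu, etimes, comm = parts
        rows.append((int(pid), float(pcpu), int(etimes), comm.strip()))
    return rows


def find_miners(text, cpu_threshold=90.0, min_seconds=3600):
    """Return a dict per suspicious process.

    A process is flagged if its name is a known miner name, or if it has
    been burning at least `cpu_threshold` percent CPU for longer than
    `min_seconds` (one hour by default), which is unusual on a light home server.
    """
    hits = []
    for pid, pcpu, etimes, comm in parse_ps(text):
        known = comm in MINER_NAMES
        hog = pcpu >= cpu_threshold and etimes >= min_seconds
        if known or hog:
            hits.append({
                "pid": pid,
                "comm": comm,
                "cpu": pcpu,
                "days_running": round(etimes / 86400, 1),
                "reason": "known miner name" if known else "sustained CPU hog",
            })
    return hits


if __name__ == "__main__":
    for hit in find_miners(SAMPLE_PS):
        print(hit)
```

The name check is only a convenience; the sustained-CPU rule is what would have caught this on day one, when the process name meant nothing to you yet. On a real host pipe `ps` into the script instead of using the sample, and treat any hit as a reason to look at which container or service spawned it.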

I immediately investigated the potential cause and found that there was an exploit targeting unprotected and exposed Docker containers (SOURCE). This is a bit of a relief, because the latest change I made was to spin up a postgres_alpine Docker container before the holidays. Spinning it up was done in a hurry, because I wanted to use it remotely for a personal project while I was away from home. It also means it was exposed to the internet, with open router firewall ports and all. Considering the process has been running for 8 days, this means that the infection occurred just one day after the database was created. None of the database guides I followed warned me about the dangers of exposing a Docker-containerized database to the internet. Of course I password-protected it, but since it was meant to be temporary, I didn’t try to secure it properly.

Fortunately, despite the alarming log entries showing attempts to change privileges and delete critical folders, it seems that all malicious activity is contained. And luckily for me, the kdevtmpfsi processes stop when I stop the postgres_alpine container.

Screenshot of postgres_alpine docker logs
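The mistake in this story is a one-character one: `-p 5432:5432` publishes the port on every interface (Docker records an empty or `0.0.0.0` `HostIp`), while `-p 127.0.0.1:5432:5432` binds it to loopback only, so the database is reachable over SSH or a VPN but not from the router's port forward. The following is an added example (my code, not from the post) that audits `docker inspect` output for wildcard bindings; the JSON is constructed to show the container as it was started, the same container bound to loopback, and one with no published port at all.

```python
"""Audit `docker inspect` output for containers that publish ports on every
interface (added example, not from the original post).

Usage on a real host: `docker inspect $(docker ps -q) > containers.json`
and pass the file contents to `exposed_ports`.
"""
import json

# Docker stores these values for `-p PORT:PORT` with no host address.
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}

# Constructed sample: the three ways the same container could have been run.
SAMPLE_INSPECT = json.dumps([
    {   # `-p 5432:5432` -> reachable on every interface
        "Name": "/postgres_alpine",
        "HostConfig": {"PortBindings": {
            "5432/tcp": [{"HostIp": "", "HostPort": "5432"}],
        }},
    },
    {   # `-p 127.0.0.1:5432:5432` -> loopback only
        "Name": "/postgres_alpine_fixed",
        "HostConfig": {"PortBindings": {
            "5432/tcp": [{"HostIp": "127.0.0.1", "HostPort": "5432"}],
        }},
    },
    {   # no `-p` at all -> only other containers on the Docker network
        "Name": "/internal_only",
        "HostConfig": {"PortBindings": {}},
    },
])


def exposed_ports(inspect_json):
    """Return (container, container_port, host_ip, host_port) for every
    published port whose host address is a wildcard."""
    findings = []
    for container in json.loads(inspect_json):
        name = container["Name"].lstrip("/")
        # PortBindings is null when nothing is published, hence the `or {}`.
        bindings = container.get("HostConfig", {}).get("PortBindings") or {}
        for cport, hosts in bindings.items():
            for h in hosts or []:
                host_ip = h.get("HostIp", "")
                if host_ip in WILDCARD_HOSTS:
                    findings.append((name, cport, host_ip or "0.0.0.0", h.get("HostPort", "")))
    return findings


def suggest_fix(finding):
    """Return the loopback-only form of the publish flag for a finding."""
    _name, cport, _ip, hport = finding
    port = cport.split("/")[0]
    return f"-p 127.0.0.1:{hport}:{port}"


if __name__ == "__main__":
    for f in exposed_ports(SAMPLE_INSPECT):
        print(f, "->", suggest_fix(f))
```

One caveat worth knowing: a published Docker port bypasses the host's own `ufw`/`iptables` INPUT rules, because Docker inserts its forwarding rules ahead of them, so a host firewall that "allows only SSH" does not protect a `-p 5432:5432` container. Binding to loopback (or not publishing at all and reaching the database through a VPN) is the fix on the Docker side; removing the port forward on the router, as the post does, is the fix on the network side, and both should be done.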

Minimize the Attack Surface

However, while checking my system logs, I found out that someone is always trying to brute-force into my server. A quick IP search revealed that it was registered to a Chinese ISP and located in the Russian Federation. Although I believe this is not an immediate threat, I decided to close access to my home network for VPN and SSH connections to my server. After checking my UPnP and DMZ settings, it turns out that there are no more ports open on my home network.

With this, the attack surface of my home network should be limited to exploits against my router firewall, and thus be minimized as much as possible. This leaves the problem that I can’t VPN into my LAN to run simulations on my desktop from the outside, so I may have to check again to open that up at some point. For now, I hope to get some rest soon.
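The "someone is always trying" observation is easy to turn into a number. Here is an added example (my code, not from the post) that reads the standard OpenSSH `Failed password` lines from `/var/log/auth.log`, groups them by source address, and reports any address with five or more failures inside ten minutes. The log excerpt is constructed, with documentation-only addresses (203.0.113.5 for the attacker, 198.51.100.7 for the owner's own typo), and the host name and user name are placeholders.

```python
"""Find SSH brute-force sources in auth.log (added example, not from the
original post). Matches the stock OpenSSH "Failed password" message.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

# Constructed sample: six failures from one address in 15 seconds, one
# mistyped password from the owner, one successful key login, cron noise.
SAMPLE_AUTH_LOG = """\
Jan  3 04:12:07 homeserver sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan  3 04:12:09 homeserver sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Jan  3 04:12:11 homeserver sshd[2205]: Failed password for root from 203.0.113.5 port 51244 ssh2
Jan  3 04:12:14 homeserver sshd[2207]: Failed password for invalid user oracle from 203.0.113.5 port 51250 ssh2
Jan  3 04:12:18 homeserver sshd[2209]: Failed password for root from 203.0.113.5 port 51262 ssh2
Jan  3 04:12:22 homeserver sshd[2211]: Failed password for invalid user test from 203.0.113.5 port 51270 ssh2
Jan  3 07:30:41 homeserver sshd[2290]: Failed password for amund from 198.51.100.7 port 40012 ssh2
Jan  3 07:30:55 homeserver sshd[2292]: Accepted publickey for amund from 198.51.100.7 port 40013 ssh2
Jan  3 09:01:00 homeserver CRON[2300]: pam_unix(cron:session): session opened for user root by (uid=0)
"""


def failed_logins(log_text):
    """Map source IP -> list of (syslog timestamp, attempted user)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # accepted logins, cron, anything that is not a failure
        attempts[m["ip"]].append((m["ts"], m["user"]))
    return attempts


def brute_forcers(log_text, threshold=5, window_seconds=600, year=2025):
    """Return {ip: total_failures} for addresses with at least `threshold`
    failures inside any `window_seconds` span.

    Syslog timestamps carry no year, so one is supplied; the default is the
    year of the post and only matters across a year boundary.
    """
    result = {}
    for ip, events in failed_logins(log_text).items():
        times = sorted(
            datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S") for ts, _ in events
        )
        start = 0  # sliding window over the sorted timestamps
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                result[ip] = len(times)
                break
    return result


if __name__ == "__main__":
    print(brute_forcers(SAMPLE_AUTH_LOG))
```

This is essentially what fail2ban does continuously before banning an address; on a box that must keep SSH reachable, running fail2ban plus `PasswordAuthentication no` in `sshd_config` removes the password-guessing avenue entirely, while the post's choice of closing the port is the stronger and simpler option when remote access is not needed.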

Lessons Learned

For those of you who have never had this feeling: Be careful about exposing your home setup on the internet! I have learned my lesson, and the next time I want to disclose something on the internet, I will make sure to take the necessary precautions.

Happy New Year!

2025-01-05 12:36:00
