A story on home server security

submited by
Style Pass
2025-01-05 13:00:05

Happy New Year! Or so I thought. After a refreshing Christmas vacation with my family, I was stashing something away in our storage room when I noticed the server fan running at maximum speed. This was very unexpected, considering my server is powered by an Intel i3 and should handle all the light tasks I run quite effortlessly. Anyways, I continued unpacking and didn't think much more of it. Today, while running a simulation on my laptop, the fan noise reminded me of my earlier observation. I decided to SSH in to my server to check its status.

To my surprise, when running htop, I saw two processes running at 100% CPU utilization named kdevtmpfsi. Reading the first couple of search results left me baffeled - I had fallen victim for a known malware called Kinsing. It was most likely running crypto-mining activities on full blast on two cores on my server. According to htop, this had been going on for over 8 days.

I quickly investigated the potential cause and found that there is an exploit targeting unprotected and exposed Docker containers (source). This was somewhat releiving, as the latest change I made was spinning up a postgres_alpine container in Docker right before the holidays. Spinning it up was done in a hurry, as I wanted to have it available remotely for a personal project while I was away from home. This also meant that it was exposed to the internet, with open ports in the router firewall and everything. Considering the process had been running for 8 days, this means that the infection occured just a day after creating the database. None of the database guides I followed had warned me about the dangers of exposing a docker containerized database to the internet. Ofcourse I password protected it, but seeing as it was meant to be temporary, I didn't dive into securing it properly.

Leave a Comment