pinpoint-flink runs malware called kinsing #128

Open
dorian-kwon opened this issue Jan 7, 2022 · 5 comments

dorian-kwon commented Jan 7, 2022

version: 2.3.3

User 9999, which I never created, runs the flink process.

The kdevtmpfsi / kinsing processes, which are called mining malware, are run by this user.

This process doesn't show up immediately. It needs at least 1~2 days to show up.

If you kill the flink containers with the command "docker kill pinpoint-flink-jobmanager / pinpoint-flink-taskmanager", the malware will go away.

Member

emeroad commented Jan 7, 2022

Have you exposed your containers to external networks?
Containers should never be exposed to external networks.
We recommend that you check the network security.

https://flink.apache.org/security.html

Frequently Asked Questions
We strongly discourage users to expose Flink processes to the public internet.

Author

dorian-kwon commented Jan 7, 2022

I just executed docker-compose pull & docker-compose up -d.

Is there any config I have to set?
Or should I set firewalls up?

As far as I know, Docker changes the firewall tables when a container's port is exposed.

Member

emeroad commented Jan 7, 2022

I think your server has already been hacked.

Read the article below.
https://blog.aquasec.com/threat-alert-kinsing-malware-container-vulnerability

Author

dorian-kwon commented Jan 7, 2022

We had thought of that, and we watched all our processes all the time after killing pinpoint-flink. It soon became clear that our host server is not infected.
First, when I run docker-compose without flink, the malware doesn't show up.
Here is the second situation.
I ran flink and then waited 1~2 days until the malware was running.
Then I killed the flink processes, such as the task manager and job manager. The malware was killed by this action as well, even though we didn't kill it directly.

These are the ports we open.

Screenshot_20220107-215810_Chrome
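
To check which container ports are published on non-loopback interfaces, the question this thread keeps returning to, here is an added example (not part of the original issue or the Pinpoint project) that audits the output of `docker ps --format '{{.Names}}\t{{.Ports}}'`. The container names come from the issue; the sample lines, the `example-web` container and all port numbers are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Container names are from the issue; port numbers are illustrative only.
SAMPLE = (
    "pinpoint-flink-jobmanager\t0.0.0.0:8081->8081/tcp, :::8081->8081/tcp, 6123/tcp\n"
    "pinpoint-flink-taskmanager\t6121-6122/tcp\n"
    "example-web\t127.0.0.1:8080->8080/tcp\n"
)

# host_ip:host_port->container_port/proto ; host_ip may be IPv4, "::" or "[::]"
PUBLISHED = re.compile(
    r"^(?P<ip>.+):(?P<hport>[\d-]+)->(?P<cport>[\d-]+)/(?P<proto>\w+)$"
)


def externally_published(ps_output):
    """Return sorted (container, host_ip, host_port, proto) tuples for ports
    bound to a non-loopback address. Entries without '->' are exposed inside
    Docker only and not published on the host, so they are skipped."""
    findings = set()
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for entry in filter(None, (p.strip() for p in ports.split(","))):
            m = PUBLISHED.match(entry)
            if not m:
                continue
            ip = m.group("ip").strip("[]")
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                loopback = False  # unparseable bind address: report it
            if not loopback:
                findings.add((name, ip, m.group("hport"), m.group("proto")))
    return sorted(findings)


if __name__ == "__main__":
    for name, ip, port, proto in externally_published(SAMPLE):
        print(f"{name}: {port}/{proto} published on {ip}")
```

In a compose file, a mapping written as `127.0.0.1:8081:8081` (port number illustrative) binds the published port to loopback only, so it no longer appears in this report.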
