Researching where a malware came from

1. Caddy version (caddy version):

v2.4.3 h1:Y1FaV2N4WO3rBqxSYA8UZsZTQdN+PwcoOcAiZTM8C0I=

2. How I run Caddy:

Installed from PPA following steps in:

a. System environment:

Ubuntu 20.04 on DigitalOcean (fresh new droplet created on July 26th, yesterday)

b. Command:

`caddy start` after setting up the Caddyfile

```
somesite.com {
	# Set this path to your site’s directory.
	root * /var/www/somefolder
	# ACME account email used for the automatic certificate.
	tls somemeial@gmail.com
	# Enable the static file server.
	file_server
	encode gzip zstd
	# Another common task is to set up a reverse proxy:
	# reverse_proxy localhost:8080
	# Or serve a PHP site through php-fpm:
	# (php_fastcgi already performs its own try_files, so this line is redundant)
	try_files {path} {path}/index.php
	php_fastcgi localhost:9000
	# Refer to the Caddy docs for more information:
	# The Caddyfile — Caddy Documentation
	@cachedFiles {
		path *.ico *.css *.js *.gif *.jpg *.jpeg *.png *.svg *.woff
	}
	header @cachedFiles Cache-Control max-age=5184000
}
```

Before running Caddy I installed php7.4 and php7.4-fpm and then configured the www.conf file so PHP-FPM listens on port 9000. After that I ran Caddy with the Caddyfile configuration above.

c. Service/unit/compose file:


d. My complete Caddyfile or JSON config:


3. The problem I’m having:

4. Error messages and/or full log output:

After the above, about 1 to 2 hours after install, the bitcoin miner Kinsing started.

5. What I already tried:


This has happened before on DigitalOcean with other tools installed, but this is the first time I have narrowed it down to doing only a few things:

  1. Created the DigitalOcean droplet using Ubuntu 20.04
  2. Installed php7.4 and php7.4-fpm
  3. Installed caddy from PPA
  4. Configured Caddyfile and started the service

That was all. Is kinsing able to use or infect golang now?

6. Links to relevant resources:

I don’t think this has anything to do with Caddy. A quick google search for “Kinsing” shows this article, which suggests it’s a vulnerability in container software or something else.

Make sure you closed ports that you don’t need, and that your SSH is properly secured, etc.
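The thread never pins down how Kinsing got onto the droplet; the following added example (not code from the thread or the Caddy project) only automates the two checks this reply suggests, which ports are reachable from outside and which user Caddy's unit runs as. It assumes iproute2's `ss`, systemd, and the hypothetical filename audit.sh.

```shell
#!/bin/sh
# Added example, not from the thread: a POSIX sh audit of the two things the
# reply recommends checking on a fresh droplet, which ports are open to the
# outside and which user the caddy unit runs as. It reads captured `ss -Hltn` /
# `systemctl show -p User caddy` output on stdin, so the constructed sample
# below runs without root or iproute2.

# Print "addr port" for every listener NOT bound to loopback.
# Input lines look like: LISTEN 0 4096 0.0.0.0:9000 0.0.0.0:*
exposed_listeners() {
    awk '$1 == "LISTEN" {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        sub(":" port "$", "", addr)   # keep only the address, IPv6 brackets included
        if (addr == "127.0.0.1" || addr == "[::1]") next
        print addr, port
    }'
}

# Classify exposed listeners for this setup: 80/443 are what Caddy needs, 22
# must be hardened, and php-fpm on 9000 only needs to be reachable by Caddy on
# the same box (www.conf `listen = 9000` binds all interfaces, `listen =
# 127.0.0.1:9000` keeps it local). Exit status 1 if anything needs review.
audit_listeners() {
    exposed_listeners | awk '
        $2 == "80" || $2 == "443" { print "ALLOW  " $1 ":" $2 " (web server)"; next }
        $2 == "22"   { print "CHECK  " $1 ":" $2 " (SSH: key-only auth, no root login)"; next }
        $2 == "9000" { print "REVIEW " $1 ":" $2 " (FastCGI: bind php-fpm to 127.0.0.1:9000)"; bad = 1; next }
                     { print "REVIEW " $1 ":" $2 " (not needed by this setup?)"; bad = 1 }
        END { exit bad ? 1 : 0 }'
}

# Extract User= from `systemctl show -p User caddy` (the deb package's unit runs as caddy).
caddy_unit_user() {
    sed -n 's/^User=//p'
}

# Constructed sample standing in for a droplet where www.conf says `listen = 9000`.
SAMPLE_SS='LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 4096 127.0.0.1:2019 0.0.0.0:*
LISTEN 0 4096 *:80 *:*
LISTEN 0 4096 *:443 *:*
LISTEN 0 511 0.0.0.0:9000 0.0.0.0:*'

if [ "${1:-}" = "--live" ] && command -v ss >/dev/null 2>&1; then   # ./audit.sh --live
    ss -Hltn | audit_listeners
    printf 'caddy runs as: %s\n' "$(systemctl show -p User caddy | caddy_unit_user)"
else
    printf '%s\n' "$SAMPLE_SS" | audit_listeners || :   # exit 1 expected: 9000 is exposed
fi
```

Run it with `--live` on the droplet itself; without arguments it audits the constructed sample, where the only REVIEW line is the FastCGI port bound to all interfaces.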

So it could be the docker containers in DigitalOcean that are getting infected?

🤷‍♂️

All I can say is that I highly doubt Caddy is the issue. Caddy installed via the deb package only spins up a systemd service which runs as the caddy user, and that user has no permissions to install additional software. So it can’t be Caddy which triggered the installation of malware. It must be something else.

Correct, thank you. Yes, I am trying to pinpoint where the issue starts. Thank you buddy.
