0

I have a VPS where I run an instance of devilbox, a dockerized LAMP stack. I just discovered that I got hit with the Kinsing malware, most likely due to a dockerized Redis server that I inadvertently left exposed without a password (insert facepalm emoji here). Once I stopped the container, the malware disappeared from the process list.

Anyway, I've been reading the instructions for cleaning it up at Redis' GitHub page, and I don't see any of the stuff it mentions on my host computer: nothing in /tmp, nothing in /var/tmp, no cron entries... so I understand that the malware's files have all been created, if anything, inside the container.

I deleted all the Docker images I had and downloaded them again from Docker Hub. Am I supposed to do anything else, or should I be in the clear?

Edit: I guess what I'm asking is: since the service that got hacked is inside a Docker container, is it enough to stop it and redownload a "clean" image, or do I have to wipe out the host computer too?

PaulJ
    Does this answer your question? [How do I deal with a compromised server?](https://serverfault.com/questions/218005/how-do-i-deal-with-a-compromised-server) – Swisstone Apr 23 '20 at 12:17
  • @Swisstone: not exactly, since in my case my LAMP stack was entirely inside Docker containers. I guess what I'm asking is: if the service that got hacked is inside a Docker container, is it enough to just stop it and redownload the Docker image? Or do I have to wipe out the host computer too? – PaulJ Apr 23 '20 at 12:20

1 Answer

1

If you are 100% sure only your Docker containers were affected, I see no need to wipe the host computer.

However, I'm not sure if you are using something like AppArmor right now: https://docs.docker.com/engine/security/apparmor/ - if not, this might be worth considering, since you will greatly limit the attack surface.

Another option to explore would be the more PaaS-like (container) hosting services that AWS, GCP and Azure offer - in that case you'll never have to worry about the host computer again.

discondor
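As an added example (not part of the question or of discondor's answer), here is a Python triage script that applies the "were only the containers affected?" test to `docker inspect` output. It lists the settings that give a compromised container a route to the host (privileged mode, host PID or network namespace, added capabilities, bind mounts of the Docker socket or other sensitive host paths), records whether the AppArmor profile the answer recommends was actually applied, and flags a Redis container whose port is published on all interfaces without `--requirepass` on its command line. The container names, image tags and JSON below are constructed for the example; the field names are the ones `docker inspect` emits.

```python
"""Triage `docker inspect` output after a container compromise.

Added example. The sample JSON is constructed and not taken from the asker's
VPS; only the field names match real `docker inspect` output.
"""
import json

# Bind-mount sources that hand a container control of the host.
DANGEROUS_BIND_SOURCES = {"/", "/var/run/docker.sock", "/run/docker.sock",
                          "/proc", "/sys", "/etc", "/root"}
# Added capabilities that make the container boundary mostly cosmetic.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "ALL"}
# HostIp values that mean "every interface" in a port binding.
ALL_INTERFACES = {"", "0.0.0.0", "::"}

# Constructed sample: a Redis container published on all interfaces with no
# password, and a worker container that mounts the Docker socket.
SAMPLE_INSPECT = json.dumps([
    {
        "Id": "aaa111", "Name": "/devilbox_redis_1",
        "AppArmorProfile": "docker-default",
        "Config": {"Image": "redis:5", "Cmd": ["redis-server"]},
        "HostConfig": {
            "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
            "CapAdd": None,
            "PortBindings": {"6379/tcp": [{"HostIp": "", "HostPort": "6379"}]},
        },
        "Mounts": [{"Type": "volume",
                    "Source": "/var/lib/docker/volumes/redis/_data",
                    "Destination": "/data"}],
    },
    {
        "Id": "bbb222", "Name": "/devilbox_worker_1",
        "AppArmorProfile": "",
        "Config": {"Image": "php:7.4-fpm", "Cmd": ["php-fpm"]},
        "HostConfig": {
            "Privileged": False, "PidMode": "", "NetworkMode": "bridge",
            "CapAdd": None, "PortBindings": {},
        },
        "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                    "Destination": "/var/run/docker.sock"}],
    },
])


def host_escape_findings(c):
    """Return the settings that give a compromised container a route to the host."""
    hc = c.get("HostConfig") or {}
    found = []
    if hc.get("Privileged"):
        found.append("runs --privileged")
    if hc.get("PidMode") == "host":
        found.append("shares the host PID namespace")
    if hc.get("NetworkMode") == "host":
        found.append("shares the host network namespace")
    caps = {cap[4:] if cap.startswith("CAP_") else cap for cap in (hc.get("CapAdd") or [])}
    for cap in sorted(caps & DANGEROUS_CAPS):
        found.append(f"adds capability {cap}")
    for m in c.get("Mounts") or []:
        src = m.get("Source", "")
        if m.get("Type") == "bind" and (src in DANGEROUS_BIND_SOURCES
                                        or src.rstrip("/") in DANGEROUS_BIND_SOURCES):
            found.append(f"bind-mounts host path {src}")
    return found


def redis_exposure_findings(c):
    """Flag a Redis container published on all host interfaces.

    Only --requirepass on the command line is visible here; a password set in
    a mounted redis.conf is not, so 'WITHOUT a password' can be a false positive.
    """
    cfg = c.get("Config") or {}
    if "redis" not in cfg.get("Image", ""):
        return []
    has_pass = "--requirepass" in (cfg.get("Cmd") or [])
    found = []
    for port, targets in ((c.get("HostConfig") or {}).get("PortBindings") or {}).items():
        for t in targets or []:
            if t.get("HostIp", "") in ALL_INTERFACES:
                note = "with --requirepass" if has_pass else "WITHOUT a password"
                found.append(f"{port} published on all interfaces as host port "
                             f"{t.get('HostPort')} {note}")
    return found


def triage(inspect_json):
    """Parse `docker inspect` output and report per container."""
    report = {}
    for c in json.loads(inspect_json):
        report[c["Name"]] = {
            "escape_routes": host_escape_findings(c),
            "apparmor": c.get("AppArmorProfile") or None,
            "redis_exposure": redis_exposure_findings(c),
        }
    return report


def host_needs_rebuild(report):
    """True if any container had a route to the host: the container was then not
    a trust boundary and the host must be treated as compromised as well."""
    return any(r["escape_routes"] for r in report.values())


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -aq) | python3 triage.py
    import sys
    data = SAMPLE_INSPECT if sys.stdin.isatty() else sys.stdin.read()
    rep = triage(data)
    print(json.dumps(rep, indent=2))
    print("host needs rebuild:", host_needs_rebuild(rep))
```

Run it against the real host with `docker inspect $(docker ps -aq) | python3 triage.py`. An empty `escape_routes` list for the Redis container is the evidence behind "only the containers were affected"; any non-empty entry (here the worker's Docker-socket mount) means the host must be treated as compromised too, regardless of what `/tmp` and the crontabs look like.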