Posted by jakelsaunders94 7 days ago

I got hacked: My Hetzner server started mining Monero(blog.jakesaunders.dev)
604 points | 409 comments | page 4
pigbearpig 6 days ago
You might want to harden those outbound firewall rules as another step. Did the Umami container need the ability to initiate connections? If not, that would eliminate the ability to do the outbound scans.

It could also prevent something from exfiltrating sensitive data.

xp84 6 days ago
I wonder in a case like this how hard it would be to "steal" the crypto that you've paid to mine. But I assume these people are probably smart enough to where everything is instantly forwarded to their C&C server to prevent that.
akimbostrawman 6 days ago
Unless you know the wallet's seed phrase, you cannot access the mined funds. At best you could replace their wallet with your own to mine it yourself.
tgsovlerkhgsel 6 days ago
There is no need for the node doing the mining calculations to have access to the private key of the payout wallet.
ryanto 6 days ago
Sorry to hear you got hacked.

I know we aren't supposed to rely on containers as a security boundary, but it sure is great hearing stories like this where the hack doesn't escape the container. The more obstacles the better I guess.

DANmode 6 days ago
Hacks are humans. For like, ten more minutes anyway.

If the human involved can’t escalate, the hack can’t.

elif 6 days ago
This is a perfect example of how honeypots, anti-malware organizations, and blacklists are so important to security.

Even if you are an OWASP member who reads daily vulnerability reports, it's so easy to think you are unaffected.

LelouBil 6 days ago
Something similar happened to me last year; it was with an unsecured user account accessible over SSH with password authentication, something like admin:admin that I forgot about.

At least that's what I think happened, because I never found out exactly how it was compromised.

The miner was running as root and its file was even hidden when I was running ls! So I didn't understand what was happening; it was only after restarting my VPS with a rescue image, and after mounting the root filesystem, that I found out the file I was seeing in the process list did indeed exist.
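
An added check for the situation LelouBil describes (example code, not from the thread or the blog post): a userspace rootkit that hooks readdir() can hide a name from ls while the kernel still points /proc/<pid>/exe at the file and stat() on the full path still succeeds, so comparing those views from the live system is a cheap first pass before doing the reliable thing and mounting the disk from a rescue image. The pids, paths and directory contents in the sample are constructed; the `unresolvable` category exists because container processes legitimately resolve to paths that do not exist in the host's mount namespace.

```python
"""Cross-check running processes against what the filesystem admits to.

Added example, not code from the thread. A userspace rootkit that hooks
readdir() (for instance via LD_PRELOAD) can hide a file name from `ls`
while the inode still exists, the kernel still reports it as the target of
/proc/<pid>/exe, and stat() on the full path still succeeds. Comparing
those views from the running system is a quick first check; the reliable
one is to mount the disk from a rescue image.
"""
import os
from collections import namedtuple

Finding = namedtuple("Finding", "pid path reason")


def audit_exes(exe_targets, listdir, exists):
    """Flag processes whose binary is hidden, unlinked, or unresolvable.

    exe_targets: iterable of (pid, readlink('/proc/<pid>/exe')) pairs.
    listdir / exists: injected so the same logic runs on live data or on
    constructed test data.
    """
    findings = []
    for pid, target in exe_targets:
        if target.endswith(" (deleted)"):
            # Common miner trick: exec the binary, then unlink it so nothing
            # is left on disk while the process keeps running.
            findings.append(Finding(pid, target, "deleted"))
            continue
        parent, name = os.path.split(target)
        try:
            listed = name in listdir(parent)
        except OSError:
            listed = False
        if listed:
            continue  # visible everywhere, nothing to see here
        if exists(target):
            # stat() works but readdir() does not show it: something is
            # filtering directory listings.
            findings.append(Finding(pid, target, "hidden_from_listing"))
        else:
            # Not visible by either route. Often a process in another mount
            # namespace (a container), so confirm before calling it hostile.
            findings.append(Finding(pid, target, "unresolvable"))
    return findings


def live_exe_targets():
    """Read /proc/<pid>/exe for every visible process (run as root to see all)."""
    targets = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            targets.append((int(entry), os.readlink(f"/proc/{entry}/exe")))
        except OSError:
            continue  # kernel thread, already exited, or permission denied
    return targets


# Constructed sample (hypothetical pids and paths), not data from the thread:
# the readdir view omits the miner in /tmp/.cache while stat() still finds it.
SAMPLE_EXES = [
    (412, "/usr/sbin/sshd"),
    (977, "/tmp/.cache/miner"),
    (1201, "/usr/bin/node"),
    (1330, "/dev/shm/m (deleted)"),
]
SAMPLE_LISTING = {"/usr/sbin": {"sshd", "cron"}, "/tmp/.cache": set()}
SAMPLE_EXISTING = {"/usr/sbin/sshd", "/tmp/.cache/miner"}


def audit_sample():
    """Run the audit over the constructed data above."""
    return audit_exes(
        SAMPLE_EXES,
        listdir=lambda d: SAMPLE_LISTING.get(d, set()),
        exists=lambda p: p in SAMPLE_EXISTING,
    )


if __name__ == "__main__":
    for f in audit_exes(live_exe_targets(), os.listdir, os.path.exists):
        print(f"{f.pid:>7}  {f.reason:<20} {f.path}")
```

Run it as root on the live box to cover every pid; a kernel-level rootkit can lie to all three views at once, which is why the rescue-image check remains the one to trust.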

exceptione 6 days ago
The first step I would take is running podman instead of Docker to prevent container escapes. Podman can be run truly rootless and doesn't mess with your firewall. Next I would drop all caps if possible.
doodlesdev 6 days ago
What's the difference between running Podman and running Docker in rootless mode? (Other than Docker messing with the firewall, which apparently OP doesn't know about… yet). I understand Podman doesn't require a daemon, but is that all there is to it, or is there something I'm missing?
exceptione 6 days ago
The runtime has been designed from the ground up to be run daemonless and rootless. They also have a K8s runtime, that has an extremely small surface, just enough to be K8s compliant.

But podman also has great integration with systemd. With that you could use a socket-activated systemd unit and stick the socket inside the container, instead of giving the container any network at all. And even if you want networking in the container, the podman folks developed slirp4netns, which is user-space networking, and now something even better: passt/pasta.

crimsonnoodle58 6 days ago
Rootless Docker is more compatible than Podman, I found. I experienced crash dumps in, say, mssql with Podman, but not with rootless Docker.

Also rootless docker does not bypass ufw like rootful docker does.

IlikeMadison 6 days ago
I don't think using key-based authentication for SSH and enabling Fail2ban is necessary. Fail2ban is only useful if you keep password authentication. But I might be wrong.
Sohcahtoa82 6 days ago
I should check my SSH logs.

My intuition is that since the SSH server reports what auth methods are available, once a bot sees that password auth is disabled, they will disconnect and not try again.

But I also know that bots can be dumb.
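
An added example for the question IlikeMadison and Sohcahtoa82 are circling (example code, not from the thread or the blog post): what the sshd log actually shows once password auth is off, and how a fail2ban-style count over those lines works. The log lines are constructed samples in sshd's usual wording with documentation-range IPs; the threshold default is fail2ban's `maxretry` of 5, but the rule itself is this script's, not fail2ban's filter.

```python
"""Classify sshd log lines and count per-IP failures, fail2ban-style.

Added example, not code from the thread. With PasswordAuthentication off
you stop seeing "Failed password" lines, but bots still connect and leave
"Connection closed by authenticating user ... [preauth]" and "Invalid
user" lines, and any "Accepted password" line means the setting never took.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not real logs from anyone in the thread).
SAMPLE_LOG = """\
Jan 10 03:12:01 vps sshd[2101]: Invalid user admin from 203.0.113.5 port 51234
Jan 10 03:12:01 vps sshd[2101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:12:03 vps sshd[2104]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jan 10 03:12:09 vps sshd[2107]: Connection closed by authenticating user root 203.0.113.5 port 51244 [preauth]
Jan 10 03:13:40 vps sshd[2111]: Connection closed by invalid user oracle 198.51.100.9 port 40210 [preauth]
Jan 10 03:14:02 vps sshd[2115]: Accepted publickey for jake from 192.0.2.77 port 50022 ssh2: ED25519 SHA256:AAAA
Jan 10 03:15:30 vps sshd[2120]: Accepted password for jake from 192.0.2.77 port 50030 ssh2
"""

SSHD_MSG = re.compile(r"sshd\[\d+\]: (.*)$")
PATTERNS = [
    ("failed", re.compile(r"^Failed (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")),
    ("accepted", re.compile(r"^Accepted (\w+) for (\S+) from (\S+) port \d+")),
    ("preauth_closed", re.compile(r"^Connection closed by (?:authenticating|invalid) user (\S+) (\S+) port \d+ \[preauth\]")),
    ("invalid_user", re.compile(r"^Invalid user (\S+) from (\S+) port \d+")),
]


def classify(line):
    """Return (kind, method, user, ip) for a recognised sshd line, else None."""
    m = SSHD_MSG.search(line)
    if not m:
        return None
    msg = m.group(1)
    for kind, pat in PATTERNS:
        hit = pat.match(msg)
        if not hit:
            continue
        groups = hit.groups()
        if kind in ("failed", "accepted"):
            method, user, ip = groups
        else:
            method, (user, ip) = "none", groups  # closed before any method
        return kind, method, user, ip
    return None


def summarize(log_text):
    """Per-IP event counts, plus every login that used a password at all."""
    per_ip = defaultdict(Counter)
    password_logins = []
    for line in log_text.splitlines():
        event = classify(line)
        if event is None:
            continue
        kind, method, user, ip = event
        per_ip[ip][kind] += 1
        if kind == "accepted" and method == "password":
            # Any hit here means PasswordAuthentication is still enabled.
            password_logins.append((user, ip))
    return per_ip, password_logins


def ban_candidates(per_ip, threshold=5):
    """IPs with at least `threshold` failed or probing events.

    The default matches fail2ban's maxretry of 5; which lines count is this
    script's choice and includes the preauth probes a key-only server sees.
    """
    bad = ("failed", "invalid_user", "preauth_closed")
    return sorted(ip for ip, c in per_ip.items() if sum(c[k] for k in bad) >= threshold)


if __name__ == "__main__":
    per_ip, password_logins = summarize(SAMPLE_LOG)
    for ip, counts in per_ip.items():
        print(ip, dict(counts))
    print("password logins:", password_logins)
    print("ban candidates:", ban_candidates(per_ip, threshold=3))
```

Feed it `journalctl -u ssh -o cat` or /var/log/auth.log instead of the sample and the `password_logins` list answers the question directly: if it is non-empty, password auth is still on.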

racl101 6 days ago
This is weird. I viewed this blog post on Chrome and it loaded fine. But I sent the link to my fellow dev and he tried viewing it on Microsoft Edge on macOS, but the browser showed a red page with the "This site has been reported as unsafe" message from Microsoft Defender SmartScreen.

It highlighted the domain: 'jakesaunders.dev' in the address bar in red text.

kalaksi 6 days ago
After reading some comments: this probably goes without saying, but one should be very careful about what to expose to the internet. Sounds like the analytics service could maybe have been made available only over VPN (or similar, like mTLS etc.)

And for basic web sites, it's much better if it requires no back-end.

Every service exposed increases risk and requires additional vigilance to maintain. Which means more effort.

aborsy 6 days ago
If I’m not wrong, a hetzner VM by default has no firewall enabled. If you are coming from providers with different default settings, that might bite you. Containers that you thought were not open to internet have been open all this time. Two firewalls failed: They bypassed ufw and there was no external firewall either.

You have to define a firewall policy and attach it to the VM.
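
An added audit for the "containers you thought were not open have been open all this time" problem aborsy and crimsonnoodle58 describe (example code, not from the thread or the blog post). Docker puts its own ACCEPT rules for published ports at the top of the iptables FORWARD chain, ahead of the chains ufw manages, so anything published on 0.0.0.0 or :: is reachable regardless of ufw. The script parses `docker ps --format '{{.Names}}\t{{.Ports}}'` output and lists wildcard-bound ports that are not on an explicit public allow list; the sample output and the container names in it are constructed.

```python
"""List container ports published on all interfaces.

Added example, not code from the thread. Docker inserts ACCEPT rules for
published ports into the iptables FORWARD chain ahead of ufw's chains, so
a port bound to 0.0.0.0 or :: is exposed whatever ufw says. Publishing on
127.0.0.1 (or setting "ip": "127.0.0.1" in daemon.json as the default
bind address) and fronting the service with a reverse proxy avoids that.
"""
import re

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
SAMPLE_PS = """\
umami\t0.0.0.0:3000->3000/tcp, :::3000->3000/tcp
umami-db\t5432/tcp
caddy\t0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp
grafana\t127.0.0.1:3001->3000/tcp
"""

# host:hostport->containerport/proto; host may be 0.0.0.0, 127.0.0.1, ::, or [::]
PUBLISHED = re.compile(r"^(.+):(\d+(?:-\d+)?)->\d+(?:-\d+)?/(tcp|udp|sctp)$")
WILDCARDS = {"0.0.0.0", "::"}


def parse_ports(ports_field):
    """Yield (host_ip, host_port, proto) for each published mapping.

    Entries without '->' (like '5432/tcp') are only exposed on the Docker
    network, not published on the host, and are skipped.
    """
    for entry in ports_field.split(", "):
        m = PUBLISHED.match(entry.strip())
        if not m:
            continue
        host, port, proto = m.groups()
        host = host.strip("[]")  # newer Docker prints [::], older prints ::
        yield host, port, proto


def audit(ps_output, allowed_public=frozenset({("80", "tcp"), ("443", "tcp")})):
    """Return (container, host_port, proto) for wildcard-bound ports that
    are not on the allow list, de-duplicated across the v4 and v6 entries."""
    findings = []
    seen = set()
    for line in ps_output.splitlines():
        if "\t" not in line:
            continue
        name, ports = line.split("\t", 1)
        for host, port, proto in parse_ports(ports):
            if host not in WILDCARDS or (port, proto) in allowed_public:
                continue
            key = (name, port, proto)
            if key not in seen:
                seen.add(key)
                findings.append(key)
    return findings


if __name__ == "__main__":
    import subprocess

    out = subprocess.run(
        ["docker", "ps", "--format", "{{.Names}}\t{{.Ports}}"],
        capture_output=True, text=True, check=True,
    ).stdout
    for name, port, proto in audit(out):
        print(f"{name}: {port}/{proto} is published on all interfaces")
```

On the sample this flags only umami's 3000/tcp: caddy's 80 and 443 are on the allow list, grafana is bound to loopback, and the database is exposed only on the Docker network. A provider-side firewall (the Hetzner policy aborsy mentions) is the second layer; this check tells you what the first layer is actually letting through.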
