Posted by jakelsaunders94 7 days ago

I got hacked: My Hetzner server started mining Monero (blog.jakesaunders.dev)
604 points | 409 comments | page 5
dilippkumar 6 days ago|
I’m sorry you went through this.

But I am interested in the monero aspect here.

Should I treat this as some datapoint on monero’s security having held up well so far?

tgsovlerkhgsel 6 days ago||
> Should I treat this as some datapoint on monero’s security having held up well so far?

No. The reason attackers mine Monero and not some other cryptocurrency isn't the anonymity. Most cryptocurrencies aren't (meaningfully) mineable with CPUs, Monero (apparently) is. There may be others, but I suspect that they either deliver less $ per CPU-second (due to not being valuable), or are sufficiently unknown and/or painful to set up that the attackers just go with the known default.

Trying to mine Bitcoin directly would be pointless, you'd get no money because you're competing with ASIC miners. Some coins were designed to be ASIC resistant, these are mostly mined on GPUs. Monero (and some other coins) were designed to also be GPU resistant (I think). You could see it as a sign that that property has held up (well enough), but nothing else.

Hendrikto 6 days ago||
The main reason to use Monero for stuff like this is their mining algo. They made big efforts and changed algorithms several times to make and keep it GPU and ASIC resistant.

If you used the server to mine Bitcoin, you would make approximately zero (0) profit, even if somebody else pays for the server.

But also yes, Monero has technically held up very well.

cylemons 6 days ago||
Didn't Qubic manage to attack Monero?
akimbostrawman 6 days ago||
They tried to do a 51% attack which at worst could result in double spends. They have never reached more than 35%.

The attack did not and could not compromise or weaken moneros privacy and anonymity features.

qingcharles 7 days ago||
As an aside, if you're using a Hetzner VPS for Umami you might be over-specced. I just cut my Hetzner bill by $4/mo by moving my Umami box to one of the free Oracle Cloud VPS after someone on here pointed out the option to me. Depends whether this is a hobby thing or something more serious, but that option is there.
ianschmitz 7 days ago||
I would pay $4/mo to stay as far away from Oracle as possible
angulardragon03 7 days ago|||
All fine and well, but oracle will threaten to turn off your instance if you don’t maintain a reasonable average CPU usage on the free hosts, and will eventually do so abruptly.

This became enough of a hassle that I stopped using them.

treesknees 7 days ago|||
Do you mean if it’s idle, or if it’s maxed out? I’ve had a few relatively idle free-tier VMs with Oracle and I’ve not received any threats of shutoff over the last 3 years I’ve had them online.
angulardragon03 3 days ago||
Idle - low usage Minecraft server was the issue for me
qingcharles 6 days ago|||
I assumed the same, but as long as you keep a credit card on file apparently they will let you idle it too. I went in and set my max budget at $1/mo and set alerts too, just in case.
spiderfarmer 7 days ago|||
I pay for Hetzner because it’s an EU based, sane company without a power hungry CEO.
mos87 6 days ago||
Orange Man Bad?!?
eb0la 6 days ago||
Yes: Orange clown very bad.
mos87 6 days ago||
>ebola

lol.

jakelsaunders94 7 days ago|||
I've got a whole Hetzner EX41 bare metal server, as opposed to a VPS. It's got like 20 services on it.

But yeah it is massively overspecced. Makes me feel cool load testing my go backend at 8000 requests per second though!

tgtweak 7 days ago||
The manageability of having everything on one host is kind of nice at that scale, but yeah you can stack free tiers on various providers for less.
prmoustache 6 days ago||
Author forgot one important take: to limit the attack surface what doesn't need to be public facing should not be public facing. Things such as analytics software can easily be accessed through wireguard or even simpler using ssh as socks proxy.
tgsovlerkhgsel 6 days ago||
Would "user root" without --privileged and excessive mounts have enabled a container escape, or just exposed additional attack surface that potentially could have allowed the attacker to escape if they had another exploit?
PlqnK 6 days ago|
They would need a vulnerability in containerd or the kernel to escape the sandbox and being root in the sandbox would give them more leeway to exploit that vulnerability.

But if they do have a vulnerability and manage to escape the sandbox then they will be root on your host.

Running your processes as an unprivileged user inside your containers reduces the possibility of escaping the sandbox; running your containers themselves as an unprivileged user (rootless podman or docker, for example) reduces the attack surface when they manage to escape the sandbox.

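Added example, not from the thread: a quick audit for the two things tgsovlerkhgsel asked about and PlqnK answered, the user the container process runs as and `--privileged` plus excessive mounts. It reads one `docker inspect` line per running container (the `--format` template that produces it is in the header comment) and flags containers whose process runs as root, that were started privileged, or that mount the Docker socket or the host root filesystem. The container names and sample lines are constructed, not taken from the author's server.

```shell
#!/bin/sh
# Added example, not from the thread. Audit running containers for the
# conditions discussed above: process running as root inside the container
# (more leeway if a containerd/kernel bug is found), --privileged, and
# mounts that make an escape trivial (docker socket, host root fs).
#
# Input, one line per container, produced on a real host with:
#   docker inspect --format '{{.Name}} user={{.Config.User}} privileged={{.HostConfig.Privileged}} mounts={{range .Mounts}}{{.Source}}:{{.Destination}},{{end}}' $(docker ps -q)

# Prints "<container> <finding>" lines; returns 1 if anything was flagged.
audit_container_privs() {
    awk '
    {
        name = $1; sub(/^\//, "", name)      # inspect prefixes names with "/"
        user = ""; priv = ""; mounts = ""
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            key = substr($i, 1, eq - 1); val = substr($i, eq + 1)
            if (key == "user") user = val
            else if (key == "privileged") priv = val
            else if (key == "mounts") mounts = val
        }
        # empty Config.User means the image never set USER: uid 0 by default
        if (user == "" || user == "root" || user ~ /^0(:|$)/) {
            print name, "runs as root inside the container"; bad = 1
        }
        if (priv == "true") {
            print name, "started with --privileged (all capabilities, raw device access)"; bad = 1
        }
        n = split(mounts, m, ",")
        for (i = 1; i <= n; i++) {
            if (m[i] == "") continue
            split(m[i], sd, ":")            # source:destination
            if (sd[1] == "/var/run/docker.sock" || sd[1] == "/run/docker.sock") {
                print name, "mounts the docker socket (equivalent to root on the host)"; bad = 1
            } else if (sd[1] == "/") {
                print name, "mounts the host root filesystem at " sd[2]; bad = 1
            }
        }
    }
    END { exit bad ? 1 : 0 }'
}

# Constructed inspect output: a web app whose image sets no USER, a database
# running as its own account, an auto-updater that mounts the docker socket,
# and a metrics exporter run privileged with the host root mounted.
SAMPLE_INSPECT='/webapp user= privileged=false mounts=
/db user=postgres privileged=false mounts=/srv/db:/var/lib/postgresql/data,
/updater user= privileged=false mounts=/var/run/docker.sock:/var/run/docker.sock,
/exporter user=nobody privileged=true mounts=/:/host,'

# Demo on the constructed lines; on a real host pipe the docker inspect
# command from the header comment into audit_container_privs.
printf '%s\n' "$SAMPLE_INSPECT" | audit_container_privs || echo "-> see fixes below"

# Fixes:
#   in the Dockerfile (Alpine syntax):  RUN adduser -D -u 10001 app   then   USER 10001:10001
#   at run time:  docker run --user 10001:10001 --cap-drop ALL \
#                   --security-opt no-new-privileges --read-only ...
#   no --privileged and no docker.sock mount for anything that faces the network
#   and run the daemon itself rootless (rootless Docker or podman), so an escape
#   lands in an unprivileged host user rather than root
```

Expected findings on the constructed input: one for `webapp`, two each for `updater` and `exporter`, none for `db`. The socket and root-filesystem checks only compare mount sources, so a bind mount of a parent directory such as `/var/run` would slip past them; treat the list of flagged sources as a starting point, not a complete rule set.
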
cachius 6 days ago||
Does anybody know how to just list the processes running inside a single container from within that container?

And isn’t it a design flaw if you can see all processes from inside a container? This could provide useful information for escaping it.

OutOfHere 7 days ago||
You're lucky that Hetzner didn't delete your server and terminate your account.
mythrwy 6 days ago||
If they do that they don't get paid for the service the subsequent month.
croemer 6 days ago||
With which justification?
OutOfHere 6 days ago||
Cryptocurrency software usage. It is strictly against their policy. AFAIK, their policy does not differentiate between voluntary and involuntary use.

They have done it to others.

bradley13 6 days ago||
I had something similar, but I was lucky enough to catch it myself. I've used SSH for years, and never knew that it - by default - also accepts password logins. Maybe dumb on my part, but there you go...
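
Added example, not from the thread or from bradley13's setup: a check for bradley13's point that sshd accepts passwords by default. It reads the effective configuration printed by `sshd -T` rather than the file on disk, because a stock config usually has `#PasswordAuthentication yes` commented out and the compiled-in default applies. The two `sshd -T` excerpts and the drop-in file name below are constructed for the example, not taken from anyone's server.

```shell
#!/bin/sh
# Added example, not from the thread. Decide whether an sshd still accepts
# password-style logins, from the effective configuration (`sshd -T`).
# OpenSSH compiles in "yes" for PasswordAuthentication and for
# KbdInteractiveAuthentication (ChallengeResponseAuthentication on releases
# before 8.7), so an absent option means "enabled"; and with UsePAM,
# keyboard-interactive can still prompt for a password even when
# PasswordAuthentication is "no", so both have to be off.

# Prints "enabled" or "disabled"; returns 0 only when no password-style
# login remains. Input: `sshd -T` output on stdin (lower-case keys).
password_auth_status() {
    cfg=$(cat)
    # last occurrence wins; a missing option falls back to the default "yes"
    pw=$(printf '%s\n' "$cfg" | awk '
        tolower($1) == "passwordauthentication" { v = tolower($2) }
        END { print (v == "" ? "yes" : v) }')
    kbd=$(printf '%s\n' "$cfg" | awk '
        tolower($1) == "kbdinteractiveauthentication" ||
        tolower($1) == "challengeresponseauthentication" { v = tolower($2) }
        END { print (v == "" ? "yes" : v) }')
    if [ "$pw" = "no" ] && [ "$kbd" = "no" ]; then
        echo disabled
        return 0
    fi
    echo enabled
    return 1
}

# Constructed excerpt of a stock `sshd -T`: PasswordAuthentication is not
# set anywhere, so the default applies and passwords are accepted.
STOCK_SSHD_T='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
kbdinteractiveauthentication yes
usepam yes'

# Constructed `sshd -T` after installing the drop-in below.
HARDENED_SSHD_T='port 22
permitrootlogin prohibit-password
pubkeyauthentication yes
passwordauthentication no
kbdinteractiveauthentication no
usepam yes'

# Drop-in that turns passwords off. Path and name are this example's choice;
# install it, run `sshd -t`, reload sshd, and keep the current session open
# until a fresh key-based login has been confirmed to work.
HARDENING_DROPIN='# /etc/ssh/sshd_config.d/50-no-passwords.conf
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
AuthenticationMethods publickey'

# Demo on the constructed excerpts; on a real host: sshd -T | password_auth_status
printf 'stock:    '; printf '%s\n' "$STOCK_SSHD_T"    | password_auth_status || true   # enabled
printf 'hardened: '; printf '%s\n' "$HARDENED_SSHD_T" | password_auth_status || true   # disabled
printf '\nDrop-in to apply:\n%s\n' "$HARDENING_DROPIN"
```

`sshd -T` has to run as root, and if the configuration contains `Match` blocks it needs `-C user=...,addr=...` to evaluate them for a given client; without that the output reflects only the global section.
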
meisel 7 days ago||
Is mining via CPU even worthwhile for the hackers? I thought ASICs dominated mining
jsheard 7 days ago||
ASICs do dominate Bitcoin mining but Monero's POW algorithm is supposed to be ASIC resistant. Besides, who cares if it's efficient when it's someone else's server?
tgtweak 7 days ago|||
Monero's proof of work (RandomX) is very ASIC-resistant and although it generates a very small amount of earnings, if you exploit a vulnerability like this with thousands or tens of thousands of nodes, it can add up (8 modern cores 24/7 on Monero would be in the 10-20c/day per node range). OP's VPS probably generated about $1 for those script kiddies.
pixl97 7 days ago|||
Hit 1000 servers and it starts adding up. Especially if you live somewhere with a low cost of living.
asdff 6 days ago|||
So $40 a year? Does that imply all monero is mined like this because it's clearly not cost effective at all to mine legitimately?
beeflet 6 days ago||
I think so, but it is hard to say. Could be a lot of people with extra power (or stolen power), but their own equipment. I mine myself with waste solar power
Sohcahtoa82 6 days ago||
Another option:

Deliberate heat generation.

If it's cold and you're going to be running a heater anyway, and your heat is resistive, then running a cryptominer is just as efficient and returns a couple of dollars back to you. It effectively becomes "free" relative to running the heater.

If you use a heat pump, or you rely on burning something (natural gas, wood, whatever) to generate heat, then the math changes.

tgtweak 5 days ago||
Yeah the calculus on that becomes tricky when you have heat pumps since the coefficient of performance is >1 vs resistive heating (often 3-4 depending on the temperature).

I used a rack of GPUs to heat my house for a few years back when gpu mining was decently profitable, and my electricity bill was 3-4x more than with the heat pump - so you have to keep a close eye on the math when you're running at/under profitability.

rnhmjoj 7 days ago|||
This is the PoW scheme that Monero currently uses:

> RandomX utilizes a virtual machine that executes programs in a special instruction set that consists of integer math, floating point math and branches.
> These programs can be translated into the CPU's native machine code on the fly (example: program.asm).
> At the end, the outputs of the executed programs are consolidated into a 256-bit result using a cryptographic hashing function (Blake2b).

I doubt that anyone managed to create an ASIC that does this more efficiently and cost-effectively than a basic CPU. So, no, probably no one is mining Monero using an ASIC.

heavyset_go 7 days ago|||
Yes, for Monero it is the only real viable option. I'd also assume that the OP's instance is one of many other victims whose total mining might add up to a significant amount of crypto.
edm0nd 7 days ago|||
Its easily worth it as they are not spending any money on compute or power.

If they can enslave 100s or even 1000s of machines mining XMR for them, easy money if you set aside the legality of it.

minitech 7 days ago|||
Hard for it not to be worthwhile, since it’s free for them. Same automated exploit run across the entire internet.
Bender 7 days ago|||
Optimal hardware costs money. Easy to hack machines are free and in nearly unlimited numbers.
justinsaccount 7 days ago|||
If the effectiveness of mining is represented as profit divided by the cost of running the infrastructure, then a CPU that someone else is paying for is worth it as long as the profit is greater than zero.
nikanj 6 days ago||
When your cost per host is $0, even $5 / mo / hacked host profit can make for an ok business
throwawayffffas 6 days ago||
> I also enabled UFW (which I should have done ages ago):

Docker will overwrite your rules when you publish ports.

Do not publish ports with docker. Do not run internal services on the publicly accessible system.

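Added example, not from the thread or from the author's server, covering both prmoustache's point that internal services should not face the internet and throwawayffffas's point that Docker's published ports bypass UFW. The mechanism: Docker inserts its own rules into the iptables `DOCKER` chain, which is reached from `FORWARD`, so a `-p 3000:3000` port never passes through the `INPUT` chain that UFW populates. The check below reads `docker ps` output and flags every published port bound to a wildcard address; the container names and sample `docker ps` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Docker publishes `-p 3000:3000` as
# 0.0.0.0:3000 and :::3000 and routes it through its own iptables chains
# (DOCKER, reached from FORWARD), so UFW's INPUT rules are never consulted.
# This reads `docker ps --format '{{.Names}}\t{{.Ports}}'` on stdin and
# prints every published port bound to a wildcard address.

# Prints "<container> <binding>" per world-reachable published port;
# returns 1 if any were found, 0 if every binding is loopback or a specific address.
world_exposed_ports() {
    awk -F'\t' '
    {
        n = split($2, m, /, */)
        for (i = 1; i <= n; i++) {
            if (m[i] !~ /->/) continue          # "8080/tcp" alone: exposed, not published
            split(m[i], hp, /->/)
            host = hp[1]                        # e.g. "0.0.0.0:3000", "127.0.0.1:3001"
            if (index(host, "0.0.0.0:") == 1 || index(host, ":::") == 1 || index(host, "[::]:") == 1) {
                print $1, m[i]
                found = 1
            }
        }
    }
    END { exit found ? 1 : 0 }'
}

# Constructed `docker ps` output for a host like the one in the post:
# an analytics app published to the world, its database unpublished, a
# dashboard bound to loopback, and a reverse proxy that is meant to be public.
SAMPLE_PS=$(printf '%s\t%s\n' \
    'analytics' '0.0.0.0:3000->3000/tcp, :::3000->3000/tcp' \
    'analytics-db' '5432/tcp' \
    'dashboard' '127.0.0.1:3001->3000/tcp' \
    'proxy' '0.0.0.0:80->80/tcp, [::]:80->80/tcp, 0.0.0.0:443->443/tcp, [::]:443->443/tcp')

# Demo on the constructed lines; on a real host:
#   docker ps --format '{{.Names}}\t{{.Ports}}' | world_exposed_ports
printf '%s\n' "$SAMPLE_PS" | world_exposed_ports || echo "-> bind these to 127.0.0.1 or drop the port mapping"

# Fixes, in order of preference:
#   per service:   ports: ["127.0.0.1:3000:3000"] in compose, or docker run -p 127.0.0.1:3000:3000 ...
#   daemon-wide:   {"ip": "127.0.0.1"} in /etc/docker/daemon.json makes loopback the default bind
#   firewall:      Docker evaluates the DOCKER-USER chain before its own rules, so restricting
#                  forwarded traffic there holds even when ports are published (this example
#                  blocks all container traffic from other sources, so only for a host whose
#                  containers are all internal):
#                    iptables -I DOCKER-USER -i eth0 ! -s <admin-ip> -j DROP
#   then reach the service over SSH instead of the public interface:
#                    ssh -N -L 3000:127.0.0.1:3000 user@host    and open http://localhost:3000
```

Only the `analytics` bindings are the problem in the constructed sample; the `proxy` lines are flagged too because the check cannot know which services are meant to be public, so read its output as "every port the firewall is not protecting" rather than as a list of mistakes.
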
majorbugger 6 days ago|
OK, so am I right that this guy had a completely unsecured metrics endpoint running on his server? Why would you do that in the first place?