
Posted by jakelsaunders94 7 days ago

I got hacked: My Hetzner server started mining Monero (blog.jakesaunders.dev)
604 points | 409 comments | page 6
rendaw 6 days ago
I didn't see it mentioned, but wouldn't having a RO root filesystem with writable directories mounted noexec also have been sufficient?
zamadatix 7 days ago
I don't use Docker for my containers at home, but I take it by the concern that user namespacing is not employed by them or something?
heavyset_go 7 days ago
If you're root in a namespace and manage to escape, you can have root privileges outside of it.
zamadatix 7 days ago
Are you referring to user namespaces and, if so, how does that kind of break out to host root work? I thought the whole point of user namespaces was that your UID 0 inside the container is UID 100000 or whatever from the perspective of outside the container. Escaping the container shouldn't inherently grant you the ability to change your actual UID in the host's main namespace in that kind of setup, but I'm not sure whether Docker actually leverages user namespaces or not.

E.g. on my systemd-nspawn setup with --private-users=pick (enables user namespacing) I created a container and gave it a bind mount. From the container it appears like files in the bind mount created by the container namespace's UID 0 are owned by UID 0 but from outside the container the same file looks owned by UID 100000. Inverted, files owned by the "real" UID 0 on the host look owned by 0 to the host but as owned by 65534 (i.e. "nobody") from the container's perspective. Breaking out of the container shouldn't inherently change the "actual" user of the process from 100000 to 0 any more than breaking out of the container as a non-0 UID in the first place - same as breaking out of any of the other namespaces doesn't make the "UID 0" user in the container turn into "UID 0" on the host.
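The UID translation described in the comment above (container UID 0 appearing as 100000 on the host, host UID 0 appearing as 65534 "nobody" inside the container) is what the kernel's `/proc/<pid>/uid_map` encodes. The following is an added example, not code from the thread or from systemd-nspawn: it parses a constructed `uid_map` in the kernel's own `<inside> <outside> <count>` format and applies the mapping in both directions. The range size 65536 and the overflow UID 65534 are the usual Linux defaults and are assumed here rather than read from a live system; `read_live_uid_map` is a helper name chosen for this example.

```python
"""Translate UIDs across a user-namespace boundary the way the kernel does.

Added example for the thread above; it models the mapping zamadatix
describes by parsing the /proc/<pid>/uid_map format. The sample map text
is constructed, and the overflow UID is the kernel default assumed here.
"""

OVERFLOW_UID = 65534  # kernel default, normally read from /proc/sys/kernel/overflowuid

# Constructed sample: one line of "<inside> <outside> <count>", as a
# container manager such as systemd-nspawn --private-users=pick would write.
SAMPLE_UID_MAP = "         0     100000      65536\n"

# Constructed sample of a namespace with no remapping at all: inside 0 is host 0.
IDENTITY_UID_MAP = "         0          0 4294967295\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, count) tuples."""
    ranges = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if len(parts) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(p) for p in parts)
        ranges.append((inside, outside, count))
    return ranges


def to_host_uid(container_uid, ranges):
    """Map a UID as seen inside the namespace to the host's view.

    Returns None when no range covers the UID: such IDs cannot be created
    inside the namespace at all.
    """
    for inside, outside, count in ranges:
        if inside <= container_uid < inside + count:
            return outside + (container_uid - inside)
    return None


def to_container_uid(host_uid, ranges, overflow=OVERFLOW_UID):
    """Map a host UID to what the namespace sees.

    Host UIDs outside every range have no identity inside the namespace and
    show up as the overflow UID ("nobody"), which is why host-root-owned
    files look owned by 65534 from inside the container.
    """
    for inside, outside, count in ranges:
        if outside <= host_uid < outside + count:
            return inside + (host_uid - outside)
    return overflow


def maps_to_host_root(ranges):
    """True when some namespace UID corresponds to host UID 0.

    A map like "0 0 4294967295" means the namespace offers no UID isolation
    for root: a process that is UID 0 inside is UID 0 on the host too.
    """
    return any(outside == 0 and count > 0 for _, outside, count in ranges)


def read_live_uid_map(pid="self"):
    """Parse the real map of a running process (Linux only; hypothetical helper name)."""
    with open(f"/proc/{pid}/uid_map") as fh:
        return parse_uid_map(fh.read())


if __name__ == "__main__":
    ranges = parse_uid_map(SAMPLE_UID_MAP)
    print("container root on the host  ->", to_host_uid(0, ranges))          # 100000
    print("host root inside container  ->", to_container_uid(0, ranges))     # 65534
    print("host UID 100005 inside      ->", to_container_uid(100005, ranges))  # 5
    print("remapped namespace reaches host root?", maps_to_host_root(ranges))  # False
    print("identity map reaches host root?",
          maps_to_host_root(parse_uid_map(IDENTITY_UID_MAP)))                 # True
```

Run it on a live Linux host with `read_live_uid_map()` from inside a container to see the real mapping; a container whose map reaches host UID 0 is the case where an escape keeps root on the host, which is the distinction the thread is arguing about.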

heavyset_go 7 days ago
Users in user namespaces are granted capabilities that root has. User namespaces themselves need to be locked down to prevent that, but if a user with root capabilities escapes the namespace, they have the capabilities on the host.

They also expose kernel interfaces that, if exploited, can lead to the same.

In the end, namespaces are just for partitioning resources. Using them for sandboxes can work, but they aren't really sandboxes.

mikaelmello 7 days ago
This article is very interesting at first but I once again get disappointed after reading clear signs of AI like "Why this matters" and "The moment of truth", and then the whole thing gets tainted with signs all over the place.
dinkleberg 7 days ago
Yeah personally I’d much rather read a poorly constructed article with actually interesting content than the same content put into the formulaic AI voice.
venturecruelty 7 days ago
Article's been edited:

>Edit: A few people on HN have pointed out that this article sounds a little LLM generated. That’s because it’s largely a transcript of me panicking and talking to Claude. Sorry if it reads poorly, the incident really happened though!

For what it's worth, this is not an excuse, and I still don't appreciate being fed undisclosed slop. I'm not even reading it.

nunodonato 6 days ago
The world will be a better place when all crypto just disappears
tgsovlerkhgsel 6 days ago
Would it be better for the victim if that was ransomware (asking for Apple gift cards) or some malware that stealthily siphons off data until it finds something valuable?
eyberg 7 days ago
a) containers don't contain

b) if you want to limit your hosting environment to only the language/program you expect to run you should provision with unikernels which enforce it

tgsovlerkhgsel 6 days ago
> a) containers don't contain

Except it seems to have done so in this case?

Computer0 7 days ago
Still confused what I am supposed to do to avoid all this.
movedx 7 days ago
Learning to manage an operating system in full, and having a healthy amount of paranoia, is a good first step.
doublerabbit 7 days ago
Then, write all your own software to please the paranoia for the next 15 years.

Next year is the 5th year of my current personal project. Ten to go.

nikanj 6 days ago
Host your personal blog on wordpress.com or similar
venturecruelty 7 days ago
I still can't believe that there are so many people out here popping boxen and all they do is solve drug sudokus with the hardware. Hacks are so lame now.
tolerance 7 days ago
Was dad notified of the security breach? If not he may want to consider switching hosting providers. Dad deserves a proper LLM-free post mortem.
jakelsaunders94 7 days ago
Hahaha, I did tell him this afternoon. This is the bloke who has the same password for all his banking apps despite me buying him 1Password though. The imminent threat from RCEs just didn't land.
dylan604 7 days ago
Buying someone 1Pass, or the like, and calling it good is not enough. People using password managers forget how long it takes to visit all of the sites you use to create that site's record, then update the password to a secure one, and then log out and log back in with the new password to test it is good. For a lot of people, having a password manager bought for them is going to be over after the second site. Just think about how many videos on TikTok they could have been watching instead.
venturecruelty 7 days ago
Yeah, mom and I sat down one afternoon and we changed all of her passwords to long, secure ones, generated by 1Password. It was a nice time! It also helped her remember all of the different services she needs to access, and now they're all safely stored with strong passwords. And it was a nice way to connect and spend some time together. :)
suspended_state 6 days ago
Careful, HN isn't your average IRC channel.
codegeek 7 days ago
tl;dr: He got hacked but the damage was restricted to one Docker container running Umami (which is built on top of Next.js). Thankfully, he was running the Docker container as a non-privileged, non-root user, which saved him big time considering that the attack surface was limited to within the container and could not reach the entire host/filesystem.

Is there ever a reason someone should run a Docker container as root?

d4mi3n 7 days ago
If you're using the container to manage stuff on the host, it'll likely need to be a process running as root. I think the most common form of this is Docker-in-Docker style setups where a container is orchestrating other containers directly through the Docker socket.
eikowagenknecht 5 days ago
I got another mail from Hetzner on Dec 10, telling me that the BSI told them my web site was having serious security problems with Next.JS. Not having high opinions of the BSI, I first thought this was some very elaborate scam attack, but no, it turns out it was legit and also Umami's inbuilt Next.JS for me. But apparently there was no crypto miner or other active abuse yet.