Someone got in my back door... giggity

[iamgadgetman 4]

I was working on containers today when I noticed one that I didn't recognize.   A little digging revealed that someone recently created a container on my server without my knowledge and it was mining bitcoin and sending the data back to the hacker.  I have cut off the traffic on my firewall, but I'm really curious to know as to how the heck they got in.  Any ideas?  To be fair, I did have a non-standard port opened on the firewall for access to the admin page.

[jonathanm 1276]

32 minutes ago, iamgadgetman said:

I did have a non-standard port opened on the firewall for access to the admin page.

 

32 minutes ago, iamgadgetman said:

how the heck they got in.

I believe you answered your own question. Once they have access to the Unraid GUI, they have complete control. You must secure any access with a VPN tunnel or something similar, i.e. teamviewer or other secure remote access through another machine on the LAN

[tjb_altf4 118]

2 hours ago, iamgadgetman said:

I was working on containers today when I noticed one that I didn't recognize. 

You probably created it yourself, if you omit a name it generates one for you

https://github.com/moby/moby/blob/master/pkg/namesgenerator/names-generator.go

[iamgadgetman 4]

@jonathanm I agree.  I had honestly forgotten that it was there lol.

@tjb_altf4 the only thing is that I didn't set up anything at that time, that I know of.  It won't even let me look at the console.

It's also oddly set up.

Take a look at the logs.  I eventually blocked the outbound TCP port, so I could keep the container without worrying about it getting out.

 

admiring_noyce.log.txt