10 comments

[ 3.0 ms ] story [ 22.1 ms ] thread
It's a docker image, NOT qbittorrent.
Well. An unpaid volunteer found a way how to get paid!

/s

Omg! I am one of the user! Good find. I maily use for built-in VPN facility, gluetun do not cut out. But now time to re-think. I thought my 2000+ linux iso was causing medium CPU usage. But still lack of GPU, on my unraid server with 50+ docker containers running 24/7 CPU load is 2.31 2.04 2.00 so I wonder mining ever triggered?

Ps. I do have such binary on my machine as well, ps -ef | grep netservlet root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet

Why do people use these stupid third-party container images?
And yet everything is open source and easily auditable. Most likely OP got pwnd and clearly is unable to understand sarcasm.

You all really think that hotio snuck a crypto miner in somehow with all clearly open source code - and not a single person but OP noticed for years?

The article hasn’t proven that the infection is in the GHCR Docker image, let alone the newest version. It only says that they had the image installed, then (unknown time later) noticed the infection.

According to some messages on Hotio’s Discord server from 2023-11-25, qBitTorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.

If author was pinned to an old version of the docker image and their server had internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.

Edit: Scion9066’s comment shows that dBitTorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.