Omg! I am one of the user! Good find. I maily use for built-in VPN facility, gluetun do not cut out. But now time to re-think. I thought my 2000+ linux iso was causing medium CPU usage. But still lack of GPU, on my unraid server with 50+ docker containers running 24/7 CPU load is 2.31 2.04 2.00 so I wonder mining ever triggered?
Ps. I do have such binary on my machine as well,
ps -ef | grep netservlet
root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
The article hasn’t proven that the infection is in the GHCR Docker image, let alone the newest version. It only says that they had the image installed, then (unknown time later) noticed the infection.
According to some messages on Hotio’s Discord server from 2023-11-25, qBitTorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.
If author was pinned to an old version of the docker image and their server had internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.
Edit: Scion9066’s comment shows that dBitTorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.
10 comments
[ 3.0 ms ] story [ 22.1 ms ] threadhttps://hotio.dev/containers/base/
/s
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
https://github.com/hotio/qbittorrent/pkgs/container/qbittorr...
Based on https://github.com/hotio/base
Should be tracable via GitHub Actions logs for anyone signed on - if it is indeed supply-chain and not a qbittorrent exploit or something else.
Ps. I do have such binary on my machine as well, ps -ef | grep netservlet root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
You all really think that hotio snuck a crypto miner in somehow with all clearly open source code - and not a single person but OP noticed for years?
According to some messages on Hotio’s Discord server from 2023-11-25, qBitTorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.
If author was pinned to an old version of the docker image and their server had internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.
Edit: Scion9066’s comment shows that dBitTorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.