I left my Docker API port unsecured for about 5 days. Yeah, that's kinda dumb, but I didn't expect much to happen.
Some days ago I opened up Portainer and saw 307 stopped containers. That already shocked me, and then I saw a running container named monreo-miner and a lot of stopped ones. So basically someone mined cryptocurrency on my Raspberry Pi 😂
And as if it couldn't be worse, the host system itself has also been accessed. Directly in the root were bash scripts. They created users called richard and frank, which had sudo (visudo) rights to do everything. The attackers also turned on PasswordAuthentication and PermitRootLogin and added additional SSH ports.
Lesson learned: never leave a port (especially Docker's) unsecured, even if it's only for a short time.
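For anyone who wants to check their own host for the same kind of changes, here is a small POSIX shell audit. It is an added example, not the original poster's scripts or anything from the attacker: it looks for the three indicators the post names (sshd_config with PermitRootLogin/PasswordAuthentication turned on and extra Port lines, sudoers full grants to users you did not add, and a dockerd exposed on tcp:// without --tlsverify). The sample config files it writes are constructed to mirror the post so it runs offline; on a real host you would point the functions at /etc/ssh/sshd_config, /etc/sudoers plus /etc/sudoers.d/*, and the docker.service unit or /etc/docker/daemon.json (those paths are assumptions about a typical install).

```shell
#!/bin/sh
# Added example, not code from the original post. Audits a Linux host for the
# post-compromise changes the post describes. Sample inputs are constructed.

# sshd_audit CONFIG EXPECTED_PORT: print one line per weakened directive.
sshd_audit() {
    conf="$1"; expected_port="$2"
    # Only uncommented directives count, so "#PermitRootLogin yes" is ignored.
    if grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+yes' "$conf"; then
        echo "sshd: PermitRootLogin yes"
    fi
    if grep -Eiq '^[[:space:]]*PasswordAuthentication[[:space:]]+yes' "$conf"; then
        echo "sshd: PasswordAuthentication yes"
    fi
    # Every active Port directive other than the expected one is a finding.
    for p in $(grep -Ei '^[[:space:]]*Port[[:space:]]+[0-9]+' "$conf" | awk '{print $2}'); do
        if [ "$p" != "$expected_port" ]; then
            echo "sshd: extra listening port $p"
        fi
    done
    return 0
}

# sudoers_audit FILE PRINCIPAL...: print full "ALL=(ALL...)" grants whose
# principal (user or %group) is not in the allow list given as extra arguments.
sudoers_audit() {
    sfile="$1"; shift
    grep -Ev '^[[:space:]]*(#|$)' "$sfile" | while read -r principal spec; do
        case "$spec" in
            "ALL=(ALL"*) ;;     # full grant: check who gets it
            *) continue ;;      # Defaults, aliases, narrower grants
        esac
        known=0
        for allowed in "$@"; do
            if [ "$principal" = "$allowed" ]; then known=1; fi
        done
        if [ "$known" -eq 0 ]; then
            echo "sudoers: unexpected full grant: $principal $spec"
        fi
    done
}

# docker_audit FILE: flag a dockerd listening on tcp:// without --tlsverify
# (works on a systemd unit's ExecStart line or a daemon.json "hosts" entry).
docker_audit() {
    dfile="$1"
    if grep -q 'tcp://' "$dfile" && ! grep -q 'tlsverify' "$dfile"; then
        echo "docker: API exposed on tcp:// without TLS client verification"
    fi
    return 0
}

# Constructed sample files mirroring what the post describes.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/sshd_config" <<'EOF'
# constructed sample, not a real host's config
Port 22
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
EOF
cat > "$SAMPLES/sudoers" <<'EOF'
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
richard ALL=(ALL:ALL) NOPASSWD:ALL
frank ALL=(ALL:ALL) NOPASSWD:ALL
EOF
# Weak unit: API on 2375 with no TLS (the situation in the post).
cat > "$SAMPLES/docker-open.service" <<'EOF'
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375
EOF
# Hardened unit: TCP only with client-certificate verification.
cat > "$SAMPLES/docker-tls.service" <<'EOF'
ExecStart=/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem --tlscert=/etc/docker/server-cert.pem --tlskey=/etc/docker/server-key.pem
EOF

# Stand-alone run: prints the findings for the constructed samples.
sshd_audit "$SAMPLES/sshd_config" 22
sudoers_audit "$SAMPLES/sudoers" root %sudo
docker_audit "$SAMPLES/docker-open.service"
docker_audit "$SAMPLES/docker-tls.service"
```

On a real host the sudoers allow list should be just the principals you know you created (root and %sudo on a stock Raspberry Pi OS are a reasonable start); anything else with a full grant is exactly the richard/frank situation from the post. The docker check is deliberately strict: even a tcp:// listener bound to 127.0.0.1 is reported, because a daemon socket on localhost is still reachable from any container that can hit the host network.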