How I got infiltrated

I left my Docker API port unsecured for about 5 days. Yeah, that's kinda dumb, but I didn't expect much to happen.

The server and the remote Raspberry. Portainer is way too awesome 😀

Some days ago I opened up Portainer and saw 307 stopped containers. That already shocked me, and then I saw a running container named monreo-miner and a lot of stopped ones. So basically someone mined cryptocurrency on my Raspberry 😂

And as if it could not be worse, the host system itself had also been accessed. Directly in the root were bash scripts. They created users called richard and frank, which had sudo (visudo) rights to do everything. Also, the attackers turned on PasswordAuthentication and PermitRootLogin and added additional SSH ports.

Lesson learned: never leave a port (especially Docker's) unsecured, even if it is only for a short time.
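A defender-side check modelled on the changes described in this post, added here as an example (not the author's code): it scans sshd_config and sudoers text for exactly the indicators mentioned above (PasswordAuthentication/PermitRootLogin turned on, extra Port lines, unexpected sudo principals). The sample inputs are constructed, and the baseline of port 22 and principals root/%sudo is an assumption you would replace with your own.

```python
"""Audit sshd_config and sudoers text for the post-compromise changes described above."""
import re

# Constructed sample modelled on the post: root login and password auth
# enabled, one extra SSH port added.
SAMPLE_SSHD_CONFIG = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
Port 2222
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
"""

# Constructed sample modelled on the post: two unexpected users given full sudo.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
richard ALL=(ALL) NOPASSWD:ALL
frank   ALL=(ALL) NOPASSWD:ALL
"""


def audit_sshd_config(text, expected_ports=(22,)):
    """Return findings for risky sshd settings; expected_ports is an assumed baseline."""
    findings, ports = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, value = (re.split(r"[\s=]+", line, maxsplit=1) + [""])[:2]
        key, value = key.lower(), value.strip().lower()
        if key == "port" and value.isdigit():
            ports.append(int(value))
        elif key in ("permitrootlogin", "passwordauthentication") and value == "yes":
            findings.append(f"{key} yes")
    findings += [f"unexpected Port {p}" for p in ports if p not in expected_ports]
    return findings


def audit_sudoers(text, expected_principals=("root", "%sudo")):
    """Return sudoers principals not on the assumed baseline list."""
    unexpected = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        principal = line.split()[0]
        if principal not in expected_principals:
            unexpected.append(principal)
    return unexpected


if __name__ == "__main__":
    print(audit_sshd_config(SAMPLE_SSHD_CONFIG))
    print(audit_sudoers(SAMPLE_SUDOERS))
```

Point the two functions at the real files (and at /etc/sudoers.d/*) from cron or a config-management check so that a change like the one in this post shows up the same day rather than after five.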
