Docker - mining virus

Docker containers wrap a piece of software in a complete filesystem that contains everything needed to run: code, runtime, system tools, system libraries – anything that can be installed on a server. This guarantees that the software will always run the same, regardless of its environment.

Moderator: Lillian.W@AST

cheehoong
Posts: 5
Joined: Thu Feb 20, 2020 10:37 pm

Re: Docker - mining virus

Post by cheehoong »

sandro_rocha wrote:
father.mande wrote:Hi,

for a specialist Docker is useful if you create your own container (test new version, create prototype) AND if you take on the permanent update of libraries and scripts inside ...
When you use a pre-created container from the HUB ... no control is done ... and it's at your OWN risk

Last, even if a virus check is done ... crypto mining is not a virus ... it's a normal application ... so never identified as a virus ... only the access opened (generally a reverse connect) can be (or not) identified.

If you are really interested in containers ... use tools where you have all the control in hand (like LXC or direct namespace management) so you keep a very large % of control on what is inside.
or if you like and want to use Docker (even with its own internal security holes) ... create the container yourself ... it's described as difficult (for selling services) when in reality it's easy if you have a minimum of Linux administration skills (some free student courses exist on the Web)

So the best solution is to TRASH the bad container and all dependencies (some containers work with other containers started hidden), and search for another HUB and verify that it's not the same one under another name

Philippe.
NB I am a user so you can trash this advice, but I have used Docker, LXC and Namespace on multiples NAS (and write some tool-book for another NAS brand) ... and today I build my own isolated environment like myHD APKG (an isolated Ubuntu 18.04 env.) or use LXC
I installed Docker-CE and didn't do anything else, didn't download or install any images, didn't start any containers and, a few hours later, there were four containers running. What explains that? Either the version available for the AS1002T is compromised or there is a security breach that allows external control.
I did some tests too. If you DMZ your router to your Asustor, there is a high chance you will get this issue, which I did before.
Now I hide it behind the router and limit the open ports; then I still got the issue with Docker being injected with the mining "virus".
I guess the Asustor Docker is open to attack; security is not good enough.
AS6302T
sandro_rocha
Posts: 76
Joined: Wed Feb 05, 2020 10:49 am

Re: Docker - mining virus

Post by sandro_rocha »

cheehoong wrote:
I did some tests too. If you DMZ your router to your Asustor, there is a high chance you will get this issue, which I did before.
Now I hide it behind the router and limit the open ports; then I still got the issue with Docker being injected with the mining "virus".
I guess the Asustor Docker is open to attack; security is not good enough.
I closed the modem and router ports, leaving only those necessary to access the applications (8000, 8112, 8989, 8096, 9000, 9800, 9117 and 51417) and even then Docker continues to run containers that I did not install. Any tips?
father.mande
Posts: 1810
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Docker - mining virus

Post by father.mande »

Hi,

I can't help you on docker ... but just for your information

a backdoor or miner (in docker) uses only outbound connections ... so closing ports is not enough
... lots of them use tools like Ngrok (I use it :mrgreen: ) or equivalent ... these tools are a gateway on the Internet (like ez-connect used by Asustor)
... the NAS makes a connection to the server ... the client makes a connection to the server (gateway) and a tunnel is created to localhost on the NAS ... so after that you can do what you want and enter the NAS (or any server) easily

So they use ONLY outbound connections, and they can hide the client under any name, because it's statically linked (no dynamic library) ...

The only way (to verify whether it is your case or not) is to do a survey of outbound connections and limit them, if iptables on the NAS has the tables and rules present to do that.

It's one (not the only) reason that I disapprove of any usage of Docker (except if you do it yourself) ... but each can have a different advice ... :mrgreen:

Philippe.
AS6602T / AS5202T /AS5002T / AS1002T / FS6706T
sandro_rocha
Posts: 76
Joined: Wed Feb 05, 2020 10:49 am

Re: Docker - mining virus

Post by sandro_rocha »

I know it's a stupid question, but how do I survey outgoing connections? And if so, how do I use iptables (if it exists on the NAS) to limit them?

ps: I have an Ez-Connect account, although I never used it to access the NAS. I usually use No-IP (DDNS). I travel a lot and I need access to the NAS when I'm away from home.

ps2: I also don't like the docker very much. But it is that or not to have applications, since Asustor does not provide native versions of them.
father.mande
Posts: 1810
Joined: Sat Sep 12, 2015 2:55 am
Location: La Rochelle (France)

Re: Docker - mining virus

Post by father.mande »

Hi,
sandro_rocha wrote: I know it's a stupid question, but how do I survey outgoing connections? And if so, how do I use iptables (if it exists on the NAS) to limit them?
ps: I have an Ez-Connect account, although I never used it to access the NAS. I usually use No-IP (DDNS). I travel a lot and I need access to the NAS when I'm away from home.
ps2: I also don't like the docker very much. But it is that or not to have applications, since Asustor does not provide native versions of them.
Hum! not so simple a thing, and certainly NOT stupid ...
Tools exist but are not user friendly
... I speak about full tools, provided by the Entware APKG, like netstat to know active connections or just closing/wait ... to any port, I.P. and/or DNS name
... ... but docker can hide this
... tcpdump and wireshark are very low-level debugging tools for network connections ... but they need some practice ...
But ... it's complex; some malware uses ports normally used for authorized purposes, etc.; docker can hide some links, and even on a NAS it's more difficult to create an alternate I.P. to hide connections on a known network ...

I can only suggest you ask the support and manage to open an ssh connection for them (at a defined time, and change the password just for the time needed to connect) ... so they can manage a network trace for you (I suppose)

Sorry not to be able to help you more ... I don't have a lot of free time and I go travelling tomorrow ...

Last, please list your software requirements, even those not available as is ... perhaps other solutions (than docker) exist and can have the advantage of permitting full control and not putting a "black box" (docker) in your NAS.

Philippe.
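The outbound-connection survey and the iptables limit that father.mande describes above, as an added example (not code from the thread, from Entware or from Asustor). It assumes Docker's default bridge 172.17.0.0/16 on docker0 and a kernel exposing /proc/net/nf_conntrack; the sample flows and the allow-list are constructed.

```shell
#!/bin/sh
# Added example for this thread, not code from the forum or from Asustor.
# survey_container_egress: list ESTABLISHED TCP flows that were opened from
#   inside Docker's default bridge subnet, read from /proc/net/nf_conntrack.
#   Container flows are NAT'ed by Docker, so host netstat does not list
#   them, but the conntrack table keeps both directions of every flow.
# egress_rules: print iptables rules for the DOCKER-USER chain (the chain
#   Docker reserves for user rules, checked before its own FORWARD rules)
#   that let containers reach an allow-list only and log+drop the rest.
# Assumptions: bridge 172.17.0.0/16 on docker0; the sample flows and the
#   allow-list below are constructed for the example.

DOCKER_NET='172.17.'   # prefix of the default bridge subnet (assumption)

# Constructed /proc/net/nf_conntrack lines: an inbound session to port
# 8096, two container-originated TCP flows, and a container DNS lookup.
SAMPLE_CONNTRACK='ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.20 dst=192.168.1.10 sport=51342 dport=8096 src=192.168.1.10 dst=192.168.1.20 sport=8096 dport=51342 [ASSURED]
ipv4 2 tcp 6 431999 ESTABLISHED src=172.17.0.2 dst=203.0.113.5 sport=43210 dport=443 src=203.0.113.5 dst=192.168.1.10 sport=443 dport=43210 [ASSURED]
ipv4 2 tcp 6 299 ESTABLISHED src=172.17.0.3 dst=198.51.100.7 sport=55012 dport=3333 src=198.51.100.7 dst=192.168.1.10 sport=3333 dport=55012 [ASSURED]
ipv4 2 udp 17 29 src=172.17.0.2 dst=192.168.1.1 sport=40001 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=40001'

# Reads conntrack lines on stdin; prints "container_ip -> dst:dport" for
# each established TCP flow whose original direction starts in DOCKER_NET.
# Usage on the NAS: survey_container_egress < /proc/net/nf_conntrack
survey_container_egress() {
    awk -v net="src=$DOCKER_NET" '
        $3 == "tcp" && $6 == "ESTABLISHED" && index($7, net) == 1 {
            print substr($7, 5) " -> " substr($8, 5) ":" substr($10, 7)
        }'
}

# Arguments are allow-list entries "ip:port/proto". Rules are printed with
# -I in reverse order so the resulting chain reads: allows, LOG, DROP, then
# Docker's default RETURN. Review the output, then pipe it into sh to apply.
egress_rules() {
    echo 'iptables -I DOCKER-USER -i docker0 -j DROP'
    echo 'iptables -I DOCKER-USER -i docker0 -j LOG --log-prefix "docker-egress-drop: "'
    for entry in "$@"; do
        ip=${entry%%:*}; rest=${entry#*:}
        port=${rest%%/*}; proto=${rest#*/}
        echo "iptables -I DOCKER-USER -i docker0 -d $ip -p $proto --dport $port -j RETURN"
    done
}
```

Run the survey first: a flow from a container you never started to an unfamiliar host and port (the 3333 flow in the sample) is what to investigate, and the rules only get the destinations you recognise. Containers on user-defined networks sit on a br-xxxx bridge instead of docker0, so adjust the interface and subnet for those.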