a) containers don't contain
b) if you want to limit your hosting environment to only the language/program you expect to run you should provision with unikernels which enforce it
Still confused what I am supposed to do to avoid all this.
Was dad notified of the security breach? If not he may want to consider switching hosting providers. Dad deserves a proper LLM-free post mortem.
tl;dr: He got hacked but the damage was only restricted to one docker container running Umami (that is built on top of NextJS). Thankfully, he was running the docker container as a non privileged non-root user which saved him big time considering the fact that the attack surface was limited only within the container and could not access the entire host/filesystem.
Is there ever a reason someone should run a docker container as root?
Well written blog post. Well done, I've learned something new.
I also run Umami, but patched once the CVE patch was released. Also, I only expose the tracking js endpoint and /api/send via Caddy publicly (though, /api/send might be enough to exploit the vul). To actually interact with Umami UI I use Twingate (similar to Tailscale) to tunnel into the VPC locally.
Whew, load average of 0 here.
You're lucky that Hetzner didn't delete your server and terminate your account.
I still can't believe that there are so many people out here popping boxen and all they do is solve drug sudokus with the hardware. Hacks are so lame now.
So what's the point of containers here? Seems only to make things less transparent and more complex to manage.
js scripts running on frameworks running inside containers
PS so I see the host ended up staying uncompromised
It makes me irrationally angry that cryptos have given a clear monetary value to raw CPU time, and a very strong incentive to create botnets.
Just use Hetzner managed servers? Very high specs, they manage everything, and you can install a lot of languages, apps etc.
> ls -la /tmp/.XIN-unix/javae
Unless run as root this could return file not found because of missing permissions, and not just because the file doesn't actually exist, right?
> “I don’t use X” doesn’t mean your dependencies don’t use X
That is beyond obvious, and I don't understand how anyone would feel safe from reading about a CVE on a widely used technology when they run dozens of containers on their server. I have docker containers and as soon as I read the article I went and checked because I have no idea what technology most are built with.
> No more Umami. I’m salty. The CVE was disclosed, they patched it, but I’m not running Next.js-based analytics anymore.
Nonsensical reaction.
Never expose your server IP directly to the internet, VPS or bare metal.
This article is very interesting at first but I once again get disappointed after reading clear signs of AI like "Why this matters" and "The moment of truth", and then the whole thing gets tainted with signs all over the place.