The article hasn’t proven that the infection is in the GHCR Docker image, let alone the newest version. It only says that they had the image installed, then (unknown time later) noticed the infection.
According to some messages on Hotio’s Discord server from 2023-11-25, qBitTorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xmrig on servers with default credentials.
If the author was pinned to an old version of the docker image and their server had an internet-visible IP, they probably got their server infected because of weak security defaults in the app installed in the image.
Edit: Scion9066’s comment shows that qBittorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.
For clarity: The post is about a server running a 3rd party docker image of qbittorrent.
But there’s no evidence presented that it was hotio’s docker image on GHCR which was compromised, and there is reason to believe it might be an older, vulnerable version of qbittorrent in the docker image which was compromised.
Finally made an account on hackernews for this after years of reading. I just checked my Unraid server, I'm running five docker containers from Hotio - Prowlarr, Sonarr, Radarr, Overseerr, and Tautulli.
If I remember correctly, I originally chose Hotio's configs due to there being a few extra settings missing from the standard images in the Unraid store. This was all to avoid learning anything about docker at the time, but since then I've gained a few skills so I'd say it's time for me to set up the containers myself.
Thanks for posting this, I really only read HN so I would have missed this if it were anywhere else.
With the SSH/NPM supply chain attack, we all live in fear now. It just needs one very smart person to deploy such a hack. I'm not saying hotio did something; all I am saying is that with new information, we all should check our deployments. Along with OP I'm affected, and I have never exposed the Docker container to the world.
So we should not deny the possibility of something off here.
Monero is literally the only crypto that does what it says on the tin. Anonymous, decentralized, minable on commodity hardware. It basically solves internet micropayments.
If you run a website, instead of ads you could provide users with well-behaved "support this site by enabling cryptominer while browsing" toggle that defaults to off.
But no, that'd be "weird". Or in less gullible terms, it spooked some spooks (I mean in the Stirnerian sense, not the one the reader might be thinking of).
And, well, there you have it. 16 years after Satoshi people patting themselves on the shoulder, considering it a resounding success how BTC has become toothless enough for PayPal to adopt, ffs.
And as usual nobody putting 2 and 2 together till some hackers from some hellhole did.
And presumably some other big picture thinkers saw it, too, the ones in the opposite of a hellhole who poured literal billions to turn a global plea for financial liberty into the largest FUD cloud since the Halloween papers.
Omg! I am one of the users! Good find. I mainly use it for the built-in VPN facility; gluetun does not cut it. But now it's time to re-think. I thought my 2000+ Linux ISOs were causing medium CPU usage. But still, with no GPU, on my Unraid server with 50+ Docker containers running 24/7 the CPU load is 2.31 2.04 2.00, so I wonder whether mining was ever triggered?
PS: I do have such a binary on my machine as well,
ps -ef | grep netservlet
root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
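As an added example (not code from any commenter), a small checker that applies the same `ps -ef | grep netservlet` idea to captured `ps` output, but skips the `grep` process that matches its own search string, which is the only line in the output quoted above, and converts the cumulative TIME column to seconds so a long-running CPU hog stands out. The process names, PIDs and pool hostname in the sample are constructed.

```python
"""Parse `ps -ef` output, report processes matching a watched name, and ignore
the grep/pgrep line that matches its own pattern. Sample input is constructed."""
import re
import shlex

# Constructed sample: only the third line is a real process named netservlet.
SAMPLE_PS_OUTPUT = """\
UID          PID    PPID  C STIME TTY          TIME CMD
root     3708105 3665360  0 08:06 pts/2    00:00:00 grep netservlet
root        4211       1  0 Mar03 ?        12:41:17 /config/.cache/netservlet -o pool.example.invalid:3333
nobody      5120    4100  0 Mar03 ?        00:00:02 /app/qbittorrent-nox --webui-port=8080
"""

# Columns of `ps -ef`: UID PID PPID C STIME TTY TIME CMD (CMD may contain spaces).
PS_LINE = re.compile(
    r"^(?P<uid>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+\d+\s+\S+\s+\S+\s+(?P<time>\S+)\s+(?P<cmd>.+)$"
)


def parse_ps(text):
    """Return one dict per process line; the header does not match (PID is not numeric)."""
    return [m.groupdict() for m in (PS_LINE.match(l) for l in text.splitlines()) if m]


def cpu_seconds(t):
    """Convert the ps TIME field ([[D-]HH:]MM:SS) to total seconds."""
    days = 0
    if "-" in t:
        d, t = t.split("-", 1)
        days = int(d)
    parts = [int(p) for p in t.split(":")]
    parts = [0] * (3 - len(parts)) + parts
    h, m, s = parts
    return days * 86400 + h * 3600 + m * 60 + s


def is_self_grep(cmd, needle):
    """True when the command is the grep/egrep/pgrep that searched for needle."""
    argv = shlex.split(cmd)
    return bool(argv) and argv[0].rsplit("/", 1)[-1] in ("grep", "egrep", "pgrep") and needle in argv[1:]


def find_suspicious(text, needle="netservlet"):
    """Processes whose CMD contains needle, excluding the self-matching grep, with CPU seconds added."""
    hits = []
    for row in parse_ps(text):
        if needle in row["cmd"] and not is_self_grep(row["cmd"], needle):
            row["cpu_seconds"] = cpu_seconds(row["time"])
            hits.append(row)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_PS_OUTPUT):
        print(f"pid={hit['pid']} ppid={hit['ppid']} cpu={hit['cpu_seconds']}s cmd={hit['cmd']}")
```

Run against real output with `find_suspicious(subprocess.check_output(["ps", "-ef"], text=True))`; an empty result for a bare `grep netservlet` line means the binary was not actually seen running.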
thephyber|5 months ago
anotherlogin448|5 months ago
OP's system got compromised at some point; the images are clean.
Hell, if he didn't want to post clickbait, he easily could have verified with a clean image on a known clean system.
ponchel|5 months ago
ktosobcy|5 months ago
Scion9066|5 months ago
dalmo3|5 months ago
thephyber|5 months ago
The vulnerability: (credit crtasm)
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
unknown|5 months ago
[deleted]
aquova|5 months ago
https://hotio.dev/containers/base/
b-air|5 months ago
IlikeKitties|5 months ago
edit: it seems consensus in the thread that OP was pwned and the docker images are clean. Please accept my apologies hotio.
anotherlogin448|5 months ago
His system was compromised - hotio's containers are all clean
baobun|5 months ago
https://github.com/hotio/qbittorrent/pkgs/container/qbittorr...
Based on https://github.com/hotio/base
Should be traceable via GitHub Actions logs for anyone signed in - if it is indeed supply-chain and not a qbittorrent exploit or something else.
anotherlogin448|5 months ago
2OEH8eoCRo0|5 months ago
crtasm|5 months ago
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
tatoalo|5 months ago
anotherlogin448|5 months ago
You all really think that hotio snuck a crypto miner in somehow with all clearly open source code - and not a single person but OP noticed for years?
wok4899|5 months ago
jgilias|5 months ago
/s
balamatom|5 months ago
wok4899|5 months ago
ZetaTauEpsilon|5 months ago
anotherlogin448|5 months ago
Code and CI are all open source.