The article hasn’t proven that the infection is in the GHCR Docker image, let alone the newest version. It only says that they had the image installed, then (unknown time later) noticed the infection.
According to some messages on Hotio’s Discord server from 2023-11-25, qBittorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.
If the author was pinned to an old version of the docker image and their server had an internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.
Edit: Scion9066’s comment shows that qBittorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.
Nope. How else are they supposed to make comments if they didn't have an account here yet? I had to create this account just to answer you—is that suspicious too?
Their comments are extremely high confidence (failing to recognize that accidents and supply chain attacks do sometimes happen) and because they are new and posting frequently in the same thread, their account shows the signs of a bot/disinfo campaign (which does happen on HN).
You can back up a debunking with receipts or reputation. Ideally, both.
You and anotherlogin448 have neither, but also show incredible aggression towards anyone pointing that out.
Your confidence might actually be warranted, but there's no reason for any one of us to take you on your word, and neither of you have given anything else.
Unfortunately this doesn’t prove absence of infection.
Cryptominers have become adept at hiding their symptoms when users are looking/interactive.
Just use the best security hygiene — always use the newest version of the app, ensure the admin credentials aren’t low entropy/hard-coded, and hopefully that the admin panel isn’t internet accessible.
It's been supported by qBittorrent since 4.4.0 released in January 2022 when built with libtorrent 2.0. The official docker images still use libtorrent 1.2 though as that is the default.
Probably not a dealbreaker for most but it might be hindering Bittorrent v2 adoption.
For clarity: The post is about a server running a 3rd party docker image of qbittorrent.
But there’s no evidence presented that it was hotio’s docker image on GHCR which was compromised, and there is reason to believe it might be an older, vulnerable version of qbittorrent in the docker image which was compromised.
Finally made an account on hackernews for this after years of reading. I just checked my Unraid server, I'm running five docker containers from Hotio - Prowlarr, Sonarr, Radarr, Overseerr, and Tautulli.
If I remember correctly, I originally chose Hotio's configs due to there being a few extra settings missing from the standard images in the Unraid store. This was all to avoid learning anything about docker at the time, but since then I've gained a few skills so I'd say it's time for me to set up the containers myself.
Thanks for posting this, I really only read HN so I would have missed this if it were anywhere else.
With the SSH/NPM supply chain attack, we all live in fear now. It just needs one very smart person to deploy such a hack. I'm not saying hotio did something, all I am saying is that with new information, we all should check our deployment. Along with OP I'm affected, and I have never exposed the docker container to the world.
So we should not deny the possibility of something off here.
Monero is literally the only crypto that does what it says on the tin. Anonymous, decentralized, minable on commodity hardware. It basically solves internet micropayments.
If you run a website, instead of ads you could provide users with well-behaved "support this site by enabling cryptominer while browsing" toggle that defaults to off.
But no, that'd be "weird". Or in less gullible terms, it spooked some spooks (I mean in the Stirnerian sense, not the one the reader might be thinking of).
And, well, there you have it. 16 years after Satoshi people patting themselves on the shoulder, considering it a resounding success how BTC has become toothless enough for PayPal to adopt, ffs.
And as usual nobody putting 2 and 2 together till some hackers from some hellhole did.
And presumably some other big picture thinkers saw it, too, the ones in the opposite of a hellhole who poured literal billions to turn a global plea for financial liberty into the largest FUD cloud since the Halloween papers.
Omg! I am one of the users! Good find. I mainly use it for the built-in VPN facility; gluetun does not cut it. But now it's time to re-think. I thought my 2000+ Linux ISOs were causing medium CPU usage. But with no GPU, and on my Unraid server with 50+ docker containers running 24/7 the CPU load is 2.31 2.04 2.00, so I wonder whether mining was ever triggered?
PS. I do have such a binary on my machine as well:
ps -ef | grep netservlet
root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
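A process check that excludes the searching grep itself, as an added example that is not part of any comment in the thread. The ps lines it runs against are constructed sample input, and the netservlet path in them is a placeholder, not a path reported anywhere on the page.

```shell
#!/bin/sh
# Added example: search ps -ef output for a process name without the grep
# invocation matching itself. A plain `ps -ef | grep NAME` always lists the
# grep process too, so a single "grep NAME" line is not evidence of NAME running.

# Read ps -ef style lines on stdin; keep lines whose CMD field matches $1,
# but drop the grep/pgrep process that is doing the searching.
filter_self_match() {
    pattern="$1"
    awk -v pat="$pattern" '
        {
            # ps -ef fields 1-7 are UID PID PPID C STIME TTY TIME; the rest is CMD.
            cmd = ""
            for (i = 8; i <= NF; i++) cmd = cmd (i > 8 ? " " : "") $i
            if (cmd ~ pat && cmd !~ /^(grep|pgrep|egrep|fgrep)( |$)/) print
        }'
}

# Exit 0 if a process matching $1 is running on this host (search itself excluded).
proc_running() {
    [ -n "$(ps -ef | filter_self_match "$1")" ]
}

# Constructed sample ps -ef output: the first line is the searching grep (as in
# the comment above), the second an unrelated daemon, the third a real match.
# /opt/example/netservlet is a placeholder path, not one reported on the page.
SAMPLE_PS='root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
root 1 0 0 Jan01 ? 00:00:05 /sbin/init
nobody 4242 1 0 Jan01 ? 01:23:45 /opt/example/netservlet --quiet'

# Number of real matches for $1 in the sample (the grep line never counts).
sample_hits() {
    printf '%s\n' "$SAMPLE_PS" | filter_self_match "$1" | wc -l | tr -d ' '
}

# Usage on a live host: proc_running netservlet && echo "netservlet is running"
```

`proc_running` only answers whether a process by that name exists; a binary sitting on disk but never executed, as the commenter suspects, will not show up in ps at all.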
Yep. In the author's case it definitely seems they were infected, everything checks out there. I think this commenter however is mistaken when they say they also have the malicious executable discovered by the author. Investigation of my own image (not latest release but within the past few months) shows no evidence of what the author reports.
I have never exposed this container to the world, and my server does report the existence of such a binary. That is the reason, based on CPU usage, I suspect that mining never triggered.