
logrotate inside the container causes all CPU cores 100% - probable malware

Open domagojhack opened this issue 1 year ago • 6 comments

Describe the bug After a while a containerized logrotate in /root/.config/logrotate starts. It is not a standard logrotate file location and the executable does not seem to be the real logrotate (maybe a miner or some other malware). Servers are affected by the malicious logrotate (high lag spikes due to CPU issues).

To Reproduce Steps to reproduce the behavior:

Start the server and the problem will start randomly after a few hours of activity.

Expected behavior It should not run. Server should not be affected by logrotate (it should be just an ordinary log rotation utility)

Screenshots: Screenshot from 2024-05-30 12-38-36 (image not reproduced)

This is the containerized process tree running /root/.config/logrotate

First-aid Killed the processes and removed the executable. Still waiting to see if the container will reacquire the executable. After the process termination the cores are back to normal and the servers are running fine. The zombie process inside the container stays active.

EDIT: After 3 hours the executable reappeared in /root/.config/logrotate and was executed inside the container

So yeah I am now 100% sure this docker image contains malware.

Environment OS: Ubuntu 22.04

docker-compose.yml Standard docker compose, no modifications, only sensitive data changed.

.env Standard env, no modifications.

domagojhack avatar May 30 '24 11:05 domagojhack
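The symptom reported above (a process called logrotate running from /root/.config instead of /usr/sbin, later renamed with a leading dot) can be triaged mechanically. The script below is an added example for this thread, not code from arma-server-manager or from the reporter. It flags a process when the binary's name matches a known system tool but its path does not, when it lives under a hidden directory or carries a dot-prefixed name, or when the binary has been unlinked while still running. High CPU alone never flags anything, since a game server is legitimately busy. The process records, the expected install paths in KNOWN_PATHS and the CPU threshold are assumptions; on a live host you would fill the same records from readlink on /proc/<pid>/exe plus a CPU sampler such as top -b -n1.

```python
"""Flag processes whose binary masquerades as a system tool from a non-standard path.

Added example for triaging the symptom in this issue; not code from arma-server-manager.
Works on plain process records so it runs offline on constructed data.
"""
from dataclasses import dataclass
from pathlib import PurePosixPath

# Where the genuine binaries live on Debian/Ubuntu (assumption: adjust per distro).
KNOWN_PATHS = {
    "logrotate": {"/usr/sbin/logrotate"},
    "cron": {"/usr/sbin/cron"},
    "sshd": {"/usr/sbin/sshd"},
}
CPU_THRESHOLD = 90.0  # percent of one core; only reported as context, never as a trigger


@dataclass(frozen=True)
class Proc:
    pid: int
    exe: str    # resolved target of /proc/<pid>/exe; the kernel appends " (deleted)" if unlinked
    cpu: float  # percent CPU as reported by top/ps


def masquerade_reasons(proc: Proc) -> list[str]:
    """Strong indicators that the executable is not the tool its name suggests."""
    path = PurePosixPath(proc.exe.removesuffix(" (deleted)"))
    name = path.name
    bare = name.lstrip(".")  # ".logrotate" is still claiming to be logrotate
    reasons = []
    if name != bare:
        reasons.append(f"executable name is dot-prefixed ({name})")
    hidden = [part for part in path.parent.parts if part.startswith(".")]
    if hidden:
        reasons.append(f"executable lives under hidden directory {'/'.join(hidden)}")
    if bare in KNOWN_PATHS and str(path) not in KNOWN_PATHS[bare]:
        reasons.append(f"{bare} normally runs from {sorted(KNOWN_PATHS[bare])}, not {path}")
    if proc.exe.endswith(" (deleted)"):
        reasons.append("binary was deleted from disk while still running")
    return reasons


def triage(procs: list[Proc]) -> dict[int, list[str]]:
    """Return {pid: reasons} for processes with at least one strong indicator.

    CPU load is appended as context only when a masquerade indicator is already present.
    """
    flagged = {}
    for proc in procs:
        reasons = masquerade_reasons(proc)
        if reasons:
            if proc.cpu >= CPU_THRESHOLD:
                reasons.append(f"sustained high CPU ({proc.cpu:.0f}%)")
            flagged[proc.pid] = reasons
    return flagged


# Constructed sample modelled on the thread; not real captured data.
SAMPLE = [
    Proc(15, "/usr/sbin/cron", 0.0),
    Proc(77, "/opt/java/openjdk/bin/java", 12.0),
    Proc(2040, "/home/steam/armaservermanager/servers/1/arma3server_x64", 85.0),  # busy but legit
    Proc(612, "/root/.config/logrotate", 398.0),      # first sighting in the issue
    Proc(901, "/root/.config/.logrotate", 400.0),     # dot-prefixed rename reported later
    Proc(1300, "/dev/shm/update (deleted)", 199.0),   # generic running-but-unlinked case
]

if __name__ == "__main__":
    for pid, reasons in sorted(triage(SAMPLE).items()):
        print(f"pid {pid}:")
        for reason in reasons:
            print(f"  - {reason}")
```

Run it inside the container (docker exec) as well as on the host: the reporter saw the process in the containerized tree, and a host-side view will show the same PID under the container's namespace, which tells you which side to collect the binary from before killing it.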

The malware is back/still here (after a week of scrubbing). So I tested my system and I even created a service to automatically delete the malware process, but obviously someone is trying to start his fake .logrotate on my system through this docker image. I checked everything and did everything by the book; even scrubbing the system and reinstalling caused this. Obviously the "hacker" noticed he got detected and tried to hide the process by adding the . in front of his executable. I am still working on my own manager. I suspect there is a vulnerability in the .jar. I am going to edit my process scrubber, but this is so annoying.

Here is my docker image inspect <image id> output:

[
    {
        "Id": "sha256:58259b70669e8ac6eda8bb7737d3be4ff3b2b9091243594545358af62ba58a2a",
        "RepoTags": [
            "fugasjunior/armaservermanager:latest"
        ],
        "RepoDigests": [
            "fugasjunior/armaservermanager@sha256:b9eef12484ef058414b5fe6c3386d4ae726add5f1b49cd52746cfd9f5545c542"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2024-05-11T13:28:29.693403984Z",
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "root",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "8080/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "USER=steam",
                "HOMEDIR=/home/steam",
                "STEAMCMDDIR=/home/steam/steamcmd",
                "APP_VERSION=1.3.0",
                "LANG=en_US.UTF-8",
                "LANGUAGE=en_US.UTF-8",
                "LC_ALL=en_US.UTF-8",
                "STEAMCMD_PATH=/home/steam/steamcmd/steamcmd.sh",
                "DIRECTORY_SERVERS=/home/steam/armaservermanager/servers",
                "DIRECTORY_MODS=/home/steam/armaservermanager/mods",
                "DIRECTORY_LOGS=/home/steam/armaservermanager/logs"
            ],
            "Cmd": [
                "-Xdebug",
                "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005",
                "-jar",
                "./app.jar"
            ],
            "ArgsEscaped": true,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "/home/steam",
            "Entrypoint": [
                "java"
            ],
            "OnBuild": null,
            "Labels": {
                "maintainer": "[email protected]"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 1392818047,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/c43562d18ac93eec5c9db041aa6014c2c05d21e646fc65fd7e541eac8f275f38/diff:/var/lib/docker/overlay2/4c53e1477a90ff5126929797a480546a20d7472714037ad11063c3e116c7269a/diff:/var/lib/docker/overlay2/9d3be81903116d8591637efa615ef585c50a487c959cc937d0645f73f37f97b5/diff:/var/lib/docker/overlay2/b1af69c2b191f2227710a13d1e7f81d055bb234c2e406f90ef28ef243f2fbe65/diff:/var/lib/docker/overlay2/daf0d88498180c579e3b9463ae891f5dad36c9df30e7d1395827b3dae8c7f595/diff:/var/lib/docker/overlay2/98fcbc3e7743d7c52145bbe8433519b182f70dad5854e06b5a3b9de61b8ad60f/diff:/var/lib/docker/overlay2/cb4a9b9122ab9998a4db65e06a8baee191f7a85beb45d3481e91e2a2f64bea3c/diff",
                "MergedDir": "/var/lib/docker/overlay2/1de1b522ba55552c4caa1155aa57113fea45c82c005ff1bc8154273d97524124/merged",
                "UpperDir": "/var/lib/docker/overlay2/1de1b522ba55552c4caa1155aa57113fea45c82c005ff1bc8154273d97524124/diff",
                "WorkDir": "/var/lib/docker/overlay2/1de1b522ba55552c4caa1155aa57113fea45c82c005ff1bc8154273d97524124/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:52ec5a4316fadc09a4a51f82b8d7b66ead0d71bea4f75e81e25b4094c4219061",
                "sha256:af6ed5fb01190e5c4bd5d9836e0af23af41f3147c9736bb3cc508d917242eeda",
                "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
                "sha256:52be2390ef0c7581f5e87859524f9897bef10161a0cec038ae12603fcc08149b",
                "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
                "sha256:5393132871bcce67545822153c495f32b056799848ba4c2dcabcc5902e858f0f",
                "sha256:655a4cee3dd73242901425445801fcc9cc9151bfa0f666cce2434559c5355775",
                "sha256:14aa87eca4e32717dfcfae17d3b94c1f8c246237889d2c3d42ebd7b829ec4e7c"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]

domagojhack avatar Jun 06 '24 03:06 domagojhack
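Two things in the inspect output above are worth checking on any image before it is blamed for or cleared of an intrusion: Config.User is root, and the Cmd passes -agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005, which starts the Java Debug Wire Protocol agent listening on every interface. JDWP has no authentication; anyone who can connect to that port can load classes and run commands inside the JVM. Whether port 5005 was actually published to the network on the reporter's host is not shown in this thread (the compose file is described but not posted), so the script below is the check a practitioner would run, not a root-cause finding. It is an added example, not code from arma-server-manager or its maintainers; the JSON documents are a constructed subset of the inspect output posted above plus a constructed hardened variant for comparison.

```python
"""Audit `docker image inspect` output for root execution and JDWP debug agents.

Added example for this thread; not code from arma-server-manager. Reads the Config
block of the JSON that `docker image inspect <image>` prints.
"""
import json
import re
import sys

JDWP_RE = re.compile(r"^-agentlib:jdwp=(?P<opts>.+)$")


def parse_jdwp(args):
    """Return the JDWP agent options as a dict if any argument enables the agent, else None."""
    for arg in args:
        match = JDWP_RE.match(arg)
        if match:
            return dict(kv.split("=", 1) for kv in match.group("opts").split(",") if "=" in kv)
    return None


def describe_jdwp_listener(address):
    """Classify a JDWP address= value as a JDK 9+ JVM binds it:
    '*:port' or '0.0.0.0:port' = all interfaces, bare 'port' = loopback only, 'host:port' = that host."""
    host, sep, port = address.rpartition(":")
    if not sep:
        return ("loopback", address)
    if host in ("*", "0.0.0.0", "::"):
        return ("all-interfaces", port)
    return (host, port)


def audit_image(inspect_json):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    image = json.loads(inspect_json)[0]
    cfg = image["Config"]
    findings = []

    user = (cfg.get("User") or "").strip()
    if user in ("", "root", "0"):
        findings.append(f"container process runs as root (Config.User={user!r})")

    args = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    jdwp = parse_jdwp(args)
    if jdwp is not None:
        scope, port = describe_jdwp_listener(jdwp.get("address", ""))
        if jdwp.get("server") == "y" and scope == "all-interfaces":
            findings.append(
                f"JDWP debug agent listens on all interfaces, port {port}: anyone who can "
                f"reach that port gets unauthenticated code execution in the JVM"
            )
        else:
            findings.append(f"JDWP debug agent enabled (scope={scope}, port={port})")
    return findings


# Constructed subset of the inspect output posted in this issue.
REPORTED_INSPECT = json.dumps([{
    "Config": {
        "User": "root",
        "ExposedPorts": {"8080/tcp": {}},
        "Cmd": ["-Xdebug", "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005",
                "-jar", "./app.jar"],
        "Entrypoint": ["java"],
    },
}])

# Constructed hardened variant: unprivileged user, no debug agent.
HARDENED_INSPECT = json.dumps([{
    "Config": {
        "User": "steam",
        "ExposedPorts": {"8080/tcp": {}},
        "Cmd": ["-jar", "./app.jar"],
        "Entrypoint": ["java"],
    },
}])

if __name__ == "__main__":
    docs = [("reported image", REPORTED_INSPECT), ("hardened variant", HARDENED_INSPECT)]
    if not sys.stdin.isatty():  # docker image inspect <image> | python3 audit_image.py
        docs = [("stdin", sys.stdin.read())]
    for label, doc in docs:
        findings = audit_image(doc)
        print(f"{label}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

Two caveats when reading the result. ExposedPorts only records EXPOSE metadata (8080 here); what actually reaches the network is the ports: list in the compose file, and a port published by Docker is reachable from outside even when a host firewall such as ufw is enabled, because Docker inserts its own iptables rules ahead of it. And a finding of "all-interfaces" on 5005 is only a problem if that port is published or the Docker network is otherwise reachable, which this thread does not establish.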

I am certainly no expert, and cannot even say if this is malware or not. But reviewing the Dockerfile, a plausible explanation for a possible breach is the dependency on the base docker image (eclipse-temurin:17-jdk-jammy). The Docker Hub repository indicates several known vulnerabilities of this image. Might it be possible to resort to better maintained OpenJDKs (https://hub.docker.com/_/openjdk)? @fugasjunior

Just an idea, no qualified solution

CubelightCodes avatar Jul 02 '24 13:07 CubelightCodes

It seems update v1.4.0 helped with the issue by updating the dependencies. I'll keep this issue open for some time if anyone still has the problem even after the update, but for now, it seems solved.

fugasjunior avatar Jul 16 '24 19:07 fugasjunior

Have literally the same issue. What update are you talking about? And is it still helping?

SotnikovMaksim avatar Oct 05 '24 09:10 SotnikovMaksim

Hey! Exact same issue anyone got its origin or fix?

Naresh-chandanbatve avatar Apr 27 '25 12:04 Naresh-chandanbatve

Hey! Exact same issue anyone got its origin or fix?

It's 99.9% malware named perfctl. There are some topics on how to remove it, but none of them was useful for me. I decided to recreate the VM.

SotnikovMaksim avatar May 05 '25 08:05 SotnikovMaksim