Closed hahaCrazy closed 7 months ago
No, it doesn't. That appears to be trexminer masquerading as python3.
It could be any number of things, but it didn't come from this repo. It may be best to delete the VM and start over, and perhaps don't run stuff as root.
I tried it under web user still doesn't work. One suspicious plugin found so far is https://github.com/Iyashinouta/sd-colab-commands-browser. I do not have that plugin installed. Now that I have uninstalled it, I'm not sure if it's this plugin or not
Hi @hahaCrazy Do you have any update of suspicious process these days?
I have had a similar situation before and today. Some unknown suspicious process tried to add that extension (maybe to start mining or a zombie process later on), but luckily I disabled plugin installation through command line args every time SD starts.
I believe that is not this repo's problem, but maybe some vulnerability or some extension which was installed:
Maybe remove --enable-insecure-extension-access and/or add --gradio-auth / --api-auth
If its port is open or you're using --share, then anyone can access it from the internet, and install extensions if --enable-insecure-extension-access is enabled. If they install that particular extension, they can then run arbitrary commands.
This could be someone scanning for exposed webui instances they can exploit.
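The exposure pattern described in this comment (a reachable UI, no auth, extension installation enabled) can be checked mechanically against the COMMANDLINE_ARGS line before launch. This is an added example, not code from the webui project; `--listen` and `--gradio-auth-path` are other real webui flags assumed here alongside the ones named in the thread, and the `*_PLACEHOLDER` credentials are constructed values.

```python
import shlex

# Flags named in the thread plus two others assumed from the webui's cmd_args.
EXPOSING = {"--share", "--listen"}
AUTH = {"--gradio-auth", "--gradio-auth-path"}
INSECURE_EXT = "--enable-insecure-extension-access"


def audit_launch_args(cmdline: str) -> list[str]:
    """Return findings for one COMMANDLINE_ARGS string (empty list = nothing found)."""
    args = shlex.split(cmdline)
    # normalise "--flag=value" to "--flag" so membership tests work
    flags = {a.split("=", 1)[0] for a in args if a.startswith("--")}
    exposed = bool(flags & EXPOSING)
    findings = []
    if exposed and not flags & AUTH:
        findings.append("reachable UI without --gradio-auth: anyone who finds the port gets the UI")
    if exposed and INSECURE_EXT in flags:
        findings.append(f"{INSECURE_EXT} on a reachable UI: remote extension install means arbitrary code")
    if exposed and "--api" in flags and "--api-auth" not in flags:
        findings.append("--api reachable without --api-auth")
    return findings


def harden(cmdline: str) -> str:
    """Drop the insecure-extension flag and require auth whenever the UI is exposed.
    The *_PLACEHOLDER values are constructed; replace them with real user:password pairs."""
    args = [a for a in shlex.split(cmdline) if a != INSECURE_EXT]
    flags = {a.split("=", 1)[0] for a in args}
    if flags & EXPOSING and not flags & AUTH:
        args += ["--gradio-auth", "GRADIO_AUTH_PLACEHOLDER"]
    if flags & EXPOSING and "--api" in flags and "--api-auth" not in flags:
        args += ["--api-auth", "API_AUTH_PLACEHOLDER"]
    return shlex.join(args)


if __name__ == "__main__":
    # constructed sample line, the combination several people in this thread were running
    sample = "--share --enable-insecure-extension-access --xformers"
    for f in audit_launch_args(sample):
        print("finding:", f)
    print("hardened:", harden(sample))
```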
I had the same, and was able to track it down to these two extensions being installed:
https://codeberg.org/frwegt234/stable-diffusion-webui-advanced/ https://codeberg.org/frwegt234/stable-diffusion-webui-less-advanced/
It looks like they used to be part of the extensions list, but have been removed. Luckily I was running SD in a Docker container, so no harm was done.
I've sent a message to Codeberg's Abuse team to get them removed.
@missionfloyd Yes, luckily I did not add --enable-insecure-extension-access in the first place, so they can't install an extension for mining.
I always started SD with --share, but my IP address changes every few days, and the port is random (5 digits), generated when SD runs, and SD only runs for no more than 24 hours. That means the port number changes at least every 24 hours. There is only a very small window allowing them to scan the port on my frequently changing IP to get in, but they still come every week (actually my router's built-in firewall has no report of port scans). So I am sure there is some code in A1111 or the extensions sending out the IP address and port to someone and allowing them to come in directly.
@jangrewe I have not installed those 2 extensions. I only have the A1111 built-in extensions and extensions from https://raw.githubusercontent.com/AUTOMATIC1111/stable-diffusion-webui-extensions/master/index.json, so the impostor should be somewhere inside these.
@xdejiko Like I said, it seems as if they used to be part of that list, because that's also my only source for extensions. Either that, or somebody else's extension did some shenanigans and pulled them in.
I had the same experience.
python3 --no-watchdog -a kapow -o stratum+tcp://rvn.2miners.com:6060 -u RYUFr68iNETisCKPpGsnaNKfYEP96b8JTKo.530ab962bd5d_w --proxy 91.220.163.82:7273
This kept creeping up.
It was hard to spot at first because in ps or nvtop output, the latter part of the command was intentionally obstructed with white space.
python3
--no-watchdog -a kapow -o stratum+tcp://rvn.2miners.com:6060 -u RYUFr68iNETisCKPpGsnaNKfYEP96b8JTKo.530ab962bd5d_w --proxy 91.220.163.82:7273
PID TTY TIME CMD
1321 ? 00:00:07 miner
Is it possible to track this dude down and make him pay for the crime...? The proxy tracks to Russia
I was lucky that I was running this in a non-root container... I don't know what other code the attacker could have executed.
My infiltration route also involves https://github.com/Iyashinouta/sd-colab-commands-browser. I am sure because I have a previous snapshot of my web-ui. In the snapshot the extension doesn't exist, and I didn't install it on my own. (I was stupid to have my service open to the public; only now I know better...)
Oh, that's a great hint, because I also had some Google Colab extension installed (I think it was called commands) and I was wondering where that came from, as I'm not running in the cloud and would not have had any need for it.
Got a reply from Codeberg, they removed 2 of the 3 repos - i followed up with them to make sure that the last one is also removed.
Update: all removed.
I am currently running stable diffusion in a Docker container; my OS is Ubuntu 22.04. The WebUI can be accessed through a personal website, and the hacker has been installing and executing mining operations with my graphics card.
The following was the program being executed:
/tmp/.dev/miner --algo kawpow --server us.ravencoin.herominers.com --port 1140 --user RU1ntEfzwW2MzZHpcNuwFhALFUdxZXVc32.worker_41 --watchdog_child_process0
I have checked the authorized SSH keys and made sure only mine are there.
How can they access my PC and run root commands even though everything is in a docker container?
I'm in the exact same situation as you, even down to the port. My solution now is to remove the plugin sd-colab-commands-browser as they mentioned before. So far it looks like it solves the problem.
Is there an existing issue for this?
What happened?
Some time after starting the SD process on my server, exposed to the extranet, I saw the suspicious process. It should be a mining process. When I force-kill the process, it reappears after a while!
Steps to reproduce the problem
Its process id is 358653, so I found some information about it with the following command:
What should have happened?
Why is this process happening?
Sysinfo
What browsers do you use to access the UI ?
Google Chrome
Console logs
Additional information
No response