Closed markqiu closed 6 years ago
I removed all of the above files and directories, but it appeared again. Help!
I just started a clean image of continuumio/anaconda, and the /opt folder contains only one subfolder: conda.
Can you tell us more about what steps you're doing after initially running the image? Something is certainly infecting your container. It could be a malicious package.
docker run --name notebook -it -d -p 8888:8888 --link influxdb:influxdb --link ssdb:ssdb -v /mnt/data/dask:/opt/dask -v /mnt/data/cust_data/:/opt/data/cust_data -v /mnt/data/notebooks:/opt/notebooks -v /mnt/data/tmp:/tmp continuumio/anaconda3 /bin/bash -c "/opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser"
Above is my command.
I will remove the old container, and try a new one to check if the malicious process is still there.
Sorry, this looks clean on my side:
msarahan@0109-msarahan-2 ~ docker run -d -p 8888:8888 continuumio/anaconda3 /bin/bash -c "/opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser"
ad0feff016ad8c696b60684d263d726837a53e44b3da8a489207279650fd005d
msarahan@0109-msarahan-2 ~ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
ad0feff016ad continuumio/anaconda3 "/usr/bin/tini -- /bi" 3 seconds ago Up 2 seconds 0.0.0.0:8888->8888/tcp fervent_poitras
msarahan@0109-msarahan-2 ~ docker exec ad0feff016ad ls /opt
conda
msarahan@0109-msarahan-2 ~ docker top ad0feff016ad
PID USER TIME COMMAND
3868 root 0:00 /usr/bin/tini -- /bin/bash -c /opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser
3886 root 0:00 /bin/bash -c /opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser
3887 root 0:01 {conda} /opt/conda/bin/python /opt/conda/bin/conda install jupyter -y --quiet
I omitted your many mounts and links, because I can't possibly hope to reproduce them.
Finally, I don't understand why you are specifying both -it and -d - these are each for mutually exclusive purposes: https://docs.docker.com/engine/reference/run/
@markqiu, are you starting your docker container on a local machine or a public network (e.g., a cloud VM)? If a public network, are you securing the notebook server with a password somehow?
I started it in a public network without password protection.
I suspect someone has accessed your notebook server and run commands to install minergate.
Starting in Jupyter Notebook 4.3, the server starts up requiring a randomly generated access token that is logged to stdout. I recommend starting a brand new container instance from your image and either updating to notebook 4.3 or setting a password on your existing notebook following the docs here: http://jupyter-notebook.readthedocs.io/en/latest/public_server.html#securing-a-notebook-server
If you see the minergate process re-appear after verifying you have a clean container with a token or password secured notebook, report back.
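Added example, not part of the original thread or of the Jupyter project: a small Python audit of a `jupyter notebook` launch command for the condition discussed above (wildcard bind with no token or password). The function names and the sample version tuples are assumptions made for illustration; it only inspects `--key=value` command-line flags, so a password set in a config file is not seen.

```python
import shlex

# Bind values that make the server listen on every interface.
WILDCARD_BINDS = {"*", "0.0.0.0", "::", ""}

# The jupyter part of the launch command posted in this thread.
PAGE_COMMAND = ("/opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks "
                "--ip='*' --port=8888 --no-browser")


def parse_flags(command):
    """Return the --key=value flags of a launch command as a dict."""
    flags = {}
    for word in shlex.split(command):  # shlex strips the shell quoting
        if word.startswith("--"):
            key, _, value = word[2:].partition("=")
            flags[key] = value
    return flags


def audit_launch(command, notebook_version):
    """List findings for one launch; notebook_version is (major, minor)."""
    flags = parse_flags(command)
    # Without --ip the notebook server binds to localhost only.
    wildcard = flags.get("ip", "localhost") in WILDCARD_BINDS
    has_password = bool(flags.get("NotebookApp.password"))
    # Token auth is on by default from 4.3 unless the token is set to ''.
    token_on = (notebook_version >= (4, 3)
                and flags.get("NotebookApp.token", "auto") != "")
    protected = has_password or token_on
    findings = []
    if wildcard:
        findings.append("listens on all interfaces")
    if not protected:
        findings.append("no token or password required")
    if wildcard and not protected:
        findings.append("EXPOSED: anyone who can reach the port can run code")
    return findings


if __name__ == "__main__":
    # Constructed cases: the version tuples are sample values, not from the thread.
    for version in [(4, 2), (4, 3)]:
        print(version, audit_launch(PAGE_COMMAND, version))
    print("token disabled", audit_launch(PAGE_COMMAND + " --NotebookApp.token=''", (4, 3)))
```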
I found a strange minergate-cli process running in the background and consuming a lot of CPU after I ran a docker container of continuumio/anaconda3.
Process info is as follows:
26119 pts/0 Sl 29:24 ./opt/minergate-cli/minergate-cli -user asdfmnyy@hmamail.com -fcn+xmr
26126 pts/0 Sl 0:00 ./opt/minergate-cli/minergate-cli -user asdfmnyy@hmamail.com -fcn+xmr 0 2
find / -name minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.local/share/minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.ttmp/usr/bin/minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.ttmp/opt/minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.ttmp/opt/minergate-cli/minergate-cli
docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
40a3b8140d39 continuumio/anaconda3 "/usr/bin/tini -- /b 5 hours ago Up 2 hours 0.0.0.0:8888->8888/tcp notebook
What happened?