anaconda / docker-images

Repository of Docker images created by Anaconda
https://hub.docker.com/u/continuumio/

The image of continuumio/anaconda3 has been hacked? #47

Closed markqiu closed 6 years ago

markqiu commented 7 years ago

I found a strange minergate-cli process running in the background and consuming a lot of CPU after I ran the continuumio/anaconda3 Docker image.

Process info is as follows:

```
26119 pts/0 Sl 29:24 ./opt/minergate-cli/minergate-cli -user asdfmnyy@hmamail.com -fcn+xmr
26126 pts/0 Sl 0:00 ./opt/minergate-cli/minergate-cli -user asdfmnyy@hmamail.com -fcn+xmr 0 2
```

```
find / -name minergate-cli

/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.local/share/minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.ttmp/usr/bin/minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.ttmp/opt/minergate-cli
/var/lib/docker/devicemapper/mnt/40a3b8140d398645055cab495a8449711ab011e47bced5c0ae3a81f93e0867cf/rootfs/root/.ttmp/opt/minergate-cli/minergate-cli
```

```
docker ps

CONTAINER ID IMAGE                 COMMAND                CREATED     STATUS     PORTS                  NAMES
40a3b8140d39 continuumio/anaconda3 "/usr/bin/tini -- /b   5 hours ago Up 2 hours 0.0.0.0:8888->8888/tcp notebook
```

what happened?

markqiu commented 7 years ago

I removed all the above files and directories, but they appeared again. Help!

msarahan commented 7 years ago

I just started a clean image of continuumio/anaconda, and the /opt folder contains only one subfolder: conda.

Can you tell us more about what steps you're doing after initially running the image? Something is certainly infecting your container. It could be a malicious package.

markqiu commented 7 years ago

```
docker run --name notebook -it -d -p 8888:8888 --link influxdb:influxdb --link ssdb:ssdb -v /mnt/data/dask:/opt/dask -v /mnt/data/cust_data/:/opt/data/cust_data -v /mnt/data/notebooks:/opt/notebooks -v /mnt/data/tmp:/tmp continuumio/anaconda3 /bin/bash -c "/opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser"
```

Above is my command. I will remove the old container and try a new one to check whether the malicious process is still there.

msarahan commented 7 years ago

Sorry, this looks clean on my side:

```console
msarahan@0109-msarahan-2 ~ docker run -d -p 8888:8888 continuumio/anaconda3 /bin/bash -c "/opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser"
ad0feff016ad8c696b60684d263d726837a53e44b3da8a489207279650fd005d
msarahan@0109-msarahan-2 ~ docker ps
CONTAINER ID        IMAGE                   COMMAND                  CREATED             STATUS              PORTS                    NAMES
ad0feff016ad        continuumio/anaconda3   "/usr/bin/tini -- /bi"   3 seconds ago       Up 2 seconds        0.0.0.0:8888->8888/tcp   fervent_poitras
msarahan@0109-msarahan-2 ~ docker exec ad0feff016ad ls /opt
conda
msarahan@0109-msarahan-2 ~ docker top ad0feff016ad
PID                 USER                TIME                COMMAND
3868                root                0:00                /usr/bin/tini -- /bin/bash -c /opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser
3886                root                0:00                /bin/bash -c /opt/conda/bin/conda install jupyter -y --quiet && /opt/conda/bin/jupyter notebook --notebook-dir=/opt/notebooks --ip='*' --port=8888 --no-browser
3887                root                0:01                {conda} /opt/conda/bin/python /opt/conda/bin/conda install jupyter -y --quiet
```

I omitted your many mounts and links, because I can't possibly hope to reproduce them.

Finally, I don't understand why you are specifying both -it and -d - these are each for mutually exclusive purposes: https://docs.docker.com/engine/reference/run/

parente commented 7 years ago

@markqiu, are you starting your docker container on a local machine or a public network (e.g., a cloud VM?) If a public network, are you securing the notebook server with a password somehow?

markqiu commented 7 years ago

I started it on a public network without password protection.

parente commented 7 years ago

I suspect someone has accessed your notebook server and run commands to install minergate.

Starting in Jupyter Notebook 4.3, the server starts up requiring a randomly generated access token that is logged to stdout. I recommend starting a brand new container instance from your image and either updating to notebook 4.3 or setting a password on your existing notebook following the docs here: http://jupyter-notebook.readthedocs.io/en/latest/public_server.html#securing-a-notebook-server

If you see the minergate process re-appear after verifying you have a clean container with a token or password secured notebook, report back.
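The password-protection step parente points to, as an added example that is not code from the thread or from the anaconda/docker-images project: it produces the hashed value a Notebook 4.x server expects in `c.NotebookApp.password` and renders the config file that enables it. The `sha1:<salt>:<digest>` format is reproduced here (matching what `notebook.auth.passwd` produced at the time) so the script runs without the notebook package; the passphrase is a constructed example.

```python
"""Added example, not code from the thread or the anaconda/docker-images project.

Produces the hashed password a Jupyter Notebook 4.x server expects in
c.NotebookApp.password and renders a jupyter_notebook_config.py that enables it.
The 'sha1:<salt>:<digest>' format is reproduced here (matching what
notebook.auth.passwd produced at the time) so this runs without the notebook
package; the passphrase below is a constructed example.
"""
import hashlib
import secrets


def passwd(passphrase: str, algorithm: str = "sha1") -> str:
    """Return 'algorithm:salt:hexdigest' with a random 12-hex-char salt."""
    salt = secrets.token_hex(6)
    h = hashlib.new(algorithm)
    h.update(passphrase.encode("utf-8") + salt.encode("ascii"))
    return ":".join((algorithm, salt, h.hexdigest()))


def passwd_check(hashed: str, passphrase: str) -> bool:
    """Verify a passphrase against a stored hash; False on malformed input."""
    try:
        algorithm, salt, digest = hashed.split(":", 2)
        h = hashlib.new(algorithm)
    except ValueError:
        return False
    h.update(passphrase.encode("utf-8") + salt.encode("ascii"))
    return secrets.compare_digest(h.hexdigest(), digest)


def notebook_config(hashed: str, ip: str = "0.0.0.0", port: int = 8888) -> str:
    """Render the config file that turns the password requirement on."""
    return (
        "c = get_config()\n"
        f"c.NotebookApp.password = {hashed!r}\n"
        f"c.NotebookApp.ip = {ip!r}\n"
        f"c.NotebookApp.port = {port}\n"
    )


if __name__ == "__main__":
    hashed = passwd("constructed-example-passphrase")  # constructed secret
    assert passwd_check(hashed, "constructed-example-passphrase")
    # Mount the output at /root/.jupyter/jupyter_notebook_config.py in the container.
    print(notebook_config(hashed))
```

Write the rendered file to the host and bind-mount it into the container at `/root/.jupyter/jupyter_notebook_config.py` (the default config location for the root user) when starting a fresh container.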