fugasjunior / arma-server-manager

A web administration tool for managing Arma 3, Arma Reforger and DayZ dedicated servers
GNU General Public License v3.0

logrotate inside the container causes all CPU cores 100% - probable malware #134

Open domagojhack opened 3 months ago

domagojhack commented 3 months ago

Describe the bug After a while a containerized logrotate in /root/.config/logrotate starts. It is not a standard logrotate file location and the executable seems not to be the real logrotate (maybe a miner or some other malware). Servers are affected by the malicious logrotate (high lag spikes due to CPU issues).

To Reproduce Steps to reproduce the behavior:

Start the server and the problem will start randomly after a few hours of activity.

Expected behavior It should not run. The server should not be affected by logrotate (it should be just an ordinary log rotation utility).

Screenshots (screenshot from 2024-05-30 12-38-36)

This is the containerized process tree running /root/.config/logrotate


First-aid Killed the processes and removed the executable. Still waiting to see if the container will reacquire the executable. After the process termination the cores are back to normal and the servers are running fine. The zombie process inside the container stays active.

EDIT: After 3 hours the executable reappeared in /root/.config/logrotate and was executed inside the container.


So yeah, I am now 100% sure this docker image contains malware.

Environment OS: Ubuntu 22.04

docker-compose.yml Standard docker compose, no modifications, only sensitive data changed.

.env standard env no modifications.
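The report above describes an executable named like a system utility running from a user config directory, pinning every core, and surviving the file's removal as a running (unlinked) binary. The following is an added detection example, not code from this issue or from the arma-server-manager project: it encodes those indicators as checks over process records and runs them against a constructed sample that mirrors the report. The record shape, the path lists, the CPU threshold and the sample PIDs are assumptions made for the example; `collect_from_proc()` builds the same records from a live Linux `/proc` tree.

```python
import os
from typing import Dict, List

# Where a genuine logrotate binary lives on Debian/Ubuntu-derived images.
# Assumption for this example: anything else calling itself "logrotate" is suspect.
KNOWN_LOGROTATE_PATHS = {"/usr/sbin/logrotate", "/sbin/logrotate"}

# Parent directories from which a long-running, CPU-heavy executable is suspicious:
# root's home and world-writable temp dirs. Constructed list for this example.
SUSPICIOUS_PARENTS = ("/root", "/tmp", "/var/tmp", "/dev/shm")

# Hypothetical threshold: the report describes all cores pinned at 100%.
CPU_ALERT_PCT = 90.0


def has_hidden_component(path: str) -> bool:
    """True if any directory or file name in the path is dot-prefixed (e.g. /root/.config/.logrotate)."""
    return any(part.startswith(".") for part in path.split("/") if part)


def classify(proc: Dict) -> List[str]:
    """Return the reasons a process record matches the impostor pattern from the report.

    Record shape (assumed for this example):
    {"pid": int, "exe": str, "cmdline": str, "cpu_pct": float}
    where "exe" is the resolved target of /proc/<pid>/exe.
    """
    reasons: List[str] = []
    exe = proc["exe"]

    # The kernel appends " (deleted)" when the running binary has been unlinked, which is
    # exactly the state the reporter left the process in after removing the file.
    if exe.endswith(" (deleted)"):
        exe = exe[: -len(" (deleted)")]
        reasons.append("running binary has been removed from disk")

    basename = os.path.basename(exe).lstrip(".")   # treat .logrotate and logrotate alike
    if basename == "logrotate" and exe not in KNOWN_LOGROTATE_PATHS:
        reasons.append(f"'logrotate' executed from non-standard path {exe}")
    if any(exe.startswith(parent + "/") for parent in SUSPICIOUS_PARENTS):
        reasons.append(f"executable lives under {os.path.dirname(exe)}")
    if has_hidden_component(exe):
        reasons.append("dot-prefixed (hidden) path component")
    if proc.get("cpu_pct", 0.0) >= CPU_ALERT_PCT:
        reasons.append(f"sustained CPU usage {proc['cpu_pct']}%")
    return reasons


def scan(procs: List[Dict]) -> Dict[int, List[str]]:
    """Map PID -> reasons for every record that triggers at least one indicator."""
    flagged: Dict[int, List[str]] = {}
    for proc in procs:
        reasons = classify(proc)
        if reasons:
            flagged[proc["pid"]] = reasons
    return flagged


def collect_from_proc() -> List[Dict]:
    """Build records from the live /proc tree (Linux only; run inside the container or on the host)."""
    procs = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                cmdline = fh.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue   # process exited, or we lack permission (kernel threads, other users)
        # CPU percentage is left at 0.0 here; pair with `top`/`ps` output or a cgroup reading.
        procs.append({"pid": int(pid), "exe": exe, "cmdline": cmdline, "cpu_pct": 0.0})
    return procs


# Constructed sample mirroring the report: the server's JVM, the impostor at the path the
# reporter saw, its renamed dot-file variant, and the genuine system logrotate for contrast.
SAMPLE_PROCS = [
    {"pid": 1,   "exe": "/usr/bin/java",            "cmdline": "java -jar ./app.jar",                     "cpu_pct": 3.0},
    {"pid": 412, "exe": "/root/.config/logrotate",  "cmdline": "/root/.config/logrotate",                 "cpu_pct": 99.5},
    {"pid": 518, "exe": "/root/.config/.logrotate", "cmdline": "/root/.config/.logrotate",                "cpu_pct": 98.0},
    {"pid": 77,  "exe": "/usr/sbin/logrotate",      "cmdline": "/usr/sbin/logrotate /etc/logrotate.conf", "cpu_pct": 0.2},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCS).items():
        print(f"PID {pid}: " + "; ".join(reasons))
```

Run with `scan(collect_from_proc())` on the host (or `docker exec` into the container) to check a live system; the genuine `/usr/sbin/logrotate` produces no findings, while both the original path and the dot-prefixed rename the reporter later saw are flagged on path alone, before CPU usage is even considered.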

domagojhack commented 3 months ago

The malware is back/still here (after a week of scrubbing). So I tested my system and I even created a service to automatically delete the malware process, but obviously someone is trying to start his fake .logrotate on my system through this docker image. I checked everything and did everything by the book; even scrubbing the system and reinstalling caused this. Obviously the "hacker" noticed he got detected and tried to hide the process by adding the . in front of his executable. I am still working on my own manager. I suspect there is a vulnerability in the .jar. I am going to edit my process scrubber, but this is so annoying.

Here is my docker image inspect <image id> output:

[
    {
        "Id": "sha256:58259b70669e8ac6eda8bb7737d3be4ff3b2b9091243594545358af62ba58a2a",
        "RepoTags": [
            "fugasjunior/armaservermanager:latest"
        ],
        "RepoDigests": [
            "fugasjunior/armaservermanager@sha256:b9eef12484ef058414b5fe6c3386d4ae726add5f1b49cd52746cfd9f5545c542"
        ],
        "Parent": "",
        "Comment": "buildkit.dockerfile.v0",
        "Created": "2024-05-11T13:28:29.693403984Z",
        "DockerVersion": "",
        "Author": "",
        "Config": {
            "Hostname": "",
            "Domainname": "",
            "User": "root",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "8080/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "USER=steam",
                "HOMEDIR=/home/steam",
                "STEAMCMDDIR=/home/steam/steamcmd",
                "APP_VERSION=1.3.0",
                "LANG=en_US.UTF-8",
                "LANGUAGE=en_US.UTF-8",
                "LC_ALL=en_US.UTF-8",
                "STEAMCMD_PATH=/home/steam/steamcmd/steamcmd.sh",
                "DIRECTORY_SERVERS=/home/steam/armaservermanager/servers",
                "DIRECTORY_MODS=/home/steam/armaservermanager/mods",
                "DIRECTORY_LOGS=/home/steam/armaservermanager/logs"
            ],
            "Cmd": [
                "-Xdebug",
                "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005",
                "-jar",
                "./app.jar"
            ],
            "ArgsEscaped": true,
            "Image": "",
            "Volumes": null,
            "WorkingDir": "/home/steam",
            "Entrypoint": [
                "java"
            ],
            "OnBuild": null,
            "Labels": {
                "maintainer": "walentinlamonos@gmail.com"
            }
        },
        "Architecture": "amd64",
        "Os": "linux",
        "Size": 1392818047,
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/c43562d18ac93eec5c9db041aa6014c2c05d21e646fc65fd7e541eac8f275f38/diff:/var/lib/docker/overlay2/4c53e1477a90ff5126929797a480546a20d7472714037ad11063c3e116c7269a/diff:/var/lib/docker/overlay2/9d3be81903116d8591637efa615ef585c50a487c959cc937d0645f73f37f97b5/diff:/var/lib/docker/overlay2/b1af69c2b191f2227710a13d1e7f81d055bb234c2e406f90ef28ef243f2fbe65/diff:/var/lib/docker/overlay2/daf0d88498180c579e3b9463ae891f5dad36c9df30e7d1395827b3dae8c7f595/diff:/var/lib/docker/overlay2/98fcbc3e7743d7c52145bbe8433519b182f70dad5854e06b5a3b9de61b8ad60f/diff:/var/lib/docker/overlay2/cb4a9b9122ab9998a4db65e06a8baee191f7a85beb45d3481e91e2a2f64bea3c/diff",
                "MergedDir": "/var/lib/docker/overlay2/1de1b522ba55552c4caa1155aa57113fea45c82c005ff1bc8154273d97524124/merged",
                "UpperDir": "/var/lib/docker/overlay2/1de1b522ba55552c4caa1155aa57113fea45c82c005ff1bc8154273d97524124/diff",
                "WorkDir": "/var/lib/docker/overlay2/1de1b522ba55552c4caa1155aa57113fea45c82c005ff1bc8154273d97524124/work"
            },
            "Name": "overlay2"
        },
        "RootFS": {
            "Type": "layers",
            "Layers": [
                "sha256:52ec5a4316fadc09a4a51f82b8d7b66ead0d71bea4f75e81e25b4094c4219061",
                "sha256:af6ed5fb01190e5c4bd5d9836e0af23af41f3147c9736bb3cc508d917242eeda",
                "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
                "sha256:52be2390ef0c7581f5e87859524f9897bef10161a0cec038ae12603fcc08149b",
                "sha256:5f70bf18a086007016e948b04aed3b82103a36bea41755b6cddfaf10ace3c6ef",
                "sha256:5393132871bcce67545822153c495f32b056799848ba4c2dcabcc5902e858f0f",
                "sha256:655a4cee3dd73242901425445801fcc9cc9151bfa0f666cce2434559c5355775",
                "sha256:14aa87eca4e32717dfcfae17d3b94c1f8c246237889d2c3d42ebd7b829ec4e7c"
            ]
        },
        "Metadata": {
            "LastTagTime": "0001-01-01T00:00:00Z"
        }
    }
]
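The inspect output above shows two runtime settings worth checking in any image before it is exposed to a network: the process runs as `root` (`Config.User`), and the `Cmd` carries `-Xdebug` with a JDWP agent bound to `address=*:5005`. A JDWP listener is unauthenticated and lets anyone who can reach it attach a debugger and execute code in the JVM. Whether port 5005 was reachable here depends on the compose port mapping, which the thread does not show, so this is not a claim about the cause of the incident; it is an added audit example, not code from the project, that flags these settings from `docker image inspect` JSON and produces the corrected configuration. The sample JSON is a constructed excerpt of the output above, and running as `steam` is an assumption based on the `USER=steam` entry in the image's `Env`.

```python
import json
from typing import Dict, List, Optional

# Constructed excerpt of the `docker image inspect` output above, reduced to the fields this audit reads.
SAMPLE_INSPECT = json.dumps([{
    "Config": {
        "User": "root",
        "ExposedPorts": {"8080/tcp": {}},
        "Entrypoint": ["java"],
        "Cmd": ["-Xdebug",
                "-agentlib:jdwp=transport=dt_socket,server=y,suspend=n,address=*:5005",
                "-jar", "./app.jar"],
    }
}])

# Host forms that bind the debug listener to every interface.
ALL_INTERFACE_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


def parse_jdwp(arg: str) -> Optional[Dict[str, str]]:
    """Split a -agentlib:jdwp=k=v,k=v JVM argument into its options; None for any other argument."""
    prefix = "-agentlib:jdwp="
    if not arg.startswith(prefix):
        return None
    opts: Dict[str, str] = {}
    for item in arg[len(prefix):].split(","):
        key, _, value = item.partition("=")
        opts[key] = value
    return opts


def jdwp_exposure(opts: Dict[str, str]) -> str:
    """Classify where a JDWP agent listens: 'none', 'all', 'specific' or 'version-dependent'."""
    if opts.get("server") != "y":
        return "none"                  # server=n: the JVM dials out to a debugger, nothing listens
    host, sep, _port = opts.get("address", "").rpartition(":")
    if not sep:
        return "version-dependent"     # bare port: localhost on JDK 9+, every interface on JDK 8 and older
    return "all" if host in ALL_INTERFACE_HOSTS else "specific"


def audit_image(inspect_json: str) -> List[str]:
    """Return findings about the runtime configuration baked into an image."""
    cfg = json.loads(inspect_json)[0]["Config"]
    findings: List[str] = []

    if (cfg.get("User") or "") in ("", "root", "0"):
        findings.append("container process runs as root (Config.User); a compromised process owns the whole filesystem")

    argv = (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or [])
    if "-Xdebug" in argv:
        findings.append("-Xdebug present: image ships with JVM debugging enabled")
    for arg in argv:
        opts = parse_jdwp(arg)
        if opts is None:
            continue
        exposure = jdwp_exposure(opts)
        if exposure == "all":
            findings.append(f"JDWP agent listens on all interfaces ({opts['address']}): "
                            "unauthenticated debug port, code execution for anyone who can reach it")
        elif exposure == "version-dependent":
            findings.append(f"JDWP agent address has no host ({opts['address']}): bind scope depends on JDK version")
        elif exposure == "specific":
            findings.append(f"JDWP agent enabled on {opts['address']}; remove it from production images")
    return findings


def strip_debug_flags(argv: List[str]) -> List[str]:
    """Hardened argv: drop -Xdebug and every JDWP agent argument, keep everything else in order."""
    return [a for a in argv if a != "-Xdebug" and parse_jdwp(a) is None]


def hardened_inspect(inspect_json: str, run_as: str) -> str:
    """Corrected Config: debug flags removed and a non-root user set (run_as is the caller's choice)."""
    doc = json.loads(inspect_json)
    cfg = doc[0]["Config"]
    cfg["Cmd"] = strip_debug_flags(cfg.get("Cmd") or [])
    cfg["Entrypoint"] = strip_debug_flags(cfg.get("Entrypoint") or [])
    cfg["User"] = run_as
    return json.dumps(doc)


if __name__ == "__main__":
    for finding in audit_image(SAMPLE_INSPECT):
        print("FINDING:", finding)
    print("findings after hardening:", audit_image(hardened_inspect(SAMPLE_INSPECT, "steam")))
```

On a real host, feed it `docker image inspect <image>` output directly (`audit_image(subprocess.check_output([...]).decode())`). The corresponding Dockerfile fix is a `USER steam` line and a `CMD` without `-Xdebug` and the `-agentlib:jdwp=...` argument; if remote debugging is genuinely needed, bind it to `127.0.0.1` and never publish the port.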
CubelightCodes commented 2 months ago

I am certainly no expert, and cannot even say if this is malware or not. But reviewing the Dockerfile, a plausible explanation for a possible breach is the dependency on the base docker image (eclipse-temurin:17-jdk-jammy). The Dockerhub repository indicates several known vulnerabilities of this image. Might it be possible to resort to better maintained OpenJDKs (https://hub.docker.com/_/openjdk)? @fugasjunior

Just an idea, no qualified solution.

fugasjunior commented 1 month ago

It seems update v1.4.0 helped with the issue by updating the dependencies. I'll keep this issue open for some time if anyone still has the problem even after the update, but for now, it seems solved.