ironhacks / ironhub

IronHacks JupyterHub Repository

Crypto miner on workspace #14

Open ManthanKeim opened 1 year ago

ManthanKeim commented 1 year ago

Describe the bug

A user on IronHacks has been caught using the workspace for the use of crypto mining.

Email from him: "Hi Manthan,

I found a user using the Ironhacks hub instance to do crypto mining. I don't think you currently have a hack going.

the user: pod/jupyter-facelesssprit 1/1 Running 0 35h

from the node:

root 3141852 0.0 0.0 113380 6408 ? Sl May01 0:03 /usr/bin/containerd-shim-runc-v2 -namespace moby -id c4659dfd5a2dfed9155ec79256a1d1058f15c1fe5e0c40b4604d738e0ab38e1d -address /run/containerd/containerd.sock
1000 3141873 0.0 0.0 2784 92 ? Ss May01 0:02 \_ tini -g -- jupyterhub-singleuser
1000 3141891 0.0 0.0 518596 137204 ? Sl May01 0:34 \_ /opt/conda/bin/python3.10 /opt/conda/bin/jupyterhub-singleuser
1000 3145211 0.3 0.0 753912 61488 ? Ssl May01 8:18 \_ /opt/conda/bin/python -m ipykernel_launcher -f /home/jovyan/.local/share/jupyter/runtime/kernel-aba3e1cd-c6ba-46e2-9862-f7878152c1bd.json
1000 3145716 0.0 0.0 1491580 28760 pts/0 Ssl+ May01 0:03 \_ ./nanominer -algo Verushash -coin VRSC -wallet RR6wY2iCMCGxJpJZRduF4Gmbn3Lmpcn7ke -pool1 eu.luckpool.net:3956 -cpuThreads 128
1000 3145825 399 0.0 95548952 358132 pts/0 Sl+ May01 8503:37 \_ ./nanominer -algo Verushash -coin VRSC -wallet RR6wY2iCMCGxJpJZRduF4Gmbn3Lmpcn7ke -pool1 eu.luckpool.net:3956 -cpuThreads 128
restarts_count 0

I ended this user's session and as a precautionary measure I have disabled the hub's endpoint.

I will gather some forensics and send to the Purdue security team. We should get together later this week to discuss the hub's authentication and access control. Are you available Thursday or Friday?

Thanks, -Erik"

Further Analysis from Manthan:

[Image: Screenshot 2023-05-02 at 5 57 26 PM]

The above user has been found using the hub at the same time the command was run, so we're 99% sure that they're the one using it for crypto mining.
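
The node-side check from the report above can be automated. The following is an added example, not part of the issue or the ironhub code: it scans `ps aux`-style rows for the miner flags seen in the listing and for high CPU use. The sample rows, the two-flag rule and the 150% CPU cut-off are assumptions.

```python
import re

# Flags seen on the miner command line in the listing above. Requiring two
# distinct ones (an assumed threshold) avoids matching a lone "-coin" option.
MINER_FLAG = re.compile(r"(?<!\S)-(algo|coin|wallet|pool\d*|cputhreads)\b", re.I)
MIN_FLAGS = 2
CPU_LIMIT = 150.0  # %CPU; assumed cut-off, tune to the pod CPU limit

# Constructed sample modelled on the listing above; the wallet, pool and
# container id are placeholders and the last row is invented for contrast.
SAMPLE = """\
root 3141852 0.0 0.0 113380 6408 ? Sl May01 0:03 /usr/bin/containerd-shim-runc-v2 -namespace moby -id CONTAINER_ID
1000 3141891 0.0 0.0 518596 137204 ? Sl May01 0:34 \\_ /opt/conda/bin/python3.10 /opt/conda/bin/jupyterhub-singleuser
1000 3145211 0.3 0.0 753912 61488 ? Ssl May01 8:18 \\_ /opt/conda/bin/python -m ipykernel_launcher -f kernel.json
1000 3145825 399 0.0 95548952 358132 pts/0 Sl+ May01 8503:37 \\_ ./nanominer -algo Verushash -coin VRSC -wallet WALLET_PLACEHOLDER -pool1 pool.example.invalid:3956 -cpuThreads 128
1000 3150001 210 1.2 900000 500000 ? Rl May02 30:00 \\_ /opt/conda/bin/python train.py
"""

def parse_row(line):
    """Parse one `ps aux`-style row; return None for headers or short rows."""
    parts = line.split(None, 10)
    if len(parts) < 11:
        return None
    try:
        cpu = float(parts[2])
    except ValueError:  # header row ("%CPU") or garbage
        return None
    cmd = re.sub(r"^[\s|]*\\_\s*", "", parts[10])  # drop the ps forest marker
    return {"user": parts[0], "pid": parts[1], "cpu": cpu, "cmd": cmd}

def scan(text):
    """Return rows that carry miner-style flags or exceed the CPU cut-off."""
    findings = []
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        reasons = []
        flags = {f.lower() for f in MINER_FLAG.findall(row["cmd"])}
        if len(flags) >= MIN_FLAGS:
            reasons.append("miner-args")
        if row["cpu"] >= CPU_LIMIT:
            reasons.append("high-cpu")
        if reasons:
            findings.append({**row, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["pid"], f["user"], ",".join(f["reasons"]), f["cmd"][:60])
```

A row flagged only as `high-cpu` (the `train.py` row) may be legitimate notebook work and needs review; `miner-args` together with `high-cpu` is the combination seen in this incident.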