ml-tooling / ml-workspace

🛠 All-in-one web-based IDE specialized for machine learning and data science.
https://mltooling.org/ml-workspace
Apache License 2.0
3.45k stars 452 forks

Is there a backdoor to download xmrig miner? #44

Closed dennischancs closed 3 years ago

dennischancs commented 4 years ago

/bin/bash ./mainscript.sh script that sneakily downloads xmrig v5.11.1 in the background as root. Did the same thing happen to you?

lukasmasuch commented 4 years ago

@dennischancs The mainscript.sh is definitely not from us. Do you have any additional information on this script and your deployment? How did you deploy the workspace? What is the content of the mainscript.sh? I checked multiple of our workspace deployments, but wasn't able to find any mention of xmrig or the mainscript.sh.

DerekChia commented 4 years ago

I encountered this script when I left my instance exposed to the Internet. @dennischancs I suggest you add in authentication to prevent such things from happening.

Edit: To see if you are infected, get to Terminal and issue the history command. This will show the history of commands the intruder executed in your environment. To resolve this, shut down your Docker container and recreate one with authentication turned on. Remember to put in a strong password.
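The history check described in the comment above, extended to the live process list, as an added example that is not part of the original thread or the ml-workspace project. The function names are hypothetical, the history file locations are assumed shell defaults, and the only indicators used are the two names reported in this issue.

```shell
#!/bin/sh
# Added triage example (not from the thread). Indicators are the two names
# reported in this issue: the xmrig miner and the mainscript.sh script.
INDICATORS='xmrig|mainscript\.sh'

# scan_history FILE...: print "file:line:command" for every matching history
# line. Missing or unreadable files are skipped; no match is not an error.
scan_history() {
    for _hist in "$@"; do
        [ -r "$_hist" ] || continue
        grep -HnEi -e "$INDICATORS" "$_hist" || true
    done
}

# scan_procs [PROC_ROOT]: print "pid cmdline" for running processes whose
# command line matches. Shell history can be wiped by an intruder, so the
# process list is checked independently of it.
scan_procs() {
    _root="${1:-/proc}"
    for _dir in "$_root"/[0-9]*; do
        [ -r "$_dir/cmdline" ] || continue
        # cmdline is NUL-separated; the process may exit while we read it.
        _cmd=$(tr '\0' ' ' 2>/dev/null < "$_dir/cmdline") || continue
        if printf '%s\n' "$_cmd" | grep -qEi -e "$INDICATORS"; then
            printf '%s %s\n' "${_dir##*/}" "$_cmd"
        fi
    done
}

# triage: run both checks against the current user's history files
# (assumed locations: ~/.bash_history and ~/.zsh_history) and /proc.
triage() {
    _hits=$(scan_history "$HOME/.bash_history" "$HOME/.zsh_history"; scan_procs)
    if [ -n "$_hits" ]; then
        printf 'Indicators found, treat the container as compromised:\n%s\n' "$_hits"
    else
        echo 'No indicators in history or process list (history may have been cleared).'
    fi
}

triage
```

A clean result only means these two names were not seen; it does not show the container was never accessed, so an instance that was exposed without authentication is still best recreated.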

dennischancs commented 4 years ago

> I encountered this script when I left my instance exposed to the Internet. @dennischancs I suggest you add in authentication to prevent such things from happening.
>
> Edit: To see if you are infected, get to Terminal and issue the history command. This will show the history of commands the intruder executed in your environment. To resolve this, shut down your Docker container and recreate one with authentication turned on. Remember to put in a strong password.

Thank you very much. This never happened again.

dennischancs commented 4 years ago

> @dennischancs The mainscript.sh is definitely not from us. Do you have any additional information on this script and your deployment? How did you deploy the workspace? What is the content of the mainscript.sh? I checked multiple of our workspace deployments, but wasn't able to find any mention of xmrig or the mainscript.sh.

I deleted the container right then and there without bothering to read the contents.