I hosted a web app on Jelastic (dogado) as a Docker container (the official Docker container link). After 2 weeks I got an email:

Dear Jelastic customer, there was a process of the command "/usr/local/tomcat/3333" which was sending massive packets to different targets this morning. The symptoms look like the docker instance has a security hole and was used in a DDoS attack or as part of a botnet.

The top command showed this process:

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
334 root 20 0 104900 968 456 S 99.2 0.1 280:51.95 3333
root@node0815-somename:/# ls -al /proc/334
...
lrwxrwxrwx 1 root root 0 Jul 26 08:16 cwd -> /usr/local/tomcat
lrwxrwxrwx 1 root root 0 Jul 26 08:16 exe -> /usr/local/tomcat/3333

We have killed the process and changed the permissions of the file:

root@node0815-somename:/# kill 334
root@node0815-somename:/# chmod 000 /usr/local/tomcat/3333

Please investigate or use a more security-hardened docker template.

Has anyone encountered the same or a similar problem before? Is it possible that the container was hacked?

Matthias Hamann
2 Answers

The guys who provide the container gave me a hint...

I removed only the ROOT war:

RUN rm -rf /usr/local/tomcat/webapps/ROOT

I completely forgot that Tomcat delivers example apps. So I have to delete the security holes:

RUN rm -rf /usr/local/tomcat/webapps/
Matthias Hamann
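A defender's check in the spirit of this answer, added here as an example and not code from the thread or from Jelastic: it walks a CATALINA_HOME and reports default webapps that are still deployed and unexpected files dropped at its top level, which is where the provider found the 3333 binary. The allowlist of stock top-level files is my assumption about a standard Tomcat layout.

```shell
#!/bin/sh
# Hygiene check for a Tomcat installation directory (CATALINA_HOME).
# Reports the two things this incident turned on:
#   1. stock webapps (ROOT, docs, examples, manager, host-manager) still deployed
#   2. files at the top of CATALINA_HOME that a stock install does not ship,
#      flagging executable ones (the attacker's binary was /usr/local/tomcat/3333)
# Returns 0 when clean, 1 when anything suspicious was found.
# Assumption: the allowlist below matches a stock Tomcat 8/9 layout.

DEFAULT_WEBAPPS="ROOT docs examples manager host-manager"
KNOWN_TOP_FILES="LICENSE NOTICE RELEASE-NOTES RUNNING.txt BUILDING.txt CONTRIBUTING.md README.md"

is_known_top_file() {
    for f in $KNOWN_TOP_FILES; do
        [ "$1" = "$f" ] && return 0
    done
    return 1
}

tomcat_hygiene_check() {
    home="$1"
    findings=0
    # 1. default webapps that should have been removed from a production image
    for app in $DEFAULT_WEBAPPS; do
        if [ -d "$home/webapps/$app" ] || [ -f "$home/webapps/$app.war" ]; then
            echo "FINDING: default webapp still deployed: $home/webapps/$app"
            findings=$((findings + 1))
        fi
    done
    # 2. regular files at the top of CATALINA_HOME outside the stock allowlist
    for path in "$home"/* "$home"/.*; do
        [ -f "$path" ] || continue
        name=$(basename "$path")
        if ! is_known_top_file "$name"; then
            if [ -x "$path" ]; then
                echo "FINDING: unexpected executable in CATALINA_HOME: $path"
            else
                echo "FINDING: unexpected file in CATALINA_HOME: $path"
            fi
            findings=$((findings + 1))
        fi
    done
    echo "$findings suspicious item(s) found under $home"
    [ "$findings" -eq 0 ]
}

# Usage: sh tomcat_check.sh /usr/local/tomcat   (hypothetical file name)
[ "$#" -gt 0 ] && tomcat_hygiene_check "$1"
```

Run it inside the container (or against a mounted image filesystem) and treat any non-zero exit as a reason to inspect the process list and logs, as the provider did.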
Do you use any protection tools? We don't exclude the scenario where your container can be hacked if there is no protection.

We strongly recommend using iptables and Fail2Ban to protect your containers from hack attacks (you have root access to your Docker container using SSH, so you are able to install and configure these packages), especially if you have attached a public IP to your containers.

Also, you have access to all container logs (via Dashboard or SSH), so you are able to analyze logs and take preventive actions.

Have a nice day.

Virtuozzo
    This doesn't actually answer the question. The question was basically "what happened?", not "what to do?" – Roman Sep 09 '16 at 12:31