1

Unless someone proves otherwise, after installing the ShinyProxy software from ShinyProxy.io, which is a well-documented piece of software, the machine started a Docker image that runs XMRig, takes 100% CPU and might be used for bitcoin mining. Below are some screenshots. If anyone has had a similar problem, please let us know.

[screenshot]

Joni Hoppen
  • 658
  • 5
  • 23
  • You could check the hash of the file you downloaded against the corresponding release on github I guess: https://github.com/openanalytics/shinyproxy/releases ? SO is probably not a good place to get help if there has been a genuine security breach. – Marius Aug 29 '17 at 03:13
  • Which version (what link) did you download from https://www.shinyproxy.io/downloads/ ? – hrbrmstr Aug 29 '17 at 10:00
  • Actually, I filed an issue https://github.com/openanalytics/shinyproxy/issues/19 since it belongs there. Please add comments there with as much info as possible about what you downloaded and the system it was installed on. – hrbrmstr Aug 29 '17 at 10:14
  • @Marius - Thanks for the comment, I am in doubt on what would be the best practice to report security issues. – Joni Hoppen Aug 30 '17 at 17:04

1 Answer

4

The first thing is to ensure that the Docker daemon API is not reachable from the outside world. Lots of scans are being performed all day long to track down open Docker daemon API services and launch Docker instances from there. Second, as this issue does not relate to a software issue but to a suspected breach, I suggest we close this topic and start a thread via mail. You can reach OA security support at itsupport.at.openanalytics.eu

Could you send an md5sum of the deployed jar file to the above-mentioned e-mail?

oasupport
  • 91
  • 1
  • The screenshot above indeed seems to demonstrate the Docker API is accessible on 0.0.0.0:2375 which can be used to launch arbitrary Docker containers - just double-checked all relevant references to 0.0.0.0 in the https://shinyproxy.io docs have been removed. – Tobias Verbeke Aug 29 '17 at 14:58
  • Guys, thanks. Can you guys tell me how do I close the issue here on SO? – Joni Hoppen Aug 30 '17 at 17:20
  • To make things worse https://docs.docker.com/docker-cloud/cloud-swarm/register-swarms/ requires you to open up that port. – Archimedes Trajano Mar 13 '18 at 22:17
  • @ArchimedesTrajano 1) Only the ShinyProxy service needs to be exposed. 2) The swarm/Docker API service should only be accessible from the ShinyProxy instance or swarm "clients". You can use iptables to fix that on the swarm nodes and master. 3) Should your swarm/Docker API be exposed, use TLS mutual authentication to ensure that only trusted clients would be authorized to call the swarm/Docker API – oasupport Mar 15 '18 at 08:18
  • I have tls enabled. All I did in the end was remove that exposed port on the router that was required by docker cloud swarm and the xmrig stopped getting installed. – Archimedes Trajano Mar 15 '18 at 13:24
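The answer and the follow-up comments from oasupport and Tobias Verbeke all point at the same root cause: a Docker daemon API bound to 0.0.0.0:2375 without TLS, which lets anyone who can reach the port start containers. The script below is an added example written for this page; it is not code from the original answer, from OpenAnalytics or from the ShinyProxy project. It audits a host for that condition in two ways: by parsing `ss -Hltn` output for the Docker API ports bound beyond loopback, and by inspecting a `dockerd` command line (the `ExecStart=` of docker.service or `DOCKER_OPTS`) for a `tcp://` listener without `--tlsverify`. The `ss` lines and `dockerd` command lines used here are constructed samples, and the `ss -Hltn` output format is an assumption about the host's iproute2 version.

```sh
#!/bin/sh
# Added example, not part of the original answer or of ShinyProxy itself:
# audit a host for a Docker daemon API reachable beyond loopback, the condition
# the answer and its comments identify as the way the XMRig container got started.

# Constructed sample of `ss -Hltn` output (no header, numeric addresses).
# The first line reproduces the exposure shown in the question's screenshot.
SAMPLE_SS_EXPOSED='LISTEN 0 128 0.0.0.0:2375 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 *:22 *:*'

# Constructed sample where the API is bound to loopback only.
SAMPLE_SS_SAFE='LISTEN 0 128 127.0.0.1:2375 0.0.0.0:*
LISTEN 0 128 *:22 *:*'

# docker_api_exposed <ss_output>
# Prints "PLAINTEXT addr" for port 2375 and "TLS addr" for port 2376 whenever the
# listening address is not loopback. Returns 0 if at least one such socket exists,
# 1 otherwise. On a live host call it as: docker_api_exposed "$(ss -Hltn)"
docker_api_exposed() {
    printf '%s\n' "$1" | awk '
        $1 == "LISTEN" {
            addr = $4
            n = split(addr, parts, ":")
            port = parts[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]") next
            if (port == "2375") { print "PLAINTEXT " addr; found = 1 }
            if (port == "2376") { print "TLS " addr; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# docker_cmdline_insecure <dockerd command line>
# Returns 0 when the daemon is told to listen on a non-loopback tcp:// address
# without --tlsverify, i.e. anyone who can reach the port can start containers.
# Feed it the ExecStart= line of docker.service or the value of DOCKER_OPTS.
docker_cmdline_insecure() {
    exposed=0
    tlsverify=0
    for word in $1; do
        case "$word" in
            --tlsverify|--tlsverify=true) tlsverify=1 ;;
            tcp://127.0.0.1:*|tcp://localhost:*|--host=tcp://127.0.0.1:*|--host=tcp://localhost:*) ;;
            tcp://*|--host=tcp://*) exposed=1 ;;
        esac
    done
    [ "$exposed" -eq 1 ] && [ "$tlsverify" -eq 0 ]
}

echo "== listening sockets (constructed exposed sample) =="
docker_api_exposed "$SAMPLE_SS_EXPOSED" || echo "no Docker API port bound beyond loopback"
echo "== listening sockets (constructed loopback-only sample) =="
docker_api_exposed "$SAMPLE_SS_SAFE" || echo "no Docker API port bound beyond loopback"
echo "== constructed daemon command lines =="
for cmd in \
    'dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375' \
    'dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2376 --tlsverify --tlscacert=/etc/docker/ca.pem' \
    'dockerd -H unix:///var/run/docker.sock -H tcp://127.0.0.1:2375'
do
    if docker_cmdline_insecure "$cmd"; then
        echo "INSECURE: $cmd"
    else
        echo "ok:       $cmd"
    fi
done
```

A "TLS" hit from `docker_api_exposed` is only acceptable when `docker_cmdline_insecure` confirms `--tlsverify` is set, which is the mutual-authentication setup oasupport describes; a "PLAINTEXT" hit on a non-loopback address is the configuration from the screenshot and should be closed (bind to loopback, or restrict the port with iptables to the ShinyProxy host and swarm clients) before anything else is investigated.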