If you don't cover your Docker daemon API port you'll have a hell of a time... because cryptocreeps are hunting for it

Some Docker installations are getting hammered by malware skiddies hoping to mine digital cash using other people's CPU time. Infosec outfit Aqua – no, not the Barbie Girl band – said miscreants have spotted that a decent number of Docker deployments are lazily or inadvertently exposing the daemon API port to the public …

  1. Jonathan Richards 1

    Why is the d.sh provider still up?

    142.44.191.122 is in the range for a hosting provider in Canada. Why has it not been taken down if it's hosting something as clearly malicious as d.sh?

    1. bombastic bob

      Re: Why is the d.sh provider still up?

      ack on that - I haven't tried wget'ting that file, but if I were them, I'd swap it for something that shuts DOWN the virus wherever the infection exists... ok maybe that is a *bit* too 'grey hat' but "I heard a rumor" that "someone did a shutdown script" like that for Code Red infected machines {me whistles with innocent look} that basically detected where the penetration attempt came from, back-hacked them and turned off ISS [Code Red sat in memory, shutting down ISS would stop the infection temporarily].

      Anyway...

      I was just thinking about this, having had the need to have the network guy open up a non-obvious ssh port into a client's network so I could do things remotely. I was thinking of what security things I would need to add, users and passwords to modify and/or lock out from ssh logins, to an otherwise normal ssh daemon, how to do it without locking myself out by accident in the process, and things of THAT nature, then I saw this and "It figures, miscreants are out there TAKING ADVANTAGE of little or no on-site staff capable of mitigating such things".

      my own system only allows specific users to log in from outside the network, which have cryptic user names and even MORE cryptic passwords. So I wanted to do something like THAT. But obviously I could lock myself out of logging in at ALL if I'm not uber careful.

      and, of course, if I do NOT secure it more tightly, some miscreant out there is likely to POUND ON IT with one of those dictionary-based ssh attacks and maybe not get noticed for HOURS... because I had to open it up to an outside IP address as a result of coronavirus responses by governments.

      1. Anonymous Coward

        Re: Why is the d.sh provider still up?

        I wasn't privileged to get to use Microsoft ISS. What does that do?
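The sshd lock-down bombastic bob is weighing up above (named accounts only, no password guessing, no accidental self-lockout) is easy to get wrong by hand. As an added example, not code from The Register or any commenter, here is a POSIX shell audit that reads an sshd_config and reports the settings that matter once a port is opened to the internet. The two config texts are constructed samples; the directive names, their defaults (PasswordAuthentication defaults to yes) and sshd's first-occurrence-wins rule are OpenSSH behaviour, everything else (function names, the account name) is made up for the example.

```shell
#!/bin/sh
# Added example: audit an sshd_config for internet exposure. Not code from
# The Register or any commenter; sample configs below are constructed.

# sshd_opt CONFIG_TEXT KEY
# Effective value of KEY in the global section, lowercased. sshd honours the
# FIRST occurrence of a directive, so the first match wins. Directives after
# the first "Match" line are skipped: they apply conditionally and would
# otherwise mask the global value. Only the first word of a value is kept,
# which is enough for yes/no checks and for "is AllowUsers set at all".
sshd_opt() {
    printf '%s\n' "$1" |
        sed -n '/^[[:space:]]*[Mm]atch/q; s/^[[:space:]]*//; /^#/d; /^$/d; p' |
        awk -v k="$2" '!seen && tolower($1) == tolower(k) { v = tolower($2); seen = 1 } END { print v }'
}

# sshd_findings CONFIG_TEXT
# One finding per line; no output means the config passed these checks.
sshd_findings() {
    pw=$(sshd_opt "$1" PasswordAuthentication)
    root=$(sshd_opt "$1" PermitRootLogin)
    pubkey=$(sshd_opt "$1" PubkeyAuthentication)
    allow_u=$(sshd_opt "$1" AllowUsers)
    allow_g=$(sshd_opt "$1" AllowGroups)

    # Default is "yes": an exposed daemon that still takes passwords is
    # exactly what dictionary-attack bots are looking for.
    [ "$pw" = no ] || echo "PasswordAuthentication is not 'no' (got '${pw:-default yes}')"
    [ "$root" != yes ] || echo "PermitRootLogin yes: root is directly reachable"
    [ "$pubkey" != no ] || echo "PubkeyAuthentication no: passwords are the only way in"
    [ -n "$allow_u$allow_g" ] || echo "no AllowUsers/AllowGroups: every account with a shell can be tried"
}

# Constructed sample: a stock-looking config with only the port moved.
# A non-obvious port alone does not stop scanners, and the commented-out
# PasswordAuthentication line leaves the default (yes) in force.
WEAK_CONFIG='# sshd_config
Port 42022
PermitRootLogin yes
#PasswordAuthentication yes
UsePAM yes
Subsystem sftp /usr/lib/openssh/sftp-server'

# Constructed sample: same port, but passwords off, root off, and only a
# named account allowed. The Match block below it is ignored by the checks.
HARDENED_CONFIG='Port 42022
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers remote-ops-7q
MaxAuthTries 3
Match Address 10.0.0.0/8
    PasswordAuthentication yes'

printf '== weak ==\n';     sshd_findings "$WEAK_CONFIG"
printf '== hardened ==\n'; sshd_findings "$HARDENED_CONFIG"
```

On a real host feed it `sshd -T` (the effective configuration, already merged) rather than the raw file. To change the config without locking yourself out: keep the existing session open, check the new file with `sshd -t -f <newfile>` before installing it, reload, and only close the old session once a fresh login with the new key-only account has succeeded.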

  2. Down not across

    Pinged? Really?

    The Register has pinged Docker for comment on the attacks.

    What is wrong with "contacted" or something along those lines. Guess it is just me, but the current fad of "pinging" really irks me.

    Alright, I'll crawl back under my rock.

    Oh....and get orf my lawn!

    1. Anonymous Coward

      Re: Pinged? Really?

      Pong!

    2. Irongut

      Re: Pinged? Really?

      > the current fad of "pinging"

      IIRC pinging comes from IRC so hardly current.

    3. flatline2000

      Re: Pinged? Really?

      Haha little do the kids know we was using ping on IRC 30 years ago, not so cool now is it, people on duct.tape.hamster said it all day long...... we wazzzz kings

  3. Peter Mount

    Their own fault opening the socket?

    It must be a cloud thing as most Docker installations have their API sockets as a unix socket, so it appears as a file in the host's filesystem & as such isn't accessible from any network interface.

    Instructions on how to expose the socket on the network are out there, but even Docker's documentation states why that's a bad idea.

    So for them to be exposed, either someone's done that manually or someone's provider has exposed the API socket without any appropriate firewall rules against them.
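Peter Mount's point is that a stock dockerd only listens on a unix socket, so an internet-reachable API means someone added a tcp:// listener either on the command line or in daemon.json. As an added example, not code from The Register, Docker or the commenter, here is a POSIX shell check that classifies a daemon's exposure from those two sources. The command lines and daemon.json texts are constructed; the function names are made up for the example; 2375 (plain) and 2376 (TLS) are Docker's conventional ports, and the fact that `--tls` alone encrypts without authenticating while only `--tlsverify` demands a client certificate is Docker behaviour.

```shell
#!/bin/sh
# Added example: classify how dockerd is reachable. Not code from
# The Register, Docker or any commenter; all inputs below are constructed.
# On a live host you would pass "$(ps -o args= -C dockerd)" and
# "$(cat /etc/docker/daemon.json 2>/dev/null)".

# docker_listeners CMDLINE DAEMON_JSON
# Prints every listener URL (unix://, fd://, tcp://) found in either source,
# one per line. Looking only at the URL tokens covers "-H tcp://...",
# "-H=tcp://..." and the "hosts": [...] array in daemon.json alike.
docker_listeners() {
    printf '%s\n%s\n' "$1" "$2" |
        grep -oE '(unix|fd|tcp)://[^] ",]*' | sort -u
}

# docker_exposure CMDLINE DAEMON_JSON
# Prints one of:
#   unix-only     no TCP listener at all (the default install)
#   tcp-loopback  TCP listener(s) bound to the loopback address only
#   tcp-tls       public TCP listener with --tlsverify (client cert required)
#   tcp-plain     public TCP listener that anyone can drive as root
docker_exposure() {
    tcp=$(docker_listeners "$1" "$2" | grep '^tcp://' || true)
    [ -n "$tcp" ] || { echo unix-only; return 0; }
    public=0
    for url in $tcp; do
        # Strip scheme and port, leaving the bind address. "tcp://:2375"
        # binds all interfaces, so an empty address counts as public.
        addr=${url#tcp://}
        addr=${addr%:*}
        case "$addr" in
            127.*|localhost|\[::1\]) ;;
            *) public=1 ;;
        esac
    done
    [ "$public" -eq 1 ] || { echo tcp-loopback; return 0; }
    # --tls alone only encrypts; the daemon still accepts any client.
    # Only --tlsverify (or "tlsverify": true) makes it demand a client
    # certificate signed by the configured CA.
    case "$1 $2" in
        *--tlsverify*|*'"tlsverify"'*true*) echo tcp-tls ;;
        *) echo tcp-plain ;;
    esac
}

# Constructed samples. The first mirrors the "remote access in one line"
# recipes that end up on scanners' lists; the second is a stock install;
# the third is the TLS setup Docker's docs describe.
EXPOSED_CMD='/usr/bin/dockerd -H fd:// -H tcp://0.0.0.0:2375 --containerd=/run/containerd/containerd.sock'
EXPOSED_JSON='{}'
DEFAULT_CMD='/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock'
DEFAULT_JSON='{ "log-driver": "json-file" }'
HARDENED_CMD='/usr/bin/dockerd'
HARDENED_JSON='{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}'

printf 'one-line tutorial : %s\n' "$(docker_exposure "$EXPOSED_CMD" "$EXPOSED_JSON")"
printf 'stock install     : %s\n' "$(docker_exposure "$DEFAULT_CMD" "$DEFAULT_JSON")"
printf 'tls + verify      : %s\n' "$(docker_exposure "$HARDENED_CMD" "$HARDENED_JSON")"
```

Anything reported as tcp-plain should be treated as an unauthenticated root shell on the host: the API can start a container with the host filesystem bind-mounted. Even tcp-tls still deserves a firewall rule or a private interface, since the check above only proves the daemon asks for a certificate, not that the listener is unreachable from the internet.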


Biting the hand that feeds IT © 1998–2020