
I've been running a server for a few days and I now have 3 docker containers appearing in my docker ps -a that I've never run or created:

CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
b44143529951 app-matangi_frontend_matangi "/bin/sh -c /start" 23 minutes ago Restarting (1) 50 seconds ago frontend_matangi
7dd9e687d1cf app-matangi_backend_matangi "/start" 23 minutes ago Up 23 minutes 0.0.0.0:8001->8000/tcp, :::8001->8000/tcp backend_matangi
8edcf9d9cb33 96000f229929 "/bin/sh -c 'apk upd…" 11 hours ago Exited (1) 11 hours ago strange_jepsen
26d37ed89a81 7b244af55dd9 "/bin/sh -c 'apk upd…" 11 hours ago Exited (1) 11 hours ago wonderful_cannon
927cbfdc4445 7b244af55dd9 "/bin/sh -c 'apk upd…" 11 hours ago Exited (1) 11 hours ago dreamy_visvesvaraya

The unwanted containers are dreamy_visvesvaraya, wonderful_cannon and strange_jepsen.

How can I check if my server was hacked and check the ssh or network access to my server?

I have tried to check the logs with journalctl but nothing appears in the logs at the creation times of the containers (found with docker inspect).

I have tried docker logs container_name on these 3 but had the error:

Error response from daemon: configured logging driver does not support reading

Thank you

When I run docker ps -a --no-trunc, I have:

8edcf9d9cb33f08e4a065870b6adffce06bf5c4420a07b2683a06787045aac74   sha256:96000f22992951774f2c795bfc0f2b8d1cb7a1e1f55789c32d029eccca4e39bf   "/bin/sh -c 'apk update &&     apk add nano &&     apk add certbot &&     mkdir -p /var/lib/letsencrypt &&     mkdir -p /var/lib/letsencrypt/.well-known &&     chgrp www-data /var/lib/letsencrypt &&     chmod g+s /var/lib/letsencrypt &&     mkdir -p /etc/nginx/snippets &&     touch /etc/nginx/snippets/letsencrypt.conf && \ttouch /etc/nginx/snippets/ssl.conf &&     echo 'location ^~/.well-known/acme-challenge/ {'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'allow all;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'root /var/lib/letsencrypt/;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'default_type \"text/plain\";'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'try_files $uri =404;'>> /etc/nginx/snippets/letsencrypt.conf && \techo '}'>> /etc/nginx/snippets/letsencrypt.conf && \tcertbot certonly --agree-tos --email matangi.dev@gmail.com --webroot -w /var/lib/letsencrypt/ -d matangi.dev && \techo \"server{\">>/etc/nginx/conf.d/nginx.conf && \techo \"listen 443 ssl http2;\">>/etc/nginx/conf.d/nginx.conf && \techo \"server_name matangi.dev;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate /etc/letsencrypt/live/matangi.dev/fullchain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate_key /etc/letsencrypt/live/matangi.dev/privkey.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_trusted_certificate /etc/letsencrypt/live/matangi.dev/chain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/letsencrypt.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/ssl.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"}\">>/etc/nginx/conf.d/nginx.conf'"   15 hours ago   Exited (1) 15 hours ago                                                     strange_jepsen
26d37ed89a815af8c39acb728c1d8003e1856b2351d0302c147c803d096dc449   sha256:7b244af55dd9e48841d311ea7eff7178bb92a546db7dd7078fc65c81668f3a3f   "/bin/sh -c 'apk update &&     apk add nano &&     apk add certbot &&     mkdir -p /var/lib/letsencrypt &&     mkdir -p /var/lib/letsencrypt/.well-known &&     chgrp www-data /var/lib/letsencrypt &&     chmod g+s /var/lib/letsencrypt &&     mkdir -p /etc/nginx/snippets &&     touch /etc/nginx/snippets/letsencrypt.conf &&     echo 'location ^~/.well-known/acme-challenge/ {'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'allow all;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'root /var/lib/letsencrypt/;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'default_type \"text/plain\";'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'try_files $uri =404;'>> /etc/nginx/snippets/letsencrypt.conf && \techo '}'>> /etc/nginx/snippets/letsencrypt.conf && \tcertbot certonly --agree-tos --email matangi.dev@gmail.com --webroot -w /var/lib/letsencrypt/ -d matangi.dev && \techo \"server{\">>/etc/nginx/conf.d/nginx.conf && \techo \"listen 443 ssl http2;\">>/etc/nginx/conf.d/nginx.conf && \techo \"server_name matangi.dev;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate /etc/letsencrypt/live/matangi.dev/fullchain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate_key /etc/letsencrypt/live/matangi.dev/privkey.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_trusted_certificate /etc/letsencrypt/live/matangi.dev/chain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/letsencrypt.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/ssl.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"}\">>/etc/nginx/conf.d/nginx.conf'"                                           16 hours ago   Exited (1) 16 hours ago                                                     wonderful_cannon
927cbfdc44453caf84c5a11ab0e377bb3ca499734ae0678156bff0bc6085adf3   sha256:7b244af55dd9e48841d311ea7eff7178bb92a546db7dd7078fc65c81668f3a3f   "/bin/sh -c 'apk update &&     apk add nano &&     apk add certbot &&     mkdir -p /var/lib/letsencrypt &&     mkdir -p /var/lib/letsencrypt/.well-known &&     chgrp www-data /var/lib/letsencrypt &&     chmod g+s /var/lib/letsencrypt &&     mkdir -p /etc/nginx/snippets &&     touch /etc/nginx/snippets/letsencrypt.conf &&     echo 'location ^~/.well-known/acme-challenge/ {'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'allow all;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'root /var/lib/letsencrypt/;'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'default_type \"text/plain\";'>> /etc/nginx/snippets/letsencrypt.conf && \techo 'try_files $uri =404;'>> /etc/nginx/snippets/letsencrypt.conf && \techo '}'>> /etc/nginx/snippets/letsencrypt.conf && \tcertbot certonly --agree-tos --email matangi.dev@gmail.com --webroot -w /var/lib/letsencrypt/ -d matangi.dev && \techo \"server{\">>/etc/nginx/conf.d/nginx.conf && \techo \"listen 443 ssl http2;\">>/etc/nginx/conf.d/nginx.conf && \techo \"server_name matangi.dev;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate /etc/letsencrypt/live/matangi.dev/fullchain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_certificate_key /etc/letsencrypt/live/matangi.dev/privkey.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"ssl_trusted_certificate /etc/letsencrypt/live/matangi.dev/chain.pem;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/letsencrypt.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"include snippets/ssl.conf;\">>/etc/nginx/conf.d/nginx.conf && \techo \"}\">>/etc/nginx/conf.d/nginx.conf'"                                           16 hours ago   Exited (1) 16 hours ago                                                     dreamy_visvesvaraya

It's very strange as the command that seems to have been run corresponds to my script used for my frontend container. However on my frontend the logs are not disabled. Also the names of these containers are strange, I don't know where they come from, and the time they were launched corresponds to when I was away from the computer.

And when I run docker history:

docker history 96000f229929
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
96000f229929   15 hours ago    /bin/sh -c #(nop) COPY dir:44183f63c2c69de79…   3.64MB    
6aafbb279483   15 hours ago    /bin/sh -c #(nop) COPY file:b2066221881a32f4…   1.35kB    
26f95d8bb7a1   6 days ago      /bin/sh -c rm /etc/nginx/conf.d/default.conf    0B        
6f715d38cfe0   22 months ago   /bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon…   0B        
<missing>      22 months ago   /bin/sh -c #(nop)  STOPSIGNAL SIGTERM           0B        
<missing>      22 months ago   /bin/sh -c #(nop)  EXPOSE 80                    0B        
<missing>      22 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["/docker-entr…   0B        
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:0fd5fca330dcd6a7…   1.04kB    
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:1d0a4127e78a26c1…   1.96kB    
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:e7e183879c35719c…   1.2kB     
<missing>      22 months ago   /bin/sh -c set -x     && addgroup -g 101 -S …   16.5MB    
<missing>      22 months ago   /bin/sh -c #(nop)  ENV PKG_RELEASE=1            0B        
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NJS_VERSION=0.4.3        0B        
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NGINX_VERSION=1.19.2     0B        
<missing>      22 months ago   /bin/sh -c #(nop)  LABEL maintainer=NGINX Do…   0B        
<missing>      2 years ago     /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B        
<missing>      2 years ago     /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…   5.57MB 

docker history 7b244af55dd9
IMAGE          CREATED         CREATED BY                                      SIZE      COMMENT
7b244af55dd9   16 hours ago    /bin/sh -c #(nop) COPY dir:44183f63c2c69de79…   3.64MB    
d45311aa8d76   16 hours ago    /bin/sh -c #(nop) COPY file:c7b35d3a6931488a…   1.27kB    
26f95d8bb7a1   6 days ago      /bin/sh -c rm /etc/nginx/conf.d/default.conf    0B        
6f715d38cfe0   22 months ago   /bin/sh -c #(nop)  CMD ["nginx" "-g" "daemon…   0B        
<missing>      22 months ago   /bin/sh -c #(nop)  STOPSIGNAL SIGTERM           0B        
<missing>      22 months ago   /bin/sh -c #(nop)  EXPOSE 80                    0B        
<missing>      22 months ago   /bin/sh -c #(nop)  ENTRYPOINT ["/docker-entr…   0B        
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:0fd5fca330dcd6a7…   1.04kB    
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:1d0a4127e78a26c1…   1.96kB    
<missing>      22 months ago   /bin/sh -c #(nop) COPY file:e7e183879c35719c…   1.2kB     
<missing>      22 months ago   /bin/sh -c set -x     && addgroup -g 101 -S …   16.5MB    
<missing>      22 months ago   /bin/sh -c #(nop)  ENV PKG_RELEASE=1            0B        
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NJS_VERSION=0.4.3        0B        
<missing>      22 months ago   /bin/sh -c #(nop)  ENV NGINX_VERSION=1.19.2     0B        
<missing>      22 months ago   /bin/sh -c #(nop)  LABEL maintainer=NGINX Do…   0B        
<missing>      2 years ago     /bin/sh -c #(nop)  CMD ["/bin/sh"]              0B        
<missing>      2 years ago     /bin/sh -c #(nop) ADD file:c92c248239f8c7b9b…   5.57MB 

Do you have any suggestions on how to check who accessed the server when the containers were launched?

New containers appeared less than an hour ago and I was in front of my computer, so it's not someone who used my computer and my deploy script with other container names... I guess someone was able to take control of the server.

I have checked the logs in /var/log, in particular auth.log, but I see many connection attempts, mainly failed ones, in particular around the time the containers were launched.

When I run sudo cat /var/log/auth.log | grep Accepted, I only have lines

devserver sshd[606302]: Accepted publickey for user from ip port 62203 ssh2: RSA SHA256:blob

Where user is my user, defined with ssh key access only.

I have ufw configured as a firewall.

I didn't deactivate root login with ssh key and I didn't deactivate root login with password. However, I would like to be able to find traces of these logins if they happened...

How can I investigate to see where my security is at fault?

kr1pkr1p
  • Thanks a lot, it's a great link for general methodology. However it insists on finding how the attacker broke in and I don't know where to begin to investigate... I could use aws codeguru to check my django code or react code but I would like to make sure the attacker didn't use a root password login or my ssh key to access the server. – kr1pkr1p Jun 20 '22 at 17:33
  • https://docs.rackspace.com/support/how-to/investigate-compromised-servers/ to check some commands – kr1pkr1p Jun 21 '22 at 06:39
  • Are you sure these weren't launched by some crontab entry to renew certs? – Peter Zhabin Jun 21 '22 at 09:15
  • How can I check which user/process/command launched them? I have not configured any cron and the certs I had tried to configure were all in containers – kr1pkr1p Jun 21 '22 at 11:25
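The correlation the question is doing by hand (container creation times from docker inspect against the Accepted lines in auth.log), as an added example that is not part of the question or the comments. It assumes the server logs in UTC and constructs its own trimmed inspect output and auth.log lines; the year must be passed in because syslog lines carry none.

```python
"""Correlate Docker container creation times with sshd logins (added example).
Assumes the server clock and auth.log are UTC; syslog lines carry no year."""
import json, re
from datetime import datetime, timedelta, timezone

# Constructed `docker inspect` output trimmed to the two fields used here.
INSPECT_JSON = json.dumps([
    {"Name": "/dreamy_visvesvaraya", "Created": "2022-06-20T03:14:07.123456789Z"},
    {"Name": "/wonderful_cannon", "Created": "2022-06-20T03:16:40.5Z"},
])
# Constructed auth.log excerpt (documentation IP ranges, not real hosts).
AUTH_LOG = """\
Jun 20 03:10:55 devserver sshd[606302]: Accepted publickey for user from 203.0.113.7 port 62203 ssh2: RSA SHA256:blob
Jun 20 03:12:02 devserver sshd[606310]: Failed password for root from 198.51.100.9 port 41822 ssh2
Jun 20 03:13:30 devserver sshd[606315]: Accepted password for root from 198.51.100.9 port 41830 ssh2
Jun 20 09:00:01 devserver sshd[607001]: Accepted publickey for user from 203.0.113.7 port 50001 ssh2: RSA SHA256:blob
"""
DOCKER_TS = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z$")
SSHD_OK = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
                     r"Accepted (\w+) for (\S+) from (\S+) port \d+")

def parse_docker_time(value):
    """Docker's Created field is RFC 3339 with nanoseconds; keep microseconds."""
    base, frac = DOCKER_TS.match(value).groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(
        microsecond=micro, tzinfo=timezone.utc)

def parse_logins(auth_log, year):
    """Return (time, method, user, source_ip) for each sshd 'Accepted' line."""
    out = []
    for line in auth_log.splitlines():
        m = SSHD_OK.match(line)
        if m:  # failed attempts and non-sshd lines are skipped
            t = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            out.append((t.replace(tzinfo=timezone.utc),) + m.groups()[1:])
    return out

def correlate(inspect_json, auth_log, year, window_minutes=10):
    """Container name -> accepted logins within +/- window of creation, closest first."""
    window = timedelta(minutes=window_minutes)
    logins = parse_logins(auth_log, year)
    report = {}
    for c in json.loads(inspect_json):
        created = parse_docker_time(c["Created"])
        near = sorted((e for e in logins if abs(e[0] - created) <= window),
                      key=lambda e: abs(e[0] - created))
        report[c["Name"].lstrip("/")] = {"created": created, "logins": near}
    return report
```

On the real host, feed it `docker inspect $(docker ps -aq)` and /var/log/auth.log with the right year: an `Accepted password for root` close to a creation time is the login the question wants to find, while a creation time with no login near it points toward a local trigger such as cron or a deploy script, as the comments suggest.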

0 Answers