I have a VPS that hosts only Docker containers and a proxy manager. Recently I received an alert from my service provider telling me that my VPS is doing password brute-forcing against some platforms (e.g. Facebook, Twitter).
I immediately checked the login logs and found that no one else had accessed my server before (I logged in using SSL+2FA).
Therefore, I think one of the Docker containers was hacked and some scripts were injected to perform the attack. But I have a lot of 3rd-party images like WordPress and Plex, and I can't identify whether any of the files were changed or injected.
Also, some containers are serving media streams, so I can't use Net I/O to determine whether a service is compromised.
Is there an easier way to know which container is doing the attack? For example, is there a tool that can monitor all container traffic, such as Wireshark or Charles, or generate request logs?
My service doesn't need to call the API of the attacked platform, so if a container is sending requests to that platform, I can conclude that that container is hacked and check why.
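One way to answer the question in the post, as an added example that is not part of the original post and not the poster's own setup: on a Docker host every container on the default bridge has its own IP in 172.17.0.0/16, and both `conntrack -L` (the kernel's connection table, which records the pre-NAT container source address in the original direction) and `tcpdump -nn -i docker0` show that address as the source of each outbound flow. The script below maps bridge IPs to container names using the output of `docker network inspect bridge`, parses flow records in either format, and counts, per container, the connections into the network ranges named in the abuse report. All inputs here are constructed samples: the container names and IDs are hypothetical, the destinations use RFC 5737 documentation ranges, and 203.0.113.0/24 stands in for the attacked platform; on a real host you would feed it the actual command output and the real target addresses.

```python
"""Attribute outbound flows on the Docker bridge to the container that opened them,
and flag containers that talk to networks they have no legitimate reason to reach.

Constructed sample inputs stand in for:
  docker network inspect bridge      -> bridge IP -> container name
  conntrack -L  /  tcpdump -nn -i docker0 -> flow records leaving the bridge
"""
import ipaddress
import json
import re
from collections import Counter, defaultdict

# Constructed sample of `docker network inspect bridge`, trimmed to the fields used
# below. Container IDs and names are hypothetical.
SAMPLE_NETWORK_INSPECT = json.dumps([{
    "Name": "bridge",
    "Containers": {
        "a1b2c3": {"Name": "wordpress", "IPv4Address": "172.17.0.2/16"},
        "d4e5f6": {"Name": "plex", "IPv4Address": "172.17.0.3/16"},
        "0a1b2c": {"Name": "proxy-manager", "IPv4Address": "172.17.0.4/16"},
    },
}])

# Constructed flow records mixing `conntrack -L` and `tcpdump -nn` line formats.
# 192.0.2.7 plays the VPS's public IP; 203.0.113.0/24 plays the attacked platform.
SAMPLE_FLOWS = """\
tcp      6 431999 ESTABLISHED src=172.17.0.3 dst=198.51.100.20 sport=45710 dport=443 src=198.51.100.20 dst=192.0.2.7 sport=443 dport=45710 [ASSURED] mark=0 use=1
tcp      6 118 TIME_WAIT src=172.17.0.2 dst=203.0.113.10 sport=51234 dport=443 src=203.0.113.10 dst=192.0.2.7 sport=443 dport=51234 [ASSURED] mark=0 use=1
tcp      6 117 TIME_WAIT src=172.17.0.2 dst=203.0.113.11 sport=51235 dport=443 src=203.0.113.11 dst=192.0.2.7 sport=443 dport=51235 [ASSURED] mark=0 use=1
12:00:03.000123 IP 172.17.0.2.51236 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:03.000456 IP 172.17.0.4.40000 > 198.51.100.5.80: Flags [S], seq 2, win 64240, length 0
udp      17 29 src=172.17.0.3 dst=192.0.2.53 sport=50000 dport=53 src=192.0.2.53 dst=192.0.2.7 sport=53 dport=50000 mark=0 use=1
tcp      6 10 TIME_WAIT src=192.0.2.7 dst=203.0.113.12 sport=60000 dport=443 src=203.0.113.12 dst=192.0.2.7 sport=443 dport=60000 [ASSURED] mark=0 use=1
"""

# First src=/dst= pair on a conntrack line is the original (pre-NAT) direction.
CONNTRACK_RE = re.compile(r"src=(\S+) dst=(\S+) sport=\d+ dport=(\d+)")
# tcpdump -nn prints "IP <src>.<sport> > <dst>.<dport>:" for IPv4 packets.
TCPDUMP_RE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

UNMAPPED = "<not a bridge container>"


def load_container_map(inspect_json):
    """Return {bridge_ip: container_name} from `docker network inspect` JSON."""
    ipmap = {}
    for net in json.loads(inspect_json):
        for entry in net.get("Containers", {}).values():
            ipmap[entry["IPv4Address"].split("/")[0]] = entry["Name"]
    return ipmap


def parse_flows(text):
    """Return [(src_ip, dst_ip, dst_port)] for each recognised flow line.

    Accepts conntrack -L and tcpdump -nn lines; anything else is ignored."""
    flows = []
    for line in text.splitlines():
        m = CONNTRACK_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(2), int(m.group(3))))
            continue
        m = TCPDUMP_RE.search(line)
        if m:
            flows.append((m.group(1), m.group(3), int(m.group(4))))
    return flows


def attribute(flows, ipmap, suspect_nets):
    """Count connections into suspect_nets per container: {name: Counter('ip:port')}.

    Sources that are not bridge IPs (the host itself, or a container running with
    --network host) cannot be attributed this way and land under UNMAPPED."""
    nets = [ipaddress.ip_network(n) for n in suspect_nets]
    hits = defaultdict(Counter)
    for src, dst, dport in flows:
        if any(ipaddress.ip_address(dst) in n for n in nets):
            hits[ipmap.get(src, UNMAPPED)][f"{dst}:{dport}"] += 1
    return hits


def report(hits):
    """Render one line per container, busiest first."""
    lines = []
    for name, dests in sorted(hits.items(), key=lambda kv: -sum(kv[1].values())):
        top = ", ".join(f"{d} x{n}" for d, n in dests.most_common(3))
        lines.append(f"{name}: {sum(dests.values())} flows to suspect nets ({top})")
    return "\n".join(lines)


if __name__ == "__main__":
    ipmap = load_container_map(SAMPLE_NETWORK_INSPECT)
    hits = attribute(parse_flows(SAMPLE_FLOWS), ipmap, ["203.0.113.0/24"])
    print(report(hits))
```

Two caveats a practitioner should keep in mind when running this against a real host. First, `docker0` is only the default bridge; networks created by docker-compose get their own `br-<id>` interfaces and their own `docker network inspect <name>` output, so either capture with `tcpdump -i any` and inspect every network, or rely on `conntrack -L`, which sees all of them. Second, a container started with `--network host` shares the host's IP and shows up as unattributed here; for that case, enter its network namespace directly with `nsenter -t "$(docker inspect -f '{{.State.Pid}}' <name>)" -n ss -tnp`, which lists that container's sockets together with the process that owns them.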