zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. V__+N4[view] [source] 2025-12-17 21:39:21
>>jakels+(OP)
> The Reddit post I’d seen earlier? That guy got completely owned because his container was running as root. The malware could: [...]

Is that the case, though? My understanding was, that even if I run a docker container as root and the container is 100% compromised, there still would need to be a vulnerability in docker for it to “attack” the host, or am I missing something?

◧◩
2. TheRea+h8[view] [source] 2025-12-17 21:54:20
>>V__+N4
Docker containers with root have rootish rights on the host machine too because the userid will just be 0 for both. So if you have, say, a bind mount that you play fast and loose with, the docker user can create 0777 files outside the docker container, and now we're almost done. Even worse if "just to make it work" someone runs the container with --privileged and then makes the terminal mistake of exposing that container to the internet.
◧◩◪
3. V__+z9[view] [source] 2025-12-17 22:01:25
>>TheRea+h8
Can you explain this a bit further? Wouldn't that 0777 file outside docker be still executed inside the container and not on the host?
◧◩◪◨
4. necove+wh[view] [source] 2025-12-17 22:49:06
>>V__+z9
I believe they meant you could create an executable that is accessible outside the container (maybe even as setuid root one), and depending on the path settings, it might be possible to get the user to run it on the host.

Imagine naming this executable "ls" or "echo" and someone having "." in their path (which is why you shouldn't): as long as you do "ls" in this directory, you've ran compromised code.

There are obviously other ways to get that executable to be run on the host, this just a simple example.

[go to top]