zlacker

[return to "I got hacked: My Hetzner server started mining Monero"]
1. V__+N4[view] [source] 2025-12-17 21:39:21
>>jakels+(OP)
> The Reddit post I’d seen earlier? That guy got completely owned because his container was running as root. The malware could: [...]

Is that the case, though? My understanding was, that even if I run a docker container as root and the container is 100% compromised, there still would need to be a vulnerability in docker for it to “attack” the host, or am I missing something?

◧◩
2. d4mi3n+R9[view] [source] 2025-12-17 22:03:49
>>V__+N4
While this is true, the general security stance on this is: Docker is not a security boundary. You should not treat it like one. It will only give you _process level_ isolation. If you want something with better security guarantees, you can use a full VM (KVM/QEMU), something like gVisor[1] to limit the attack surface of a containerized process, or something like Firecracker[2] which is designed for multi-tenancy.

The core of the problem here is that process isolation doesn't save you from whole classes of attack vectors or misconfigurations that open you up to nasty surprises. Docker is great, just don't think of it as a sandbox to run untrusted code.

1. https://gvisor.dev/

2. https://firecracker-microvm.github.io/

◧◩◪
3. hsbaua+bj[view] [source] 2025-12-17 22:59:02
>>d4mi3n+R9
Virtual machines are treated as a security boundary despite the fact that with enough R&D they are not. Hosting minecraft servers in virtual machines is fine, but not a great idea if they’re cohosted on a machine that has billions of dollars in crypto or military secrets.

Docker is pretty much the same but supposedly more flimsy.

Both have non-obvious configuration weaknesses that can lead to escapes.

◧◩◪◨
4. kevinr+pA2[view] [source] 2025-12-18 17:12:07
>>hsbaua+bj
> Virtual machines are treated as a security boundary despite the fact that with enough R&D they are not. Hosting minecraft servers in virtual machines is fine, but not a great idea if they’re cohosted on a machine that has billions of dollars in crypto or military secrets.

While I generally agree with the technical argument, I fail to see the threat model here. Is it that some external threat would have prior knowledge that an important target is in close proximity to a less hardened one? It doesn't seem viable to me for nation states to spend the expensive R&D to compromise hobbyist-adjacent services in a hope that they can discover more valuable data on the host hypervisor.

Once such expensive malware is deployed, there's a huge risk that all the R&D money is spent on potentially just reconnaissance.

◧◩◪◨⬒
5. hsbaua+8O3[view] [source] 2025-12-18 23:23:34
>>kevinr+pA2
Yes. Docker too.
[go to top]