Hi all,
I’ve been running an LSIO unifi-controller container in Azure for over 6 months without any issue. The docker host is an Ubuntu 18.04 default image, with Docker CE installed…
Just over a week ago I got a message from Azure support saying my account had been disabled due to suspicious activity, following which it took several days to get a response from them to say they’d seen crypto mining activity on my account.
It then took a couple more days to get my account activated, following which I have been working my way through checking each of my VMs.
A scan on the disk containing the unifi-controller volume immediately picked up a couple of infected files:
/volume1/docker/volumes/unifi/.../.x/stak/xmrig: Multios.Coinminer.Miner-6781728-2 FOUND
/volume1/docker/volumes/unifi/.../.x/h64: Unix.Malware.Agent-1395347 FOUND
The … directory was in the root of the /config mapping on the container - my compose file is below for reference:
version: "2.1"
services:
  unifi-controller:
    image: ghcr.io/linuxserver/unifi-controller
    container_name: unifi-controller
    environment:
      - PUID=1000
      - PGID=1000
      - MEM_LIMIT=1024M #optional
    volumes:
      - /volume1/docker/volumes/unifi:/config
      - /volume1/docker/volumes/shared:/shared
    ports:
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8443:8443
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514 #optional
    restart: unless-stopped
Basically, in the root of the volume mapped to /config there is a … directory, inside of which is the crypto-miner…
The docker host VM is running just docker CE and the unifi-controller container via the above compose file. It’s configured with public-key only authentication, with the same public key used for other instances, which have not been attacked. I’m definitely not ruling out my error at all, but equally I wanted to share this here in case others have been affected…
I would appreciate any feedback or suggestions on the above - thanks in advance!
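The two checks described in the post (reading scanner output and looking through the bind-mounted /config volume for a dot-directory holding a dropped binary) can be scripted for other hosts. The following is an added example, not the poster's code and not part of the LinuxServer.io project; it parses clamscan-style "path: Signature FOUND" lines and walks a volume root reporting ELF files that sit under a hidden directory. The sample scan output, the signature names and the temporary directory layout in `demo()` are constructed for the example.

```python
"""Triage helper for a bind-mounted container volume (added example).

1. parse_clamscan()          -> (path, signature) pairs from clamscan 'FOUND' lines
2. find_hidden_executables() -> ELF files located under any dot-prefixed directory
   beneath the volume root, which is where the miner was dropped in the post
"""
from __future__ import annotations

import os
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

# clamscan prints one line per infected file: "<path>: <signature> FOUND"
FOUND_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")
ELF_MAGIC = b"\x7fELF"

# Constructed scanner output; the paths and signature names are placeholders.
SAMPLE_SCAN = """\
/mnt/vol/data/db: OK
/mnt/vol/.x/stak/miner: Example.Coinminer-1 FOUND
/mnt/vol/.x/h64: Example.Agent-2 FOUND
----------- SCAN SUMMARY -----------
Infected files: 2
"""


def parse_clamscan(output: str) -> List[Tuple[str, str]]:
    """Return (path, signature) for every 'FOUND' line; other lines are ignored."""
    hits = []
    for line in output.splitlines():
        m = FOUND_RE.match(line.strip())
        if m:
            hits.append((m.group("path"), m.group("sig")))
    return hits


def is_elf(path: Path) -> bool:
    """True if the file starts with the ELF magic bytes (a native Linux binary)."""
    try:
        with path.open("rb") as fh:
            return fh.read(4) == ELF_MAGIC
    except OSError:
        return False


def find_hidden_executables(root: str) -> List[str]:
    """List ELF files (paths relative to root) under any hidden directory in root.

    A config volume for a Java application should not normally contain native
    binaries inside dot-directories, so each hit is worth a manual look.
    """
    root_path = Path(root)
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root_path):
        rel = Path(dirpath).relative_to(root_path)
        if not any(part.startswith(".") for part in rel.parts):
            continue  # only interested in hidden directories
        for name in filenames:
            candidate = Path(dirpath) / name
            if candidate.is_file() and is_elf(candidate):
                findings.append(str(candidate.relative_to(root_path)))
    return sorted(findings)


def demo() -> List[str]:
    """Build a constructed volume layout in a temp dir and run the hidden-dir check."""
    with tempfile.TemporaryDirectory() as tmp:
        # Legitimate-looking content: a data directory with a non-ELF file.
        (Path(tmp) / "data").mkdir()
        (Path(tmp) / "data" / "db").write_bytes(b"not a binary")
        # Constructed dropped payload: a fake ELF header inside a dot-directory.
        (Path(tmp) / ".x" / "stak").mkdir(parents=True)
        (Path(tmp) / ".x" / "stak" / "miner").write_bytes(ELF_MAGIC + b"\x00" * 12)
        (Path(tmp) / ".x" / "notes.txt").write_bytes(b"plain text, not flagged")
        return find_hidden_executables(tmp)


if __name__ == "__main__":
    for path, sig in parse_clamscan(SAMPLE_SCAN):
        print(f"scanner hit: {path} ({sig})")
    for rel in demo():
        print(f"ELF under hidden dir: {rel}")
```

Pointing `find_hidden_executables()` at the host-side path of the /config bind mount (for the compose file above, /volume1/docker/volumes/unifi) lists any native binaries hiding in dot-directories, independent of whether a signature exists for them yet; the scanner parse just turns clamscan output into something a script can act on.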