I’ve been running an LSIO unifi-controller container in Azure for over 6 months without any issue. The docker host is an Ubuntu 18.04 default image, with Docker CE installed…
Just over a week ago I got a message from Azure support saying my account had been disabled due to suspicious activity, following which it took several days to get a response from them to say they’d seen crypto mining activity on my account.
It then took a couple more days to get my account activated, following which I have been working my way through checking each of my VMs.
A scan on the disk containing the unifi-controller volume immediately picked up a couple of infected files:
```
/volume1/docker/volumes/unifi/.../.x/stak/xmrig: Multios.Coinminer.Miner-6781728-2 FOUND
/volume1/docker/volumes/unifi/.../.x/h64: Unix.Malware.Agent-1395347 FOUND
```
The … directory was in the root of the /config mapping on the container - my compose file is below for reference:
```yaml
version: "2.1"
services:
  unifi-controller:
    image: ghcr.io/linuxserver/unifi-controller
    container_name: unifi-controller
    environment:
      - PUID=1000
      - PGID=1000
      - MEM_LIMIT=1024M #optional
    volumes:
      - /volume1/docker/volumes/unifi:/config
      - /volume1/docker/volumes/shared:/shared
    ports:
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8443:8443
      - 1900:1900/udp #optional
      - 8843:8843 #optional
      - 8880:8880 #optional
      - 6789:6789 #optional
      - 5514:5514 #optional
    restart: unless-stopped
```
Basically, in the root of the volume mapped to /config there is a … directory, inside of which is the crypto-miner…
The docker host VM is running just docker CE and the unifi-controller container via the above compose file. It’s configured with public-key only authentication, with the same public key used for other instances, which have not been attacked. I’m definitely not ruling out my error at all, but equally I wanted to share this here in case others have been affected…
I would appreciate any feedback or suggestions on the above - thanks in advance!
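The finding above (a hidden directory dropped into the bind-mounted `/config` volume, containing ELF binaries) is the kind of thing a quick triage script can surface on every docker host before a full AV scan. The following is an added example written for this thread, not code from the original post or from the LinuxServer.io project: it lists hidden directories at the root of a mapped volume and any ELF files beneath them. It assumes a POSIX sh with `find`, `head`, `od` and `mktemp`; the sample volume it builds (a `.x/stak` directory holding a file with an ELF header) is constructed here to mirror the layout in the post, and `make_sample_volume`, `scan_volume` and `main` are names chosen for this example.

```shell
#!/bin/sh
# Added example (not from the original post): surface hidden top-level
# directories in a bind-mounted container volume and ELF files under them.
# Assumes POSIX sh with find, head, od and mktemp available.

# Print "DIR <path>" for each hidden directory at the root of $1 and
# "ELF <path>" for each regular file under it whose first four bytes are
# the ELF magic (\177 E L F). Prints nothing when the volume looks clean.
scan_volume() {
  vol="$1"
  find "$vol" -mindepth 1 -maxdepth 1 -type d -name '.*' | while IFS= read -r d; do
    printf 'DIR %s\n' "$d"
    find "$d" -type f | while IFS= read -r f; do
      # od -c renders the 0x7f byte as octal "177", so the magic reads 177ELF
      magic=$(head -c 4 "$f" | od -An -c | tr -d ' \n')
      [ "$magic" = '177ELF' ] && printf 'ELF %s\n' "$f"
    done
  done
}

# Build a constructed sample volume: a normal data directory plus a hidden
# ".x/stak" directory holding a file that starts with an ELF header.
# Returns the temp path on stdout; the caller removes it.
make_sample_volume() {
  vol=$(mktemp -d)
  mkdir -p "$vol/data" "$vol/.x/stak"
  printf 'plain text\n' > "$vol/data/notes.txt"
  printf '\177ELFsample' > "$vol/.x/stak/binary"
  printf '%s' "$vol"
}

# Usage: sh scan.sh /volume1/docker/volumes/unifi
# With no argument the constructed sample volume is scanned instead.
main() {
  if [ -n "${1-}" ]; then
    scan_volume "$1"
  else
    vol=$(make_sample_volume)
    scan_volume "$vol"
    rm -rf "$vol"
  fi
}

main "$@"
```

Anything the script prints deserves a look: a hidden directory at the root of a volume the container writes to is not something the unifi-controller image creates on its own, and an ELF file inside one is worth hashing and checking before the host is considered clean.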