
The article hasn’t proven that the infection is in the GHCR Docker image, let alone the newest version. It only says that they had the image installed, then (unknown time later) noticed the infection.

According to some messages on Hotio’s Discord server from 2023-11-25, qBitTorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.

If the author was pinned to an old version of the Docker image and their server had an internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.

Edit: Scion9066’s comment shows that qBitTorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.



The comment was 100% in jest / sarcasm.

OP's system got compromised at some point; the images are clean.

Hell, if he didn't want to post his clickbait, he easily could have verified with a clean image on a known clean system.


Brand new account, 7 different comments on this post, all aggressively trying to discredit it.

A bit suspicious, don't you think?


Nope. How else are they supposed to make comments if they didn't have an account here yet? I had to create this account just to answer you—is that suspicious too?


It’s a fair observation.

Their comments are extremely high confidence (failing to recognize that accidents and supply chain attacks do sometimes happen) and because they are new and posting frequently in the same thread, their account shows the signs of a bot/disinfo campaign (which does happen on HN).


It's a completely useless observation. Doesn't add anything productive to the topic.


It's not useless, a new account commenting what amounts to "There's nothing wrong, stop looking", multiple times, is the opposite of assuring.


No one said stop looking; simply that OP was wildly misinformed and he proved nothing of any value.


You can back up a debunking with receipts or reputation. Ideally, both.

You and anotherlogin448 have neither, but also show incredible aggression towards anyone pointing that out.

Your confidence might actually be warranted, but there's no reason for any one of us to take you at your word, and neither of you has given anything else.


> I had to create this account just to answer you—is that suspicious too?

No, but if you were to make 6 more comments under the same post all saying the same thing in an overly confident and aggressive tone, it would be.


And yet, I probably would have done that if he hadn't done it first. Your incitement to suspicion is highly biased and also an ad hominem diversion.


Currently, on my own system, the docker container of qBitTorrent definitely doesn't seem to use more resources than it should.


Unfortunately this doesn’t prove absence of infection.

Cryptominers have become adept at hiding their symptoms when users are looking/interactive.

Just use the best security hygiene — always use the newest version of the app, ensure the admin credentials aren’t low entropy/hard-coded, and hopefully that the admin panel isn’t internet accessible.



