Did I just get Hacked? Thanks Docker?

TLDR: My EC2 instance got hacked, I think it is related to the Docker Hub hack. I left some clue and what I did to tighten security.

A few years ago, I finally upgraded from Godaddy to AWS EC2. In fact everything has now been moved away from Godaddy (thank goodness). Route 53, isn’t completely user friendly, but it works fine.

Regardless, I notice that I was getting a bunch of Jetpack notices that my website was down. This was not characteristic of AWS. So ssh’ed into the server and checked the “top” function. I should have taken a screen shot, but my server was being maxed out 99% with numerous “dockerd”. (docker daemon) This load was making my server crash / clogged computing power, etc.

This was a little unnerving, but I do remember installing docker and then abandoning the project. Anyways, what was definitely clear is that dockerd was trashing my server.

Not exactly sure what was accomplished by taking over my server. The instance is a t1.nano, so it doesn’t offer much in the way of crypto mining. My site doesn’t get enough hits, so I doubt it was advertising malware. My only thought is that they might have used it for some kind of SEO / traffic bounce scheme?

Then I found this article, so I’m now guessing it was part of the issue?

Here is what I did immediately tighten up security. If anybody has any more suggestions, please place them in the comments.

Here is just some of the code I found on the server, if anybody is interested.

root:/var/www/html/stocks# docker rmi $(docker images -q)
Untagged: postgres:10-alpine
Untagged: [email protected]:3d9c62b0b614fb7e21afa752b4e84ff83cbbde5b84ea0b533799cc4c44ea3789
Deleted: sha256:787004db496a65b949515e809683667ed7c4b566fd27b3dc6ed46b322575f278
Deleted: sha256:2e6c28a94b8898ff48ed5c425150a7074dcfa2b461bee071836846055ebc398e
Deleted: sha256:7568dcf4070e53f38076d2ea02a5691a30323e3ce897c57e12d2c5c7d60a1cae
Deleted: sha256:f31fd8e4dd027a25da196eeb7e119e5e570203b92f14cc6fbfa662a1c3fbc881
Deleted: sha256:de54b53c627c545176a86b66f1f88f688291e2db4aff5184714f8b802b5ac071
Deleted: sha256:fa489a85d1cce60b84491f3566eaf484a93753108e77a4e3aac52fa8157f36d0
Deleted: sha256:5af665f72deff595b9bb0afeea5a944e7e63c0b40d05371f2ff1f23d14cdccb3
Deleted: sha256:de258e6e7b50a26bc997ffb2161daaf1f07485c8ef9623318b3aeb16e31d1019
Deleted: sha256:af2a306c8e66e784cefaca9cbef5d63893892ac0717cf8df9de3cf24405059cd
Deleted: sha256:df64d3292fd6194b7865d7326af5255db6d81e9df29f48adde61a918fbd8c332

and in /etc/docker I found the following.

/etc/docker

{"crv":"P-256","d":"e_7N92oVLU-ZnRPVKYvfVYpHbK2IfXWk4ftPVWLeqgQ","kid":"HDIK:LFQO:OYHE:NLHJ:DJ46:AWUM:BCCR:K2MZ:UXVD:NLBC:4KGQ:DMQ5","kty":"EC","x":"JJ2UCLb4ODabtzh_NAiKBYja9hRmn8USXcVQZE2mk7g","y":"eQVXO0ouR-XFFxLvojXM2p1qEiAReUoaC3wuKogC_Uo"}

I will be reporting this to the FBI, as soon they are done with the Muller report and or fall out.