Did I just get Hacked? Thanks Docker?

TLDR: My EC2 instance got hacked, I think it is related to the Docker Hub hack. I left some clues and what I did to tighten security.

A few years ago, I finally upgraded from Godaddy to AWS EC2. In fact, everything has now been moved away from Godaddy (thank goodness). Route 53 isn’t completely user-friendly, but it works fine.

Regardless, I noticed that I was getting a bunch of Jetpack notices that my website was down. This was not characteristic of AWS. So I ssh’ed into the server and checked with the “top” function. I should have taken a screenshot, but my server was being maxed out at 99% by numerous “dockerd” (docker daemon) processes. This load was making my server crash / clogging computing power, etc.

This was a little unnerving, but I do remember installing docker and then abandoning the project. Anyway, what was definitely clear is that dockerd was trashing my server.

Not exactly sure what was accomplished by taking over my server. The instance is a t1.nano, so it doesn’t offer much in the way of crypto mining. My site doesn’t get enough hits, so I doubt it was advertising malware. My only thought is that they might have used it for some kind of SEO / traffic bounce scheme?

Then I found this article, so I’m now guessing it was part of the issue?

Here is what I did immediately to tighten up security. If anybody has any more suggestions, please place them in the comments.

Here is just some of the code I found on the server, if anybody is interested.

And in /etc/docker I found the following.



I will be reporting this to the FBI, as soon as they are done with the Mueller report and/or fallout.