logrotate inside the container causes all CPU cores 100% - probable malware #134
Comments
The malware is back/still here (after a week of scrubbing). So I tested my system and I even created the service to automatically delete the malware process, but obviously someone is trying to start his fake .logrotate on my system through this docker image. I checked everything and did all by the book; even scrubbing the system and reinstalling caused this. Obviously the "hacker" noticed he got detected and he tried to hide the process by adding the
I am certainly no expert, and cannot even say if this is malware or not. But reviewing the Dockerfile, a plausible explanation for a possible breach is the dependency on the base docker image (eclipse-temurin:17-jdk-jammy). The Docker Hub repository indicates several known vulnerabilities of this image. Might it be possible to resort to better maintained OpenJDKs (https://hub.docker.com/_/openjdk)? @fugasjunior Just an idea, no qualified solution
It seems update v1.4.0 helped with the issue by updating the dependencies. I'll keep this issue open for some time if anyone still has the problem even after the update, but for now, it seems solved.
Have literally the same issue. What update are you talking about? And is it still helping?
Describe the bug
After a while containered logrotate in /root/.config/logrotate starts. It is not a standard logrotate file location and the executable seems not to be real logrotate (maybe a miner or some other malware). Servers are affected by the malicious logrotate (high lag spikes due to CPU issues).
To Reproduce
Steps to reproduce the behavior:
Start the server and the problem will start randomly after a few hours of activity.
Expected behavior
It should not run. Server should not be affected by logrotate (it should be just an ordinary log rotation utility)
Screenshots
This is the containered process tree running /root/.config/logrotate
First-aid
Killed the processes and removed the executable. Still waiting to see if the container will reacquire the executable. After the process termination cores are back to normal and servers are running fine. Zombie process inside container stays active.
EDIT:
After 3 hours the executable reappeared in /root/.config/logrotate and was executed inside container
So yeah I am now 100% sure this docker image contains malware.
Environment
OS: Ubuntu 22.04
docker-compose.yml
Standard docker compose no modifications, only sensitive data change.
.env
standard env no modifications.
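The issue above boils down to one observable: a process called logrotate running from a dotfile directory (/root/.config) instead of the distribution's own binary. The script below is an added example, written for this thread and not part of the issue or the project, that turns that observation into a repeatable check a defender can run inside a container or on the host. It assumes the legitimate binary lives at /usr/sbin/logrotate (the Debian/Ubuntu location; adjust for other images) and it reads process records in the form "pid exe-path cpu%". The sample records are constructed to mirror the process tree the reporter describes; `scan_proc` is the live variant that resolves each executable through /proc/<pid>/exe, which keeps working even after the file on disk has been deleted.

```shell
#!/bin/sh
# Added example (not from the issue or the project): flag processes named
# "logrotate" that do not run from the expected system path, or that run from
# hidden/temporary directories such as /root/.config, as reported above.
# ALLOWED_LOGROTATE is an assumption for Debian/Ubuntu-based images.
ALLOWED_LOGROTATE="/usr/sbin/logrotate"

# Reads "<pid> <exe path> <cpu%>" records on stdin; prints one line per
# suspicious process as "<pid> <exe path> <reason>".
flag_suspicious() {
    while read -r pid exe cpu; do
        [ -z "$pid" ] && continue
        name=$(basename "$exe")
        # Rule 1: anything executing from a dotfile or scratch directory.
        case "$exe" in
            */.config/*|*/.cache/*|/tmp/*|/dev/shm/*)
                echo "$pid $exe hidden-or-temp-dir"
                continue ;;
        esac
        # Rule 2: a binary calling itself logrotate from an unexpected path.
        if [ "$name" = "logrotate" ] && [ "$exe" != "$ALLOWED_LOGROTATE" ]; then
            echo "$pid $exe unexpected-path"
        fi
    done
}

# Live scan (Linux only): /proc/<pid>/exe survives deletion of the binary,
# so a miner that unlinks itself after start still shows its original path
# followed by " (deleted)".
scan_proc() {
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        echo "$pid $exe 0"
    done | flag_suspicious
}

# Constructed sample records modelled on the issue: the JVM, the real
# logrotate, the rogue copy under /root/.config, and a copy at another
# non-standard path to exercise the second rule.
SAMPLE='1 /usr/bin/java 5.0
231 /usr/sbin/logrotate 0.1
982 /root/.config/logrotate 99.8
1011 /usr/local/bin/logrotate 12.0'

# Returns the number of flagged processes in the constructed sample.
count_suspicious() {
    printf '%s\n' "$SAMPLE" | flag_suspicious | wc -l | tr -d ' '
}

# Returns the reason assigned to the /root/.config copy from the issue.
reason_for_rogue() {
    printf '%s\n' "$SAMPLE" | flag_suspicious | awk '$1 == 982 { print $3 }'
}

printf '%s\n' "$SAMPLE" | flag_suspicious
```

Running the script prints the two flagged records (pid 982 under /root/.config and pid 1011 at /usr/local/bin); `scan_proc` does the same against the real process table. A useful follow-up inside the container is comparing the flagged path against the package manager's file list (for example `dpkg -S /usr/sbin/logrotate` on Debian-based images), since a real logrotate belongs to a package and a dropped binary does not.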