LWN: Comments on "Backdoored images downloaded 5 million times finally removed from Docker Hub (ars technica)"
https://lwn.net/Articles/757576/

This is a special feed containing comments posted to the individual LWN article titled "Backdoored images downloaded 5 million times finally removed from Docker Hub (ars technica)".

Fri, 17 Oct 2025 06:16:01 +0000

Backdoored images downloaded 5 million times finally removed from Docker Hub (ars technica)
https://lwn.net/Articles/757710/
valberg, Mon, 18 Jun 2018 12:45:11 +0000

> But then, the malicious images on Dockerhub are not the real problem. With Docker API access you can just point the Docker daemon at your own image registry powered by a CDN of IoT devices or whatever.

The articles could be more precise. You're right that the images are not the real problem but they are part of the attack. Deleting the account and hence those images would have temporarily stopped the attacks. To be fair, it would have turned into a whack-a-mole as the images could have been uploaded to another account on DockerHub but doing nothing is certainly not the right move to increase or gain trust.

Backdoored images downloaded 5 million times finally removed from Docker Hub (ars technica)
https://lwn.net/Articles/757630/
lsl, Fri, 15 Jun 2018 20:27:07 +0000

Ok, so apparently the mode of attack is scanning the net for hosts that expose the unauthenticated Docker admin socket to the public internet.

> This got deployed on one of our servers which a faulty firewall setting (Docker API port was exposed accidentally).
> This means the "creators" of the image are actively scanning the Internet for exposed Docker APIs in order to run this image on them.

https://github.com/docker/hub-feedback/issues/1121

But then, the malicious images on Dockerhub are not the real problem. With Docker API access you can just point the Docker daemon at your own image registry powered by a CDN of IoT devices or whatever.

Backdoored images downloaded 5 million times finally removed from Docker Hub (ars technica)
https://lwn.net/Articles/757627/
lsl, Fri, 15 Jun 2018 20:15:42 +0000

What I don't understand is why anyone would start to use the attacker's images in the first place.
I think I should create a git repo hosted at https://github.com/torvalds123321/linux4.git and wait for people to pull their kernel sources from there.