Dear Awesome Cardano Staking Pool Operators,
My name is Jun, and I am a Korean pool operator of HAPPY.
The reason I am posting this here is to share my mistakes and prevent a similar incident from happening to you.
Just consider that I am just a graduate student in Korea, not a security expert, and I think most of you are not experts either.
I made a huge mistake, and caused a security breach on my Core node.
First, let me share my security settings.
- My SSH config: Password disabled, only accessible with my private SSH key.
- My port setting: Originally open to 2222 (SSH port), 3001 (Core node), 3002~3005 (my ITN node).
- My private key setting: Originally stored on cold USB storage in a password-protected zip (using zip -er).
- My Core and Relay setup: Core is in my home, bare metal; 5 Relays are in AWS, each protected by its own SSH key and UFW.
I think the above settings were okay, but I made a mistake from here on.
I was personally experimenting with Docker, to dockerize my node for easy deployment and setup.
During the experimentation, I opened port 2375 and linked it to my Docker socket. (MISTAKE)
The docker user group has sudo privileges.
As I didn't imagine I could be hacked through Docker (I am just learning Docker), I just linked the Docker socket to an external port and opened it, so I could access my Docker engine from outside easily.
I know this is a very stupid mistake now, but I didn't even imagine this possibility. (Yes, you can blame me.)
Yesterday, my pool pledge suddenly dropped to 740k, the original amount I set before I added my ITN rewards.
I thought that might be caused by a very long-lived tx, because I usually set TTL to 10000.
So I uploaded my cold key without doubt and unlocked the zip file. (SECOND MISTAKE: never upload your key file to a machine when your pool has been changed not by yourself.)
And I increased my pledge to 1M again.
1 hour later, the pledge dropped to 740k again. Then I noticed that something was seriously wrong.
Then right after that, all my pledge was transferred to the hacker's wallet. (TX: https://explorer.cardano.org/en/transaction?id=ef8ac1c667084018315cd080001a3d62d513afa51f1bcf1847684760afac2747)
During the investigation, I found out what my mistakes were, and I found an alien Docker image "zbrtgwlxz:latest" in my Docker image list.
(!!! MAKE SURE that you don't have this alien image if you are using Docker !!!)
And that image was a hacking tool. (Threat Alert: Attacker Building Malicious Images Directly on Your Host)
I am so regretful for what I missed and for my mistake, but I need to share exactly what happened to me to prevent a similar incident.
Thank you for reading this, and be safe.
Jun.
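The two findings in Jun's post, a Docker remote API reachable over TCP 2375 and an image in the local list that the operator never pulled, can both be checked from a shell. The script below is an added example, not code from the post or from any Cardano tooling; the `ss` output, image names other than the alien one, and the allowlist are constructed sample data.

```shell
#!/bin/sh
# Added example (not from Jun's post or any Cardano tooling): audit a host for
# the two findings above, the Docker remote API listening on TCP 2375/2376 on
# a non-loopback address, and images missing from an operator-kept allowlist.
# All sample data below is constructed.

# Print Docker API sockets reachable from outside the host.
# $1: file holding `ss -ltnH` output (columns: State Recv-Q Send-Q Local:Port Peer:Port ...)
# Exit 1 if any such socket was found, 0 if none.
docker_api_exposed() {
    awk '$4 ~ /:237[56]$/ && $4 !~ /^(127\.|\[::1\]:)/ { print $4; found = 1 }
         END { exit found ? 1 : 0 }' "$1"
}

# Print images that are not on the allowlist.
# $1: one repo:tag per line, as from: docker images --format '{{.Repository}}:{{.Tag}}'
# $2: allowlist in the same format, maintained by the operator
# Exit 0 if unknown images were printed, 1 if every image is allowed.
unknown_images() {
    grep -F -x -v -f "$2" "$1"
}

# Stand-alone run against constructed samples. On a real host, feed the live
# `ss -ltnH` and `docker images --format ...` output instead.
main() {
    tmp=$(mktemp -d)
    cat > "$tmp/ss.txt" <<'EOF'
LISTEN 0 128  0.0.0.0:2222   0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 4096 *:2375         *:*       users:(("dockerd",pid=1203,fd=7))
LISTEN 0 4096 127.0.0.1:2376 0.0.0.0:* users:(("dockerd",pid=1203,fd=8))
LISTEN 0 128  0.0.0.0:3001   0.0.0.0:* users:(("cardano-node",pid=1400,fd=40))
EOF
    printf '%s\n' my-cardano-node:latest zbrtgwlxz:latest > "$tmp/images.txt"
    printf '%s\n' my-cardano-node:latest > "$tmp/allow.txt"

    if docker_api_exposed "$tmp/ss.txt"; then
        echo "OK: Docker API not reachable from the network"
    else
        echo "WARNING: Docker API sockets above are reachable from the network"
    fi
    if unknown_images "$tmp/images.txt" "$tmp/allow.txt"; then
        echo "WARNING: images above are not on the allowlist"
    else
        echo "OK: all images are on the allowlist"
    fi
    rm -rf "$tmp"
}

main "$@"
```

A daemon bound only to 127.0.0.1 or [::1] is not reported, so the check flags exactly the configuration the post describes: the Docker socket linked to a port that the whole network can reach.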