Hacked through a Docker hole in iptables

 •  Filed under docker

Blood and thunder, I've been hacked!

> use Warning
switched to db Warning
> show collections
> db.Readme.find()
{ "_id" : ObjectId("59d52f735e716205267adea9"), "BitCoin" : "1Jqw2tHBkUAGY32YzettJiDAwe8A9mUzok", "eMail" : "cru3lty@safe-mail.net", "Exchange" : "https://localbitcoins.com", "Solution" : "Your DataBase is downloaded and backed up on our secured servers. To recover your lost data: Send 0.2 BTC to our BitCoin Address and Contact us by eMail with your MongoDB server IP Address and a Proof of Payment. Any eMail without your MongoDB server IP Address and a Proof of Payment together will be ignored. You are welcome!" }

Dastards. Idiosyncratic capitalization, to boot. Fortunately I keep backups (cron gsutil /data gs://my-backups) and there was actually nothing in this database. But what the heck happened to my iptables rules?

Looks like docker has been starting without the iptables=false flag.

I thought the solution was to echo '{ "iptables": false }' | sudo tee /etc/docker/daemon.json and restart the daemon (sudo service docker restart), to tell docker not to mess with iptables rules, but then Docker containers can't access the internet.

The true path is above, using the DOCKER-USER chain.

ADDENDUM: I'm going to try and prevent this from happening in the future using Uptime Robot, a free service that will let me know if my site goes down or ports unexpectedly become open.