by wok4899 273 days ago
Omg! I am one of the users! Good find. I mainly use it for the built-in VPN facility; gluetun does not cut it. But now it is time to re-think. I thought my 2000+ Linux ISOs were causing medium CPU usage. But still, lacking a GPU, on my unraid server with 50+ docker containers running 24/7 the CPU load is 2.31 2.04 2.00, so I wonder if mining ever triggered?

PS. I do have such a binary on my machine as well:

  ps -ef | grep netservlet
  root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet

2 comments

This output indicates the only process matching netservlet is your own grep, no?
Agree.

The article author searched netservlet for these strings to detect the infection:

> $ strings /tmp/netservlet.elf | egrep -i 'stratum|pool|wallet|http|crypto|mining|eth|btc|pool'

Yep. In the author's case it definitely seems they were infected; everything checks out there. I think this commenter, however, is mistaken when they say they also have the malicious executable discovered by the author. Investigation of my own image (not the latest release, but within the past few months) shows no evidence of what the author reports.
OP got compromised; there's no issue in any hotio container.

Code and CI are all open source.

My money is on the author not having updated their docker image version/tag in over 2 years.

It looks like the app used weak hard-coded admin credentials back then. Appears to have been fixed in 2023.

I am running ghcr.io/hotio/qbittorrent:release-5.1.1
qBittorrent put out version 5.1.2 over 2 months ago:

  > Wed Jul 02nd 2025 - qBittorrent v5.1.2 release
  > [...]
  > qBittorrent v5.1.2 was released.
  > SECURITY: It contains security fixes for the WebAPI, Rss and Search modules.
I have never exposed this container to the world, ever, and my server does report the existence of such a binary. That is the reason, based on CPU usage, I suspect that mining never triggered.

> ps -ef | grep netservlet
> root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet

Edit: absolutely make sure you are running the newest version of the image. It patches security issues in the app.

Read this article:

https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...

It mentions the app will use UPnP to expose itself automatically.

Remember that the BitTorrent protocol is P2P, so it is likely accessible from the internet.

My suggestion is to wipe the image, pull and run the newest version, and change the admin credentials after it starts up.

That's just grep showing you your own grep process, lol. You can do ps -ef | grep foobarbaroof and get the same thing...
Damn it!! Yeah, morning brain without coffee! Thank you for pointing it out.

My bad.

You can use pgrep to avoid this.
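Two checks from this thread, as an added example that is not part of any comment here and not code from hotio or qBittorrent: a process-presence test that cannot match its own search (the `ps -ef | grep netservlet` pitfall above; `pgrep -x` does this, with a `/proc/<pid>/comm` fallback when procps is absent), and the `strings`-based indicator scan quoted earlier, applied to a file. The process name `netservlet` is the one named in the thread; the indicator pattern is the quoted one with its duplicate `pool` dropped; the sample files, the function names and the `example.invalid` host are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread or from hotio/qBittorrent.
# is_running NAME: exit 0 if a process whose command name is exactly NAME
# exists. pgrep -x matches the command name, not the full command line, and
# pgrep never reports itself, so the search cannot produce the false hit
# that `ps -ef | grep netservlet` does (grep's own argv contains the name).
is_running() {
    if command -v pgrep >/dev/null 2>&1; then
        pgrep -x "$1" >/dev/null 2>&1
        return $?
    fi
    # Fallback without procps: /proc/<pid>/comm holds only the command name,
    # so the shell doing the search is never mistaken for the target.
    for d in /proc/[0-9]*; do
        [ "$d" != "/proc/$$" ] || continue
        if read -r comm < "$d/comm" 2>/dev/null && [ "$comm" = "$1" ]; then
            return 0
        fi
    done
    return 1
}

# scan_indicators FILE: print how many printable strings in FILE match the
# indicator pattern quoted in the thread, and exit 0 if at least one did.
# Falls back to tr when `strings` (binutils) is not installed; both emit one
# printable run per line, and grep -c counts matching lines.
scan_indicators() {
    pattern='stratum|pool|wallet|http|crypto|mining|eth|btc'
    if command -v strings >/dev/null 2>&1; then
        count=$(strings "$1" | grep -Eic "$pattern" || true)
    else
        count=$(tr -c '[:print:]' '\n' < "$1" | grep -Eic "$pattern" || true)
    fi
    echo "${count:-0}"
    [ "${count:-0}" -gt 0 ]
}

# Demonstration on constructed input (no real binary is needed): a file
# carrying miner-style strings and a benign one.
demo() {
    suspect=$(mktemp) && benign=$(mktemp)
    printf 'GET / HTTP/1.1\r\nstratum+tcp://pool.example.invalid:3333\r\nxmr wallet here\r\n' > "$suspect"
    printf 'hello world\n' > "$benign"
    if is_running netservlet; then
        echo "netservlet is running"
    else
        echo "netservlet is not running (the search cannot match itself)"
    fi
    printf 'suspect file: %s indicator hits\n' "$(scan_indicators "$suspect" || true)"
    printf 'benign file:  %s indicator hits\n' "$(scan_indicators "$benign" || true)"
    rm -f "$suspect" "$benign"
}

demo
```

Two caveats worth keeping in mind: `http` and `eth` in that pattern match plenty of benign strings (any URL, the word "method"), so a non-zero count is a prompt to look at where the file came from and which image tag the container runs, not proof of infection; and `pgrep -x` compares against the kernel's command name, which on Linux is truncated to 15 characters, so a longer name needs `pgrep -f` with a pattern tight enough not to match the shell that runs it.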
How long have you been running this container?

Can you check the contents of your qBittorrent.conf?