[anotherlogin448]

OP got compromised there's no issue in any hotio container.

Code and CI is all open source.

[thephyber]

My money is on the author had not updated their docker image version/tag in over 2 years.

It looks like the app used weak hard-coded admin credentials back then. Appears to have been fixed in 2023.

[wok4899]

I am running, ghcr.io/hotio/qbittorrent:release-5.1.1

[Scion9066]

qBittorrent put out version 5.1.2 over 2 months ago:

  > Wed Jul 02nd 2025 - qBittorrent v5.1.2 release
  > [...]
  > qBittorrent v5.1.2 was released.
  > SECURITY: It contains security fixes for the WebAPI, Rss and Search modules.

[wok4899]

I never have exposed this container to the world ever, and my server do report the existence of such binary. That is the reason based on CPU usage I suspect that mining never triggered.

> ps -ef | grep netservlet > root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet

[thephyber]

Edit: absolutely make sure you are running the newest version of the image. It patches security issues in the app.

Read this article:

https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...

It mentions the app will use uPnP to expose itself automatically.

Remember that BitTorrent protocol is P2P, so it likely is accessible from the internet.

My suggestion is to wipe the image, update pull/run the newest version, and change the admin credentials after it starts up.

[iogjoertsnbu]

that's just grep showing you your own grep process lol. you can do ps -ef | grep foobarbaroof and get the same thing...

[wok4899]

Damn it!! Yeah, morning bran without coffee! Thank you for pointing it out.

My bad.

[bfLives]

You can use pgrep to avoid this.

[bakugo]

How long have you been running this container?

Can you check the contents of your qBittorrent.conf?