My server hacked with Drone.io

I use the community version of Drone (latest) and run drone & drone-runner in Docker on my own server.
It worked OK for many years, until this month.
When I saw this picture in Grafana, I was surprised.


Every drone-xxxx container is running some garbage (I think it's mining).
I don't have screenshots of the commands inside Docker, but I can reproduce this when I start my Drone server again and wait some time.

I use GitHub authentication for the admin side and don't understand where the hole into my server is.

Same problem here. What I have found is that there was a user in my user management page on https://drone.xxxx.com/settings/users which had the Role user (so no Admin at least). I inspected some of the files in the container - they included base64 encoded commands, which seem to resemble some kind of bitcoin miner (don’t know for sure, but the URLs in the commands seem to be crypto related).

Here is the original repository of the miner I found in case someone wants to check it out: https://github.com/sirdapa/deepcc

For now, I will definitely turn off Drone CI. Seems like there is some huge security issue with it.

1 Like

If your Drone instance is not behind a firewall (and is available at a public address) you should use one of the following settings to limit access:

Limit registration by user or organization:
https://docs.drone.io/server/user/registration/

Disable self-registration (only an admin can create a user account when you do this):
https://docs.drone.io/server/reference/drone-registration-closed/

1 Like
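The two settings from the reply above, as an added example that is not part of the original thread: a shell function that classifies a Drone server's registration policy from its environment. It assumes the documented variables `DRONE_USER_FILTER` and `DRONE_REGISTRATION_CLOSED`; the function names, sample files, host and account names are constructed for illustration.

```shell
#!/bin/sh
# Classify a Drone server's registration policy from a file of KEY=VALUE lines.
# Such a file can be dumped from a running container with:
#   docker inspect --format '{{range .Config.Env}}{{println .}}{{end}}' <server-container>
# (<server-container> is a placeholder for your own container name.)

# Print the value of KEY from an env file (last assignment wins, quotes stripped).
env_value() {
    local key="$1" file="$2"
    sed -n "s/^[[:space:]]*${key}=//p" "$file" | tail -n 1 | tr -d "\"'" | tr -d '\r'
}

# Echo one of: closed (admin-created accounts only), filtered (allow-list), open.
drone_registration_status() {
    local file="$1" closed filter
    closed="$(env_value DRONE_REGISTRATION_CLOSED "$file" | tr '[:upper:]' '[:lower:]')"
    filter="$(env_value DRONE_USER_FILTER "$file")"
    case "$closed" in
        true|1|t) echo closed; return 0 ;;
    esac
    if [ -n "$filter" ]; then
        echo filtered
    else
        echo open   # any account at the OAuth provider can log in and get the user role
    fi
}

# Constructed sample environments (not taken from the thread).
SAMPLE_DIR="$(mktemp -d)"
cat > "$SAMPLE_DIR/open.env" <<'EOF'
DRONE_SERVER_HOST=drone.example.test
DRONE_GITHUB_CLIENT_ID=constructed-id
# DRONE_REGISTRATION_CLOSED=true
EOF
printf 'DRONE_USER_FILTER=my-org,octocat\n' > "$SAMPLE_DIR/filtered.env"
printf 'DRONE_REGISTRATION_CLOSED="True"\n' > "$SAMPLE_DIR/closed.env"

for f in open filtered closed; do
    printf '%s.env: %s\n' "$f" "$(drone_registration_status "$SAMPLE_DIR/$f.env")"
done
```

A result of `open` on a publicly reachable instance matches the situation in this thread; after changing the setting, also review the existing accounts under `/settings/users`, since closing registration does not remove users who already signed up.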

:grin: I caught this miner owner in my Drone users (sirdapa)

Thanks, Brad! This helps