My server hacked with

I use community version of Drone (latest) and run drone & drone-runner in docker on my own server.
It work many years ok, until this month.
When I saw this picture at Grafana - I was surprised.

Every drone-xxxx container running running some garbage (i think - its mining).
I haven’t screenshoots of commands inside docker but i can replay this when i start my drone server again and wait some time)

I use Github authentication to the admin side and don’t understand where is hole to my server?

Same problem here. What I have found is that there was a user in my user management page on which had the Role user (so no Admin at least). I inspected some of the files in the container - they included base64 encoded commands, which seem to resemble some kind of bitcoin miner (don’t know for sure, but the URLs in the commands seem to be crypto related).

Here is the original repository of the miner I found in case someone wants to check it out:

For now, I will definitely turn off Drone CI. Seems like there is some huge security issue with it.

1 Like

If your Drone instance is not behind a firewall (and is available at a public address) you should use one of the following settings to limit access:

Limit registration by user or organization:

Disable self-registration (only an admin can create a user account when you do this)

1 Like

:grin: I catch this miner owner in my drone users (sirdapa)

Thanks, Brad! This helps