I got hacked: My Hetzner server started mining Monero
2 days ago
- #server-security
- #docker
- #cryptojacking
- Server hacked and used for Monero mining via a compromised Umami analytics container.
- Malware exploited a Next.js/Puppeteer RCE vulnerability (CVE-2025-66478) in Umami.
- Processes ran as non-root user (UID 1001) within the container, preventing host system compromise.
- Container isolation prevented malware from escaping to the host or other containers.
- Incident resolved by removing the compromised container and enabling a firewall.
- Lessons learned include the importance of knowing dependencies, proper container configuration, and defense in depth.
- Future actions include auditing third-party containers, SSH hardening, and setting up proper monitoring.
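The container settings credited above with containing the miner (non-root UID, intact isolation) can be checked mechanically. The following audit over `docker inspect` output is an added example, not code from the original post; the two inspect records are constructed, with the first shaped like the hardened Umami container and the second deliberately misconfigured.

```python
"""Flag docker containers that lack the isolation properties that kept this
incident inside the container. Added example; sample records are constructed."""
import json

# Constructed `docker inspect` records (field names are the real ones).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/umami", "Config": {"User": "1001", "Image": "umami:latest"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "CapAdd": None, "PidMode": "", "Binds": None,
                    "SecurityOpt": ["no-new-privileges:true"]}},
    {"Name": "/legacy-app", "Config": {"User": "", "Image": "app:1.0"},
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "CapAdd": ["SYS_ADMIN"], "PidMode": "host",
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
                    "SecurityOpt": None}},
])

def audit_container(c):
    """Return a list of findings for one `docker inspect` record."""
    findings = []
    host = c.get("HostConfig", {})
    # Config.User may be "uid", "uid:gid", a name, or empty (defaults to root).
    user = (c.get("Config", {}).get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs as root (set a non-root UID such as 1001)")
    if host.get("Privileged"):
        findings.append("privileged container (isolation effectively disabled)")
    if host.get("NetworkMode") == "host":
        findings.append("host networking (bypasses network isolation)")
    if host.get("PidMode") == "host":
        findings.append("shares the host PID namespace")
    for cap in host.get("CapAdd") or []:
        findings.append(f"extra capability {cap}")
    for bind in host.get("Binds") or []:
        if bind.startswith("/var/run/docker.sock"):
            findings.append("docker socket mounted (equivalent to root on host)")
    if "no-new-privileges:true" not in (host.get("SecurityOpt") or []):
        findings.append("no-new-privileges not set")
    return findings

def audit_all(inspect_json):
    """Map container name -> findings; an empty list means the container passed."""
    return {c["Name"].lstrip("/"): audit_container(c)
            for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, issues in audit_all(SAMPLE_INSPECT).items():
        print(name, "OK" if not issues else issues)
```

Against a live host, feed it `docker inspect $(docker ps -q)` instead of the constructed sample.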