
[🐛 Bug]: Malware in last builds #2414

Closed
diamondevilteam opened this issue Sep 30, 2024 · 7 comments

Comments

@diamondevilteam

What happened?

Malware in last builds

Command used to start Selenium Grid with Docker (or Kubernetes)

version: "3"
services:
  chrome:
    image: selenium/node-chrome:4.25.0-20240922
    shm_size: 2gb
    depends_on:
      - selenium-hub
    environment:
      - SE_EVENT_BUS_HOST=selenium-hub
      - SE_EVENT_BUS_PUBLISH_PORT=4442
      - SE_EVENT_BUS_SUBSCRIBE_PORT=4443
      - SE_NODE_MAX_SESSIONS=100000
      - SE_NODE_OVERRIDE_MAX_SESSIONS=true
      - SE_NODE_SESSION_TIMEOUT=999999999
      - SE_SESSION_REQUEST_TIMEOUT=170
  selenium-hub:
    image: selenium/hub:4.25.0-20240922
    container_name: selenium-hub
    ports:
      - "4442:4442"
      - "4443:4443"
      - "4444:4444"

Relevant log output

I already wrote to you that you have had a malicious program in the build for a long time. This is a miner that starts hidden and loads the server. Malicious files do not appear immediately. Then they start loading the server (perfctl). It's built into the new builds!

/var/lib/docker/overlay2/41a1a0e4b67934f078c1271b8b08cf9e8092476bfc8066fbde28fa6c4db48270/merged/tmp/.perf.c/xvfb-run
https://www.virustotal.com/gui/file/22e4a57ac560ebe1eff8957906589f4dd5934ee555ebcc0f7ba613b07fad2c13

/var/lib/docker/overlay2/41a1a0e4b67934f078c1271b8b08cf9e8092476bfc8066fbde28fa6c4db48270/merged/tmp/.perf.c/perfctl
https://www.virustotal.com/gui/file/e16fb2a22fce5241565784b5a8518ed2becc9948d4c398093edbb70a946f9331

Operating System

Ubuntu

Docker Selenium version (image tag)

4.25.0-20240922

Selenium Grid chart version (chart version)

No response


@diamondevilteam, thank you for creating this issue. We will troubleshoot it as soon as we can.


Info for maintainers

Triage this issue by using labels.

If information is missing, add a helpful comment and then the I-issue-template label.

If the issue is a question, add the I-question label.

If the issue is valid but there is no time to troubleshoot it, consider adding the help wanted label.

If the issue requires changes or fixes from an external project (e.g., ChromeDriver, GeckoDriver, MSEdgeDriver, W3C), add the applicable G-* label, and it will provide the correct link and auto-close the issue.

After troubleshooting the issue, please add the R-awaiting answer label.

Thank you!

@VietND96
Member

Is this detected in the origin images pulled from Docker Hub? Or is it detected after the container has been running for a while in the system?
If it is the second situation, it could be an attack similar to this one: https://www.wiz.io/blog/seleniumgreed-cryptomining-exploit-attack-flow-remediation-steps

@diamondevilteam
Author

diamondevilteam commented Sep 30, 2024

after the container had been running in the system for some time?

After the container has been running in the system for some time. But all ports are closed to the outside in the firewall.

@VietND96
Member

VietND96 commented Oct 1, 2024

Referring to the blog post, the attack goes directly via a request to the Hub port 4444. In the request, the browser options set the executable path to /usr/bin/python3 and the script is added to the browser args.
Can you try the steps below to secure the Grid:

  • Enable basic auth in Hub
  • Expose the Hub port to another port that is not default 4444
  • Firewall config to filter known traffic to Hub
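
A defender-side check for the request shape described above, as an added example that is not part of this thread or of docker-selenium: it inspects a W3C new-session body (assumed to be captured by a reverse proxy or admission hook placed in front of the Hub) and flags browser-option binary overrides, the signal the blog post attributes to SeleniumGreed. The allowlist paths and the sample request bodies are constructed.

```python
import json

# Binaries a legitimate node should be asked to launch; anything else is suspect.
# Adjust to the browser paths inside your own node images (constructed list).
ALLOWED_BINARIES = {
    "",  # no override at all, the normal case
    "/usr/bin/google-chrome", "/opt/google/chrome/chrome",
    "/usr/bin/chromium", "/usr/bin/firefox", "/usr/bin/microsoft-edge",
}
# Vendor capability keys that carry a "binary" field.
BROWSER_OPTION_KEYS = ("goog:chromeOptions", "ms:edgeOptions", "moz:firefoxOptions")


def iter_capabilities(payload):
    """Yield every capability dict a new-session request can carry."""
    caps = payload.get("capabilities", {})
    if isinstance(caps.get("alwaysMatch"), dict):
        yield caps["alwaysMatch"]
    for fm in caps.get("firstMatch", []):
        if isinstance(fm, dict):
            yield fm
    if isinstance(payload.get("desiredCapabilities"), dict):  # legacy JSON Wire shape
        yield payload["desiredCapabilities"]


def check_new_session(body):
    """Return a list of findings for one POST /session body (str or bytes)."""
    try:
        payload = json.loads(body)
    except (ValueError, TypeError):
        return ["unparseable new-session body"]
    if not isinstance(payload, dict):
        return ["new-session body is not a JSON object"]
    findings = []
    for cap in iter_capabilities(payload):
        for key in BROWSER_OPTION_KEYS:
            opts = cap.get(key)
            if not isinstance(opts, dict):
                continue
            binary = opts.get("binary", "")
            if binary not in ALLOWED_BINARIES:
                # This is the pattern from the thread: binary pointed at an interpreter,
                # with the payload smuggled in through args.
                args = opts.get("args", [])
                findings.append(f"{key}.binary overridden to {binary!r} with {len(args)} args")
    return findings


# Constructed sample bodies: one normal headless session, one matching the described attack.
BENIGN_BODY = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome", "goog:chromeOptions": {"args": ["--headless=new"]}}}})
SUSPICIOUS_BODY = json.dumps({"capabilities": {"alwaysMatch": {
    "browserName": "chrome", "goog:chromeOptions": {
        "binary": "/usr/bin/python3", "args": ["-c", "<script omitted>"]}}}})
```

Any non-empty result is a reason to reject the session before the router forwards it to a node; the same check applies to firstMatch entries and to the legacy desiredCapabilities shape.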

@VietND96
Member

I am closing the ticket, since there is nothing actionable in the origin images; this relates to securing the Grid at runtime.

@VietND96 VietND96 closed this as not planned Oct 14, 2024

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.

@github-actions github-actions bot locked and limited conversation to collaborators Nov 14, 2024