<!doctype html><html lang=en dir=auto><head><meta charset=utf-8><meta name=viewport content="width=device-width,initial-scale=1"><title>Drone CI and Crypto Honeypots 💰🍯📚 | Jake Hillion</title><meta name=author content="Jake Hillion"><meta name=keywords content="Home Lab,Proxmox,Drone,Gitea,Continuous Integration"><link rel=canonical href=https://blog.hillion.co.uk/posts/drone-hack/><meta property="article:published_time" content="2022-03-07T18:00:00+00:00"></head><body>
<main class=main><article class=post-single><header class=post-header><h1 class=post-title>Drone CI and Crypto Honeypots 💰🍯📚</h1><div class=post-meta><span title='2022-03-07 18:00:00 +0000 UTC'>March 7, 2022</span> · 4 min · Jake Hillion</div></header><div class=post-content><p>One gloomy Tuesday evening, I SSHed into my CI server and ran <code>htop</code> as I had hundreds of times before. 
The machine is pinned running my jobs, but wait… Something is wrong.</p><figure><img loading=lazy src=images/large_htop.png><figcaption>htop showing bad things</figcaption></figure><p>I certainly wasn’t running any jobs involving Tensorflow, and I’m not in the habit of mining cryptocurrencies on my CI server.</p><p>This post will cover the series of events that led to this happening, what happened, and the learnings I’ve taken away from it.</p><h2 id=a-series-of-unfortunate-events->A series of unfortunate events ⛈</h2><p>The first blow? I’ve been posting <a href=/posts/weekly-2022-02-28/>weekly updates</a> on this blog which include a variety of links to my <a href=https://gitea.hillion.co.uk>self-hosted Gitea server</a>. As this blog is crawled by Google, my Gitea site got crawled too. That means that all of my code is now indexed by Google. Cool! What it also means is that people searching for Gitea servers to exploit can now easily find mine too.</p><p>Secondly, my self-hosted Gitea instance was set up to allow anyone with a valid email address to register. That is, they’d register and receive an address validation email, and completing that validation creates a full account. In the past this hasn’t been an issue, and has allowed friends/colleagues to create their own accounts without my intervention. However, soon after being indexed by Google, somebody took advantage.</p><p>Finally, my self-hosted CI server authenticates via my Gitea server. Therefore, anyone with an account on my Gitea server can start running CI jobs. 
This is of course useful for the same reasons as above, but combined means that anyone with a valid email address was allowed to use my CI server.</p><h2 id=crypto-honeypots->Crypto honeypots 💰🍯</h2><p>While I originally felt like my space had been invaded, I realised after some thought that very little damage had been done. At the cost of a bit of CPU time, I’d been given a firm wake-up call about holes in the security of my systems, rather than having an attacker poke around for something more juicy.</p><p>This situation immediately reminded me of the <a href=https://mirage.io/blog/bitcoin-pinata-results>Mirage bitcoin pinata</a>. The Mirage team were happy to give away some Bitcoin in exchange for learning about the flaws in their system. Still in the world of crypto, I gave away some CPU time to learn about gaps in my security.</p><h2 id=the-learnings->The learnings 📚</h2><h3 id=what-went-wrong>What went wrong</h3><p><strong>Too trusting of the Internet.</strong> Until Tuesday, anyone with a valid email address could register on my Gitea server - intentionally! This is now locked down to a few friendly domains.</p><p><strong>Forgetting unintended use cases.</strong> While undeniably a powerful tool, CI servers have literally the purpose of remote code execution. Containerisation protects the host, but not the network it lives in.</p><p><strong>Internal firewalls are important.</strong> My external firewalls are pretty strong, but protection against internal threats was very weak. Banning my virtual machines from private network access, except w</p>
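<p>The chain above has two links that configuration alone can close: Gitea handing a full account to anyone who can confirm an email address, and Drone accepting every Gitea login as a CI user. What follows is an added example, not code from the original post or from either project. It embeds constructed before/after fragments of Gitea's <code>app.ini</code> <code>[service]</code> section and of the Drone server environment (hostnames, domains and usernames are placeholders) and reports, for each side, whether a stranger with a confirmable email address could still end up running jobs. The key names are the real ones: Gitea's <code>DISABLE_REGISTRATION</code> and <code>EMAIL_DOMAIN_WHITELIST</code> (spelt <code>EMAIL_DOMAIN_ALLOWLIST</code> in newer releases, so both are checked), and Drone's <code>DRONE_REGISTRATION_CLOSED</code> and <code>DRONE_USER_FILTER</code>.</p>

```shell
#!/bin/sh
# Added example, not code from the original post: audit the two settings that
# formed the chain above (open Gitea self-registration feeding a Drone server
# that trusts every Gitea login). The config fragments are constructed for
# illustration; hostnames, domains and usernames are placeholders. Key names are
# the real Gitea app.ini [service] keys and Drone server environment variables.
set -u

# Gitea [service] section as it was: anyone who can confirm an email address
# gets a full account, and no domain restriction is configured.
GITEA_WEAK='
[service]
DISABLE_REGISTRATION = false
REGISTER_EMAIL_CONFIRM = true
EMAIL_DOMAIN_WHITELIST =
'

# Hardened: self-registration survives, but only for a few trusted domains.
# (Newer Gitea releases spell this key EMAIL_DOMAIN_ALLOWLIST; both are checked.)
GITEA_HARDENED='
[service]
DISABLE_REGISTRATION = false
REGISTER_EMAIL_CONFIRM = true
EMAIL_DOMAIN_WHITELIST = example.org,example.ac.uk
'

# Drone server environment as it was: every account the Gitea OAuth login
# returns is accepted, so a Gitea account is all an attacker needs to run jobs.
DRONE_WEAK='
DRONE_GITEA_SERVER=https://gitea.example.org
DRONE_GITEA_CLIENT_ID=placeholder
DRONE_RPC_SECRET=placeholder
'

# Hardened: Drone stops accepting new users on its own, independent of Gitea,
# and only the listed accounts / organisation members may register at all.
DRONE_HARDENED='
DRONE_GITEA_SERVER=https://gitea.example.org
DRONE_GITEA_CLIENT_ID=placeholder
DRONE_RPC_SECRET=placeholder
DRONE_REGISTRATION_CLOSED=true
DRONE_USER_FILTER=jake,friendly-org
'

# Print the value of one key from the [service] section of an app.ini read on
# stdin (empty output if the key is absent or has no value).
gitea_service_value() {
    awk -v key="$1" '
        /^\[/ { in_service = ($0 == "[service]"); next }
        in_service && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }'
}

# Verdict for Gitea: "open" when any confirmable address can self-register,
# "restricted" when registration is disabled or limited to listed domains.
gitea_registration() {
    disabled=$(printf '%s\n' "$1" | gitea_service_value DISABLE_REGISTRATION)
    domains=$(printf '%s\n' "$1" | gitea_service_value EMAIL_DOMAIN_ALLOWLIST)
    [ -n "$domains" ] || domains=$(printf '%s\n' "$1" | gitea_service_value EMAIL_DOMAIN_WHITELIST)
    if [ "$disabled" = "true" ] || [ -n "$domains" ]; then
        echo restricted
    else
        echo open
    fi
}

# Verdict for Drone: "open" unless registration is closed or a user filter
# limits who may log in.
drone_registration() {
    closed=$(printf '%s\n' "$1" | sed -n 's/^DRONE_REGISTRATION_CLOSED=//p')
    filter=$(printf '%s\n' "$1" | sed -n 's/^DRONE_USER_FILTER=//p')
    if [ "$closed" = "true" ] || [ -n "$filter" ]; then
        echo restricted
    else
        echo open
    fi
}

# Either side being "open" reproduces the post's chain: a stranger with an
# email address ends up with remote code execution on the CI runner.
printf 'gitea: %s -> %s\n' "$(gitea_registration "$GITEA_WEAK")" "$(gitea_registration "$GITEA_HARDENED")"
printf 'drone: %s -> %s\n' "$(drone_registration "$DRONE_WEAK")" "$(drone_registration "$DRONE_HARDENED")"
```

<p>Against a live system, pass the real file with <code>gitea_registration "$(cat /etc/gitea/app.ini)"</code> and the Drone container's environment (from <code>docker inspect</code>, for instance) to <code>drone_registration</code>. Closing both sides matters because the Gitea allowlist only limits who can create an account; <code>DRONE_REGISTRATION_CLOSED</code> and <code>DRONE_USER_FILTER</code> keep Drone from trusting a Gitea account that slips through, and the filter accepts organisation names, so a friendly organisation is a convenient way to let colleagues in without listing each account.</p>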
</div></article></main></body></html>