A Korean Cardano stake pool operator, who runs the Happy pool, has reported that all of his staking rewards were transferred to an unknown party after a security breach of his core node.
The operator, who identified himself as Jun, disclosed the incident on the official Cardano forum. He accepted that he is to blame for the loss, but said he believes sharing the details will let other stake pool operators, especially those who are not security experts, learn from his mistake.
Jun's "huge mistake", as he called it, led to the compromise of his core node. In his cautionary post he also shared the security settings of his node.
He said those settings were not the problem; the trouble started when he began "experimenting the docker, to dockerize" his node so that deployment and setup would be painless.
While membership of the docker group is itself a privilege on the host, the decisive fault was that Jun exposed the Docker engine's socket on TCP port 2375 and opened that port. Port 2375 is the conventional port for the unencrypted, unauthenticated Docker API, so anyone who can reach it can create containers, and with them run commands as root on the host.
"I just liked [sic] docker socket to external port and opened it", he said, explaining that he only wanted to make the Docker engine easy to reach from outside.
By his own account, inexperience with Docker was a major cause: he did not believe attackers could get into his node through Docker. Jun said he understands that it was a silly mistake and is sure everyone will blame him for it.
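The exposure described above is a configuration that can be checked before an attacker finds it. The following Python script is added here as an example and is not code from the original post or from Jun. It audits the `hosts` list of a Docker `daemon.json`, or a `dockerd` ExecStart line from a systemd drop-in, for TCP listeners that have no TLS, have TLS without client-certificate verification, or are bound to all interfaces. The sample configurations, file paths and IP addresses in it are constructed for illustration; the hardened sample shows the shape of a correct setup (TLS with `tlsverify`, a non-default port, an internal bind address).

```python
import json
import shlex
from dataclasses import dataclass

# Constructed sample daemon.json (not Jun's file). It mirrors the risky setup
# described in the post: the Docker API bound to every interface on 2375
# with no TLS at all.
RISKY_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
"""

# Constructed hardened counterpart: TLS required, client certificates
# verified against a private CA, listener bound to one internal address.
# Paths and address are placeholders.
HARDENED_DAEMON_JSON = """
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tls": true,
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
"""

# Constructed ExecStart line of the kind found in a systemd drop-in
# (/etc/systemd/system/docker.service.d/override.conf); the same risky
# pattern expressed on the command line instead of in daemon.json.
RISKY_EXECSTART = "/usr/bin/dockerd -H unix:///var/run/docker.sock -H tcp://0.0.0.0:2375"


@dataclass(frozen=True)
class Finding:
    listener: str
    severity: str
    reason: str


def _tcp_listeners(hosts):
    """Yield (entry, address, port) for every tcp:// entry in a hosts list."""
    for h in hosts:
        if h.startswith("tcp://"):
            addr, _, port = h[len("tcp://"):].rpartition(":")
            yield h, addr, port


def audit_hosts(hosts, tls, tlsverify):
    """Rate each TCP listener. No TLS means anyone who can reach the port has
    root on the host; TLS without client verification still admits any client;
    binding to all interfaces widens exposure in either case."""
    findings = []
    for listener, addr, _port in _tcp_listeners(hosts):
        if not tls:
            findings.append(Finding(listener, "critical",
                "unencrypted, unauthenticated Docker API (remote root)"))
        elif not tlsverify:
            findings.append(Finding(listener, "high",
                "TLS enabled but client certificates are not verified"))
        if addr in ("0.0.0.0", "[::]", "::"):
            findings.append(Finding(listener, "medium",
                "bound to all interfaces; restrict to an internal address"))
    return findings


def audit_daemon_json(text):
    """Audit the contents of /etc/docker/daemon.json."""
    cfg = json.loads(text)
    return audit_hosts(cfg.get("hosts", []),
                       bool(cfg.get("tls")), bool(cfg.get("tlsverify")))


def audit_execstart(line):
    """Audit a dockerd command line: -H/--host, --tls and --tlsverify."""
    argv = shlex.split(line)
    hosts, tls, tlsverify = [], False, False
    i = 0
    while i < len(argv):
        a = argv[i]
        if a in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
            i += 2
            continue
        if a.startswith("--host="):
            hosts.append(a.split("=", 1)[1])
        elif a in ("--tls", "--tls=true"):
            tls = True
        elif a in ("--tlsverify", "--tlsverify=true"):
            tls = tlsverify = True  # --tlsverify implies --tls in dockerd
        i += 1
    return audit_hosts(hosts, tls, tlsverify)


if __name__ == "__main__":
    for label, findings in (("risky daemon.json", audit_daemon_json(RISKY_DAEMON_JSON)),
                            ("hardened daemon.json", audit_daemon_json(HARDENED_DAEMON_JSON)),
                            ("risky ExecStart", audit_execstart(RISKY_EXECSTART))):
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print(f"  [{f.severity}] {f.listener}: {f.reason}")
```

Run it against your own `/etc/docker/daemon.json` and the output of `systemctl cat docker` to see which ExecStart is in force. Any `critical` finding means the host is already reachable as root by whoever can connect; close the port first, then rotate every key that was ever on the machine.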
The first visible symptom was that his pledge dropped to the amount he had set before adding his ITN (Incentivized Testnet) rewards, 740,000 ADA. Jun initially put this down to a very long-lived transaction, since he had set the TTL to 10000.
Jun then compounded the error by uploading his cold key to the node and unzipping it there, violating the rule that you should never upload key files to a machine once you notice a change to your pool that you did not make yourself.
It became clear to Jun that he had been attacked when he increased his pledge by 1 million again and, an hour later, it had dropped back to 740k.
He found that all of his pledge had been moved by the attacker in the following transaction: https://explorer.cardano.org/en/transaction?id=ef8ac1c667084018315cd080001a3d62d513afa51f1bcf1847684760afac2747
On closer investigation Jun found an unfamiliar Docker image, "zbrtgwlxz:latest", in his image list. He noted that this image is a hacking tool and should not be present on anyone's Docker host. An image or container you did not deploy on a host whose API was exposed is a strong indicator of compromise; comparing the output of `docker image ls` and `docker ps -a` against what you actually deployed is a quick first check.
Jun said he feels terrible about the mistake he made and the loss, but wanted to share the information as a warning to others.