[GeoNode-users] GeoNode containers compromised
Anderson Soares Ferreira
anderson.soares at embrapa.br
Thu Sep 19 07:49:37 PDT 2024
Dear users,
We maintain a GeoNode instance that is currently running version 4.1.3.
The environment has been up and running since July 2023.
About a month ago I noticed abnormal CPU utilization on the GeoNode
server, and after some inspection I discovered that the Django container
had been compromised and was being used for cryptocurrency mining. The
attacker was able to upload the mining utility to the container's tmp
directory and start it remotely.
At that time I stopped and recreated the containers, and nothing else
happened until this week.
Yesterday the host server started showing elevated CPU utilization
again, but this time the compromised container was the GeoServer one, and
the mining utility was uploaded to Tomcat's tmp directory.
I've been trying to understand the mechanism used to compromise the
containers, but the fact that two different containers were compromised
made things a little more complicated.
I've checked the CVEs related to GeoNode, and of all of them the most
likely to have been exploited was CVE-2023-28442, but our environment was
already patched against it. The HTTP logs from our reverse proxy didn't
help either, and I'm out of ideas on how to solve this problem.
Although a system upgrade to a more recent stable version is planned for
the near future, I would prefer to at least mitigate the issue as soon as
possible.
Has anyone experienced a similar issue? How was it solved?
Any clue would be appreciated.
Best regards,
Anderson
----
Anderson Soares Ferreira - anderson.soares at embrapa.br
Núcleo de Tecnologia da Informação - NTI
Embrapa Territorial
Tel.: (19) 3211-6200
--
__________________________
Confidentiality note
This message from
Empresa Brasileira de Pesquisa Agropecuaria (Embrapa), a government
company established under Brazilian law (5.851/72), is directed
exclusively to its addressee and may contain confidential data,
protected under professional secrecy rules. Its unauthorized use is
illegal and may subject the transgressor to the law's penalties. If you
are not the addressee, please send it back, elucidating the failure.
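The two incidents above share one observable: a payload written to a world-writable tmp directory inside a container and then executed from there. The following triage helper is an added example, not code from the original poster, GeoNode or GeoServer. It assumes you have captured, from inside a still-running container (for instance via `docker exec`), the output of `ps -eo pid,pcpu,user,comm,args` and a `find <tmpdir> -type f -perm -u+x` listing, and it flags processes whose executable lives in a tmp-style directory, annotates them with CPU usage, and lists executables dropped in those directories that are not currently running. The sample inputs, directory list and CPU threshold are constructed for illustration.

```python
"""Triage helper: find processes running out of tmp-style directories.

Added example, not code from GeoNode, GeoServer or the original poster.
Inputs are assumed to be captured inside the container, e.g.
  docker exec <container> ps -eo pid,pcpu,user,comm,args
  docker exec <container> find /tmp /usr/local/tomcat/temp -type f -perm -u+x
"""
from dataclasses import dataclass

# Directories that application code should never be executed from.
# The Tomcat temp path is an assumption; adjust it to your image.
SUSPECT_DIRS = ("/tmp", "/var/tmp", "/dev/shm", "/usr/local/tomcat/temp")
CPU_THRESHOLD = 50.0  # percent; assumed threshold for "abnormal" CPU use


@dataclass
class Finding:
    pid: int
    reason: str
    cmdline: str


def _in_suspect_dir(path: str) -> bool:
    """True if path sits directly in or below one of SUSPECT_DIRS."""
    return any(path == d or path.startswith(d + "/") for d in SUSPECT_DIRS)


def parse_ps(text: str):
    """Parse `ps -eo pid,pcpu,user,comm,args` output into dicts.

    The args column is split off last so that spaces in it survive.
    """
    rows = []
    for line in text.strip().splitlines()[1:]:  # first line is the header
        parts = line.split(None, 4)
        if len(parts) < 5:
            continue
        pid, pcpu, user, comm, args = parts
        rows.append({"pid": int(pid), "pcpu": float(pcpu),
                     "user": user, "comm": comm, "args": args})
    return rows


def triage(ps_text: str, tmp_listing: str):
    """Return (findings, dormant_files).

    findings: processes whose argv[0] is inside a suspect directory,
              annotated with CPU usage when it exceeds CPU_THRESHOLD.
    dormant_files: executables found in suspect directories that have no
              running process, i.e. droppers or a second-stage not yet run.
    """
    executables = {p.strip() for p in tmp_listing.splitlines() if p.strip()}
    running_paths = set()
    findings = []
    for proc in parse_ps(ps_text):
        argv0 = proc["args"].split()[0]
        running_paths.add(argv0)
        reasons = []
        if _in_suspect_dir(argv0):
            reasons.append(f"runs from {argv0}")
        if reasons and proc["pcpu"] >= CPU_THRESHOLD:
            reasons.append(f"{proc['pcpu']:.1f}% CPU")
        if reasons:
            findings.append(Finding(proc["pid"], "; ".join(reasons), proc["args"]))
    dormant = sorted(e for e in executables
                     if _in_suspect_dir(e) and e not in running_paths)
    return findings, dormant


# Constructed sample data, loosely modelled on a Django application
# container; none of it is taken from the poster's environment.
SAMPLE_PS = """\
  PID %CPU USER     COMMAND         COMMAND
    1  0.4 root     uwsgi           /usr/local/bin/uwsgi --ini /etc/uwsgi.ini
   17  3.1 root     celery          /usr/local/bin/celery -A geonode.celery_app worker
 4213 98.7 root     minerd          /tmp/.hidden/minerd -o pool.example.invalid:3333
"""
SAMPLE_TMP_LISTING = """\
/tmp/.hidden/minerd
/tmp/.hidden/update.sh
"""

if __name__ == "__main__":
    found, dormant = triage(SAMPLE_PS, SAMPLE_TMP_LISTING)
    for f in found:
        print(f"PID {f.pid}: {f.reason} :: {f.cmdline}")
    for path in dormant:
        print(f"dormant executable in tmp dir: {path}")
```

Run the captures before stopping or recreating the container; once it is gone, the binary, its command line and the pool it connected to are lost, and those are the details that distinguish one intrusion from a repeat. The check only identifies the running payload, not the entry vector, so the next step is to correlate the file timestamps in the tmp directory with the reverse proxy and application logs from the same window.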