I run an Airflow instance (a Python process scheduler), which is used to trigger different Python ML processes that have no relation to crypto mining. This is the dockerized process that is running: https://github.com/puckel/docker-airflow I still have no idea if it's a false positive from Google's side or if someone actually got access to my instance and crypto-mined.
I received this E-mail from Google
Dear Developer,
We've detected that your Google Cloud Project xxxxx (id: xxxxx) is engaging in cryptocurrency mining, resulting in the suspension of all project resources displaying this behavior.
So I contacted support and got it reinstated and deleted and recreated the instance and it kept happening again and again. One funny thing is, after 2 hours of creating the instance (4 CPU, 10 GB RAM), the CPU usage goes up to 100% and I have no idea how it's happening. This is just a development server so my redis server wasn't password protected. Could it have caused the vulnerability?
To see the exact code that was running on the instance, you can look at another issue I posted: https://github.com/puckel/docker-airflow/issues/507
I got in touch with the trust and safety team and they gave the following information.
The flag that was raised and some discussion details from the GCP trust and safety team:
"The resources associated with your project are being suspended for cryptocurrency mining in violation of our Terms of Service.
abuse_start_timestamp: "2020-02-17 16:17"
abuse_stop_timestamp: "2020-02-17 16:25"
source_ips: "34.87.94.235"
destination_ips: "107.173.160.165"
urls: "107.173.160.165"
total_core_hours: 101.0
vm_resource_id_zone_name: "2080774995510078591:asia-southeast1-b"
vm_hostname_zone_name: "airflow:asia-southeast1-b"
remote_port_list: "5555"
"Is your project really meant to terminate to HIFormance or ColoCrossing in California, USA? That is the destination IP and URL (107.173.160.165) of the project per the log given. This is the result when I did multiple IP lookups."
"Port 5555 is what you would call a well known port. Sadly, this is associated to threats and trojans. More and more, it looks like the instance may have been hijacked. However, rather than play the guessing game, I would like to wait for the information from our Trust & Safety team."
I'm very new to security, so apologies if my questions are too stupid, but:
How can someone gain access to my instance to crypto mine on it?
Is CPU usage going to 100% a sign of crypto mining?
Can an unprotected Redis server be responsible for it?
I use SSH to log in to the VM; that couldn't be the reason, could it? If it were, my other instances would also be affected.
Would changing the IAM be helpful?
Could malicious Python/JS libraries be crypto mining in the background?
I'm quite lost on what to do, since my instance has been reinstated but I never got an explanation for how it was happening. Any help would be appreciated.
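The question of whether an unprotected Redis server could be the entry point comes down to three redis.conf settings: whether a password is required, which interfaces Redis binds to, and whether protected mode is on. The following audit script is an added example for this thread (not code from the docker-airflow project); the two config samples inside it are constructed, one with the development-style weak settings and one with them corrected, and the password in the hardened sample is a placeholder.

```python
"""Audit a redis.conf for the settings that leave an instance reachable
without authentication. Added example for this thread, not from the
docker-airflow project. Both config samples below are constructed."""
from typing import Dict, List

# Constructed sample: a development redis.conf with no password,
# listening on every interface, with protected mode switched off.
WEAK_CONF = """\
# redis.conf (constructed sample)
bind 0.0.0.0
protected-mode no
port 6379
# requirepass is commented out, so any client can issue commands
# requirepass s3cret
"""

# Constructed sample: the same file with the risky settings corrected.
# The password is a placeholder; generate a real one (e.g. openssl rand -hex 32).
HARDENED_CONF = """\
bind 127.0.0.1
protected-mode yes
port 6379
requirepass change-me-to-a-long-random-secret
rename-command CONFIG ""
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def parse_redis_conf(text: str) -> Dict[str, List[str]]:
    """Return directive -> list of argument strings, skipping comments and
    blank lines. Redis allows a directive to repeat (several `bind` lines),
    so every occurrence is kept, in file order."""
    directives: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, rest = line.partition(" ")
        directives.setdefault(name.lower(), []).append(rest.strip())
    return directives


def audit_redis_conf(text: str) -> List[str]:
    """Return human-readable findings; an empty list means none of the
    checked weaknesses is present. The last occurrence of a directive wins,
    which matches how Redis itself applies repeated settings."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    password = conf.get("requirepass", [""])[-1].strip("\"'")
    if not password:
        findings.append("no requirepass: any client that can reach the port can run commands")
    elif len(password) < 16:
        findings.append("requirepass is short; use a long random secret")

    # Redis 7 writes the IPv6 loopback as "-::1"; strip the optional "-" prefix.
    addrs = [a.lstrip("-") for value in conf.get("bind", []) for a in value.split()]
    if not addrs:
        findings.append("no bind directive: Redis listens on all interfaces by default")
    else:
        wild = [a for a in addrs if a in WILDCARD_BINDS]
        if wild:
            findings.append(f"bind {' '.join(wild)}: listening on all interfaces")

    if conf.get("protected-mode", ["yes"])[-1].lower() == "no":
        findings.append("protected-mode no: unauthenticated remote clients are not refused")

    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_redis_conf(conf) or ['ok']}")
```

One caveat for a docker-compose deployment like the one linked above: the Airflow containers reach Redis over the compose network by service name, so `bind 127.0.0.1` inside the Redis container would break them. In that setup the checks that matter are `requirepass` (with the matching password in the Celery broker URL) and making sure port 6379 is not published on the host; the bind check applies to a Redis installed directly on the VM.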
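The abuse report above gives two signals that can be checked on the VM itself: sustained CPU load and an established connection to a destination and port the workload has no reason to use. This triage helper is an added example, not part of the original post. It correlates `ps` output with `ss -tnp` output; the samples embedded in it are constructed (the PID, process name and internal addresses are made up), with the destination `107.173.160.165:5555` taken from the report. Treating a connection as outbound when its local port is not one of the VM's own service ports is a heuristic, not a guarantee.

```python
"""Correlate high-CPU processes with their established outbound connections.
Added example for this thread; the ps/ss samples below are constructed."""
import re
from typing import Dict, FrozenSet, List, Tuple

# Constructed sample of `ps -eo pid,pcpu,comm --no-headers`.
PS_SAMPLE = """\
    1  0.0 systemd
  812  2.1 python
 1337 98.6 unknown-bin
 1400  1.3 redis-server
"""

# Constructed sample of `ss -tnp state established` with the header removed.
# The peer 107.173.160.165:5555 is the destination/port from the abuse report.
SS_SAMPLE = """\
0 0 10.148.0.2:48122 107.173.160.165:5555 users:(("unknown-bin",pid=1337,fd=3))
0 0 10.148.0.2:6379 10.148.0.3:51210 users:(("redis-server",pid=1400,fd=7))
0 0 10.148.0.2:44010 203.0.113.10:443 users:(("python",pid=812,fd=12))
"""

SS_LINE = re.compile(
    r"^\s*\d+\s+\d+\s+(?P<local>\S+):(?P<lport>\d+)\s+(?P<peer>\S+):(?P<pport>\d+)"
    r'\s+users:\(\("(?P<comm>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ps(text: str) -> Dict[int, Tuple[str, float]]:
    """pid -> (command, %cpu) from `ps -eo pid,pcpu,comm --no-headers`."""
    procs: Dict[int, Tuple[str, float]] = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[0])] = (parts[2], float(parts[1]))
    return procs


def parse_ss(text: str) -> List[dict]:
    """Established TCP connections with owning process, from `ss -tnp`."""
    conns: List[dict] = []
    for line in text.splitlines():
        m = SS_LINE.match(line)
        if m:
            d = m.groupdict()
            conns.append({
                "pid": int(d["pid"]),
                "comm": d["comm"],
                "lport": int(d["lport"]),
                "pport": int(d["pport"]),
                "peer": f'{d["peer"]}:{d["pport"]}',
            })
    return conns


def suspicious_connections(
    ps_text: str,
    ss_text: str,
    cpu_threshold: float = 80.0,
    expected_peer_ports: FrozenSet[int] = frozenset({80, 443}),
    local_service_ports: FrozenSet[int] = frozenset({22, 6379, 8080}),
) -> List[Tuple[int, str, float, str]]:
    """Return (pid, comm, %cpu, peer) for processes at or above the CPU
    threshold that hold an outbound connection to a port outside the
    expected set. Connections whose local port is one of our own service
    ports are treated as inbound and skipped (heuristic)."""
    procs = parse_ps(ps_text)
    flagged: List[Tuple[int, str, float, str]] = []
    for c in parse_ss(ss_text):
        if c["lport"] in local_service_ports:
            continue
        if c["pport"] in expected_peer_ports:
            continue
        comm, cpu = procs.get(c["pid"], (c["comm"], 0.0))
        if cpu >= cpu_threshold:
            flagged.append((c["pid"], comm, cpu, c["peer"]))
    return sorted(flagged, key=lambda f: f[2], reverse=True)


if __name__ == "__main__":
    for pid, comm, cpu, peer in suspicious_connections(PS_SAMPLE, SS_SAMPLE):
        print(f"pid={pid} comm={comm} cpu={cpu}% peer={peer}")
```

On a live VM the two samples would come from running the `ps` and `ss` commands shown in the comments; a process that is new to the host, pegs a core and keeps a connection open to an unexpected destination is worth capturing (binary path, parent process, start time) before the instance is rebuilt, since that is the evidence a rebuild destroys.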