How My Home Server Was Hacked


Hey 👋,

Last year I decided to reuse an old MacBook (early 2011) as a home server.

I installed a Linux distro (Ubuntu server) and added a couple of hard drives via USB.

The main purpose of it was to use it as a torrent box. After a quick investigation I installed qbittorrent-nox.

📝 qbittorrent-nox is the version of qBittorrent without the X (graphical) interface; it is controlled through its Web UI instead.

The same day, when I was about to go to sleep, I heard a strange noise in my office. I entered the room and found that the source of the noise was the MacBook's fan. Odd.

I checked the processes and there was a journald process consuming all the CPU.

After a couple of searches it seemed like this could happen if you get a lot of error logs.

I had just installed everything so I assumed there would be some error. I shut down the machine and went to sleep.

The next day I turned it on and the same happened. CPU was high.

I will omit the multiple rabbit holes I went through, but after a couple of hours I found out that my machine was in fact hacked.

In a nutshell: the journald process was not the real journald but a binary masquerading as a system process.

After some investigation the binary turned out to be a crypto miner.
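
The quickest manual check is `ls -l /proc/<pid>/exe`: the genuine daemon resolves to a packaged path such as `/usr/lib/systemd/systemd-journald` (and `systemctl status systemd-journald` reports the same PID), while a dropper usually runs from a writable directory and often unlinks itself, so the link ends in `(deleted)`. The script below automates that hunt over a table of processes. It is an added example, not code from the original post: the daemon name list, the trusted and suspicious path prefixes, and the sample process table are constructed for illustration, and `collect_from_proc()` only gives a complete picture when run as root on Linux.

```python
"""Hunt for processes that masquerade as system daemons.

Added example for this post, not the author's own tooling. Heuristics,
path prefixes and the SAMPLE_PROCS table are constructed assumptions;
collect_from_proc() builds the same table from /proc on a live Linux host.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Names a miner dropper tends to pick so it blends into `top`/`ps` output.
# Constructed list; extend it for your own environment.
SYSTEM_NAMES = {
    "journald", "systemd-journal", "systemd-journald", "kworker", "kthreadd",
    "ksoftirqd", "migration", "rcu_sched", "dbus-daemon", "sshd", "cron",
}

# Where packaged daemons live on Debian/Ubuntu (assumption for this example).
TRUSTED_PREFIXES = ("/usr/lib/systemd/", "/lib/systemd/", "/usr/lib/",
                    "/usr/bin/", "/usr/sbin/", "/bin/", "/sbin/")

# Writable, non-package locations a dropper typically writes to (assumption).
SUSPICIOUS_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


@dataclass
class Proc:
    pid: int
    comm: str              # /proc/<pid>/comm; the kernel truncates it to 15 chars
    exe: Optional[str]     # readlink(/proc/<pid>/exe); None for kernel threads
    cmdline: str = ""      # /proc/<pid>/cmdline with NULs replaced by spaces


def base_name(comm: str) -> str:
    """'kworker/u8:2' -> 'kworker': strip the per-instance suffix."""
    return re.split(r"[/:]", comm, maxsplit=1)[0]


def suspicion_reasons(p: Proc) -> List[str]:
    """Return the reasons a process looks like an impostor (empty if it looks fine)."""
    reasons: List[str] = []
    if p.exe is None:
        # Genuine kernel threads have no exe link AND an empty cmdline.
        if p.cmdline.strip():
            reasons.append("no exe link but has a cmdline")
        return reasons
    exe = p.exe
    if exe.endswith(" (deleted)"):
        reasons.append("binary was deleted after launch")
        exe = exe[: -len(" (deleted)")]
    if exe.startswith(SUSPICIOUS_PREFIXES):
        reasons.append(f"exe lives in a writable location: {exe}")
    if base_name(p.comm) in SYSTEM_NAMES and not exe.startswith(TRUSTED_PREFIXES):
        reasons.append(f"name '{p.comm}' mimics a daemon but exe is {exe}")
    if p.cmdline.startswith("[") and p.cmdline.rstrip().endswith("]"):
        # A bracketed cmdline is how ps shows kernel threads, which never have an exe.
        reasons.append("user process pretending to be a kernel thread")
    return reasons


def find_masquerading(procs: List[Proc]) -> Dict[int, List[str]]:
    """Map pid -> reasons for every process that triggers at least one heuristic."""
    return {p.pid: r for p in procs if (r := suspicion_reasons(p))}


def collect_from_proc() -> List[Proc]:
    """Build the process table from /proc (Linux only; run as root to read every exe)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited between listdir and read
        try:
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            exe = None  # kernel thread, or EACCES when not running as root
        procs.append(Proc(pid, comm, exe, cmdline))
    return procs


# Constructed sample: one real journald, one real kernel thread, two impostors.
SAMPLE_PROCS = [
    Proc(412, "systemd-journal", "/usr/lib/systemd/systemd-journald",
         "/usr/lib/systemd/systemd-journald"),
    Proc(2, "kthreadd", None, ""),
    Proc(31337, "journald", "/home/torrent/.config/qBittorrent/.x/journald (deleted)",
         "journald"),
    Proc(9000, "kworker/u8:2", "/tmp/.X11-unix/kworker", "[kworker/u8:2]"),
]

if __name__ == "__main__":
    table = collect_from_proc() if os.path.isdir("/proc") else SAMPLE_PROCS
    for pid, reasons in sorted(find_masquerading(table).items()):
        print(pid, "->", "; ".join(reasons))
```

Only the two impostors are reported; the real journald shows its packaged path and the real kernel thread has neither an exe link nor a cmdline. Treat a hit as a lead, not a verdict: confirm it with `systemctl status`, the package manager (`dpkg -S` on the exe path) and the process's network connections before pulling the plug.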

Once I realized what was going on I quickly found some references to a bug in the qBittorrent Web UI that was being exploited to mine cryptocurrency.

The root cause was a combination of two:

  1. I did not change the default user/password for the web UI. My fault.
  2. By default, qBittorrent comes with UPnP enabled, which asks the router to forward the port and so opens the Web UI port to the internet. Who thought that was a sane default?

As you can imagine, this was shocking to me.

I would never have thought this could happen; I somehow assumed all of these things were closed by default.

Actions I took:

But I was still paranoid that the malware had done something else I had missed. And since the machine had only just been set up, I simply formatted it and reinstalled everything, just in case.

And this is the story of how I got a Linux machine hacked for the first time in my life.