1. Overview

A hijacked process incident indicates that an existing, expected process has been used in ways that are inconsistent with its normal behavior, for example by launching child processes it never spawns under legitimate operation. This type of incident can be a sign that the process has been exploited to compromise the container it runs in.

2. Investigation

The following incident shows that java, which is an expected process in this Struts2 container, has launched a bash shell. This is decidedly unexpected behavior. You can also see that it wrote out a suspicious new hidden file named .java.

[Screenshot: hijacked process incident]

The first step in an investigation is to determine whether this is indeed malicious behavior. Reviewing the audit logs under Monitor > Events > Container Audits shows a troubling pattern of behavior: a number of commands are being executed by the java process, including copying the sensitive /etc/passwd file.

[Screenshot: hijacked process audits]

The next step in the investigation is to determine how an attacker was able to hijack the process. A likely culprit is a vulnerability in the code deployed to the container. Reviewing the vulnerability scan report for the underlying image shows that it contains a package with a remote code execution vulnerability for which public exploit code is readily available.

[Screenshot: hijacked process vulns]

Reviewing the application logs for this container, with docker logs <CONTAINER-NAME>, shows errors consistent with the exploitation of CVE-2017-5638 (the Apache Struts 2 Jakarta Multipart parser flaw, in which an OGNL expression placed in a crafted Content-Type header is evaluated while Struts builds the error message for the rejected request). Because the rejected header is echoed into that error, the OGNL payload itself is usually visible in the application log, which makes it a useful confirmation that the hijack started with this vulnerability.
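The triage steps above (an expected process spawning a shell, a new hidden file, and OGNL payloads in the application log) can be checked from the Docker host as well as from the console. The script below is an added example, not part of the original page or of the product it documents: it assumes a container whose only expected process is java, that the host's docker CLI and ps accept the invocations shown, and that Struts echoes the rejected Content-Type header into its log. All sample data in demo() and the test is constructed.

```bash
#!/usr/bin/env bash
# Added triage helper for a hijacked java process in a Struts2 container.
# Not part of the original page; docker invocations, the log line format and
# the sample data below are assumptions/constructed for illustration.
set -u

# Markers that CVE-2017-5638 payloads carry in the Content-Type header. Struts
# echoes the rejected header into its error message, so they land in the log.
OGNL_PATTERN='%\{|#_memberAccess|@ognl\.OgnlContext|getRuntime\(\)\.exec'

# Print log lines (stdin) containing OGNL markers. Exit 0 if any matched, 1 if none.
flag_ognl_lines() {
    grep -E "$OGNL_PATTERN"
}

# Input (stdin): a header row followed by "pid ppid comm" columns, e.g. from
#   docker top <container> -eo pid,ppid,comm      (assumed invocation)
# Prints every shell whose parent is a java process.
flag_shell_children() {
    awk '
        NR == 1 { next }                                   # skip the ps header
        { pid[NR] = $1; ppid[NR] = $2; comm[NR] = $3 }
        $3 == "java" { java[$1] = 1 }                      # remember java PIDs
        END {
            for (i in pid)
                if ((ppid[i] in java) && comm[i] ~ /^(bash|sh|dash|ash)$/)
                    print pid[i], ppid[i], comm[i]
        }'
}

# Input (stdin): `docker diff <container>` output ("A /path" added, "C /path" changed).
# Prints added/changed entries that are hidden (dot-prefixed) or live in a scratch dir,
# which is where dropped tools like the .java file from the incident tend to appear.
flag_suspicious_diff() {
    awk '$1 ~ /^[AC]$/ {
        n = split($2, parts, "/"); base = parts[n]
        if (base ~ /^\./ || $2 ~ /^\/(tmp|dev\/shm|var\/tmp)\//) print
    }'
}

# Live use against a running container (assumes docker CLI access on the host).
triage_container() {
    local c="$1"
    echo "== shells spawned by java"
    docker top "$c" -eo pid,ppid,comm | flag_shell_children
    echo "== suspicious filesystem changes"
    docker diff "$c" | flag_suspicious_diff
    echo "== OGNL markers in application log"
    docker logs "$c" 2>&1 | flag_ognl_lines || echo "(none)"
}

# Offline demonstration on constructed sample data.
demo() {
    printf 'PID PPID COMMAND\n1 0 java\n57 1 bash\n60 57 cp\n' | flag_shell_children
    printf 'A /tmp/.java\nC /etc\nA /usr/local/tomcat/logs/catalina.out\n' | flag_suspicious_diff
    # Constructed log line; only the OGNL fragment is meaningful.
    printf '%s\n' "ERROR (constructed) rejected Content-Type: %{(#_='multipart/form-data').(#_memberAccess=@ognl.OgnlContext@DEFAULT_MEMBER_ACCESS)}" \
        | flag_ognl_lines || echo "(none)"
}

demo
```

Run `triage_container <CONTAINER-NAME>` on the host to repeat the three checks against a live container; the functions take their input on stdin, so the same filters can be pointed at saved `docker top`, `docker diff` and `docker logs` output captured during incident response.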