Crypto Miner in hotio/qbittorrent

https://apogliaghi.com/2025/09/crypto-miner-in-hotio/qbittorrent/
76•tatoalo•1h ago

Comments

dalmo3•58m ago
It's a docker image, NOT qbittorrent.
thephyber•12m ago
For clarity: The post is about a server running a 3rd party docker image of qbittorrent.

But there’s no evidence presented that it was hotio’s docker image on GHCR which was compromised, and there is reason to believe it might be an older, vulnerable version of qbittorrent in the docker image which was compromised.

The vulnerability: (credit crtasm)

https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...

aquova•47m ago
hotio maintains a lot of Docker images. I suspect that if this is the case, there are a lot of people who would be affected

https://hotio.dev/containers/base/

IlikeKitties•36m ago
A lot around the ARR stack, which makes it likely to be used by many less knowledgeable users. Nice grift.
b-air•34m ago
Finally made an account on hackernews for this after years of reading. I just checked my Unraid server, I'm running five docker containers from Hotio - Prowlarr, Sonarr, Radarr, Overseerr, and Tautulli. If I remember correctly, I originally chose Hotio's configs due to there being a few extra settings missing from the standard images in the Unraid store. This was all to avoid learning anything about docker at the time, but since then I've gained a few skills so I'd say it's time for me to set up the containers myself. Thanks for posting this, I really only read HN so I would have missed this if it were anywhere else.
anotherlogin448•22m ago
There's no actual issue.

OP's system got compromised.

anotherlogin448•21m ago
And that also goes to show how hilariously wrong OP is.

His system was compromised - hotio's containers are all clean

ktosobcy•38m ago
Why use it when there is an official one: `https://github.com/qbittorrent/docker-qbittorrent-nox` ? o_O
Scion9066•34m ago
Lack of a tagged stable/release version with libtorrent 2.0 for one.
jgilias•36m ago
Well. An unpaid volunteer found a way to get paid!

/s

crtasm•35m ago
If the web UI is exposed that could explain how it got infected:

https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...

tatoalo•29m ago
In my case, web UI was behind qbittorrent auth + authelia, haven't seen suspected logs that would trace it back to that, really interesting though!
anotherlogin448•20m ago
It's 100% your system that caused the issue not hotio's container and there is no miner that exists

Perhaps take a class in sarcasm?

baobun•34m ago
Supposedly this image.

https://github.com/hotio/qbittorrent/pkgs/container/qbittorr...

Based on https://github.com/hotio/base

Should be traceable via GitHub Actions logs for anyone signed on - if it is indeed supply-chain and not a qbittorrent exploit or something else.

anotherlogin448•18m ago
Indeed. OP's investigation proves nothing other than that their device / system was compromised, and provides 0 evidence the container itself is the issue.
wok4899•29m ago
Omg! I am one of the users! Good find. I mainly use it for the built-in VPN facility; gluetun does not cut it. But now it's time to re-think. I thought my 2000+ Linux ISOs were causing medium CPU usage. But there is still no GPU, and on my Unraid server with 50+ docker containers running 24/7 the CPU load is 2.31 2.04 2.00, so I wonder whether mining ever triggered?

P.S. I do have such a binary on my machine as well:

ps -ef | grep netservlet
root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet

anotherlogin448•22m ago
OP got compromised there's no issue in any hotio container.

Code and CI is all open source.

thephyber•17m ago
My money is on the author not having updated their docker image version/tag in over 2 years.

It looks like the app used weak hard-coded admin credentials back then. Appears to have been fixed in 2023.

wok4899•11m ago
I am running, ghcr.io/hotio/qbittorrent:release-5.1.1
wok4899•13m ago
I have never exposed this container to the world, and my server does report the existence of such a binary. That is the reason, based on CPU usage, that I suspect mining never triggered.

> ps -ef | grep netservlet
> root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet

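The `ps -ef | grep netservlet` output quoted in the two comments above contains exactly one line, and that line is the grep command itself matching its own argument, so on its own it does not show a netservlet process running. Below is an added example (not code from the thread, from hotio, or from qBittorrent) of a process check that excludes the search from its own results, run over a constructed `ps -ef` sample with one self-matching grep and one hypothetical miner-like process (the path, PID and pool host are invented):

```shell
#!/bin/sh
# Added example (not from the thread, hotio, or qBittorrent): find a process
# by name without the search itself showing up as a hit. In "ps -ef | grep X"
# output, a line whose command is "grep X" is the grep, not X; a lone line
# like that means no process named X was running at that moment.

# real_matches NAME : reads "ps -ef" output on stdin and prints the lines whose
# command (field 8 onward) contains NAME, skipping grep/pgrep/awk searches for it.
real_matches() {
    awk -v name="$1" '
        index($0, name) > 0 {
            cmd = $8                      # first word of CMD in "ps -ef" output
            sub(/.*\//, "", cmd)          # strip any directory prefix
            if (cmd == "grep" || cmd == "egrep" || cmd == "pgrep" || cmd == "awk") next
            print
        }'
}

# exe_of PID : on Linux, the binary a PID is actually executing; this survives
# renaming or deleting the file on disk (a "(deleted)" suffix is itself a red flag).
exe_of() {
    readlink "/proc/$1/exe" 2>/dev/null
}

# Constructed sample "ps -ef" output (not real data): one grep matching itself
# and one hypothetical miner-like process, so the difference is visible.
SAMPLE_PS='UID        PID   PPID  C STIME TTY          TIME CMD
root         1      0  0 08:00 ?        00:00:02 /sbin/init
root   3708105 3665360  0 08:06 pts/2    00:00:00 grep netservlet
nobody 4123456      1 99 07:55 ?        01:12:33 /tmp/.x/netservlet -o pool.invalid:3333'

# count_real NAME : number of genuine matches in SAMPLE_PS (the grep is excluded).
count_real() {
    printf '%s\n' "$SAMPLE_PS" | real_matches "$1" | wc -l | tr -d ' '
}

# count_naive NAME : what "ps -ef | grep NAME | wc -l" would report (grep included).
count_naive() {
    printf '%s\n' "$SAMPLE_PS" | grep -c "$1"
}

# Usage: prints only the miner-like line, not the grep.
printf '%s\n' "$SAMPLE_PS" | real_matches netservlet
```

On a live host `pgrep -af netservlet` gives the same result without the self-match, and any hit is worth following up with `exe_of PID` and `cat /proc/PID/cgroup` to see which binary and which container (if any) the process actually belongs to, before attributing it to an image.
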
2OEH8eoCRo0•28m ago
Why do people use these stupid third-party container images?
anotherlogin448•23m ago
And yet everything is open source and easily auditable. Most likely OP got pwnd and clearly is unable to understand sarcasm.

You all really think that hotio snuck a crypto miner in somehow with all clearly open source code - and not a single person but OP noticed for years?

wok4899•5m ago
With the SSH/NPM supply chain attack, we all live in fear now. It just needs one very smart person to deploy such a hack. I'm not saying hotio did something; all I am saying is that with new information, we all should check our deployments. Along with OP I'm affected, even though I have never exposed the docker container to the world.

So we should not deny the possibility of something off here.

thephyber•21m ago
The article hasn’t proven that the infection is in the Docker image, let alone the newest version. It only suggests that they had the image installed, then (unknown time later) noticed the infection.

According to some messages on Hotio’s Discord server from 2023-11-25, qBitTorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xmrig on servers with default credentials.

If author was pinned to an old version of the docker image and their server had internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.

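The two conditions in the comment above, an image pinned to a build from before the credential change and a web UI reachable from the internet, can be triaged mechanically across a whole Docker host. The following is an added example (not from the thread, hotio, or qBittorrent) that flags containers meeting both. It works on text in the shape of `docker ps --format '{{.Names}}\t{{.Image}}\t{{.Ports}}'` and `docker images --format '{{.Repository}}:{{.Tag}}\t{{.CreatedAt}}'`; the sample rows, image tags and build dates below are constructed, and the cutoff date reuses the 2023-11-25 date the comment cites purely as a hypothetical threshold:

```shell
#!/bin/sh
# Added example (not from the thread, hotio, or qBittorrent): flag containers
# whose image was built before CUTOFF and which publish a port on every
# interface. Input is the tab-separated output of
#   docker ps     --format '{{.Names}}\t{{.Image}}\t{{.Ports}}'
#   docker images --format '{{.Repository}}:{{.Tag}}\t{{.CreatedAt}}'
# Here both are replaced by constructed sample text (hypothetical tags/dates).

row() { printf '%s\t%s\t%s\n' "$1" "$2" "$3"; }

# Constructed "docker ps" rows: only the first two publish on all interfaces.
CONTAINERS=$(
  row qbittorrent ghcr.io/hotio/qbittorrent:release-4.5.2 '0.0.0.0:8080->8080/tcp, :::8080->8080/tcp'
  row sonarr      ghcr.io/hotio/sonarr:release-4.0.0      '127.0.0.1:8989->8989/tcp'
  row radarr      ghcr.io/hotio/radarr:release-5.0.0      '0.0.0.0:7878->7878/tcp'
)

# Constructed "docker images" rows: CreatedAt in docker's own date format.
IMAGES=$(
  printf '%s\t%s\n' ghcr.io/hotio/qbittorrent:release-4.5.2 '2023-03-01 10:00:00 +0000 UTC'
  printf '%s\t%s\n' ghcr.io/hotio/sonarr:release-4.0.0      '2024-01-15 10:00:00 +0000 UTC'
  printf '%s\t%s\n' ghcr.io/hotio/radarr:release-5.0.0      '2025-08-01 10:00:00 +0000 UTC'
)

# triage CUTOFF : print the names of containers whose image was created before
# CUTOFF (YYYY-MM-DD) and which publish a port on 0.0.0.0 or :: (all interfaces).
# Images missing from IMAGES are skipped, so feed both listings from the same host.
triage() {
    printf '%s\n' "$CONTAINERS" | awk -F '\t' -v cutoff="$1" -v images="$IMAGES" '
        BEGIN {
            n = split(images, line, "\n")
            for (i = 1; i <= n; i++) {
                split(line[i], f, "\t")
                created[f[1]] = substr(f[2], 1, 10)   # YYYY-MM-DD sorts as a string
            }
        }
        {
            name = $1; image = $2; ports = $3
            exposed = (ports ~ /(^|, )0\.0\.0\.0:[0-9]+->/) || (ports ~ /(^|, ):::[0-9]+->/)
            stale   = (image in created) && (created[image] < cutoff)
            if (exposed && stale) print name
        }'
}

# Usage: with the constructed data only "qbittorrent" is both exposed and stale.
triage 2023-11-25
```

A port published on 0.0.0.0 is only reachable from the internet if the host itself is, so the output is a worklist rather than a verdict; and because a moving tag such as `release-x.y.z` can be rebuilt, the image creation date says when the local copy was pulled, not what the registry currently serves (`docker image inspect --format '{{index .RepoDigests 0}}' IMAGE` gives the digest to compare against the registry).
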
anotherlogin448•19m ago
The comment was 100% in jest / sarcasm.

OP's system got compromised at some point; the images are clean.

Hell if he didn't want to post his clickbait he easily could have verified with a clean image on a known clean system

bakugo•3m ago
Brand new account, 7 different comments on this post, all aggressively trying to discredit it.

A bit suspicious, don't you think?

ponchel•12m ago
Currently, on my own system, the docker container of qBitTorrent definitely doesn't seem to use more resources than it should.