According to some messages on Hotio’s Discord server from 2023-11-25, qBittorrent moved from fixed admin credentials to randomized at initialization. I think MrHotio’s message about that crypto miner was likely a joke about people installing the older vulnerable version and the efficiency of unauthorized people installing xrig on servers with default credentials.
If the author was pinned to an old version of the docker image and their server had an internet-visible IP, they probably got their server infected because of weak security defaults in the app installed on the image.
Edit: Scion9066’s comment shows that qBittorrent’s previous release version patches multiple security bugs, so vulnerabilities might apply to all versions older than about 1 week, not my guess of 2 years.
OP's system got compromised at some point; the images are clean.
Hell, if he didn't want to post his clickbait, he easily could have verified with a clean image on a known clean system.
A bit suspicious, don't you think?
Cryptominers have become adept at hiding their symptoms when users are looking/interactive.
Just use the best security hygiene — always use the newest version of the app, ensure the admin credentials aren’t low entropy/hard-coded, and hopefully that the admin panel isn’t internet accessible.
But there’s no evidence presented that it was hotio’s docker image on GCHR which was compromised, and there is reason to believe it might be an older, vulnerable version of qbittorrent in the docker image which was compromised.
The vulnerability: (credit crtasm)
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
OP's system got compromised.
Edit: it seems to be the consensus in the thread that OP was pwned and the docker images are clean. Please accept my apologies, hotio.
His system was compromised - hotio's containers are all clean
https://github.com/hotio/qbittorrent/pkgs/container/qbittorr...
Based on https://github.com/hotio/base
Should be traceable via GitHub Actions logs for anyone signed on - if it is indeed supply-chain and not a qbittorrent exploit or something else.
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
Perhaps take a class in sarcasm?
You all really think that hotio snuck a crypto miner in somehow with all clearly open source code - and not a single person but OP noticed for years?
So we should not deny the possibility of something off here.
/s
Monero is literally the only crypto that does what it says on the tin. Anonymous, decentralized, minable on commodity hardware. It basically solves internet micropayments.
If you run a website, instead of ads you could provide users with well-behaved "support this site by enabling cryptominer while browsing" toggle that defaults to off.
But no, that'd be "weird". Or in less gullible terms, it spooked some spooks (I mean in the Stirnerian sense, not the one the reader might be thinking of).
And, well, there you have it. 16 years after Satoshi people patting themselves on the shoulder, considering it a resounding success how BTC has become toothless enough for PayPal to adopt, ffs.
And as usual nobody putting 2 and 2 together till some hackers from some hellhole did.
And presumably some other big picture thinkers saw it, too, the ones in the opposite of a hellhole who poured literal billions to turn a global plea for financial liberty into the largest FUD cloud since the Halloween papers.
Ps. I do have such a binary on my machine as well,

  ps -ef | grep netservlet
  root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
The article author searched netservlet for these strings to detect the infection:
> $ strings /tmp/netservlet.elf | egrep -i 'stratum|pool|wallet|http|crypto|mining|eth|btc|pool'
Code and CI are all open source.
It looks like the app used weak hard-coded admin credentials back then. Appears to have been fixed in 2023.
> ps -ef | grep netservlet
> root 3708105 3665360 0 08:06 pts/2 00:00:00 grep netservlet
Probably not a dealbreaker for most but it might be hindering Bittorrent v2 adoption.
Looking at the downloads (I'm using brew) it seems that not many people use libtorrent2… (https://sourceforge.net/projects/qbittorrent/files/qbittorre...)
> Wed Jul 02nd 2025 - qBittorrent v5.1.2 release
> [...]
> qBittorrent v5.1.2 was released.
> SECURITY: It contains security fixes for the WebAPI, Rss and Search modules.

Read this article:
https://torrentfreak.com/qbittorrent-web-ui-exploited-to-min...
It mentions the app will use UPnP to expose itself automatically.
Remember that BitTorrent protocol is P2P, so it likely is accessible from the internet.
My suggestion is to wipe the image, update pull/run the newest version, and change the admin credentials after it starts up.
Can you check the contents of your qBittorrent.conf?
Their comments are extremely high confidence (failing to recognize that accidents and supply chain attacks do sometimes happen) and because they are new and posting frequently in the same thread, their account shows the signs of a bot/disinfo campaign (which does happen on HN).
You and anotherlogin448 have neither, but also show incredible aggression towards anyone pointing that out.
Your confidence might actually be warranted, but there's no reason for any one of us to take you at your word, and neither of you has given anything else.
No, but if you were to make 6 more comments under the same post all saying the same thing in an overly confident and aggressive tone, it would be.