21691aa042
Security Incident #2 Emergency Response (Jan 9, 2026): - Documented second compromise with NEW crypto miners (softirq, vrarhpb) - Root cause: Docker image auto-restarted after server reboot - Emergency mitigation completed (processes killed, container/images removed, load normalized) - Created comprehensive rebuild task document: TASK_REBUILD_DAARION_WEB.md - Updated INFRASTRUCTURE.md v2.3.0 with Incident #2 timeline and lessons learned - Updated infrastructure_quick_ref.ipynb v2.2.0 with security status Critical Changes: - daarion-web container permanently disabled until secure rebuild - Docker images DELETED (not just container stopped) - Enhanced firewall rules (SSH rate limiting, port scan blocking) - Retry test registered with Hetzner - System load normalized: 30+ → 4.19 - Zombie processes cleaned: 1499 → 5 Files Created/Updated: 1. TASK_REBUILD_DAARION_WEB.md - Detailed rebuild instructions for Cursor agent 2. INFRASTRUCTURE.md - Added Incident #2 to Security section 3. docs/infrastructure_quick_ref.ipynb - Updated security status and version Lessons Learned: - ALWAYS delete Docker images, not just containers - Auto-restart policies are dangerous for compromised containers - Complete removal = container + image + restart policy change Status: Emergency mitigation complete, statement submission pending (deadline: 2026-01-09 12:54 UTC) Hetzner Incident ID: 10F3971:2A (AbuseID) Co-Authored-By: Warp <agent@warp.dev>
31 KiB
31 KiB