Repocket/repocket:latest & traffmonetizer/cli_v2 keep auto installing

I am running Scale ElectricEel-24.10.0.2 and when I look in the app containers I see that traffmonetizer/cli_v2 and repocket/repocket:latest keep getting reinstalled even after I delete them. Are these apps used by TrueNAS somehow or are they being maliciously installed somehow? Any idea how I could troubleshoot this issue? I’m just not sure where to start looking.

Those don’t come from TrueNAS, and seem rather sketchy… I’d recommend locking down your box immediately and figuring out if somebody else has access to it.

I agree. The box is locked down but I’m wondering if another docker container is installing it? Are there relevant log files I can check?

Start checking out /var/log first, check docker in there, look at auth.log. I have no idea what setup you have and what other apps are installed, so that list is where I’d start hunting first. If you are running arbitrary containers, it’s possible you granted one of them permission to spin up new containers… Tools like Dockge / Portainer do that legitimately.
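An added example, not part of the thread: one way to find which containers have been "granted permission to spin up new containers" is to read `docker inspect` output and flag anything that mounts the Docker socket or runs privileged. The function names and the sample containers below are constructed for illustration.

```python
import json
import sys

# Host paths where the Docker Engine API socket normally lives.
SOCKET_PATHS = ("/var/run/docker.sock", "/run/docker.sock")

def can_control_docker(container):
    """Return the reasons (possibly none) this container can create other containers."""
    reasons = []
    for m in container.get("Mounts") or []:
        src = m.get("Source", "")
        if src in SOCKET_PATHS:
            # A read-only bind mount does not restrict the API: the socket still accepts requests.
            reasons.append(f"mounts {src} ({'rw' if m.get('RW') else 'ro'})")
        elif src in ("/", "/run", "/var/run"):
            reasons.append(f"mounts host {src}, which contains the socket")
    if (container.get("HostConfig") or {}).get("Privileged"):
        reasons.append("runs privileged")
    return reasons

def audit(inspect_json):
    """Map container name -> (image, reasons) for every container that can drive Docker."""
    findings = {}
    for c in json.loads(inspect_json):
        reasons = can_control_docker(c)
        if reasons:
            findings[c["Name"].lstrip("/")] = (c["Config"]["Image"], reasons)
    return findings

# Constructed sample in the shape `docker inspect` emits (only the fields used here).
SAMPLE = json.dumps([
    {"Name": "/dockge", "Config": {"Image": "louislam/dockge:1"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "RW": True}]},
    {"Name": "/watchtower", "Config": {"Image": "containrrr/watchtower"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock", "RW": False}]},
    {"Name": "/web", "Config": {"Image": "nginx:stable"},
     "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/mnt/tank/web", "RW": True}]},
    {"Name": "/backup", "Config": {"Image": "example/backup:1"},
     "HostConfig": {"Privileged": True}, "Mounts": []},
])

if __name__ == "__main__":
    # Real use reads `docker inspect` output from stdin; otherwise fall back to the sample.
    data = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for name, (image, reasons) in audit(data).items():
        print(f"{name}\t{image}\t{'; '.join(reasons)}")
```

On the host, pipe `docker inspect $(docker ps -aq)` into the script. Any flagged container you did not deploy yourself is a candidate for whatever keeps recreating the unwanted images.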

Are you actively stopping your server from reaching the Internet? If not, it’s not sufficiently locked down in this specific context where you may, or may not, have malware with root privileges.

I am running apps on docker that supply services through port 443 mostly. The SSH and root access is regulated by IP at the pfSense firewall. I am using Dockge and I wonder if it is spawning these two containers?

I’m seeing lots of these entries in syslog:

run-docker-runtime\x2drunc-moby-0a8032b92c7fce985560bcdd023f0dc63369974ea2dc7a1a4f78032d3a476e93-runc.umlsyp.mount: Deactivated successfully.

What ports you have open or allow in your firewall doesn’t matter if you have malware that will open a reverse shell out.

Edit: I’m going to add that the two apps you referred to in your first post are both apps that essentially “resell” your internet. If you didn’t install them, someone else did and is selling your bandwidth and pocketing the money. And that’s just the two apps you noticed. Who knows what else is going on.

My recommendation: nuke that install from orbit, change all your passwords. Unfortunately, the attacker may have a foothold on other devices in your network.

Does anyone know if “containrrr/watchtower” is installed by TrueNAS SCALE?

Watchtower is not installed by default.
Someone with access to your system made a choice to install it.

Watchtower is an app that helps keep other containers updated.