Docker: unknown container and image - system breach?

  • How can I check the origin of this container?
  • Who installed it?

You can inspect it to see the definition of the container. But who submitted it is unknown since the docker socket doesn't track who connected (I don't think there's much of a way to do that beyond configuring TLS).

  • How can I check when it was active?

13 days ago, created and exited, probably shortly after creation.

  • Does it originate from a trustworthy source (e.g. Docker Hub)?

The original image is no longer tagged on your host. I wouldn't say Docker Hub is implicitly trustworthy either, similar to how anyone can create a GitHub repo and upload anything.

  • Is this kind of hacking possible / common?

If you were hacked 13 days ago, you'd likely be running a cryptocurrency miner or have your drive encrypted by now.

As for the container name, suspicious_johnson is an automatically generated name. Suspicious is the adjective, and Johnson refers to:

// Katherine Coleman Goble Johnson - American physicist and mathematician contributed to the NASA. https://en.wikipedia.org/wiki/Katherine_Johnson

Ref: https://github.com/moby/moby/blob/master/pkg/namesgenerator/names-generator.go

The container is what you would see from running docker run ... pacman ... on the CLI (where the image name and other args aren't known from this output, but more detail may be visible in the inspect).
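Added example, not part of the original answer: a Python helper that reduces the JSON printed by docker inspect <container> to the fields that answer the questions above (what ran, from which image ID, when, for how long) and flags host-exposing settings. The sample JSON is constructed, and the names triage, SENSITIVE and the flag labels are assumptions of this example.

```python
import json
import re
from datetime import datetime

ZERO_TIME = "0001-01-01T00:00:00Z"  # Docker's value for "never happened"
SENSITIVE = ("/", "/var/run/docker.sock")  # assumed list of host paths worth flagging

# Constructed sample in the shape of `docker inspect` output; not from the asker's host.
SAMPLE = json.dumps([{
    "Name": "/suspicious_johnson",
    "Created": "2024-01-01T10:00:00.123456789Z",
    "Image": "sha256:" + "ab" * 32,
    "Config": {"Image": "sha256:" + "ab" * 32, "Entrypoint": None, "Cmd": ["pacman"]},
    "State": {"Status": "exited", "ExitCode": 1,
              "StartedAt": "2024-01-01T10:00:00.987654321Z",
              "FinishedAt": "2024-01-01T10:00:02.000000001Z"},
    "HostConfig": {"Privileged": False, "NetworkMode": "default", "PidMode": ""},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock", "RW": True}],
}])

def _ts(value):
    """Parse Docker's UTC RFC 3339 timestamp to whole seconds; None if unset."""
    m = re.match(r"\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d", value or "")
    if not m or value == ZERO_TIME:
        return None
    return datetime.strptime(m.group(0), "%Y-%m-%dT%H:%M:%S")

def triage(inspect_json):
    """Summarise the first container in `docker inspect` JSON for incident triage."""
    c = json.loads(inspect_json)[0]
    state, host, cfg = c["State"], c["HostConfig"], c["Config"]
    started, finished = _ts(state["StartedAt"]), _ts(state["FinishedAt"])
    checks = (("Privileged", True, "privileged"), ("NetworkMode", "host", "host-network"),
              ("PidMode", "host", "host-pid"))
    flags = [label for key, want, label in checks if host.get(key) == want]
    flags += ["bind:" + m["Source"] for m in c.get("Mounts", [])
              if m.get("Type") == "bind" and m.get("Source") in SENSITIVE]
    return {
        "name": c["Name"].lstrip("/"),
        "image_id": c["Image"],  # survives even when the tag is gone
        "command": (cfg.get("Entrypoint") or []) + (cfg.get("Cmd") or []),
        "created": c["Created"],
        "ever_started": started is not None,  # False: created but never run
        "ran_seconds": (finished - started).total_seconds() if started and finished else None,
        "exit_code": state["ExitCode"],
        "risk_flags": flags,
    }

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

On a real host, pass it the output of docker inspect for the container in question instead of SAMPLE.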