Hijacked XMR Docker Servers

Hijacked Systems

All of the following IPs have the Docker API exposed and have been hijacked to mine XMR.

Docker Image

All appear to have the following image and command line.

        "Status": "Up 20 hours",
        "Created": 1536506330,
        "Image": "tmpdocker/xmr",
        "Labels": {},
        "NetworkSettings": {
            "Networks": {
                "bridge": {
                    "NetworkID": "REDACTED",
                    "MacAddress": "REDACTED",
                    "GlobalIPv6PrefixLen": 0,
                    "Links": null,
                    "GlobalIPv6Address": "",
                    "IPv6Gateway": "",
                    "DriverOpts": null,
                    "IPAMConfig": null,
                    "EndpointID": "REDACTED",
                    "IPPrefixLen": 16,
                    "IPAddress": "",
                    "Gateway": "",
                    "Aliases": null
                }
            }
        },
        "HostConfig": {
            "NetworkMode": "default"
        },
        "ImageID": "sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e",
        "State": "running",
        "Command": "./xmrig -o stratum+tcp:// -u -p x --safe -k",
        "Names": [
        "Mounts": [],
        "Id": "c0c4149d65341041d8c4b6577b24669e4bf74dcb0e327d12157ad5564ee2e792",
        "Ports": []

Miner Pool Details

All appear to use the same ProtonMail email address for the miner pool, connecting to stratum+tcp://
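To check your own daemon for the same infection, here is an added Python example (not from the gist) that parses a Docker Engine API container listing (the fields shown above are those of `GET /containers/json`) and flags records matching the image name, the ImageID and the xmrig/stratum command tokens from this note; the sample body is constructed and the IOC sets are assumptions taken from the listing above.

```python
import json

# Indicators taken from the container listing above (the ImageID is the one on the page).
IOC_IMAGES = {"tmpdocker/xmr"}
IOC_IMAGE_IDS = {"sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e"}
IOC_COMMAND_TOKENS = ("xmrig", "stratum+tcp://")

# Constructed sample /containers/json body: one hijacked container, one benign one.
SAMPLE_RESPONSE = json.dumps([
    {"Id": "c0c4149d65341041d8c4b6577b24669e4bf74dcb0e327d12157ad5564ee2e792",
     "Names": ["/REDACTED"], "Image": "tmpdocker/xmr",
     "ImageID": "sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e",
     "Command": "./xmrig -o stratum+tcp:// -u -p x --safe -k",
     "State": "running", "Status": "Up 20 hours"},
    {"Id": "0" * 64, "Names": ["/web"], "Image": "nginx:1.15",
     "ImageID": "sha256:" + "1" * 64,
     "Command": "nginx -g 'daemon off;'",
     "State": "running", "Status": "Up 3 days"},
])


def miner_reasons(container):
    """Return the list of indicators a single container record matches."""
    reasons = []
    # Strip any tag so that tmpdocker/xmr:latest also matches.
    if container.get("Image", "").split(":")[0] in IOC_IMAGES:
        reasons.append("image:" + container["Image"])
    if container.get("ImageID") in IOC_IMAGE_IDS:
        reasons.append("imageid")
    cmd = container.get("Command", "")
    for token in IOC_COMMAND_TOKENS:
        if token in cmd:
            reasons.append("command:" + token)
    return reasons


def find_miner_containers(listing_json):
    """Parse a /containers/json body; return {Id: [reasons]} for matching containers."""
    hits = {}
    for c in json.loads(listing_json):
        reasons = miner_reasons(c)
        if reasons:
            hits[c["Id"]] = reasons
    return hits


if __name__ == "__main__":
    for cid, why in find_miner_containers(SAMPLE_RESPONSE).items():
        print(cid[:12], ", ".join(why))
```

Feed it the body of `curl --unix-socket /var/run/docker.sock http://localhost/containers/json` to scan a live host; a hit on the command tokens alone still warrants a look even if the image has been renamed.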