Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[marumira/jido] Mining malware/worm #1807

btx3 opened this issue May 2, 2019 · 2 comments


None yet
3 participants
Copy link

commented May 2, 2019

This image is a worm/botnet/whatever targeting unsecured Docker API instances (port tcp/2375).

It uses Tor to update its mining config and continuously scrapes Shodan for exposed Docker instances (with a hardcoded user/pass which I changed) to infect them as well. It also sets up an SSH server, with a hashed password for the root user (basically a backdoor account).

My honeypot didn't pick it up yet, but I've seen it all over Shodan recently:

It seems to be frequently updated, with the last update (as of writing) being 5 hours ago.


This comment has been minimized.

Copy link

commented May 2, 2019

Thanks for the report. This account marumira has been deactivated.


This comment has been minimized.

Copy link

commented May 16, 2019

please what about this one please?

zoolu2 at docker hub

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.