[zoolu2/*] Mining malware from "marumira" under different account #1809
Comments
https://www.shodan.io/search?query=docker+%22zoolu2%22+port%3A2375 Ran across this yesterday. Seems like zoolu2 images could still be actively exploiting systems. Saw a result come in on a machine in Poland today that wasn't there last night. Are these images from zoolu2 still propagating in your honeypot? I'm not seeing anything on Shodan for that other image.
Thanks,
Okay, looks like a couple of them are going out and querying Shodan looking for port 2375. It's almost exactly asking the link that I sent earlier.
So... I found something; ping me on Twitter @Suprn8 and I'll give you the rest. I don't want to tip this guy off.
Sorry, didn't see the emails. About the outbound traffic, there is some through Tor, so I don't exactly know where it's going. It also seems to use multiple Shodan accounts instead of just one like in the previous image. Also, the mining endpoint is to NiceHash (same account name), so a report should stop the mining.
Yeah, I found the onion link at least for the Auto image. DM me on Twitter and I'll share what I've got.
https://twitter.com/Suprn8/status/1129877707897081856 Got confirmation from Shodan that those accounts are deactivated; they won't propagate anymore.
I've disabled |
He's back. The user is Pavlov32. The image is pavlov32/auto; it has the exact same code minus a 0-byte file named pavlov (I assume to get past some file hash tests). I am contacting John Matherly again to get the accounts disabled.
I've disabled this account also |
And again: user is zoolu2, image is zoolu2/jauto. Exactly the same code, and it even links to pavlov32.
All images on the zoolu2 Docker Hub account are either the exact same or extremely similar to the one pointed out in issue #1807 (XMR miner, automatic spreading through Shodan, etc.), except some now use multiple Shodan accounts instead of just one.
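The pattern described in this thread has two defender-side checks: is the local Docker daemon listening on an unauthenticated TCP port (the port 2375 exposure the images search Shodan for), and are any containers pulled from the Docker Hub namespaces named here. The script below is an added example written for this page; it is not code from the issue, from the reported images, or from Docker. It assumes the daemon configuration is in Docker's `daemon.json` format (the `hosts` and `tlsverify` keys are real Docker options) and that image references follow the Docker Hub `namespace/repo[:tag]` convention; the sample inputs are constructed.

```python
"""Audit helpers for the exposed-daemon / miner-image pattern in this thread.
Added example, not code from the issue or from Docker."""
import json
from urllib.parse import urlsplit

# Docker Hub namespaces the thread identifies as publishing the miner images.
SUSPECT_NAMESPACES = {"zoolu2", "pavlov32"}

# Docker's default plaintext API port, the one queried for on Shodan above.
DEFAULT_TCP_PORT = 2375


def tcp_listeners(daemon_json: str) -> list:
    """Return (host, port, tls_enforced) for every tcp:// entry in the
    daemon.json 'hosts' list. 'tlsverify' is read from the same file."""
    cfg = json.loads(daemon_json)
    tls = bool(cfg.get("tlsverify", False))
    found = []
    for entry in cfg.get("hosts", []):
        if not entry.startswith("tcp://"):
            continue  # unix:// and fd:// sockets are not network-reachable
        url = urlsplit(entry)
        found.append((url.hostname, url.port or DEFAULT_TCP_PORT, tls))
    return found


def risky_listeners(daemon_json: str) -> list:
    """Only the tcp listeners with no TLS client verification: these accept
    API calls from anyone who can reach the port."""
    return [(h, p) for h, p, tls in tcp_listeners(daemon_json) if not tls]


def namespace_of(image: str) -> str:
    """Docker Hub namespace of an image reference.
    'zoolu2/jauto:latest' -> 'zoolu2'; 'nginx:1.25' -> 'library' (official)."""
    name = image.split("@")[0]          # drop any digest
    last_slash = name.rfind("/")
    if ":" in name[last_slash + 1:]:    # strip a tag, but not a registry port
        name = name[: name.rfind(":")]
    parts = name.split("/")
    # A leading component with '.' or ':' (or 'localhost') is a registry host.
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0] or parts[0] == "localhost"):
        parts = parts[1:]
    return parts[0] if len(parts) > 1 else "library"


def flag_images(images: list) -> list:
    """Image references whose namespace is one named in the thread."""
    return [img for img in images if namespace_of(img) in SUSPECT_NAMESPACES]


# Constructed sample inputs (not captured from any real host).
SAMPLE_DAEMON_JSON = json.dumps(
    {"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]}
)
SAMPLE_DAEMON_JSON_TLS = json.dumps(
    {"hosts": ["tcp://0.0.0.0:2376"], "tlsverify": True}
)
SAMPLE_IMAGES = [
    "nginx:1.25",
    "zoolu2/jauto",
    "docker.io/pavlov32/auto:latest",
    "myorg/app:2.0",
]

if __name__ == "__main__":
    print("unauthenticated tcp listeners:", risky_listeners(SAMPLE_DAEMON_JSON))
    print("flagged images:", flag_images(SAMPLE_IMAGES))
```

On a real host, feed `risky_listeners` the contents of `/etc/docker/daemon.json` and `flag_images` the image column of `docker ps --format '{{.Image}}'`; a non-empty result from the first is the exposure the thread's Shodan query finds, regardless of whether any flagged image is present yet.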