“During April, we observed deployment of a suspect image from a public repository on many different clusters. The image is ddsfdfsaadfs/dfsdf:99. By inspecting the image’s layers, we can see that this image runs an XMRIG miner:” Source
Welcome to the cloud …
- Check the running containers: The easiest way to spot an XMRIG miner in a Kubernetes cluster is by checking the running containers. Use the kubectl get pods command to get a list of all the running pods in the cluster. Then, use the kubectl logs command to check the logs of each container in the pod for any mention of XMRIG or Monero mining.
- Check resource usage: An XMRIG miner consumes a lot of system resources such as CPU and memory. You can use the kubectl top command to check the resource usage of each pod in the cluster. If you notice a pod consuming unusually high resources, it might be running an XMRIG miner.
- Check network traffic: An XMRIG miner communicates with mining pools over the internet. You can use tools like Wireshark or tcpdump to capture network traffic and analyze it for any connections to known mining pool servers.
- Check for unauthorized access: An XMRIG miner can be deployed in a Kubernetes cluster without proper authorization. Check for any unauthorized deployments or changes to the Kubernetes configuration that might indicate an XMRIG
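As an added example (not part of the original post), the following Python triage script applies the image, log and resource checks above to text captured from kubectl (`kubectl get pods -A -o json`, `kubectl logs`, `kubectl top pods -A --no-headers`), replaced here by constructed sample output so it runs offline. The suspect image name is the one from the quote above; the CPU threshold and the log indicator strings are assumptions to tune per cluster, and the network check is left to tcpdump as the text says.

```python
import json
import re

SUSPECT_IMAGES = {"ddsfdfsaadfs/dfsdf:99"}  # image named in the quoted post
# Assumed miner/pool markers to look for in container logs.
LOG_PATTERN = re.compile(r"xmrig|monero|stratum\+tcp://|randomx|cryptonight", re.I)
CPU_MILLICORE_THRESHOLD = 900  # assumed; tune per workload


def parse_top_pods(text):
    """Parse `kubectl top pods -A --no-headers` rows into (namespace, pod, millicores)."""
    rows = []
    for line in text.strip().splitlines():
        ns, pod, cpu, _mem = line.split()
        millicores = int(cpu[:-1]) if cpu.endswith("m") else int(float(cpu) * 1000)
        rows.append((ns, pod, millicores))
    return rows


def pods_over_cpu(text, threshold=CPU_MILLICORE_THRESHOLD):
    """Resource check: pods whose CPU use is at or above the threshold."""
    return [r for r in parse_top_pods(text) if r[2] >= threshold]


def pods_with_suspect_image(pods_json):
    """Image check: walk `kubectl get pods -A -o json` for containers using a listed image."""
    hits = []
    for item in json.loads(pods_json)["items"]:
        meta = item["metadata"]
        for c in item["spec"]["containers"]:
            if c["image"] in SUSPECT_IMAGES:
                hits.append((meta["namespace"], meta["name"], c["image"]))
    return hits


def miner_log_lines(log_text):
    """Log check: `kubectl logs` lines mentioning a miner, pool protocol or algorithm."""
    return [line for line in log_text.splitlines() if LOG_PATTERN.search(line)]


# Constructed sample data standing in for live kubectl output.
SAMPLE_TOP = """default      web-7c9f   12m    40Mi
default      dfsdf-x1   1934m  310Mi
kube-system  coredns-ab 3m     20Mi
"""
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "dfsdf-x1"},
     "spec": {"containers": [{"name": "m", "image": "ddsfdfsaadfs/dfsdf:99"}]}},
    {"metadata": {"namespace": "default", "name": "web-7c9f"},
     "spec": {"containers": [{"name": "web", "image": "nginx:1.25"}]}},
]})
SAMPLE_LOG = """ * ABOUT   XMRig/6.x
 * POOL #1 stratum+tcp://pool.example:3333 algo rx/0
 * HTTP API disabled
"""
```

Pipe the real kubectl output into these functions; a pod that trips more than one check (suspect image, miner strings in its logs, sustained high CPU) is the one to isolate and investigate first.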