Topic: [4+ EH] Slush Pool (slushpool.com); Overt AsicBoost; World First Mining Pool - page 825. (Read 4382671 times)

hero member
Activity: 574
Merit: 500
but why the site up???

Is it? Press F5 refresh - site is down I think


It's down for maintenance, but if it was DDoS we wouldn't get an error???

If it was DDoS - the tw*ts would be attacking the pool not the web site - so you may see the website work but your miners not mining - both are down (for me) so I think it's probably DDoS - but it could just be down to teething problems with the Amazon EC2 switch...
full member
Activity: 196
Merit: 100
legendary
Activity: 1386
Merit: 1097
The pool has been hacked. Fortunately I noticed it fast enough, so I made a database snapshot seconds before the attackers took over the database machine. I lost some amount of bitcoins, but I'll be able to recover it from my pocket. For now I'm evaluating what to do next, because all machines in OVH have been compromised and they cannot be trusted anymore.

Full story:
Today at 3pm UTC I noticed that somebody successfully reset the password to OVH manager, the place where servers can be managed, restarted to rescue mode etc. I promptly reset the password at OVH to something different and I also changed the password on my email account and checked that there are no other active connections to my mailbox. I have to say that my mailbox is secured by OTP passwords and I take physical security very seriously, so nobody else had access to my mailbox. I know that the password-reset feature is quite a popular attack vector, so I did everything possible to prevent it from happening.

By changing the password at OVH, all other sessions using the old credentials are automatically kicked from the Manager. I also cross-checked that nothing wrong happened to the servers at this time. Unfortunately I didn't find out how the attackers got access to Manager, so I asked OVH support to provide some additional information and restrict Manager access to my IP range.

It's no surprise that OVH didn't respond to this ticket for hours, but at 11pm UTC I realized that there was another successful password reset at OVH. This is a complete mystery to me, because I'm absolutely sure that nobody else had access to my mailbox and the email with the reset link has been untouched (unread, not deleted). I'd say that an attacker wouldn't bother changing the status of the email to "unread", but he'd delete the email instead.

This time I realized that the attacker reset the machine with the wallet to rescue mode, which means that I lost control of this machine. I was still successful in logging into the database and I took a snapshot of the database and transferred it to a safe location. A few seconds after the migration finished, the attackers restarted all remaining machines to rescue mode.

So far it looks like yet another inside job, like Linode two years ago. Or the attackers found some shortcut to gain access to Manager without confirming the request from the email. I don't know which is the worse option. I'll investigate this issue in detail later and I hope OVH won't close its eyes to this.

I can recover the pool to the normal operation tomorrow.

Edit 01:38 UTC: Stratum servers are running on safe servers at Amazon. Mining works for now. I'll set up a new database and webserver on trusted machines in a few hours, so the pool will be back in full operation.

Edit 25.04.2013: Bitcoin-central.net, which is also hosted at OVH, has been hacked today using the same method as described above. It confirms my theory that it was an inside job/security issue at OVH and my email wasn't compromised at all.
newbie
Activity: 29
Merit: 0
but why the site up???

Is it? Press F5 refresh - site is down I think


It's down for maintenance, but if it was DDoS we wouldn't get an error???
hero member
Activity: 574
Merit: 500
but why the site up???

Is it? Press F5 refresh - site is down I think
newbie
Activity: 29
Merit: 0
hero member
Activity: 574
Merit: 500
It's almost as if they think he's somehow got coins stored on his computer or something...?

Could just be a problem with the Amazon EC2 switch - just checked my EC2 cloud servers - running OK - this looks like another (boring achieve nothing) DDoS to me
newbie
Activity: 29
Merit: 0
Also here miners don't work...
newbie
Activity: 56
Merit: 0
It's almost as if they think he's somehow got coins stored on his computer or something...?
hero member
Activity: 574
Merit: 500
Those f**king DDoS:ers.. What's the point? Is it really that profitable to DDoS out sluch pool?

Can't be a coincidence that when BTC rises in value, Slush gets DDOS - interesting
newbie
Activity: 12
Merit: 0
Funny that.... swapped to getwork from Stratum since it's been 4 days and no shares (usually 3 per day even if I am CPU mining) and ... insta share (for a whole 0E-8 but it IS a share!). Also, have had no stale shares on Stratum (or any shares) since the DDoS.

[EDIT]
Great, now insta 2 stale shares on getwork....

Is this a typical problem for you/others? I just started GPU mining a couple of weeks ago and don't know if I'm getting stale shares or not... but I'm getting paid every other day so how bad can it be? Not mining at any sort of impressive rate, but it's working as proof of concept for future build plans.

BTW, thx to slush for operating the pool. I see a lot of whining and complaining in this thread, but not too many thank yous. So thanks.
hero member
Activity: 674
Merit: 500
During the last DDoS I mined for about ten hours on HHTT's pool, but never got a payout. Anyone know how long you have to mine with them before you are eligible for a payout?
full member
Activity: 213
Merit: 100
Funny that.... swapped to getwork from Stratum since it's been 4 days and no shares (usually 3 per day even if I am CPU mining) and ... insta share (for a whole 0E-8 but it IS a share!). Also, have had no stale shares on Stratum (or any shares) since the DDoS.

[EDIT]
Great, now insta 2 stale shares on getwork....
newbie
Activity: 30
Merit: 0
Those f**king DDoS:ers.. What's the point? Is it really that profitable to DDoS out sluch pool?
newbie
Activity: 28
Merit: 0
Website isn't working for me, or stratum.

Care to explain?
newbie
Activity: 17
Merit: 0
Mine are not connecting at all. I know you're working on it though. Just thought you should know.

I will wait patiently.
newbie
Activity: 18
Merit: 0
Does it seem to be a secondary problem caused by DDoS? Have you tried moving behind Cloudflare? May be way off base, just shooting in the dark.
newbie
Activity: 59
Merit: 0
I'm investigating it.
...well ya did something....miners just started back up...good Job


Edit to Say:....is it Cgminer that is giving really weird #'s or is something amiss on your end ...I like the #'s but know they are not Right...hahha

My 300 Mhash is getting 500 Mhash
660 Mhash is saying 1.2 Ghash..I wish its only a 7970...hahha
newbie
Activity: 26
Merit: 0
FAQBot seems to have died in IRC, as well.

Small potatoes when the pool is down, I admit, but still needs to be brought to someone's attention.
hero member
Activity: 826
Merit: 1000
I hope you will use a proportional method for the blocks during the error... If it's gonna be a long one... My workers can't connect to stratum and getwork and I'm on a backup pool... They should come back automatically but I'm not sure how long it takes for them to detect that your pool is back...