Topic: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com - page 151. (Read 554401 times)

My bad then... Just relating where I've seen it before.

DEADBEEF and CAFEBABE are both popular hexspeak magic numbers used in hundreds of different pieces of software (http://en.wikipedia.org/wiki/Hexspeak). This is totally irrelevant and totally valid here. It's used as padding for subscription ID in the stratum server used by this pool.

This is a log of how this redirect looked like. This is not from CleverMining but from an user connecting to another coin-switching pool, but it shows how the redirect is done:


I numbered lines to be able to refer to them. What you see above is miner initiating its dialogue with the pool, so these are commands sent just after connecting to the pool. In this case miner must have been disconnected and then reconnected (trying to reconnect either to the same pool or to backup pool) - and this reconnected connection was hijacked somehow.

Messages coming from the pool (lines 2, 3, 4, 6, 7) are definitely NOT from CleverMining. They are also not from the pool which the above user was connected to, because:

Line 2: both CleverMining and the other pool use different subscription id format than sent by pool in line 2.
Line 3: both CleverMining and the other pool use 512 default difficulty and this pool sent 1024.
Line 2 & 3: both CleverMining and the other pool send lines in reverse order - send difficulty first, then send initial notify with subscription id
Line 4: both CleverMining and the other pool use different order of arguments when sending commands to miners (first id, then method, then params; here is first params, then method, then id).
Line 7: this is actual redirect request send by the fake pool.

The whole above communication is not a communication between miner and the pool which it intended to connect to. This fake pool clearly uses a different stratum software because its output is very different from what are using both CleverMining and the pool which the log should suppose to come from. (everything in the above log is consistent with how python stratum-mining server works, which we don't use).

So what happened here is:

1. Miner got disconnected from its legitimate pool.
2. It tried to reconnect, but was connected to a fake pool instead.
3. This fake pool immediately ordered it to reconnect to a different IP, effectively redirecting it to another pool.
4. The miner connected to 190.x address and started mining on a malicious pool.

The mystery is why user was connected to a fake pool after being disconnected from legitimate pool.

This is probably some kind of MITM attack as the user was connected to a fake pool after disconnection. The question is where this MITM attack was performed.

Stop flooding the forum with retarded responses.

Obviously it seems like it could be important.

Has a BTC address, the offending IP and port, and the correct and offending mining difficulty.

The deadbeefcafebabe thing is related to Apache Jackrabbit content repository. The MITM vector may have been using it for the redirect injection.

well it seems the servers are down for CM?

everytime cm switches servers it seams as if teamviewer disconnects and then reconnects

its your routers...lmao...

Terk,

Any clue what this is? The page was deleted today, but Google has a cache'd version of it currently... for the time-being.

http://webcache.googleusercontent.com/search?q=cache:wM5KnG5iVR0J:pastebin.com/zsWnEAsN+&cd=11&hl=en&ct=clnk&gl=us&client=firefox-a


deadbeefcafebabe seems to related to some Apache or Adobe stuff... a bit odd.

Right, but going after banks would be much harder with higher chances and consequences for being caught. Hijacking mining services are unique, they are very new and a lot less tried and tested than banking systems. With mining services, they can reap large monetary gain with little chance of federal law enforcement. BTW, you also assume the ones responsible aren't also attacking the other services.

As far as the common factor in all the scenarios would be the routers, as all of them out of the box suck security wise. Usually running an old outdated Linux kernel. But how would the attacker pick random IP addresses for such an attack?

BTW this quoting system sucks

Can you write more about it?

What exactly do you suggest me to run because I don't understand? Redirects to 190.xxx were not coming from our pool so I have no way to check how many users got this.

are you guys all using teamviewer? it disconnects and goes to this 190.x server

ltc.ghash.io
mine.coinshift.com


1 of my 6 rigs redirected to 190.X, another stopped mining at ny.clevermining.com and went to backup pool: ltc.ghash.io

no backup pools on my miners....

Also, did you run that script and get the info on how many were affected?  That is pretty easy to do and would be helpful to understand how many were affected.

But since it can be any network connected device that was infected and remotely controlled the mining machines, there could be a common OS between all infected networks.  I agree that it seems unlikely, but occam's razor here.  The rest of the options seem more unlikely.

In regards to DNS hijacking - if you can do that, you're probably going to go after email systems, banking or credit card, or actual websites including hosted wallets.  It's like being given a space based laser and using it to open your can of tuna :-)

Just a question to everyone who was affected: what backup mining pool(s) do you have configured in your miners?

The last dozen pages on Wafflepool thread have more info.

In my opinion it varies too greatly to be malware. Various OS's, software and routers. It's possible that if they use similar software for it to be exploited, but I'm unaware of whether they use custom or off-the shelf solutions. But MITM attacks have been very popular lately.
As far as I know, CM and WP are the two largest profit switching pools. So who are bigger fish that I'm unaware of?

QUICK FIX:

This doesn't require running any test code that was written in 10 mins.

1. Block offending IP in iptables or win firewall

2. nslookup your clevermining pool server and add that IP to your miner in your firewall and only allow the miner to connect to that IP remotely via outbound connection in the firewall.

I have tested this and it is working.



TERK,

run a script on your mining database and tell us how many miners were/are point to that 190.xxx ip 

Not trying to insinuate anything, but just suggesting...  I apologize if any of these ideas have already been covered, just trying to help.


Is it possible that clevermining was hacked, or at least one of the servers was, but the hack is smart enough to only siphon off a small amount of hash?  Otherwise it would be immediately noticeable when it was implemented.

Granted it appears that other pools were affected as well.  Is it possible that they're using similar backend software that may have been compromised?

Otherwise we appear to have a paradoxical situation.

- it isn't the pool because multiple pools are affected
- it isn't cgwatcher because those without it are affected
- it isn't the miner because people's miners that haven't been touched in weeks or longer are affected (unless it's a virus on the network)
- DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.

I think malware does seem most likely, as if cgminer is open to remote control there is no authentication.  Any computer or device anywhere on the network could scan for and redirect miners.  This way even miners that haven't been touched in a year could still be affected.

Do we have a thread with full details on everyone who has been affected?  All software installed and versions, OS, patches, windows updates on/off, last time any configuration was modified, router, ISP, location, etc?

Do we have any way to reproduce this?  Does anyone with logging enabled have a record of the request?  Is it happening frequently enough to run a network monitor?  Do we know what coin is being maliciously mined?