Topic: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com - page 152. (Read 554384 times)

cloudrck,

You only cherry picked my post and then called me stupid.  I guess, the hackers are doing man in the middle attacks on the entire interwebs..lol...fukkin idiot. Lot of the pools use same codebase and that lovely PHP crap.

This was a hack plain an simple. Quit trying to cover it up.  The pools affected were popped and no ones routers were compromised or other stupidity that this thread is trying to divert attention to.

No it would not. You serious don't know how this type of stuff works. You're assuming this IP address isn't a breach server. You're assuming he can't simply change IP addresses and/or server location.

DDoS this guy's servers is childish, aside from being illegal

clevermining's servers have been hacked.

The peeps running cleverminings servers apparently are not that tech savvy.  All my miners were being routed to 190.xxx and this is from 5 different subnets from 3 different ISP providers.

lol..amateur hour @clevermining.

The miner connects and gets instructions to where to send shares--apparently a rogue hacker has infiltrated clevermining and had all the miners point to 190.xxx.

Only two things it can be.

1. clevermining did this

2. clevermining was hacked

either way this is not good.  

I will be pointing my miners to a different pool until this is fixed.


UPDATE: when you close miner and reopen it..it points to correct clevermining dns entry.  Therefore, the attackers (if clevermining is not doing this themselves) are logging in and running a script to point N miners to the new IP...lol.


UPDATE 2:  they have been hacked. Here is URL for IP lookup..it is going to Panama...hahahaha.  Make sure you get paid boys!

http://whatismyipaddress.com/ip/190.97.165.179   <--- this is IP where the miners are being pointed to..hahaha.

For a short time. Yesterday there was a totally different IP used where WP and MP users were hijacked. My guess is tomorrow it might be another one.

Why wouldn't that help?

Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.

clevermining's servers have been hacked.

The peeps running cleverminings servers apparently are not that tech savvy.  All my miners were being routed to 190.xxx and this is from 5 different subnets from 3 different ISP providers.

On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something what is related to coin-switching pools (a 3rd party mining stats, a 3rd party rigs monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.

On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit search to last 7 days only to filter out junk).

Are any of affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something what is related to coin-switching pools (a 3rd party mining stats, a 3rd party rigs monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

That doesn't help. People who have been affected needs to contact the owner and host of the IP with the evidence.

For safety, everyone should consider doing this on any windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him  

Also, it can be on your router which you use to connect to the network.

There was a really widespread vulnerability discovered a little over month ago which was affecting significant number of home routers: http://www.pcworld.com/article/2097903/asus-linksys-router-exploits-tell-us-home-networking-is-the-vulnerability-story-of-2014.html

It's hard to use to steal coins as all cryptocoin-related traffic is encrypted with the exception of mining. Maybe someone started using this vulnerability to hijack cryptocoin miners?

Anyone heard about this issue among users of non-multi-coin pools?

Yes, I've seen the log with redirect command (the log wasn't from CleverMining, it was on another pool). The redirect command didn't actually come from legitimate pool. The whole process looked like this:

1. Miner got disconnected from the pool (no idea if it was “natural” or caused by the attacker).
2. Miner reconnected to its pool but it didn't really connected to the pool this time, instead something hijacked this connection.
3. Just after miner authenticated at the pool (a fake one), it got the redirect command to reconnect to a different IP address.
4. Miner followed the command and connected to malicious pool.

The redirect command wasn't coming from the legitimate pool. Also, what's important - it wasn't injected into an existing connection between miner and legitimate pool. After disconnect miner tried to reconnect to legitimate pool but this reconnection was hijacked and the miner was redirected to malicious pool.

You are right that this is a form of Man In The Middle attack, but I think that MITM attack originates at user's place. Either on their mining rig or on some other host in the same local network. And if it's the case, then it's most likely done by some malicious software that the user downloaded.

Why I think that other places of attack (not close to the user) are unlikely? Affected users are geographically distributed all over the world - this is not some regional issue. Affected users were connect to different pools which are using different hosting providers - this is not an attack at the pool level. At the same time number of affected users is very tiny, which also points to a place of attack close to the user.

This is why I am suspecting some malicious software installed by the user.

For example, a new version of CGWatcher was released on Mar 21st, and the hijacking first started to happening at other multi-pools on Mar 22nd. A new version of a popular software is always a good moment to distribute maliciously modified version. I am not talking about CGWatcher authors, but someone else might modify the software and distribute modified version by submitting their own link to Reddit or some other mining related community.

I am also not telling that modified CGWatcher is responsible. This is just an example of a theoretical scenario how the attack might be performed. If you're affected, please think of what software did you download, when, where from, etc - basing on the example scenario above.