
Topic: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com - page 152. (Read 554401 times)

newbie
Activity: 52
Merit: 0
cloudrck,

You only cherry-picked my post and then called me stupid. I guess the hackers are doing man-in-the-middle attacks on the entire interwebs... lol... fukkin idiot. A lot of the pools use the same codebase and that lovely PHP crap.

This was a hack, plain and simple. Quit trying to cover it up. The pools affected were popped, and no one's routers were compromised or other stupidity that this thread is trying to divert attention to.
You seem to see and believe what you want, because no one called you stupid. So there's no reason to argue with you. You're right, man, you figured it out, detective.
newbie
Activity: 19
Merit: 0
No it would not. You seriously don't know how this type of stuff works. You're assuming this IP address isn't a breach server. You're assuming he can't simply change IP addresses and/or server location.

I know exactly how this stuff works, and just because I posted a solution which isn't perfect (but still helps in this particular situation) doesn't mean that you have to insult me or others.

DDoSing this guy's servers is childish, aside from being illegal

Notice the Cheesy after my comment?





... and additional random stuff at the end to convince the forum that I didn't already post this when it refused my post because I tried to repost after being refused because the thread had been updated.  This forum's auto-filters need some tweaks :-/
hero member
Activity: 616
Merit: 522
clevermining's servers have been hacked.

The peeps running CleverMining's servers apparently are not that tech savvy. All my miners were being routed to 190.xxx, and this is from 5 different subnets from 3 different ISP providers.

lol..amateur hour @clevermining.

The miner connects and gets instructions on where to send shares. Apparently a rogue hacker has infiltrated CleverMining and had all the miners point to 190.xxx.

Only two things it can be.

1. clevermining did this

2. clevermining was hacked

either way this is not good.  

I will be pointing my miners to a different pool until this is fixed.


UPDATE: when you close the miner and reopen it, it points to the correct CleverMining DNS entry. Therefore, the attackers (if CleverMining is not doing this themselves) are logging in and running a script to point N miners to the new IP... lol.


UPDATE 2: they have been hacked. Here is the URL for the IP lookup. It is going to Panama... hahahaha. Make sure you get paid, boys!

http://whatismyipaddress.com/ip/190.97.165.179 <--- this is the IP where the miners are being pointed to... hahaha.

CleverMining has not been hacked. Redirection to 190.xxx doesn't come from the pool; rather, something is hijacking your miners and redirecting them to a malicious pool. We still have thousands of users mining at the pool, and we just hit our highest hashrate ever yesterday, with a 22.5 GH/s average hashrate during the day.

If it were a pool issue, it would affect thousands of users and the pool hashrate would significantly drop instead of rising. The problem affects only a small number of users, and it affects users of several coin-switching pools; it is not limited or related to CleverMining. I am trying to help investigate this issue, but at this point there is nothing suggesting that any of the pools were hacked.

hi
sr. member
Activity: 256
Merit: 250
cloudrck,

You only cherry-picked my post and then called me stupid. I guess the hackers are doing man-in-the-middle attacks on the entire interwebs... lol... fukkin idiot. A lot of the pools use the same codebase and that lovely PHP crap.

This was a hack, plain and simple. Quit trying to cover it up. The pools affected were popped, and no one's routers were compromised or other stupidity that this thread is trying to divert attention to.
newbie
Activity: 19
Merit: 0
Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.

For a short time. Yesterday there was a totally different IP used where WP and MP users were hijacked. My guess is tomorrow it might be another one.

Valid point! I had assumed that it was a fixed IP; however, either way it can't hurt at the moment.
newbie
Activity: 14
Merit: 0
Add an outgoing firewall rule to only allow verified pool IPs for your miner and/or update to the latest Kalroth's cgminer.
newbie
Activity: 27
Merit: 0
I have no idea if this is even related, but it's strange given that I see these threads pop up now, and I saw a similar issue when I woke up this morning.

I'm currently mining at Coinshift, and about 6 hours ago all of my hashrate disappeared from the pool stats page, but my 2 rigs were still hashing away like normal. This continued until I woke up and restarted cgminer; everything seems normal now.

The really weird thing, and again, I'm not suggesting anything but just telling what I've observed: my hashrate at ghash went UP. I mined with these guys during their 2x week and haven't touched them since. This is weird because on both of my machines ghash (LTC) is at the bottom of my failover pool list, and I imagine it would be highly unlikely that there was 0 response from any of my 5-6 pools that were higher up in the list. Maybe it's just a weird coincidence, but it's strange that I'd be hashing at ghash, on 2 rigs, without having touched the pool in a number of days.

If it helps anyone, I'm running Windows 7 with sgminer, and my other rig is running SMOS (bee edition) with cgminer-kalroth. I have no other monitoring software besides what SMOS offers, and the SMOS machine has nothing else installed on it. Since the day it was put together I haven't installed anything new on it.

The only thing I have running on my smartphone is the Mining Pool Status app, but I only just got that and haven't added any pools to it yet.
newbie
Activity: 52
Merit: 0
For safety, everyone should consider doing this on any Windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him Cheesy
That doesn't help. People who have been affected need to contact the owner and host of the IP with the evidence.

Why wouldn't that help?

Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.
No it would not. You seriously don't know how this type of stuff works. You're assuming this IP address isn't a breach server. You're assuming he can't simply change IP addresses and/or server location.

DDoSing this guy's servers is childish, aside from being illegal. Looking up the IP address, it appears to be hosted by an ISP; you're liable to get your IP filtered, then blocked and/or reported.

Report the IP to the ISP it routes to. I would also report it to ARIN. ARIN does not like their IP space being used for malicious activity, especially with the shortage of IPv4 blocks.

clevermining's servers have been hacked.

The peeps running CleverMining's servers apparently are not that tech savvy. All my miners were being routed to 190.xxx, and this is from 5 different subnets from 3 different ISP providers.

You don't know what you are talking about; you should read the posts by Kalroth over at the Wafflepool thread.
newbie
Activity: 8
Merit: 0
On the other hand, the router idea isn't that likely. I am googling these two IPs (today's and yesterday's, where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit the search to the last 7 days only, to filter out junk).

Are any of the affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have had your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly), and something that is related to coin-switching pools (3rd party mining stats, 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc.). Just wild guessing based on what's known about the problem.

Don't know how much this helps or frustrates you. I'm the only one who mines in the house, and none of my mobile devices have any mining-related programs, as I am on iOS; mining alt-coins, we are very limited as to what apps are available (free apps). I just use the actual web site I am mining at for stats.
hi
sr. member
Activity: 256
Merit: 250
clevermining's servers have been hacked.

The peeps running CleverMining's servers apparently are not that tech savvy. All my miners were being routed to 190.xxx, and this is from 5 different subnets from 3 different ISP providers.

lol..amateur hour @clevermining.

The miner connects and gets instructions on where to send shares. Apparently a rogue hacker has infiltrated CleverMining and had all the miners point to 190.xxx.

Only two things it can be.

1. clevermining did this

2. clevermining was hacked

either way this is not good.  

I will be pointing my miners to a different pool until this is fixed.


UPDATE: when you close the miner and reopen it, it points to the correct CleverMining DNS entry. Therefore, the attackers (if CleverMining is not doing this themselves) are logging in and running a script to point N miners to the new IP... lol.


UPDATE 2: they have been hacked. Here is the URL for the IP lookup. It is going to Panama... hahahaha. Make sure you get paid, boys!

http://whatismyipaddress.com/ip/190.97.165.179 <--- this is the IP where the miners are being pointed to... hahaha.
hero member
Activity: 616
Merit: 522
Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.

For a short time. Yesterday there was a totally different IP used where WP and MP users were hijacked. My guess is tomorrow it might be another one.
newbie
Activity: 14
Merit: 0
On the other hand, the router idea isn't that likely. I am googling these two IPs (today's and yesterday's, where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit the search to the last 7 days only, to filter out junk).

Are any of the affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have had your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly), and something that is related to coin-switching pools (3rd party mining stats, 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc.). Just wild guessing based on what's known about the problem.

Haven't installed or run anything new on other devices for days, and anything mining/coin related in weeks. I only use cgminer and two coin wallets, which were installed about a month ago from the original websites (and not on a smartphone).
newbie
Activity: 19
Merit: 0
For safety, everyone should consider doing this on any Windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him Cheesy
That doesn't help. People who have been affected need to contact the owner and host of the IP with the evidence.

Why wouldn't that help?

Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.
newbie
Activity: 52
Merit: 0
For safety, everyone should consider doing this on any Windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him Cheesy
That doesn't help. People who have been affected need to contact the owner and host of the IP with the evidence.
hero member
Activity: 616
Merit: 522
On the other hand, the router idea isn't that likely. I am googling these two IPs (today's and yesterday's, where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit the search to the last 7 days only, to filter out junk).

Are any of the affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?

Your main computer is not likely infected, as you would have had your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly), and something that is related to coin-switching pools (3rd party mining stats, 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc.). Just wild guessing based on what's known about the problem.
newbie
Activity: 19
Merit: 0
For safety, everyone should consider doing this on any Windows rig:

route -p add 190.97.165.179 {your computer ip}


Also we should flood that IP address with invalid responses and DDoS him Cheesy
newbie
Activity: 14
Merit: 0
Asus with Tomato here, no USB used and anything remote disabled.

Anyway, Kalroth just released a new version with a --no-client-reconnect command that should disable the attack.
newbie
Activity: 8
Merit: 0
Also, it can be on your router, which you use to connect to the network.

There was a really widespread vulnerability discovered a little over a month ago which was affecting a significant number of home routers: http://www.pcworld.com/article/2097903/asus-linksys-router-exploits-tell-us-home-networking-is-the-vulnerability-story-of-2014.html

It's hard to use to steal coins, as all cryptocoin-related traffic is encrypted with the exception of mining. Maybe someone started using this vulnerability to hijack cryptocoin miners?

Anyone heard about this issue among users of non-multi-coin pools?

A possibility, but after reading the article: I am on a Linksys EA4500 with remote administration disabled since the day the router was up and running. Yet I still got hijacked :\
hero member
Activity: 616
Merit: 522
Also, it can be on your router, which you use to connect to the network.

There was a really widespread vulnerability discovered a little over a month ago which was affecting a significant number of home routers: http://www.pcworld.com/article/2097903/asus-linksys-router-exploits-tell-us-home-networking-is-the-vulnerability-story-of-2014.html

It's hard to use to steal coins, as all cryptocoin-related traffic is encrypted with the exception of mining. Maybe someone started using this vulnerability to hijack cryptocoin miners?

Anyone heard about this issue among users of non-multi-coin pools?
newbie
Activity: 8
Merit: 0
It is not malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.

Yes, I've seen the log with the redirect command (the log wasn't from CleverMining, it was on another pool). The redirect command didn't actually come from the legitimate pool. The whole process looked like this:

1. The miner got disconnected from the pool (no idea if it was “natural” or caused by the attacker).
2. The miner reconnected to its pool, but it didn't really connect to the pool this time; instead, something hijacked this connection.
3. Just after the miner authenticated at the pool (a fake one), it got the redirect command to reconnect to a different IP address.
4. The miner followed the command and connected to the malicious pool.

The redirect command wasn't coming from the legitimate pool. Also, what's important: it wasn't injected into an existing connection between the miner and the legitimate pool. After the disconnect, the miner tried to reconnect to the legitimate pool, but this reconnection was hijacked and the miner was redirected to the malicious pool.

You are right that this is a form of Man In The Middle attack, but I think that the MITM attack originates at the user's place, either on their mining rig or on some other host in the same local network. And if that's the case, then it's most likely done by some malicious software that the user downloaded.

Why do I think that other places of attack (not close to the user) are unlikely? Affected users are geographically distributed all over the world; this is not some regional issue. Affected users were connected to different pools, which are using different hosting providers; this is not an attack at the pool level. At the same time, the number of affected users is very tiny, which also points to a place of attack close to the user.

This is why I am suspecting some malicious software installed by the user.

For example, a new version of CGWatcher was released on Mar 21st, and the hijacking first started happening at other multi-pools on Mar 22nd. A new version of popular software is always a good moment to distribute a maliciously modified version. I am not talking about the CGWatcher authors, but someone else might modify the software and distribute the modified version by submitting their own link to Reddit or some other mining-related community.

I am also not saying that a modified CGWatcher is responsible. This is just an example of a theoretical scenario of how the attack might be performed. If you're affected, please think about what software you downloaded, when, where from, etc., based on the example scenario above.

On my work desktop computer at home, on which I have installed nothing relating to mining software since Jan 22, the possibility of infection from a software installation would be zero on my end. And yet my cudaminer (which has been installed since Jan 22) is also redirecting to that malicious IP.
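The reconnect hijack described in the quoted post above, replayed against three client policies, as an added example (not code from CleverMining, cgminer or Kalroth's fork). Stratum is newline-delimited JSON-RPC over plain TCP with no server authentication, so a successful mining.authorize tells the miner nothing about who actually answered its connect; the only client-side decision that matters is what it does with an unsolicited client.reconnect. The session transcripts, the pool hostnames and the 198.51.100.7 address (TEST-NET-2) are constructed for this example, and the "deny" policy models what the thread says Kalroth's --no-client-reconnect does, assumed here to be simply ignoring the command.

```python
"""Stratum client.reconnect handling: a replayed hijack and three client policies.

Added example, not code from CleverMining or from any miner. Transcripts,
hostnames and the 198.51.100.7 address are constructed placeholders.
"""
import json

# Constructed transcript of the hijack described in the thread: the miner
# reconnects after a drop, something that is not the pool answers the connect,
# accepts subscribe (id 1) and authorize (id 2) so the session looks normal,
# then issues client.reconnect pointing at a rogue pool.
HIJACKED_SESSION = [
    # reply to mining.subscribe: [subscriptions, extranonce1, extranonce2_size]
    '{"id": 1, "result": [[["mining.set_difficulty", "1"], ["mining.notify", "1"]], "f8002c90", 4], "error": null}',
    # reply to mining.authorize: worker accepted, nothing looks wrong yet
    '{"id": 2, "result": true, "error": null}',
    # unsolicited notification: move to another pool (host, port, wait seconds)
    '{"id": null, "method": "client.reconnect", "params": ["198.51.100.7", 3333, 0]}',
]

# Constructed reconnect a real pool might send for maintenance, pointing at a
# second host of the same (hypothetical) pool.
MAINTENANCE_SESSION = [
    '{"id": 1, "result": [[["mining.notify", "1"]], "f8002c90", 4], "error": null}',
    '{"id": 2, "result": true, "error": null}',
    '{"id": null, "method": "client.reconnect", "params": ["eu.pool.example.invalid", 3333, 5]}',
]

# follow:    legacy behaviour, obey every client.reconnect
# deny:      never reconnect on server request (the --no-client-reconnect idea)
# allowlist: reconnect only to hosts the operator configured for this pool
POLICIES = ("follow", "deny", "allowlist")


class StratumClient:
    """Minimal stratum message handler; only the reconnect decision is modelled."""

    def __init__(self, pool_host, port=3333, policy="allowlist", allowed_hosts=()):
        if policy not in POLICIES:
            raise ValueError(f"unknown policy {policy!r}")
        self.policy = policy
        self.allowed_hosts = {pool_host, *allowed_hosts}
        self.connected_to = (pool_host, port)
        self.authorized = False
        self.log = []  # one human-readable decision per message

    def handle_line(self, line):
        msg = json.loads(line)
        if msg.get("method") == "client.reconnect":
            self._handle_reconnect(msg.get("params") or [])
        elif msg.get("id") == 2 and msg.get("result") is True:
            self.authorized = True
            self.log.append("authorize accepted")
        else:
            self.log.append(f"ignored id={msg.get('id')}")

    def _handle_reconnect(self, params):
        # Malformed reconnects (missing host, non-integer port) are dropped.
        if len(params) < 2 or not isinstance(params[0], str) or not isinstance(params[1], int):
            self.log.append("malformed client.reconnect ignored")
            return
        host, port = params[0], params[1]
        if self.policy == "deny":
            self.log.append(f"client.reconnect to {host}:{port} refused (reconnect disabled)")
            return
        if self.policy == "allowlist" and host not in self.allowed_hosts:
            self.log.append(f"client.reconnect to {host}:{port} refused (host not in pool list)")
            return
        self.connected_to = (host, port)
        self.log.append(f"reconnecting to {host}:{port}")


def replay(session, policy, allowed_hosts=()):
    """Feed a captured session to a fresh client and return it for inspection."""
    client = StratumClient("stratum.pool.example.invalid", policy=policy, allowed_hosts=allowed_hosts)
    for line in session:
        client.handle_line(line)
    return client


if __name__ == "__main__":
    for policy in POLICIES:
        c = replay(HIJACKED_SESSION, policy)
        print(f"{policy:>9}: ends at {c.connected_to[0]}:{c.connected_to[1]}  ({c.log[-1]})")
```

Running the file prints where each policy ends up: "follow" lands on the rogue host even though authorize succeeded, "deny" and "allowlist" stay on the configured pool, and the allowlist still honours a reconnect to a second host of the same pool. A reconnect naming an allowed host is only as trustworthy as the DNS answer the miner then gets, which is why the thread also recommends an egress firewall rule limited to the pool's known addresses.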