Topic: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com - page 153. (Read 554384 times)

To be straight: I am not claiming that I know what's going on. I throw ideas about what I suspect is most likely.

My best guess is that it's the MITM attack originating very close to the user - considering there is only small number of users affected but they are spread around the world. If the MITM wasn't close to users, then it either would be limited to some geographic location or would be really heavily widespread affecting significant number of users.

I don't tell you that your rig is affected. If the rig had malicious software then it might be easier to just change your miner configs by the attacker and not hijack connection. This can be any other computer in your local network, using the same wifi. It might be the computer which you use (but it also is unlikely as the attacker would probably use it to steal your coins as well). It might be on your smartphone which connects via WiFi to the same router that your rigs (which might be connected by a cable but to the same router).

But of course I might be totally wrong.

I personally don't think this exploit is user based. My guess is some kind of injection during transit.

As a precaution, I have written a few firewall rules that will only allow my mining subnet to communicate to specific IPs.

that will be me, first I see my CleverMining account has 0.00 speed registered and go to check my miners and notice that all my cgminers are pointing to these 190.xxx ip address,
and I don't know for how long they've been redirected.

So I switch to ScryptGuild for now.

Changing pools seems to "fix" the redirect from my experience. I changed to sf.clevermining.com after I noticed the redirect, and it started working perfectly after that point.

I am not using anything besides Kalroth's cgminer 3.7.3 and my hijacking was only taking place while mining on Waffle. I would expect it to continue even after changing to CleverMining. Also, it doesn't seem likely to me that all the affected users were hit by malware on both various Linux distributions, BAMT and Windows. And I haven't touched my mining rig for the last couple of weeks and it only got hijacked today. I've been on CleverMining for the last 26 hours and it hasn't happened again. All of that seems to rule out local malware.

Thanks for the indepth responses Terk.

Yes, I've seen the log with redirect command (the log wasn't from CleverMining, it was on another pool). The redirect command didn't actually come from legitimate pool. The whole process looked like this:

1. Miner got disconnected from the pool (no idea if it was “natural” or caused by the attacker).
2. Miner reconnected to its pool but it didn't really connected to the pool this time, instead something hijacked this connection.
3. Just after miner authenticated at the pool (a fake one), it got the redirect command to reconnect to a different IP address.
4. Miner followed the command and connected to malicious pool.

The redirect command wasn't coming from the legitimate pool. Also, what's important - it wasn't injected into an existing connection between miner and legitimate pool. After disconnect miner tried to reconnect to legitimate pool but this reconnection was hijacked and the miner was redirected to malicious pool.

You are right that this is a form of Man In The Middle attack, but I think that MITM attack originates at user's place. Either on their mining rig or on some other host in the same local network. And if it's the case, then it's most likely done by some malicious software that the user downloaded.

Why I think that other places of attack (not close to the user) are unlikely? Affected users are geographically distributed all over the world - this is not some regional issue. Affected users were connect to different pools which are using different hosting providers - this is not an attack at the pool level. At the same time number of affected users is very tiny, which also points to a place of attack close to the user.

This is why I am suspecting some malicious software installed by the user.

For example, a new version of CGWatcher was released on Mar 21st, and the hijacking first started to happening at other multi-pools on Mar 22nd. A new version of a popular software is always a good moment to distribute maliciously modified version. I am not talking about CGWatcher authors, but someone else might modify the software and distribute modified version by submitting their own link to Reddit or some other mining related community.

I am also not telling that modified CGWatcher is responsible. This is just an example of a theoretical scenario how the attack might be performed. If you're affected, please think of what software did you download, when, where from, etc - basing on the example scenario above.

I am not using CGwatcher or CGremote.

I have 6 Rigs total, and 1 of the 6 rigs was redirected to 190.97.165.179, was using ny.clevermining.com.

SMOS Linux 1.3 with Kalroth.

Kalroth shoud be posting a new version of cgminer that will be immune to this.

I was affected by this problem starting about 5 hrs ago, where my hashrates slowly declined. I am on the NY server. I noticed this and rebooted my clients, hash rates are as per normal again.

I am running CGminer with CGwatcher and CGremote on fresh windows 7 boxes, no other applications run on said boxes.

Would a routed VPN to a say a VPS close to the Clevermining Datacenter mitigate the MITM attack chances of success? I am on the West Coast so i do have a fair number of hops, I am not using the SF server due to the high reject rates I get from it.

It is not a malware on users' computers. Miners are receiving stratum redirect commands. It is most likely a form of MITM attack, but definitely not something on the user end. It is happening among multiple pools with various mining clients and operating systems.

It is not cgwatcher/cgremote related, that user on Waffle has a separate issue.

Kalroth's thoughts:
https://bitcointalksearch.org/topic/m.5864631

Anyone hijacked WITHOUT using CGwatcher or CGremote?

I was told about this hijacking issue at Wafflepool and Multipool yesterday. Today couple of users at CleverMining report something similar. Most likely it's a result of some malicious software which you downloaded and/or use, but I'm also investigating other possibilities.

190.97.165.179 doesn't belong to CleverMining and is unaffiliated with CleverMining. If you see that your miners are connecting to this address, then you've been attacked and your mining profits are taken by someone else - basically you are mining at a malicious pool. If your stats on the CM website shows zero hashrate but your miners are running, check where they are mining at.

So far I counted four CleverMining users reporting this.

Other pool admins contacted me yesterday with this issue and I've been helping brainstorming source of this attack.

It doesn't look like an attack on CleverMining. Everything seems alright on my side and reports of miners hijacked are from only couple users. More users affected are at other pools. From what I know about the attack, it is targeting users, not the pools. Based on number affected users of different pools, I think it might be targeted at users of a specific pool (other than CleverMining, but they are mining here as well or switched here) or users of some other mining-related community (thread/subreddit), especially switch-mining community.

If you are affected, please think of any 3rd party software which you use and which you got from any mining pool thread or any other mining-related website. I am talking some tweaked miner software that someone shared in the mining-related place (tweaked cgminer/sgminer/BAMT/etc). Or some fancy monitoring tool to show you your miner stats. Or any 3rd party apps showing your stats at some pool. I am talking both downloadable/installed apps and webpages related to mining which you frequently visit.

If you are affected, please let me know about any such 3rd party software that you use. This might help finding a common denominator for all affected users and find the source of the attack.

I'm on multipool.us and I just lost 4 hours after all 3 of my miners got hijacked and redirected to 190.97.165.179 

Hijacking is a good idea to lower global hasrates and make GPU mining more profitable. 

Waffle and Multipool have also been hit with what looks like a MITM (Man In The Middle) attack that's been hijacking miners by redirects.  People are talking about it on multiple threads on the forum and on IRC.

I would say it's not on the mining pc ... I run both bamt and win7 mining rigs, and all switched at the same time.

would this be a compromise on the server or on the mining pc?

ya what the f is goin on?? 9Mh missing for 4-5hours... some of my rigs were pointed to 190.97.165.179. ... restarted cgminer now hashing in sf and rate is going up..

This is what's on 190.97.165.197:3333

http://pastebin.com/VRqgpDey

It autoupdates and adds new entries every so often. Seem to me that it's some sort of config that is redirecting the miners.