I recently purchased some Antminer S9's from eBay with bitmain firmware on them, I started seeing some abnormals in hash reporting vs actual hash rate at the pool.
I have seen numerous threads with people with the same problem but no resolve.
What I found:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:36.264415 IP (tos 0x0, ttl 64, id 9890, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.45.36302 > 192.169.6.241.48748: Flags [S], cksum 0xb9fd (correct), seq 2314096459, win 29200, options [mss 1460,sackOK,TS val 8285329 ecr 0,nop,wscale 5], length 0
0x0000: 4500 003c 26a2 4000 4006 8aaa c0a8 012d E..<&.@
[email protected] 0x0010: c0a9 06f1 8dce be6c 89ee 4f4b 0000 0000 .......l..OK....
0x0020: a002 7210 b9fd 0000 0204 05b4 0402 080a ..r.............
0x0030: 007e 6c91 0000 0000 0103 0305 .~l.........
11:22:37.245654 IP (tos 0x0, ttl 64, id 4740, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6562 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285566 ecr 0,nop,wscale 5], length 0
0x0000: 4500 003c 1284 4000 4006 9ec5 c0a8 0130 E..<..@
[email protected] 0x0010: c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000 .......l........
0x0020: a002 7210 6562 0000 0204 05b4 0402 080a ..r.eb..........
0x0030: 007e 6d7e 0000 0000 0103 0305 .~m~........
11:22:38.244593 IP (tos 0x0, ttl 64, id 4741, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x64fe (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285666 ecr 0,nop,wscale 5], length 0
0x0000: 4500 003c 1285 4000 4006 9ec4 c0a8 0130 E..<..@
[email protected] 0x0010: c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000 .......l........
0x0020: a002 7210 64fe 0000 0204 05b4 0402 080a ..r.d...........
0x0030: 007e 6de2 0000 0000 0103 0305 .~m.........
11:22:40.244595 IP (tos 0x0, ttl 64, id 4742, offset 0, flags [DF], proto TCP (6), length 60)
192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6436 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285866 ecr 0,nop,wscale 5], length 0
0x0000: 4500 003c 1286 4000 4006 9ec3 c0a8 0130 E..<..@
[email protected] 0x0010: c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000 .......l........
0x0020: a002 7210 6436 0000 0204 05b4 0402 080a ..r.d6..........
0x0030: 007e 6eaa 0000 0000 0103 0305 .~n.........
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel
This is a ANTBLEED VIRUS CLONE!
What this does:
The infected ant miner will boot up and connect to 192.169.6.241 on port: 48748 once connected: the miner will receive remote hashing and pool switching, AKA dev fee (BOT NETWORK)
"192.169.6.241" IS NOT YOUR LOCAL NETWORK... This is a hosted company hosting for the virus
The Virus will then change any SSH password on the local device and then begin a network subnet scan and try to install itself on other miners
You can tell in several ways this virus is on your network of miners,
1. that the WEBUI for the miner will show its status page VERY SLOW! this is due to the 100% CPU load and the MODIFIED bminer software that is on it.
2. Your miner with show HW errors on all chains, this is due to the modified bminer overclocking the miner to get better hash rate for the attacker!
Check your miner or router for ESTABLISHED CONNECTION to: 192.169.6.241 - If its there you have the virus
Solutions:
1. BLOCK ALL TRAFFIC to 192.169.6.0/24 on your network, and if you cannot block subnets, BLOCK 192.169.6.241 all protocols
2. Pull your miners off your network
3. CHANGE PASSWORDS on all your miners, don't leave default password
4. SD Card your miner and install latest firmware from your miner manufacture.
Where did the virus come from? Unknown I only purchased 3 Antminer S9's off eBay and had them on the test bench when I noticed it. It appeared to be running latest bitmain firmware from May/2019
LP