Topic: antminer s9k Infected firmware (Read 518 times)

legendary
Activity: 2436
Merit: 6643
be constructive or S.T.F.U
September 14, 2019, 07:44:32 PM
#16
How can you tell your miner has been compromised other than observing that your miner configuration changes to something foreign? 

Nothing else except for the obvious pool results. If your miner is compromised, then your daily/weekly average hashrate will be less than that reported on the miner. There are of course other things that might cause this issue to happen, such as a bad internet connection or overclocking that causes hardware errors and so on, but aside from that I am not aware of any other method.

Well, you can also monitor your network traffic and look for any unknown packet transfer, but if it happens that you and the hacker use the same pool, then that would be useless.

As for the firmware, you should never use any firmware that does not come from the manufacturer; open-source firmware such as Braiins might be an exception.
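An added example, not written by any poster in this thread: one way to catch the pool change discussed above by polling the miner instead of noticing it by eye, including the case where the attacker uses the same pool. It assumes the miner's firmware exposes a cgminer-compatible API whose `pools` reply lists a `URL` and `User` for each pool; the pool hosts, worker names and sample replies are constructed.

```python
import json
from urllib.parse import urlsplit

# Pools the operator configured: (host, port, worker). Constructed placeholders.
EXPECTED = {
    ("pool.example.net", 3333, "myaccount.s9k1"),
    ("backup.example.net", 3333, "myaccount.s9k1"),
}

def pools_in_reply(raw):
    """Return (host, port, user) for each pool in a cgminer-style 'pools' reply."""
    reply = json.loads(raw.rstrip("\x00"))  # tolerate a trailing NUL terminator
    found = []
    for pool in reply.get("POOLS", []):
        url = urlsplit(pool.get("URL", ""))
        found.append((url.hostname or "", url.port, pool.get("User", "")))
    return found

def foreign_pools(raw, expected=EXPECTED):
    """Pools whose host, port or worker is not on the allowlist.

    The worker is part of the key, so a hijack that keeps the operator's own
    pool but mines to someone else's account is still reported.
    """
    return [p for p in pools_in_reply(raw) if p not in expected]

def first_drift(samples, expected=EXPECTED):
    """samples: (timestamp, raw_reply) pairs, oldest first.
    Returns (timestamp, foreign entries) for the first drifted sample, or None."""
    for stamp, raw in samples:
        bad = foreign_pools(raw, expected)
        if bad:
            return stamp, bad
    return None

def _reply(*pools):  # builds a constructed sample reply
    return json.dumps({"POOLS": [{"URL": u, "User": w} for u, w in pools]}) + "\x00"

# Constructed polling history for one miner (not captured from a real device).
SAMPLES = [
    ("2019-09-08T21:45", _reply(("stratum+tcp://pool.example.net:3333", "myaccount.s9k1"))),
    ("2019-09-08T21:50", _reply(("stratum+tcp://pool.example.net:3333", "otheraccount.x"),
                                ("stratum+tcp://foreign.example.org:3334", "otheraccount.x"))),
]

if __name__ == "__main__":
    print(first_drift(SAMPLES))
```

Logging the timestamp of the first drifted sample also records when the switch happens, which matters when the change is triggered at a fixed time of day.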
jr. member
Activity: 43
Merit: 28
September 14, 2019, 06:43:47 PM
#15
How can you tell your miner has been compromised other than observing that your miner configuration changes to something foreign? 

I.e., is there firmware that we need to avoid? Or is the control board firmware not even reported?

Thanks.
legendary
Activity: 2436
Merit: 6643
be constructive or S.T.F.U
September 14, 2019, 06:23:57 PM
#14
I have seen this virus before. I don't recall the exact wallet address, but I am sure that the second pool was Nicehash (Japan). I have fixed this issue, although I don't know the cause, but here is what I did to fix it once and for all.


1-Get a new laptop/PC which has never been on the same LAN (it doesn't have to be brand new, it has to be new to the LAN)
2-Disconnect every miner, keep 1 miner only (you need to fix them one at a time)
3-Reset the miner using the IP report button method (make sure you do it right)
4-Immediately after the miner's IP shows up, change the password to a very complex one

Now this step needs a bit of preparation; in order to do it the right way, I suggest the following:

a-Alter your DHCP setting on the router to allow only 1 IP address, so that you always know the IP the miner is going to take
b-Type the URL in advance: http://192.168.X.X/administration.html (depending on the IP your miner is going to use)
c-Right after the miner turns on, refresh the page; as soon as it shows up, change the password

5-Flash the latest firmware afterwards.


Make sure you follow these steps; it should work. If everything goes fine, you need to learn how to protect your miners in the future.
legendary
Activity: 2030
Merit: 1573
CLEAN non GPL infringing code made in Rust lang
September 10, 2019, 09:35:56 AM
#13
yes
After resetting the miners I choose a strong password and I can also configure them to work for me, but as I said, at a specific time the configuration changes automatically, unfortunately!

I think the only way that I can overcome this problem is to re-flash the miners from an SD card, but I can't find the image file for the S9k model.

Lol Bitmain is a joke, they don't have ANY S9 image for this method. They literally instruct people to use the T9+ image, and THEN after you get that installed, you get to use its web ui to "update into" the S9 image (because the T9+ firmware won't mine at all on the S9).

Given the fortune customers bring to Bitmain, it's downright insulting they don't bother to provide the images for each model directly.

But I have no idea about the S9k, whether that method still applies to it, as it depends on the controller.


Moral of the story: Never use default passwords. But without ssh access, changing the root password there might be tricky... You'll have to learn the method the malware is using. I wonder if your "hacked" miners have ssh enabled; can you nmap one to see what ports it has open?
newbie
Activity: 12
Merit: 0
September 09, 2019, 07:19:36 PM
#12
I thought all new firmware from Bitmain would close its SSH port?
With this, is it still possible for the miner to be hacked?
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
September 08, 2019, 03:13:31 PM
#11
I followed the instructions; unfortunately this file doesn't flash the S9k model. Actually, the miner doesn't read the SD card with this image file. The red and green lights constantly keep turning on and never blink ...

It looks like Bitmain has already released a new guide to flash this model. According to the article below, you need to contact their support to get the image for this model.

Check this link:
- S17/S17Pro/S9 SE/S9k/Z11 control board program recovery (SD card flashing with customized PW)

So I think you need to wait for their response about the image for the S9k, but if you are in a hurry you can call them at this number, +65-3138-9024, if you are living outside China; if you are living in China you can contact them directly at this number: 400-890-8855 (Monday-Saturday 8:00-21:00)
newbie
Activity: 5
Merit: 0
September 08, 2019, 02:17:56 PM
#10
I followed the instructions; unfortunately this file doesn't flash the S9k model. Actually, the miners don't read the SD card with this image file. The red and green lights constantly keep turning on and never blink ...
legendary
Activity: 3472
Merit: 3217
Playbet.io - Crypto Casino and Sportsbook
September 08, 2019, 01:38:17 PM
#9
I think the only way that I can overcome this problem is to re-flash the miners from an SD card, but I can't find the image file for the S9k model.

The link is already posted above. You need to use this one, "t9+-SD Tools.zip"; after you flash with the t9+ image you can flash it again with the S9k firmware, but through the WebGUI as an update.
Then don't forget to change your administrator's password.

Summary:
t9+-SD tools.zip>WebGui>S9k firmware>change admin pass.

The guide can be found here: S9 series (S9, S9i, S9j, S9 Hydro) Control Board Program Recovery

If the above guide didn't work and you still have the virus, you need to follow this step-by-step guide from Bitmain below:

- Viruses, malware and remote attacks on Antminers – How to prevent and remove them?
newbie
Activity: 5
Merit: 0
September 08, 2019, 12:03:24 PM
#8
Did you add a second router with a second firewall?

No, I didn't. I have only one MikroTik router, a switch and an ADSL modem.

Did you time how long it takes for a switch to occur?

It depends on when I perform the factory reset. In fact the miners start mining for the hacker at 21:50 pm (local time). So, if I reset the miners in the morning, they will work correctly. As the time reaches 21:50 pm the configuration changes automatically. After 21:50 pm resetting the miners changes nothing! The configuration is not for me!
I think the hacker could have installed custom firmware on my miners, and resetting the firmware doesn't change anything. Even installing the web-based official firmware is not helpful.

Thanks for your attention.

I sent an email to Bitmain and asked them to send the image file to recover the control board; maybe they can help me.
legendary
Activity: 4326
Merit: 8950
'The right to privacy matters'
September 08, 2019, 11:27:53 AM
#7
yes
After resetting the miners I choose a strong password and I can also configure them to work for me, but as I said, at a specific time the configuration changes automatically, unfortunately!

I think the only way that I can overcome this problem is to re-flash the miners from an SD card, but I can't find the image file for the S9k model.

Did you add a second router with a second firewall?

Did you time how long it takes for a switch to occur?

If the switch is in 10 minutes it is worse than if the switch is in 10 hours.

If the switch takes 10 hours you can hard boot every 9 hours. Simply power down for five minutes then power up.

Until you get an image for the gear it may be what you need to do.

You can do the double router trick it works sometimes.
newbie
Activity: 5
Merit: 0
September 08, 2019, 11:17:19 AM
#6
yes
After resetting the miners I choose a strong password and I can also configure them to work for me, but as I said, at a specific time the configuration changes automatically, unfortunately!

I think the only way that I can overcome this problem is to re-flash the miners from an SD card, but I can't find the image file for the S9k model.
legendary
Activity: 4326
Merit: 8950
'The right to privacy matters'
September 08, 2019, 11:09:42 AM
#5
Yeah maybe.

Can you get it to go back to your pools after a reset?

Put in a long password.
change from
root
root

to something like this

root-AAaSD12
root-Fuckyouscamer12345

put in a second router

modem to ............ put in a long password to this router
router to
switch to
your old gear
and 1 line to

use a long password to with a firewall
new router  to switch        to bad gear  which all have long passwords.

the  hacker may be accessing the gear via internet.

finding the 4 units behind 2 firewalls with long passwords may stop him.
newbie
Activity: 5
Merit: 0
September 08, 2019, 11:01:24 AM
#4

Thanks for your reply.
https://service.bitmain.com/support/download?product=Flashing%20SD%20card%20with%20image
In this link there is no related file for the Antminer S9k! Which one is appropriate for me?

https://support.bitmain.com/hc/en-us/articles/360019493654-S9-series-S9-S9i-S9j-S9-Hydro-Control-Board-Program-Recovery
I have checked this link as well, and I want to say that the S9k is a little different from the S9 series.
The S9k has a different control board (model ctrl-c43) and has only one jumper on the board.

Can anyone help me?
legendary
Activity: 4326
Merit: 8950
'The right to privacy matters'
September 08, 2019, 10:54:08 AM
#3
I punched in the address on the image and get 0 coins.



https://www.blockchain.com/btc/address/3BjMWfED7RJvtBPPikJpweDT6A9xRW952x
newbie
Activity: 5
Merit: 0
September 08, 2019, 10:44:01 AM
#1
Hi

I have 4 miners, which are S9k models....

Recently I noticed that at specific times the configuration changes automatically and as a result the miners don't work for me!
I tried to install the Bitmain official firmware (web-based) and did a factory reset as well, but none of them were helpful.
Actually I need the image file for control board recovery to re-flash from an SD card; however, I couldn't find it anywhere, even on the Bitmain website!
By the way, I tried the Bitmain anti-virus tool but it didn't solve the problem.

Can anyone help me to overcome this problem?

In the image below I share the hacker's configuration.

http://s2.picofile.com/file/8371825676/configuration.jpeg