Hi,
I've used HiveOS for a few weeks now, on and off, as I've been ill lately, but so far I really love everything about the OS except for one thing:
At regular intervals, my rigs suddenly go offline, and rebooting doesn't help. I have to mount a display and check what is going on, and my rigs then appear under other names - "mark3", "mark6" etc. instead of my own rig names.
They also appear to be mining, but not to my own accounts. So I can only assume that I have been hacked, and someone else is taking the profit.
At first I was running Claymore miner, I did a bit of googling and found that there were mentions online of hacking vulnerabilities with that miner, and so I changed to Ethminer, but today it happened again. I managed to get the rig back after forcing "firstrun -f" and entering my own rig credentials again, and I'll see how long that lasts.
After one of the previous incidents, while I was still running Claymore, the rig would just crash immediately after attempting to force "firstrun -f", so the only way to get the rig back online was to flash a new OS on a USB stick and start over fresh.
I'd really appreciate input from people here about this issue - if anyone else has had similar issues, and if so, what to do to prevent it.
Thanks in advance!
Personally I would just redo everything from scratch: format drives, new install, new rig IDs, etc.
Thanks WaveRiderx,
That was exactly what I was thinking - and also what I did - on the first few occasions, but it gets really tedious after a while.
So this last time I just tried a quick fix - "firstrun -f". It didn't work on the first attempt, the rig came back under the supposed hacker's rig name, "mark3", but I tried once more, and then I was successful in assigning my own RIG ID, and it has now been successfully running all night without further incident. I suppose a really advanced hacker could have applied key loggers and thus recorded my passwords etc., and that a clean install would have been safer, but it is also more time consuming, and I didn't have much time last night, but didn't want to lose a whole night's mining revenue, so I just attempted the quick fix, thinking I can always do a fresh install and start completely from scratch with new RIG IDs, passwords etc. if it looks like they have been compromised. But so far so good with the quick fix (touch wood).
Maybe I am asking too much, but I think it would be really great if this security vulnerability in HiveOS could be fixed by the developer(s).
I just found a note I made after googling about the security vulnerability in Claymore, and will quote it below - unfortunately I have lost the URL of the original forum post, but it should be easy enough to find using Google if you are interested in researching more:
Security advice regarding Claymore miners.
Hello guys again
Another piece of security advice worth reading!
Recently more and more botnets are sniffing for the Claymore API port forwarded on routers across the whole internet.
Even when the Claymore API port is in read-only state, it seems that bots can still change the mining pool and wallet if the API (ethman) port is forwarded outside.
If you are using Claymore miners then I advise replacing -mport -3333 with -mport 127.0.0.1:3333
If you don't have -mport specified in your config then I advise adding it, as without it - it will act like -mport -3333 by default!
This way the Claymore API will be available only at localhost (for the stats reading that is sent to the dashboard) and not on your LAN IP address.
I changed all default configs to that setting, so if you are not sure just look at those examples.
Also please remember not to forward port 22. If you forward port 22 then botnets will find you in a matter of hours, I guess.
Here are some articles:
https://cryptovest.com/news/major-botnet-resurfaces-to-pounce-on-claymore-mining-rigs/
https://www.reddit.com/r/EtherMining/comments/6yoo47/claymore_hacked/
One thing I noticed earlier, which may support my theory, is that after one of my rigs crashed earlier, it appeared to come back after the crash with default settings applied - and it seems like Claymore is the default miner if HiveOS is crashing so hard that it can't find the previous rig settings after the crash.
So that means that if the rig is coming down hard, and defaulting back to Claymore, it will essentially be left vulnerable to Claymore botnet sniffers and hack attacks after every hard crash. I suspect that is what has happened to me - but I could of course be entirely wrong, as I am a mining and Linux noob. But it seems to me like a plausible theory for now. If it is correct then it would be great if the HiveOS developer (DimaFern, isn't it?) could patch HiveOS so that the -mport settings recommended for Claymore are automatically applied. It may be very easy to do this for anyone well versed in command-line Linux, but for complete Linux noobs like myself it is too advanced ATM. And it would have to be done after every hard crash; it would be much more secure if it was built into the OS, I think. Maybe changes could also be made so that Claymore isn't the default miner after a hard crash where previous settings are lost, if Claymore continues to be a security vulnerability.
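The -mport change the quoted advice recommends, together with the kind of automatic check the poster asks HiveOS to apply after a crash, as an added shell example (not HiveOS or Claymore code; the function names, the sample config line and the fake "ss -ltn" output are my own constructions):

```shell
# Added example, not HiveOS or Claymore code: classify and harden the Claymore
# -mport flag in a config line, and flag an API listener bound to every interface.
MPORT_RE='s/.*-mport[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*/\1/p'
# mport_status prints: missing (no flag: Claymore acts as "-mport -3333"),
# disabled ("-mport 0"), localhost (bound to 127.0.0.1, as the advice says)
# or exposed (anything else: reachable from the LAN or a forwarded port).
mport_status() {
    val=$(printf '%s\n' "$1" | sed -n "$MPORT_RE")
    if [ -z "$val" ]; then echo missing
    elif [ "$val" = 0 ]; then echo disabled
    else
        case "$val" in
            127.0.0.1:*|localhost:*) echo localhost ;;
            *) echo exposed ;;
        esac
    fi
}
# Rewrite the line so the API listens on 127.0.0.1 only, keeping the port
# number; a missing flag gets the explicit localhost setting appended.
harden_mport() {
    cfg=$1
    case "$(mport_status "$cfg")" in
        localhost|disabled) printf '%s\n' "$cfg" ;;
        missing) printf '%s -mport 127.0.0.1:3333\n' "$cfg" ;;
        exposed)
            val=$(printf '%s\n' "$cfg" | sed -n "$MPORT_RE")
            port=${val##*:}; port=${port#-}               # strip IP prefix and read-only minus
            esc=$(printf '%s' "$val" | sed 's/[.]/\\./g')  # escape dots for the sed pattern
            printf '%s\n' "$cfg" | sed "s|-mport[[:space:]]\{1,\}$esc|-mport 127.0.0.1:$port|" ;;
    esac
}
# From "ss -ltn" style output, print each port-3333 listener not bound to
# loopback: the condition the botnets in the advice are scanning for.
exposed_listeners() {
    printf '%s\n' "$1" | awk '$1=="LISTEN" && $4 ~ /:3333$/ && $4 !~ /^127\.0\.0\.1:/ {print $4}'
}
# Constructed sample input: a HiveOS-style Claymore config line and a fake
# "ss -ltn" snapshot in which the API is also open on all interfaces.
SAMPLE_CFG='-epool eu1.ethermine.org:4444 -ewal 0xWALLET.rig1 -mport -3333 -dbg -1'
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3333     0.0.0.0:*
LISTEN 0      128    0.0.0.0:3333       0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
mport_status "$SAMPLE_CFG"      # exposed
harden_mport "$SAMPLE_CFG"      # same line with -mport 127.0.0.1:3333
exposed_listeners "$SAMPLE_SS"  # 0.0.0.0:3333
```

Run it against the real config file and the real `ss -ltn` output to confirm the API is only reachable on loopback after a reboot or hard crash.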