Topic: I think I'm being attacked by unauthorized mining. Please help me identify it. (Read 1697 times)

legendary
Activity: 2576
Merit: 1186
Did the pool shut down this virus mining user account?
We don't have user accounts.
newbie
Activity: 10
Merit: 0
The files were just deleted and they don't appear to come back. Any other serious investigation will probably need someone to investigate the files.
full member
Activity: 125
Merit: 100
sr. member
Activity: 462
Merit: 250
It's all about the game, and how you play it
OK, you could kill the process, rename the .exe to .old and see if it comes back after a reboot. You're on Windows 64-bit from that; are you running XP, Vista or 7?
full member
Activity: 125
Merit: 100
Good luck to you buddy
legendary
Activity: 2576
Merit: 1186
Feel free to try to shut down the botnet. I suggest reporting it to your local authorities. In most jurisdictions, computer intrusion is a crime and the operator can go to jail. Please feel free to pass on my email to any authorities with an offer to provide assistance in any way I can.

As for blocking it at Eligius (which I operate), there is not much I can do. I could certainly block the address, but the botnet operator could easily change to another unidentified one. I figure it's better to leave the identified botnet address functional than to have it unidentified. Plus, banning a botnet would be like asking for another DDoS; I have enough of those to deal with already without inviting them.
newbie
Activity: 10
Merit: 0
I identified it with the help of user Red_Wolf_2 in the IRC channel of Eligius.

It appears to be a "bitcoin-miner 0.20  Copyright (c) 2011 Ufasoft" in ./bin/iexplore.exe

and something that does not return anything in ./src/iexplore.exe

The 2nd one is probably a launcher, maybe running dormant.


I have a zip file with them if anyone is interested. Send me an email etc.

That user in that IRC channel already has it.


--

Ah, Yahoo email identified an unpassworded zip with them as a virus, but both Avira and Malwarebytes Anti-Malware do not detect them.

--

They required some ninja moves in cmd to make the folders and files visible for copying.

--

I removed those files, and dirs, and I suppose it won't come back. If it does come back, tough, I guess they might have a "parent creator" (rare).

--

If I'm gone and you can't find me for those files, the user I mentioned may have it. Last I heard he identified the ./src file as being in .NET.
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
I don't think the real Internet Explorer resides in a folder called "bin". The whole iexplore.exe binary is probably the miner named to look like IE.

We won't necessarily know how to kill it off. The normal legitimate miner doesn't behave like a virus but it is open source, so virus writers are able to include it in their payloads and modify what it does. The whole restarting after you kill it is something definitely added in.
legendary
Activity: 1148
Merit: 1008
If you want to walk on water, get out of the boat
Congratulations, you got a virus...
hero member
Activity: 533
Merit: 500
^Bitcoin Library of Congress.
I don't know a lot about this kind of thing myself, but unless Eligius promotes bot-net use, you should be able to contact the pool owner and tell him to ban the miner from his pool.

P.S. This is just a temporary fix until you can't figure out how to get rid of it. This fix will only render the miner useless until someone changes the setting so it can mine again.
sr. member
Activity: 252
Merit: 250
I get on process explorer, once in a while, even after I kill it, almost 100% CPU time by an iexplore.exe process. Process explorer identifies it (fully) as ""C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass"

I will not pretend I know what bitcoin is exactly. I just learned a brief about it 10 minutes ago. I have never used or tried to use bitcoin before finding out this process.

Please help to identify what is going on or at least remove it from re-running itself. Apparently my antiviruses don't find it.
You definitely have been hit by a bitcoin virus, botnet, or worm. There is a chance that the following tool from Kaspersky Labs might help:

http://support.kaspersky.com/viruses/solutions?qid=208280684
newbie
Activity: 10
Merit: 0
I get on process explorer, once in a while, even after I kill it, almost 100% CPU time by an iexplore.exe process. Process explorer identifies it (fully) as ""C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass"

I will not pretend I know what bitcoin is exactly. I just learned a brief about it 10 minutes ago. I have never used or tried to use bitcoin before finding out this process.

Please help to identify what is going on or at least remove it from re-running itself. Apparently my antiviruses don't find it.
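The two tells in this thread are an iexplore.exe living in a "bin" subfolder that the real browser never uses, and a command line carrying miner arguments (a pool URL after -o, a payout address after -u). The script below is an added example, not code from the thread or from any tool named in it; it runs that check over a constructed process list (one entry built from the command line quoted above, one benign browser launch) and reports why each process looks like a disguised miner. The expected install directories and the regexes are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Assumed canonical install directories for the real iexplore.exe (lower-case for comparison).
IE_DIRS = {
    r"c:\program files\internet explorer",
    r"c:\program files (x86)\internet explorer",
}
# Pool URL schemes typically seen after "-o" on a miner command line.
POOL_URL = re.compile(r"^(https?|stratum\+tcp)://", re.I)
# Legacy base58 Bitcoin address: leading 1 or 3, 26-35 chars, no 0/O/I/l.
BTC_ADDR = re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$")

@dataclass
class Finding:
    image: str
    reasons: list = field(default_factory=list)

def split_cmdline(cmdline):
    """Tokenise a Windows command line, keeping double-quoted paths intact."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]

def inspect_process(image, cmdline):
    """Return a Finding listing every reason this process looks like a disguised miner."""
    finding = Finding(image)
    directory, _, name = image.lower().rpartition("\\")
    if name == "iexplore.exe" and directory not in IE_DIRS:
        finding.reasons.append(f"iexplore.exe outside its install directory: {directory}")
    argv = split_cmdline(cmdline)
    for i, tok in enumerate(argv[:-1]):
        if tok == "-o" and POOL_URL.match(argv[i + 1]):
            finding.reasons.append(f"mining pool argument -o {argv[i + 1]}")
        if tok == "-u" and BTC_ADDR.match(argv[i + 1]):
            finding.reasons.append(f"payout address argument -u {argv[i + 1]}")
    return finding

# Constructed sample: (image path, full command line) as a process lister would show them.
SAMPLE_PROCESSES = [
    # Built from the command line quoted in the thread (miner hiding in a "bin" subfolder).
    (r"C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe",
     r'"C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass'),
    # Benign: the real browser launched with a URL argument.
    (r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" http://example.com/'),
]

def suspicious(processes=SAMPLE_PROCESSES):
    """Return only the processes that triggered at least one reason."""
    return [f for f in (inspect_process(i, c) for i, c in processes) if f.reasons]

if __name__ == "__main__":
    for f in suspicious():
        print(f.image, *f.reasons, sep="\n  ")
```

On a live box you would feed the same function the image path and command line of each running process (for example from Process Explorer or a WMI query) instead of the constructed list.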