Op owes no one anything, he could have changed all your pools to his
Second who the hell opens the ports?
Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz - page 5. (Read 25842 times)
January 02, 2014, 10:11:15 AM
January 02, 2014, 02:37:13 AM
Steve is helping here. He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.
A tip is also welcome :-D
January 02, 2014, 02:11:54 AM
OP is not bluffing. I can retrieve the IP addresses of KNC Miners from available search engine. The IP addresses are removed for security reason. Search result examples:
Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
By the look of your results i know how you found them, but it's a very bad tool to use.
It will only bring up about +/- 130 results, 3/4 of then are already dead.
Yup it's bad. Just want to demonstrate the possibility of finding the IPs.
January 02, 2014, 12:54:46 AM
Steve is helping here. He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.
January 02, 2014, 12:44:07 AM
OP is not bluffing. I can retrieve the IP addresses of KNC Miners from available search engine. The IP addresses are removed for security reason. Search result examples:
Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
By the look of your results i know how you found them, but it's a very bad tool to use.
It will only bring up about +/- 130 results, 3/4 of then are already dead.
January 02, 2014, 12:01:41 AM
OP is not bluffing. I can retrieve the IP addresses of KNC Miners from available search engine. The IP addresses are removed for security reason. Search result examples:
Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32
Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
January 01, 2014, 11:00:15 PM
...
Don't use Internet to access your miners directly.
Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them. Protect that page with user login and https.
Port forward your Internet connections to that page.
cgminer already has all this by default - I wrote it - but no idea if KnC enabled it or not.Don't use Internet to access your miners directly.
Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them. Protect that page with user login and https.
Port forward your Internet connections to that page.
I meant a page like your api-example.php. If you have 10 miners (on 10 different IPs) and one rPi watchdog. On that watchdog, have a page that would go
to 10 IPs and fetch API summaries, format and display. Something like
https://bitcointalksearch.org/topic/simple-cgminer-remote-monitoring-script-now-with-email-alerts-222632
rPi gpio ports that can be used to drive relays (via a simple transistor driver) to power cycle the miners (waiting for my relays to try this).
Got the gpio ports working (set them on 3.3V/off 0.4V), but not from the web server (requires access to sysfs). Work in progress...
Something like
http://code.google.com/p/raspberrypi-gpio/downloads/list but it uses mySQL, which is an overkill to do this if you ask me.
January 01, 2014, 04:21:48 PM
...
Don't use Internet to access your miners directly.
Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them. Protect that page with user login and https.
Port forward your Internet connections to that page.
cgminer already has all this by default - I wrote it - but no idea if KnC enabled it or not. Don't use Internet to access your miners directly.
Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them. Protect that page with user login and https.
Port forward your Internet connections to that page.
January 01, 2014, 01:41:17 PM
Wow I cant believe some people are jumping down your throat, I think you have done a great service to these guys by finding and highlighting these risks.
Thank you sir!
January 01, 2014, 11:28:47 AM
Hi all,
So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.
I've submitted a higly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].
1: Scan the internet, using a special tool, for the default KnC Miner header response
EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.
So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.
I've submitted a higly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].
1: Scan the internet, using a special tool, for the default KnC Miner header response
Code:
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"
EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.
Don't use Internet to access your miners directly.
Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them. Protect that page with user login and https.
Port forward your Internet connections to that page.
January 01, 2014, 10:30:36 AM
Wow I cant believe some people are jumping down your throat, I think you have done a great service to these guys by finding and highlighting these risks.
January 01, 2014, 09:49:42 AM
I'm glad you posted of the issue and think it's good to make the community aware of the issue, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.
In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.
I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...
In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.
I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...
Since KnC does not reply when i attempt to warn them, the best way to bring things to their attention is by involving the users/owners/customers.
The information i posted here, is nothing more than public source information as shown on their own Github page.
Believe me, no critical information is display on this forum. The information provided here is useless to so called 'hackers' trying to abuse miners.
If all details that i supplied to KnC are leaked, all public online miners are hacked within a 2 hour timespan.
I'm not looking to receive credits, badges or rewards by this exploit. I just want to prevent a massive miner attack.
Fair enough, apologize for jumping too quick on it.. A quick glance at your first post indicated enough was available, didn't realize it was missing some things...
January 01, 2014, 09:37:12 AM
I'm glad you posted of the issue and think it's good to make the community aware of the issue, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.
In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.
I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...
In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.
I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...
Since KnC does not reply when i attempt to warn them, the best way to bring things to their attention is by involving the users/owners/customers.
The information i posted here, is nothing more than public source information as shown on their own Github page.
Believe me, no critical information is display on this forum. The information provided here is useless to so called 'hackers' trying to abuse miners.
If all details that i supplied to KnC are leaked, all public online miners are hacked within a 2 hour timespan.
I'm not looking to receive credits, badges or rewards by this exploit. I just want to prevent a massive miner attack.
January 01, 2014, 09:23:52 AM
Yes, well posting ANY DETAILS should put the pressure on KnC to patch up their firmware.
To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for you miner?
Second of all, your http is seperated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.
Third of all, POST SOME LOGS THEN!!! That's why logs are made for anyway.
Last but not least, if i DID hacked your machine, it would not even be visible to you.
I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.
But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....
Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...
To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for you miner?
Second of all, your http is seperated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.
Third of all, POST SOME LOGS THEN!!! That's why logs are made for anyway.
Last but not least, if i DID hacked your machine, it would not even be visible to you.
I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.
But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....
Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...
I'm glad you posted of the issue and think it's good to make the community aware of the issue, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.
In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.
I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...
January 01, 2014, 08:18:43 AM
Yes, well posting ANY DETAILS should put the pressure on KnC to patch up their firmware.
To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for you miner?
Second of all, your http is seperated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.
Third of all, POST SOME LOGS THEN!!! That's why logs are made for anyway.
Last but not least, if i DID hacked your machine, it would not even be visible to you.
I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.
But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....
Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...
To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for you miner?
Second of all, your http is seperated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.
Third of all, POST SOME LOGS THEN!!! That's why logs are made for anyway.
Last but not least, if i DID hacked your machine, it would not even be visible to you.
I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.
But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....
Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...
Okay I call myself jaded and suspicious . Thanks for your efforts to warn us.
January 01, 2014, 07:50:54 AM
Yes, well posting ANY DETAILS should put the pressure on KnC to patch up their firmware.
To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for you miner?
Second of all, your http is seperated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.
Third of all, POST SOME LOGS THEN!!! That's why logs are made for anyway.
Last but not least, if i DID hacked your machine, it would not even be visible to you.
I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.
But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....
Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...
To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for you miner?
Second of all, your http is seperated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.
Third of all, POST SOME LOGS THEN!!! That's why logs are made for anyway.
Last but not least, if i DID hacked your machine, it would not even be visible to you.
I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.
But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....
Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...
December 31, 2013, 10:49:09 PM
Thanks to the OP for the warning, hopefully no-one lost due to this. Got to say that it's a fairly obvious target for anyone with skills and the mindset to try this eventually.
Could have been worse, could have been 2 months ago by someone sensible enough not to be greedy and milk a lot of rigs a little each day.
Posting ANY details was a bit "look at me" though, no need for that here, just warn KNC and advise the PW changes needed etc.
As for the rigs mentioned that seem to have lost some hashing, if they are on Slush there was a problem recently where earnings were deducted or some such nonsense which may account for that..which has been remedied now.
Could have been worse, could have been 2 months ago by someone sensible enough not to be greedy and milk a lot of rigs a little each day.
Posting ANY details was a bit "look at me" though, no need for that here, just warn KNC and advise the PW changes needed etc.
As for the rigs mentioned that seem to have lost some hashing, if they are on Slush there was a problem recently where earnings were deducted or some such nonsense which may account for that..which has been remedied now.
December 31, 2013, 08:52:13 PM
Well, it's either the OP or someone following their instructions ...
Have helped a couple of colo clients with hacked KNC kit today.
At least one of the brute-force attacks is coming from
109.201.154.184
Investigation into one hacked miner shows 1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
http://eligius.st/~wizkid057/newstats/userstats.php/1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
being used - and that's had a *huge* hashrate increase today
Have helped a couple of colo clients with hacked KNC kit today.
At least one of the brute-force attacks is coming from
109.201.154.184
Investigation into one hacked miner shows 1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
http://eligius.st/~wizkid057/newstats/userstats.php/1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
being used - and that's had a *huge* hashrate increase today
December 31, 2013, 06:47:14 PM
Wait... the OP is kind enough to inform us of a possible exploit and you're nailing him for it???
I rather this type of information is made public than kept under wraps and have "hackers" exploit it.
I rather this type of information is made public than kept under wraps and have "hackers" exploit it.
My thoughts exactly, thank you OP for doing the honourable thing and giving users a chance to lock down their machines before someone less honest found it.
December 31, 2013, 04:49:33 PM
what do you expect me to think?
That you should have some evidence beyond pure circumstance before slinging around legal threats?
Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?
P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely. Is it that difficult?
first off I am not the op. i did not brute force 28 knc machines he did. now when he did the brute force on the 28 machines he did not tell us he had permission to do it. so stop defending him for doing something that is not legal.
did his brute force attack hurt this person?
https://bitcointalksearch.org/topic/m.4140767
maybe I do not know but time wise it matches. was he off line for 3 or 5 hours extra due to the password attack ? do not know. I ask you this. would you want someone coming to the front door of your home and testing your door knob to see if it opens easily ?
so to the op did you have permission to attack the 28 machines? yes or no? my apologies if you informed those miners. before you attacked them
Wait... the OP is kind enough to inform us of a possible exploit and you're nailing him for it???
I rather this type of information is made public than kept under wraps and have "hackers" exploit it.
Besides, if you have a machine directly connected to the internet, you should sort of expect something like this to happen.
I mean if someone had remote access to your machine, locking you out should be the least of your concerns (since you would know something was wrong).
Instead, they could have reflashed your machine with a custom rom who's gui looks exactly like the standard knc one, but is set to mine for them on a part time basis (but also keep your settings as well).
Then you're paying resources to mine for them, all the while thinking your miner was defective/had stale shares. Not knowing its compromised.
It's even worst if they had it randomly mine for them on one of the larger pools (that only requires an address) - say like 2am to 6am, 10am to 12pm, then 2pm to 4pm. While occasionally submitting shares to your pools so it doesn't time out and alert you.
Then again, if this was a troll post, good job.
You got me
Jump to: