Pages:
Author

Topic: Multiple YiiMP pools hacked, this is what we know so far.. - page 6. (Read 15725 times)

full member
Activity: 186
Merit: 100
granatgas-pool.info
i have found to but in different ip 141.101.69.188

Code:
2017/09/08 17:22:25 [error] 14380#14380: *20037 FastCGI sent in stderr: "PHP message: PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
PHP message: PHP Notice:  Use of undefined constant mysqli_connect - assumed 'mysqli_connect' in /var/web/lds.php on line 293" while reading response header from upstream, client: 141.101.69.188, server: granatgas-pool.info, request: "GET /lds.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "granatgas-pool.info"
full member
Activity: 192
Merit: 101
So, a lot of YiiMP pools got hacked, mine included.

So of course I try to understand what has happened. Looking at the nginx server logs I find this:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

As you can see, nginx returns a 200 HTTP code, which means that the file has been found.
I just checked, the file is not on the server.. This leads me to believe that someone found a way to upload a php file that either is:
 a php shell (unlikely)
 a script getting RPC credentials from the YiiMP database to connect to coin daemons directly (most likely IMO).

later, the script was told to delete itself by passing the d parameter I assume.

grepping the server log for all entries from the 51.15.40.233 IP yields these results:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

Checking the IP it turns out that it is a Tor exit node. I am still not sure how that file got on my server in the first place.

Checking the nginx error log, this is shown:

Code:
2017/09/08 21:31:27 [error] 18760#18760: *5664081 FastCGI sent in stderr: "PHP message: PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
PHP message: PHP Notice:  Use of undefined constant mysqli_connect - assumed 'mysqli_connect' in /var/web/lds.php on line 293" while reading response header from upstream, client: 51.15.40.233, server: _, request: "GET /lds.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "kawaiipool.party"

Obviously I would be very interested from other YiiMP based pools if they find something similar in their logs, so I will be sending a link to this thread to some other YiiMP based pool owners.
If we are lucky, maybe the hacker forgot to delete lds.php from one of the pools and we can get a better understanding of what happened.


Edit: It seems the hacker used the dumpprivkey RPC command on wallets, so if you are running a mining pool you should assume the hacker has access to all mined funds - change addresses at once, just to be sure. Of course, until we find out how the hacker got in, you should disable mining anyway as a safety measure.
Pages:
Jump to: