Topic: My EthOS instances, hacked (Read 500 times)

legendary
Activity: 1726
Merit: 1018
September 29, 2018, 11:30:29 AM
#9
That's brutal. I have Windows 10 on my mining rigs and considered EthOS. I have been hacked before with TeamViewer and won't install that on my rigs, or any other remote enabling software. I don't even check email on them. I'd follow the previous suggestions and maybe see if it is possible to lock your ports down. Not sure if that will help to prevent this in the future.

In my case they were able to gain access to my TeamViewer account.

I had read about that TeamViewer account hack a while back. You can lock down TeamViewer so it only accepts incoming connections from specific computers. That's what I started doing after hearing about that hack. I know it isn't exactly relevant to this discussion but thought I would throw it out there.
sr. member
Activity: 672
Merit: 252
Until the end
September 29, 2018, 09:36:11 AM
#8
So bad if you have a big farm and one day a hacker comes and takes it from your farm, man. Does someone know how to survive the hacker guys?

Best way to protect yourself is to have an image of your OS with all your configurations in place.  If this happens again at that point all that has to be done is re-load the image and you are ready to go.  In order to prevent this from happening again though you would need to determine where exactly the breach was and fix/patch it, and then re-image the newly patched OS.

I had a laptop that I had at work one time, open on my desk, not work related, and I noticed activity on the screen. The mouse was moving around and someone was able to remote in with TeamViewer and they started to transfer my bitcoin wallet. They got nothing however as it was passworded and empty at the time. For a long time I suspected a co-worker because I left my laptop open while I was not around, however I was eventually able to determine that my TeamViewer credentials were compromised. I don't install remote access software anymore on any of my coin/mining-related machines.

Use complex passwords and change them frequently, patch known vulnerabilities, don't become lazy or assume your coins are safe today because no one hacked you yesterday.
copper member
Activity: 20
Merit: 0
September 29, 2018, 03:29:20 AM
#7
So bad if you have a big farm and one day a hacker comes and takes it from your farm, man. Does someone know how to survive the hacker guys?
full member
Activity: 1179
Merit: 131
September 28, 2018, 11:32:15 PM
#6
Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, TeamViewer and a few other things automatically installed (and run)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox (easy to google it). A very old version comes packaged with EthOS.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack with sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesn't work, as auto reboots, can't change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS devs are?

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7



I've told many people to stay away from EthOS, main dev abandoned the project a year ago, terrible interface to change any settings, extremely costly (if you actually bought ONE per rig $40??). Here's how to not get hacked. Get rid of that PoS "mining operating system" and move to something like Simple-miningOS or, better than Simple Mining, HiveOS. If you don't like either of those (for some weird reason) you can always use NV-OC or RX-OC which are free and decent. I actually purchased EthOS in my review/quest for a mining OS. I didn't like it, clunky to change settings in claymore, how to monitor the miner remotely, etc., none of it was simple. Moved to SMOS which was better. I used that for a few months before jumping into HiveOS. HiveOS is by far and large the best Linux mining OS. Constant updates. 1-3 days for a newly released miner to get added in. Easy to see all your rigs, what failed, etc. In the end I'm actually using Windows and Awesome-miner because for my medium-sized farm it is actually cheaper paying one-time fees than monthly fees and Windows has far superior power saving features compared to Linux.

Amen to this, but anyone using these Linux-based mining OSes is living on borrowed time. The one theme I see with them is they all tout the mining updates they provide, but they also have zero documentation on what packages are installed, what kernel is installed, and if there is a security update mechanism. I mean this is the documentation: http://ethosdistro.com/source/ Ubuntu 14.04, really? I think it's safe to assume that no one that is running this is applying security updates with any frequency. If you want to run Linux, do it right and get Ubuntu or something similar and do it yourself. If that is too daunting, then Awesome miner on Windows is the best choice.
sr. member
Activity: 433
Merit: 254
September 25, 2018, 12:29:17 PM
#5
Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, TeamViewer and a few other things automatically installed (and run)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox (easy to google it). A very old version comes packaged with EthOS.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack with sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesn't work, as auto reboots, can't change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS devs are?

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7



So did you change default passwords for root and user at first or were you running default passwords?
sr. member
Activity: 672
Merit: 252
Until the end
September 25, 2018, 11:43:42 AM
#4
That's brutal. I have Windows 10 on my mining rigs and considered EthOS. I have been hacked before with TeamViewer and won't install that on my rigs, or any other remote enabling software. I don't even check email on them. I'd follow the previous suggestions and maybe see if it is possible to lock your ports down. Not sure if that will help to prevent this in the future.

In my case they were able to gain access to my TeamViewer account.
member
Activity: 246
Merit: 24
September 25, 2018, 11:25:04 AM
#3
Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, TeamViewer and a few other things automatically installed (and run)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox (easy to google it). A very old version comes packaged with EthOS.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack with sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesn't work, as auto reboots, can't change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS devs are?

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7



I've told many people to stay away from EthOS, main dev abandoned the project a year ago, terrible interface to change any settings, extremely costly (if you actually bought ONE per rig $40??). Here's how to not get hacked. Get rid of that PoS "mining operating system" and move to something like Simple-miningOS or, better than Simple Mining, HiveOS. If you don't like either of those (for some weird reason) you can always use NV-OC or RX-OC which are free and decent. I actually purchased EthOS in my review/quest for a mining OS. I didn't like it, clunky to change settings in claymore, how to monitor the miner remotely, etc., none of it was simple. Moved to SMOS which was better. I used that for a few months before jumping into HiveOS. HiveOS is by far and large the best Linux mining OS. Constant updates. 1-3 days for a newly released miner to get added in. Easy to see all your rigs, what failed, etc. In the end I'm actually using Windows and Awesome-miner because for my medium-sized farm it is actually cheaper paying one-time fees than monthly fees and Windows has far superior power saving features compared to Linux.
jr. member
Activity: 557
Merit: 5
September 25, 2018, 07:23:38 AM
#2
Whoa, that's big.
The hackers already received (at least) 614 ETH, probably through various hacks, and he started a bit more than a year ago.
I wonder why I'm working.
EthOS dev should look at this issue ASAP.
aar
member
Activity: 67
Merit: 16
September 24, 2018, 02:44:40 PM
#1
Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, TeamViewer and a few other things automatically installed (and run)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox (easy to google it). A very old version comes packaged with EthOS.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack with sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesn't work, as auto reboots, can't change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS devs are?

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7
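
Added example, not part of any post in this thread: a triage script for the three indicators the original post describes (an unexpected remote-access daemon in ps -ef, a proxywallet line in local.conf that is not your own, and the packaged ShellInABox version). It works on saved copies of the outputs; the file names, the second ps line, the placeholder own-wallet address and the minimum version passed in are assumptions chosen by the operator, not values from the thread.

```shell
# Added example: offline triage of the indicators listed in the original post.
# All sample data below is constructed for illustration.

# Print PID:command for remote-access daemons in saved `ps -ef` output ($1).
remote_daemons() {
    awk '$8 ~ /(teamviewerd|shellinaboxd)$/ { print $2 ":" $8 }' "$1"
}

# Print any proxywallet value in a local.conf copy ($1) that differs from
# the operator's own address ($2). Hex is compared case-insensitively.
wallet_mismatch() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" \
        '$1 == "proxywallet" && tolower($2) != want { print $2 }' "$1"
}

# Extract the version number from `shellinaboxd --version` text ($1).
siab_version() {
    printf '%s\n' "$1" | sed -n 's/^ShellInABox version \([0-9.]*\).*/\1/p'
}

# Succeed if version $1 sorts strictly before minimum $2 (needs sort -V).
older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# Run all checks: $1 = evidence dir, $2 = own wallet, $3 = minimum version.
triage() {
    remote_daemons "$1/ps.txt" | sed 's/^/remote-access daemon: /'
    wallet_mismatch "$1/local.conf" "$2" | sed 's/^/unexpected proxywallet: /'
    v=$(siab_version "$(cat "$1/siab.txt")")
    if older_than "$v" "$3"; then echo "shellinaboxd $v is older than $3"; fi
}

# Write constructed sample evidence to a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/ps.txt" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f
ethos     1200     1  0 14:32 ?        00:00:05 /opt/miners/claymore/miner
EOF
    echo 'proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60' > "$d/local.conf"
    echo 'ShellInABox version 2.10 (revision 239)' > "$d/siab.txt"
    echo "$d"
}
```

Typical use: d=$(make_samples); triage "$d" <your own wallet address> <minimum shellinaboxd version you accept>. On a real rig, save the outputs of ps -ef and shellinaboxd --version plus a copy of local.conf into the directory instead of calling make_samples.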
