Author

Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 127. (Read 465769 times)

newbie
Activity: 7
Merit: 2
Code:
67272dab30992028ef77ee8d027a52a1e95582234e11ea9052a11626181c2ad4  -->  181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab

Looks like Worldcoin (first hash listed): http://bitinfocharts.com/worldcoin/block/1144085/181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab
sr. member
Activity: 560
Merit: 250
we are on new servers or ddos stopped???
it seems work better than before
newbie
Activity: 21
Merit: 0
The nefarious stratum server on 190.97.164.179:3333 is no longer answering.
It was not running standard stratum server pool -- normally the client sends data first (like HTTP) but this server was sending mining.notify immediately (more like SMTP).
The mining.notify includes the hash of the previous block, but it's endianess is opposite of what any block explorer expects, but someone with more patience than myself should be able to find what coin it was mining.

These are a few hashes I collected:
Code:
67272dab30992028ef77ee8d027a52a1e95582234e11ea9052a11626181c2ad4  -->  181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab
a5ed793ec7847f3b1904c3194d6bcec6977dc97b354a9f91c5c8985fb6344bb9  -->  b6344bb9c5c8985f354a9f91977dc97b4d6bcec61904c319c7847f3ba5ed793e
21cf02e69c9a41875ee6ea26dae7e9a1a993b2dc37b1fe0f829ae5172451612a  -->  2451612a829ae51737b1fe0fa993b2dcdae7e9a15ee6ea269c9a418721cf02e6
d0f67fec0722ba7f4ed0e10703a9afcbc86564316187944426906b5267345f62  -->  67345f6226906b5261879444c865643103a9afcb4ed0e1070722ba7fd0f67fec
430719e64f1653d0adb10b79ecb0a6bbcc8bfca77ab18713e123c66c03274404  -->  03274404e123c66c7ab18713cc8bfca7ecb0a6bbadb10b794f1653d0430719e6
First column is the hash from the mining.notify, second is the same swabbed around.
sr. member
Activity: 560
Merit: 250
IT SEEMS WE ARE BACK ONLINE Grin
newbie
Activity: 51
Merit: 0
EU pool working fine again for over (behold!) 15 minutes now for me.
hero member
Activity: 630
Merit: 500
My hashrate consistently going up ... maybe waffle is back online?

Yep! 15 minute hashrate still increasing Smiley ... how long who long who knows LOL
legendary
Activity: 3654
Merit: 8909
https://bpip.org
People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...

Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits.

I expect DDOSes will continue to be executed.

I'm not saying it's a conspiracy, but one and one only profit switching pool is up:

http://poolpicker.eu/

What do you think?

Not true. Hasco.ws, CleverMining, and ScryptGuild were and are up. Middlecoin seems to be accepting shares, although website is down, not sure about that.
hero member
Activity: 630
Merit: 500
A few shares getting thru to uswest.wafflepool.com from here but nowhere like normal Sad

Worker    15m Hashrate    15m Stalerate
1HANJQygp3jHuzutceBgMT7wfCgEug6h4L_gpu2    105.56 kH/s    0.00%

Seems to be picking up a bit ...

Hash Rate: 269.88 kH/s (15min approximated)
Worker    15m Hashrate    15m Stalerate
1HANJQygp3jHuzutceBgMT7wfCgEug6h4L_gpu2    269.88 kH/s    0.00%
newbie
Activity: 16
Merit: 0
Can someone explain how failover works and why it swtiched back to waffle and is mining shit all?


CGWatcher is your friend.
sr. member
Activity: 420
Merit: 250
What the hell is going on I had 3 fail-overs, and 2 Clevermining failovers  all in the one batch file, 1st failovers were 3 Waffle pool servers, Useast, USwest & Sea And then I had Sf.clevermining & ny.clevermining...

I am now at work for the next 7 hrs and have no control over the miner (DAMMIT) Yes I know I should of setup teamviewer I did have it setup before just never got around to do it again for this machine.


anyway I been checking clevermining stats and all was good untill I arrive at work I check again and clever stats reporting 0Mh/s so I checked waffle and this is report 1.1mh which is Ridiculous i  should be on 5.5-6Mhs on this 1 rig. Can someone explain how failover works and why it swtiched back to waffle and is mining shit all?


EDIT: Hmm Seems I did good with my failovers Smiley, waffle is now showing 5.5Mhs
hero member
Activity: 630
Merit: 500
People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...

Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits.

I expect DDOSes will continue to be executed.

I'm not saying it's a conspiracy, but one and one only profit switching pool is up:

http://poolpicker.eu/

What do you think?

us-west2.multipool.us is still up
member
Activity: 70
Merit: 10
I think Waffle is back online Smiley
member
Activity: 93
Merit: 10
People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...

Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits.

I expect DDOSes will continue to be executed.

I'm not saying it's a conspiracy, but one and one only profit switching pool is up:

http://poolpicker.eu/

What do you think?
member
Activity: 93
Merit: 10
If anyone has packet captures of work packets sent after their client was hijacked, could you post or send them? I'd be curious to see what they were mining. If it's DOGE, I'm also set up to extract the payout address from the coinbase parameters. A packet should look like this (I think this was an old packet capture from Clevermining):

Code:
{"id":null,"method":"mining.notify","params":["3a61","34d9b767ab5f9e4270ca11e6f823da99af2b6da089d7cb21490c3cce4831ac63","01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2703780702062f503253482f0436221c5308","0d2f6e6f64655374726174756d2f0000000001241b6d23db1200001976a914312f0edfb1647e2f9ddbc6a0faacf3c3c8d1d21588ac00000000",["e8c40423f1291090ace9ac3a88469cf61561ad9b0f06de877f9309b846264b9b","446dea3005104d328824ae1d93b6b26d6c18c69ed6cf3d5aa8a585eeebea534a","032c4da808bf500177768605095431ee58b2773e6397db02e93eae0db86952a4","d5e6cc3bc5dc96786f97cf42a07dff996ac4b9e572844300a0065c719d9ef186","5d7d235e26d856e1bb70ea2b669fa50b6ecf3256fc26ff0ac52d2ea2de4f5c08","2ab06ed0f757226b38213aeeaca5281d013f38259cc22ae04721ab35534d83fe","f66308601f97700e503e8cea31e8d1b57f34530054a222b4bb6f99015fd462a3"],"00000002","1b33c012","531c2247",true]}

And how the hijacker knew to what address the packet must be sent to and other parameters (TCP, UDP)? Systematic probing, sniffin' trafic somewhere?

Waffle told before that they are investigating the issue - but now is everything silent.
hero member
Activity: 693
Merit: 500
So....

did anyone investigate the possibility that the API for pool manipulation was being abused?  If can modify peoples pool settings to create a pool with specific settings and then switch to that pool - which probably points at an http URL which then sends the stratum reconnect command to point to whatever the wallet address is at the time...

this, in theory could be done via javascript in your browser, miner monitoring software, malware, etc.  

this tactic seems much easier than a large-scale man in the middle attack.

anyone whose miner is currently redirected and is running the curses interface, hit "S" for settings, then hit "W" for write.  Write it out to some config file and view it.  If it has more information in it than you put into it, post it here for people to evaluate.


From reviewing the code, it appeared to me that the client.reconnect message must have been received on an active stratum connection that had already passed the mining.subscribe, mining.authorize messages.  So at the very least the server to which it was connected must have been able to emulate a stratum mining server up to that point.

As for gathering the rest of that type of information from miners, it's not much unlike herding cats.  I had posted a list of information for affected miners to supply in order to help narrow down the cause, but not a single reply was posted.  Perhaps some might have sent directly to poolwaffle?

(I really wanted to see it happen on one of my miners!)


Yes, basic stratum functionality can be emulated by anything that does TCP/IP & sockets.  Just accept everything and say that it's good regardless of what they send you. 

Also, consider this, a pool can redirect from http to stratum, so I wouldn't rule out basic http as the genesis just yet, but I haven't gone through to see where that occurs in the chain. 

Ya, not a single one of my miners - 4 rigs in two locations got redirected.  None of them using SGMiner or CGMiner - From what another user told me, the api functions from cgwatcher or cgmonitor did not work against YACMiner until it was renamed cgminer.
legendary
Activity: 938
Merit: 1001
Looking through the code, I can only seem to find "client.reconnect" referenced in the stratum-mining-proxy rather than in the stratum itself. Could someone confirm this?
newbie
Activity: 7
Merit: 2
It would be great to find a miner who was keeping share logs AND actually solved a block, as then we could trace it to a wallet address, perhaps seeing how much they were able to siphon and where it might ultimately have ended up.

Even if they didn't solve a block, the coinbase parameter in the packet contains a payout address, so we can at least see where the coins would have gone.

Someone on Reddit posted a packet capture when it was mining Worldcoin, but a Litecoin or Dogecoin packet would be more interesting.
newbie
Activity: 51
Merit: 0
Kalroth cgminer for sure and sgminer I think have a configurable delay for how long to wait before returning back to a failed server that is back up again -- just in case you are bouncing around and don't like it happening.
Thank you for the hint but it's not that bad, at least this whole situation gives me a reason to finally add useful pool controls to my pet coding project.
full member
Activity: 168
Merit: 100
So....

did anyone investigate the possibility that the API for pool manipulation was being abused?  If can modify peoples pool settings to create a pool with specific settings and then switch to that pool - which probably points at an http URL which then sends the stratum reconnect command to point to whatever the wallet address is at the time...

this, in theory could be done via javascript in your browser, miner monitoring software, malware, etc.  

this tactic seems much easier than a large-scale man in the middle attack.

anyone whose miner is currently redirected and is running the curses interface, hit "S" for settings, then hit "W" for write.  Write it out to some config file and view it.  If it has more information in it than you put into it, post it here for people to evaluate.


From reviewing the code, it appeared to me that the client.reconnect message must have been received on an active stratum connection that had already passed the mining.subscribe, mining.authorize messages.  So at the very least the server to which it was connected must have been able to emulate a stratum mining server up to that point.

As for gathering the rest of that type of information from miners, it's not much unlike herding cats.  I had posted a list of information for affected miners to supply in order to help narrow down the cause, but not a single reply was posted.  Perhaps some might have sent directly to poolwaffle?

(I really wanted to see it happen on one of my miners!)
sr. member
Activity: 322
Merit: 254
If anyone has packet captures of work packets sent after their client was hijacked, could you post or send them? I'd be curious to see what they were mining. If it's DOGE, I'm also set up to extract the payout address from the coinbase parameters. A packet should look like this (I think this was an old packet capture from Clevermining):

Code:
{"id":null,"method":"mining.notify","params":["3a61","34d9b767ab5f9e4270ca11e6f823da99af2b6da089d7cb21490c3cce4831ac63","01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2703780702062f503253482f0436221c5308","0d2f6e6f64655374726174756d2f0000000001241b6d23db1200001976a914312f0edfb1647e2f9ddbc6a0faacf3c3c8d1d21588ac00000000",["e8c40423f1291090ace9ac3a88469cf61561ad9b0f06de877f9309b846264b9b","446dea3005104d328824ae1d93b6b26d6c18c69ed6cf3d5aa8a585eeebea534a","032c4da808bf500177768605095431ee58b2773e6397db02e93eae0db86952a4","d5e6cc3bc5dc96786f97cf42a07dff996ac4b9e572844300a0065c719d9ef186","5d7d235e26d856e1bb70ea2b669fa50b6ecf3256fc26ff0ac52d2ea2de4f5c08","2ab06ed0f757226b38213aeeaca5281d013f38259cc22ae04721ab35534d83fe","f66308601f97700e503e8cea31e8d1b57f34530054a222b4bb6f99015fd462a3"],"00000002","1b33c012","531c2247",true]}

I've got one here, soon as I get these servers back up, remind me (email please) and I'll dig through the pcap.
Jump to: