[POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 127.

paul.miner

newbie

Activity: 7

Merit: 2

Quote from: SnowLeopard on March 24, 2014, 06:51:12 PM

Code:

67272dab30992028ef77ee8d027a52a1e95582234e11ea9052a11626181c2ad4  -->  181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab

Looks like Worldcoin (first hash listed): http://bitinfocharts.com/worldcoin/block/1144085/181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab

oktay50000

sr. member

Activity: 560

Merit: 250

we are on new servers or ddos stopped???
it seems work better than before

SnowLeopard

newbie

Activity: 21

Merit: 0

The nefarious stratum server on 190.97.164.179:3333 is no longer answering.
It was not running standard stratum server pool -- normally the client sends data first (like HTTP) but this server was sending mining.notify immediately (more like SMTP).
The mining.notify includes the hash of the previous block, but it's endianess is opposite of what any block explorer expects, but someone with more patience than myself should be able to find what coin it was mining.

These are a few hashes I collected:

Code:

67272dab30992028ef77ee8d027a52a1e95582234e11ea9052a11626181c2ad4  -->  181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab
a5ed793ec7847f3b1904c3194d6bcec6977dc97b354a9f91c5c8985fb6344bb9  -->  b6344bb9c5c8985f354a9f91977dc97b4d6bcec61904c319c7847f3ba5ed793e
21cf02e69c9a41875ee6ea26dae7e9a1a993b2dc37b1fe0f829ae5172451612a  -->  2451612a829ae51737b1fe0fa993b2dcdae7e9a15ee6ea269c9a418721cf02e6
d0f67fec0722ba7f4ed0e10703a9afcbc86564316187944426906b5267345f62  -->  67345f6226906b5261879444c865643103a9afcb4ed0e1070722ba7fd0f67fec
430719e64f1653d0adb10b79ecb0a6bbcc8bfca77ab18713e123c66c03274404  -->  03274404e123c66c7ab18713cc8bfca7ecb0a6bbadb10b794f1653d0430719e6

First column is the hash from the mining.notify, second is the same swabbed around.

oktay50000

sr. member

Activity: 560

Merit: 250

IT SEEMS WE ARE BACK ONLINE Grin

ElMariachi

newbie

Activity: 51

Merit: 0

EU pool working fine again for over (behold!) 15 minutes now for me.

utahjohn

hero member

Activity: 630

Merit: 500

My hashrate consistently going up ... maybe waffle is back online?

Yep! 15 minute hashrate still increasing

... how long who long who knows LOL

suchmoon

legendary

Activity: 3654

Merit: 8909

https://bpip.org

Quote from: bbbbbb2014 on March 24, 2014, 06:10:13 PM

Quote from: bbbbbb2014 on March 24, 2014, 10:26:02 AM

Quote from: dogechode on March 24, 2014, 09:57:43 AM

People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...

Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits.

I expect DDOSes will continue to be executed.

I'm not saying it's a conspiracy, but one and one only profit switching pool is up:

http://poolpicker.eu/

What do you think?

Not true. Hasco.ws, CleverMining, and ScryptGuild were and are up. Middlecoin seems to be accepting shares, although website is down, not sure about that.

utahjohn

hero member

Activity: 630

Merit: 500

A few shares getting thru to uswest.wafflepool.com from here but nowhere like normal Sad

Worker    15m Hashrate    15m Stalerate
1HANJQygp3jHuzutceBgMT7wfCgEug6h4L_gpu2    105.56 kH/s    0.00%

Seems to be picking up a bit ...

Hash Rate: 269.88 kH/s (15min approximated)
Worker    15m Hashrate    15m Stalerate
1HANJQygp3jHuzutceBgMT7wfCgEug6h4L_gpu2    269.88 kH/s    0.00%

libbyporit

newbie

Activity: 16

Merit: 0

Quote from: gtraah on March 24, 2014, 06:25:10 PM

Can someone explain how failover works and why it swtiched back to waffle and is mining shit all?

CGWatcher is your friend.

gtraah

sr. member

Activity: 420

Merit: 250

What the hell is going on I had 3 fail-overs, and 2 Clevermining failovers all in the one batch file, 1st failovers were 3 Waffle pool servers, Useast, USwest & Sea And then I had Sf.clevermining & ny.clevermining...

I am now at work for the next 7 hrs and have no control over the miner (DAMMIT) Yes I know I should of setup teamviewer I did have it setup before just never got around to do it again for this machine.

anyway I been checking clevermining stats and all was good untill I arrive at work I check again and clever stats reporting 0Mh/s so I checked waffle and this is report 1.1mh which is Ridiculous i should be on 5.5-6Mhs on this 1 rig. Can someone explain how failover works and why it swtiched back to waffle and is mining shit all?

EDIT: Hmm Seems I did good with my failovers

, waffle is now showing 5.5Mhs

utahjohn

hero member

Activity: 630

Merit: 500

Quote from: bbbbbb2014 on March 24, 2014, 06:10:13 PM

Quote from: bbbbbb2014 on March 24, 2014, 10:26:02 AM

Quote from: dogechode on March 24, 2014, 09:57:43 AM

People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...

Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits.

I expect DDOSes will continue to be executed.

I'm not saying it's a conspiracy, but one and one only profit switching pool is up:

http://poolpicker.eu/

What do you think?

us-west2.multipool.us is still up

Rock6.3

member

Activity: 70

Merit: 10

I think Waffle is back online

bbbbbb2014

member

Activity: 93

Merit: 10

Quote from: bbbbbb2014 on March 24, 2014, 10:26:02 AM

Quote from: dogechode on March 24, 2014, 09:57:43 AM

People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...

Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits.

I expect DDOSes will continue to be executed.

I'm not saying it's a conspiracy, but one and one only profit switching pool is up:

http://poolpicker.eu/

What do you think?

bbbbbb2014

member

Activity: 93

Merit: 10

Quote from: paul.miner on March 24, 2014, 04:22:45 PM

If anyone has packet captures of work packets sent after their client was hijacked, could you post or send them? I'd be curious to see what they were mining. If it's DOGE, I'm also set up to extract the payout address from the coinbase parameters. A packet should look like this (I think this was an old packet capture from Clevermining):

Code:

{"id":null,"method":"mining.notify","params":["3a61","34d9b767ab5f9e4270ca11e6f823da99af2b6da089d7cb21490c3cce4831ac63","01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2703780702062f503253482f0436221c5308","0d2f6e6f64655374726174756d2f0000000001241b6d23db1200001976a914312f0edfb1647e2f9ddbc6a0faacf3c3c8d1d21588ac00000000",["e8c40423f1291090ace9ac3a88469cf61561ad9b0f06de877f9309b846264b9b","446dea3005104d328824ae1d93b6b26d6c18c69ed6cf3d5aa8a585eeebea534a","032c4da808bf500177768605095431ee58b2773e6397db02e93eae0db86952a4","d5e6cc3bc5dc96786f97cf42a07dff996ac4b9e572844300a0065c719d9ef186","5d7d235e26d856e1bb70ea2b669fa50b6ecf3256fc26ff0ac52d2ea2de4f5c08","2ab06ed0f757226b38213aeeaca5281d013f38259cc22ae04721ab35534d83fe","f66308601f97700e503e8cea31e8d1b57f34530054a222b4bb6f99015fd462a3"],"00000002","1b33c012","531c2247",true]}

And how the hijacker knew to what address the packet must be sent to and other parameters (TCP, UDP)? Systematic probing, sniffin' trafic somewhere?

Waffle told before that they are investigating the issue - but now is everything silent.

Thirtybird

hero member

Activity: 693

Merit: 500

Quote from: comeonalready on March 24, 2014, 05:01:13 PM

Quote from: Thirtybird on March 24, 2014, 04:49:18 PM

So....

did anyone investigate the possibility that the API for pool manipulation was being abused? If can modify peoples pool settings to create a pool with specific settings and then switch to that pool - which probably points at an http URL which then sends the stratum reconnect command to point to whatever the wallet address is at the time...

this, in theory could be done via javascript in your browser, miner monitoring software, malware, etc.

this tactic seems much easier than a large-scale man in the middle attack.

anyone whose miner is currently redirected and is running the curses interface, hit "S" for settings, then hit "W" for write. Write it out to some config file and view it. If it has more information in it than you put into it, post it here for people to evaluate.

From reviewing the code, it appeared to me that the client.reconnect message must have been received on an active stratum connection that had already passed the mining.subscribe, mining.authorize messages. So at the very least the server to which it was connected must have been able to emulate a stratum mining server up to that point.

As for gathering the rest of that type of information from miners, it's not much unlike herding cats. I had posted a list of information for affected miners to supply in order to help narrow down the cause, but not a single reply was posted. Perhaps some might have sent directly to poolwaffle?

(I really wanted to see it happen on one of my miners!)

Yes, basic stratum functionality can be emulated by anything that does TCP/IP & sockets. Just accept everything and say that it's good regardless of what they send you.

Also, consider this, a pool can redirect from http to stratum, so I wouldn't rule out basic http as the genesis just yet, but I haven't gone through to see where that occurs in the chain.

Ya, not a single one of my miners - 4 rigs in two locations got redirected. None of them using SGMiner or CGMiner - From what another user told me, the api functions from cgwatcher or cgmonitor did not work against YACMiner until it was renamed cgminer.

TheCoinFinder

legendary

Activity: 938

Merit: 1001

Looking through the code, I can only seem to find "client.reconnect" referenced in the stratum-mining-proxy rather than in the stratum itself. Could someone confirm this?

paul.miner

newbie

Activity: 7

Merit: 2

Quote from: comeonalready on March 24, 2014, 04:48:11 PM

It would be great to find a miner who was keeping share logs AND actually solved a block, as then we could trace it to a wallet address, perhaps seeing how much they were able to siphon and where it might ultimately have ended up.

Even if they didn't solve a block, the coinbase parameter in the packet contains a payout address, so we can at least see where the coins would have gone.

Someone on Reddit posted a packet capture when it was mining Worldcoin, but a Litecoin or Dogecoin packet would be more interesting.

ElMariachi

newbie

Activity: 51

Merit: 0

Quote from: comeonalready on March 24, 2014, 04:15:27 PM

Kalroth cgminer for sure and sgminer I think have a configurable delay for how long to wait before returning back to a failed server that is back up again -- just in case you are bouncing around and don't like it happening.

Thank you for the hint but it's not that bad, at least this whole situation gives me a reason to finally add useful pool controls to my pet coding project.

comeonalready

full member

Activity: 168

Merit: 100

Quote from: Thirtybird on March 24, 2014, 04:49:18 PM

So....

did anyone investigate the possibility that the API for pool manipulation was being abused? If can modify peoples pool settings to create a pool with specific settings and then switch to that pool - which probably points at an http URL which then sends the stratum reconnect command to point to whatever the wallet address is at the time...

this, in theory could be done via javascript in your browser, miner monitoring software, malware, etc.

this tactic seems much easier than a large-scale man in the middle attack.

anyone whose miner is currently redirected and is running the curses interface, hit "S" for settings, then hit "W" for write. Write it out to some config file and view it. If it has more information in it than you put into it, post it here for people to evaluate.

From reviewing the code, it appeared to me that the client.reconnect message must have been received on an active stratum connection that had already passed the mining.subscribe, mining.authorize messages. So at the very least the server to which it was connected must have been able to emulate a stratum mining server up to that point.

As for gathering the rest of that type of information from miners, it's not much unlike herding cats. I had posted a list of information for affected miners to supply in order to help narrow down the cause, but not a single reply was posted. Perhaps some might have sent directly to poolwaffle?

(I really wanted to see it happen on one of my miners!)

poolwaffle

sr. member

Activity: 322

Merit: 254

Quote from: paul.miner on March 24, 2014, 04:22:45 PM

If anyone has packet captures of work packets sent after their client was hijacked, could you post or send them? I'd be curious to see what they were mining. If it's DOGE, I'm also set up to extract the payout address from the coinbase parameters. A packet should look like this (I think this was an old packet capture from Clevermining):

Code:

{"id":null,"method":"mining.notify","params":["3a61","34d9b767ab5f9e4270ca11e6f823da99af2b6da089d7cb21490c3cce4831ac63","01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2703780702062f503253482f0436221c5308","0d2f6e6f64655374726174756d2f0000000001241b6d23db1200001976a914312f0edfb1647e2f9ddbc6a0faacf3c3c8d1d21588ac00000000",["e8c40423f1291090ace9ac3a88469cf61561ad9b0f06de877f9309b846264b9b","446dea3005104d328824ae1d93b6b26d6c18c69ed6cf3d5aa8a585eeebea534a","032c4da808bf500177768605095431ee58b2773e6397db02e93eae0db86952a4","d5e6cc3bc5dc96786f97cf42a07dff996ac4b9e572844300a0065c719d9ef186","5d7d235e26d856e1bb70ea2b669fa50b6ecf3256fc26ff0ac52d2ea2de4f5c08","2ab06ed0f757226b38213aeeaca5281d013f38259cc22ae04721ab35534d83fe","f66308601f97700e503e8cea31e8d1b57f34530054a222b4bb6f99015fd462a3"],"00000002","1b33c012","531c2247",true]}

I've got one here, soon as I get these servers back up, remind me (email please) and I'll dig through the pcap.

Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 127. (Read 465668 times)