Author

Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com - page 138. (Read 465769 times)

full member
Activity: 168
Merit: 100
So by gaining access to a remote router is it possible to perform an attack of this sort?  I am sure there are other resources such as the one I listed ...

Possible yes, likely no.  The simultaneous timing of the redirection attack would be very difficult to carry out without 'the short list' of miners' ip addresses which would only be obtained from the server, or the network on which the server resides.
newbie
Activity: 56
Merit: 0
Okay, just checking information from last night.

It may not have happened quite simultaneously. I don't have enough information (didn't have verbose logging on) to be sure. I'm not even certain it affected every single one of my rigs, as when I noticed it on most of them I immediately began a slash and burn campaign on everything.

Unfortunately this muddies the waters a bit.
hero member
Activity: 630
Merit: 500
1 Gain ownership of router
2 determine OS
3 find miner process running
4 Alter pool info
newbie
Activity: 56
Merit: 0
So by gaining access to a remote router is it possible to perform an attack of this sort?  I am sure there are other resources such as the one I listed ...

Possible, yes. My router does not use default credentials though. Of course, backdoors are rife with these things.
hero member
Activity: 630
Merit: 500
So by gaining access to a remote router is it possible to perform an attack of this sort?  I am sure there are other resources such as the one I listed ...
newbie
Activity: 56
Merit: 0

Yes, this is the weakest link in my setup for sure.


My configuration does not utilize any of the vulnerable equipment included in that list.  (Not that someone somewhere probably doesn't know how to hack it!)


Hmm, just checked through that list as well. My particular router is not included. Though, as you say, that certainly doesn't mean a lot.
newbie
Activity: 56
Merit: 0
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this an many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.


If all were miners affected equally, and not just the miners using the router ip address for dns servers, then I think we can rule out the dns forwarding/masquerading service on your router from having been compromised.  Thanks for checking.  I hate to have to ask, but are you absolutely 100% certain?


I am certain of some using direct DNS and some pointing to the router. I am certain some are using DHCP and some are static IP's. I am certain one router (connected to the external internet) is running proprietary Dlink software and the other bridged router is running dd-wrt. I set all of this up myself.

This does not entirely rule out some very clever hack on the router side of things, or injected in multiple miner's source codes. It just seems rather unlikely to me at this point.


As many of us as possible need to enable verbose logging to file for when this happens again.  And it will almost certainly happen again, as there is money to be made by attackers exploiting whatever weakness allowed them to do so this time around.  I have had logging enabled since the very beginning, but none of my equipment was affected by this problem.  I did notice a few atypical packets logged on my firewall making me suspect that a local router attack could be part of the redirect to a rogue server, which is why I asked you about yours, as you actually witnessed the redirection of your hashpower.



Agreed.

I've been awaiting a reoccurence all day. Nothing so far, at all. If it's local I'm betting it's the d-link router software, as it's connected to the external internet. But my money is leaning a bit towards not local. Not enough though for me to be completely convinced. Too many unknowns at this point.

full member
Activity: 168
Merit: 100

Yes, this is the weakest link in my setup for sure.


My configuration does not utilize any of the vulnerable equipment included in that list.  (Not that someone somewhere probably doesn't know how to hack it!)
full member
Activity: 168
Merit: 100
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this an many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.


If all were miners affected equally, and not just the miners using the router ip address for dns servers, then I think we can rule out the dns forwarding/masquerading service on your router from having been compromised.  Thanks for checking.  I hate to have to ask, but are you absolutely 100% certain?


I am certain of some using direct DNS and some pointing to the router. I am certain some are using DHCP and some are static IP's. I am certain one router (connected to the external internet) is running proprietary Dlink software and the other bridged router is running dd-wrt. I set all of this up myself.

This does not entirely rule out some very clever hack on the router side of things, or injected in multiple miner's source codes. It just seems rather unlikely to me at this point.


As many of us as possible need to enable verbose logging to file for when this happens again.  And it will almost certainly happen again, as there is money to be made by attackers exploiting whatever weakness allowed them to do so this time around.  I have had logging enabled since the very beginning, but none of my equipment was affected by this problem.  I did notice a few atypical incoming packets logged on my firewall making me suspect that a local router attack could be part of the redirect to a rogue server, which is why I asked you about yours, as you actually witnessed the redirection of your hashpower.
newbie
Activity: 56
Merit: 0
newbie
Activity: 56
Merit: 0
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this an many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.


If all were miners affected equally, and not just the miners using the router ip address for dns servers, then I think we can rule out the dns forwarding/masquerading service on your router from having been compromised.  Thanks for checking.  I hate to have to ask, but are you absolutely 100% certain?


I am certain of some using direct DNS and some pointing to the router. I am certain some are using DHCP and some are static IP's. I am certain one router (connected to the external internet) is running proprietary Dlink software and the other bridged router is running dd-wrt. I set all of this up myself.

This does not entirely rule out some very clever hack on the router side of things, or injected in multiple miner's source codes. It just seems rather unlikely to me at this point.
full member
Activity: 168
Merit: 100
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this an many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.


If all your miners were affected equally, and not just the miners using the internal router ip address for dns servers, then I think we can rule out the dns forwarding/masquerading service on your router from having been compromised.  Thanks for checking.  I hate to have to ask, but are you absolutely 100% certain?
newbie
Activity: 56
Merit: 0
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this an many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4 directly in /etc/resolv.conf. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.
full member
Activity: 168
Merit: 100
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers receiving its address via dhcp, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this as many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or so to check, worth a look.

newbie
Activity: 56
Merit: 0
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.

When the problem occurred, it happened on all rigs simultaneously, regardless of OS, miner software, static or dynamic IP, router connection, etc.
full member
Activity: 168
Merit: 100
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like agood place to start.  Do you they all run on the same local area network?  If so, are they using private ip addresses with your router running network address transalation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?
newbie
Activity: 56
Merit: 0
@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.


Though one can easily download maliciously inserted code within 'trusted' linux software, I am generally inclined to agree that the miner-side malware possibility seems unlikely, but cannot as yet be completely ruled out.  

But as far as I know there has not been any effort to identify affected  client side operating systems versions, miner versions, pool configurations including backups, failover-only settings, etc, to determine if there are any commonalities.  And from reading this thread, one cannot even determine how many people might have been affected!


Agreed that it's possible to download malicious code in linux.

Given that I'm running various versions of cgminer, sgminer, bfgminer, and even cudaminer, all git pulled myself and compiled myself, this seems unlikely in the extreme. Possible, but very unlikely. The perpetrator would ave had to insert malicious working code in many different and seperate miners source codes, some completely incompatible with others, administered by many different people, and all able to function simultaneously.

Again, possible, but does not seem very plausible.
full member
Activity: 168
Merit: 100
@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.


Though one can easily download maliciously inserted code within 'trusted' linux software, I am generally inclined to agree that the miner-side malware possibility seems unlikely, but cannot as yet be completely ruled out.  

But as far as I know there has not been any effort to identify affected client side operating systems versions, miner versions, pool configurations including backups, failover-only settings, etc, to determine if there are any commonalities.  And from reading this thread, one cannot even determine how many people might have been affected!

Where is poolwaffle through all of this?  I'm one to support weekends off, but this problem is deserving of some attention as he has access to considerably more information than we do.
newbie
Activity: 56
Merit: 0
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgmniner, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?


Seems highly unlikely. Possible, but very unlikely.

Jump to: