Topic: Possible malicious pool owners **URGENT** (Read 896 times)

sr. member
Activity: 406
Merit: 250
January 16, 2014, 06:26:20 PM
#11
I can confirm multiple accounts on my pool having the same payout address, running the query stated there. All having a payout threshold of 10 or 100. Removed the addresses from the pool and contacted the users.

When you have a comprehensive list of all pools the affected miners have recently used please contact me with said list, as well as a counter for each pool enumerating the number of affected miners who have recently used them.
member
Activity: 84
Merit: 10
https://dgb.luckyminers.com
January 16, 2014, 10:41:43 AM
#10
I can confirm multiple accounts on my pool having the same payout address, running the query stated there. All having a payout threshold of 10 or 100. Removed the addresses from the pool and contacted the users.
sr. member
Activity: 406
Merit: 250
January 16, 2014, 08:57:56 AM
#9
I ran across this thread. I will inject a bit of thought here. Not to confuse, but to help all readers understand something that maybe they didn't already know.

Unless you're on https, then any login data including passwords and usernames are transmitted in plain text.

Network-level sniffing of the traffic would capture such plain text. It could have occurred that way.

I am not stating that is what happened. I don't know. I hadn't even heard of your mining site as of yet, until now. And haven't ever heard of any mining sites being breached in such a fashion. But it's technically feasible, if not likely.

I do know this:

I try to never mine at http sites for the above reason. I only mine on https://*.* (secure/encrypted sites) pools if possible, but sometimes that isn't possible depending on the coin type.

The plain text transmission is just one reason, another is that https is more difficult to hack, thus balances at those sites are a bit safer until withdrawn. But nothing online is really safe per se, as we all know. Still, at least I know my passwords are not compromised on https, and coins are a bit safer.

Seems like the OP has done quite a bit of good detective work, now just determining how it all leaked.

Best Advice:

Users should get a reliable, secure (encrypted) VPN service, but that alone won't solve the http plain text transmission on the other end because after exiting the https VPN server your http transmissions are in plain text again. But a VPN stops others from finding your real IP, and following you back to your PCs.

I strongly recommend a secure VPN for downloading any Qt's and such as well. By all means request that your favorite coins offer https download sites only, same for their home pages and what not too. I will let the reader figure out why but it's not hard to figure out given just a bit of thought. To this day these matters are still largely unaddressed in crypto-land. But step one is securing yourselves by way of a secure (encrypted) VPN service.

Caveat emptor - let the buyer beware

I also considered network snooping as a possible cause but, just like my argument against hacking, I highly doubt that ~60 miners were being snooped on by the same party. Regardless of what caused the current issue, however, I concur that everyone ought to enhance their security to the highest degree possible.
sr. member
Activity: 616
Merit: 250
January 16, 2014, 06:44:51 AM
#8
I ran across this thread. I will inject a bit of thought here. Not to confuse, but to help all readers understand something that maybe they didn't already know.

Unless you're on https, then any login data including passwords and usernames are transmitted in plain text.

Network-level sniffing of the traffic would capture such plain text. It could have occurred that way.

I am not stating that is what happened. I don't know. I hadn't even heard of your mining site as of yet, until now. And haven't ever heard of any mining sites being breached in such a fashion. But it's technically feasible, if not likely.

I do know this:

I try to never mine at http sites for the above reason. I only mine on https://*.* (secure/encrypted sites) pools if possible, but sometimes that isn't possible depending on the coin type.

The plain text transmission is just one reason, another is that https is more difficult to hack, thus balances at those sites are a bit safer until withdrawn. But nothing online is really safe per se, as we all know. Still, at least I know my passwords are not compromised on https, and coins are a bit safer.

Seems like the OP has done quite a bit of good detective work, now just determining how it all leaked.

Best Advice:

Users should get a reliable, secure (encrypted) VPN service, but that alone won't solve the http plain text transmission on the other end because after exiting the https VPN server your http transmissions are in plain text again. But a VPN stops others from finding your real IP, and following you back to your PCs.

I strongly recommend a secure VPN for downloading any Qt's and such as well. By all means request that your favorite coins offer https download sites only, same for their home pages and what not too. I will let the reader figure out why but it's not hard to figure out given just a bit of thought. To this day these matters are still largely unaddressed in crypto-land. But step one is securing yourselves by way of a secure (encrypted) VPN service.

Caveat emptor - let the buyer beware
sr. member
Activity: 406
Merit: 250
January 15, 2014, 11:39:42 PM
#7
ATTENTION POOL OWNERS

Please use the following code on PHPMyAdmin to search for addresses being withdrawn to from multiple accounts.

Code:
SELECT  m.username,m.email,m.ap_threshold,m.coin_address
FROM    (
        SELECT coin_address
        FROM    accounts
        GROUP BY
                coin_address
        HAVING  COUNT(*) > 2
        ) q
JOIN    accounts m
ON      m.coin_address = q.coin_address
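The query in the post above, run over a constructed accounts table in an in-memory SQLite database. This is an added example, not the pool's code or the post author's; the column names follow the query, while the sample rows, the helper functions and the `min_accounts` parameter are assumptions. Note that the original `HAVING COUNT(*) > 2` only reports an address once three or more accounts pay out to it; the parameter lets a pool operator lower the bar to catch pairs as well.

```python
import sqlite3

# Constructed sample rows (placeholder users and addresses, not real data).
# Column order: username, email, ap_threshold, coin_address, as in the query.
SAMPLE_ACCOUNTS = [
    ("alice", "alice@example.invalid", 10, "ADDR-A"),
    ("bob", "bob@example.invalid", 100, "ADDR-A"),
    ("carol", "carol@example.invalid", 10, "ADDR-A"),
    ("dave", "dave@example.invalid", 50, "ADDR-B"),
    ("erin", "erin@example.invalid", 50, "ADDR-B"),
    ("frank", "frank@example.invalid", 25, "ADDR-C"),
]

# The post's query, parameterised on the account count and given a stable
# ordering so the report is easy to read and compare between runs.
SHARED_ADDRESS_QUERY = """
SELECT m.username, m.email, m.ap_threshold, m.coin_address
FROM (
    SELECT coin_address
    FROM accounts
    GROUP BY coin_address
    HAVING COUNT(*) > ?
) q
JOIN accounts m ON m.coin_address = q.coin_address
ORDER BY m.coin_address, m.username
"""


def build_db(rows):
    """Create an in-memory accounts table and load the given rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts ("
        "username TEXT, email TEXT, ap_threshold INTEGER, coin_address TEXT)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return conn


def find_shared_payout_addresses(conn, min_accounts=2):
    """Map each payout address used by MORE than min_accounts accounts to the
    (username, email, ap_threshold) tuples that withdraw to it.

    min_accounts=2 reproduces the post's COUNT(*) > 2 (three or more accounts);
    min_accounts=1 also reports addresses shared by just two accounts.
    """
    report = {}
    for username, email, threshold, addr in conn.execute(
        SHARED_ADDRESS_QUERY, (min_accounts,)
    ):
        report.setdefault(addr, []).append((username, email, threshold))
    return report


def thresholds_for(report):
    """Payout thresholds seen per flagged address; the thread noted the affected
    accounts all used a threshold of 10 or 100, which is a useful second signal."""
    return {addr: sorted({t for _, _, t in rows}) for addr, rows in report.items()}


if __name__ == "__main__":
    db = build_db(SAMPLE_ACCOUNTS)
    for addr, rows in find_shared_payout_addresses(db).items():
        print(addr)
        for username, email, threshold in rows:
            print(f"  {username:<8} {email:<24} threshold={threshold}")
```

Against a live MySQL pool database the same query runs unchanged apart from the placeholder style; the point of the SQLite harness is that an operator can check the logic on known data before trusting its output.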
sr. member
Activity: 406
Merit: 250
January 15, 2014, 11:28:11 PM
#6
If enough miners were hacked, statistically the pool they most have in common would be the culprit.

I agree, that's why we're asking miners to respond with a full list of pools they have used recently.
hero member
Activity: 532
Merit: 500
January 15, 2014, 11:24:43 PM
#5
If enough miners were hacked, statistically the pool they most have in common would be the culprit.
sr. member
Activity: 406
Merit: 250
January 15, 2014, 11:20:24 PM
#4
have you contacted those who lost their coins and asked them?

The body of the post was originally intended for a mass email to our miners. After sending it, I decided it would be worthwhile to add the bit about pools checking for multiple accounts sending to one address and post in the public domain.
sr. member
Activity: 452
Merit: 250
January 15, 2014, 10:58:09 PM
#3
Great job! Glad to see responsible pools acting in the interest of miners.
member
Activity: 266
Merit: 10
January 15, 2014, 10:55:29 PM
#2
have you contacted those who lost their coins and asked them?
sr. member
Activity: 406
Merit: 250
January 15, 2014, 10:52:54 PM
#1
Last night, amid complaints of fraudulent withdrawals from many of our miners, we at Hackshard launched a full investigation into our databases, websites, and other software with the goal of identifying and eliminating whatever faulty code, hardware, or security hole had caused miners to lose their coins. We discovered no fault in the cronjobs, databases, stratum servers, wallets, or any of the other various components of the Hackshard mining pools. While this did confirm that the Hackshard infrastructure was not at fault, our findings hinted at something perhaps even more worrisome. We found that several dozen miners had recently withdrawn to a single address: the same address as that which many of those claiming fraud had presented to us as having stolen their coins. Given the extreme unlikelihood of so many miners being host to the same keylogging virus, and given the complete lack of evidence that our own pools have been infiltrated by malicious agents, we have concluded that the issue could only have arisen from miners using identical login credentials with multiple pools. If this is the case, with a significant portion of our miners having been victims, we further conclude that only one with access to the database of a rather large pool could have been the thief. As such, we request that all miners who have been affected by this theft respond immediately with a full list of pools which they have recently used so that we may attempt to identify the malignant pool. We further request that all pool owners search their outgoing transactions for multiple usernames withdrawing to a few addresses.

We strongly urge everyone to use separate credentials on each and every pool he or she uses and to enable automatic payments. If you have been using the same username & password on multiple pools, change them immediately.

If you lost any coins from a fraudulent withdrawal and you use the same credentials on other pools as you do on the pool you were stolen from, please change your passwords on all pools and then contact the owners of whichever pool you lost coins on and tell them which pools you used the same credentials on. In this way, pool owners can attempt to find a common pool among miners bereft of coins.

For example, say you have the same password on pools A, B, C, D and your coins were stolen from pool C. Change your passwords on every pool immediately and then contact the owners of pool C, telling them that your coins were stolen and you had the same credentials on pools A, B and D. If enough miners do this and pool owners co-operate, we should be able to figure out which pool stole the coins.
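The pool-overlap analysis the thread describes (affected miners report which pools they reused credentials on, and pool owners count how often each pool appears across those reports) as an added example in Python; it is not part of the original post, and the miner and pool names are constructed placeholders. It also shows why a strict "pool used by every victim" intersection is fragile: a single miner who forgets to list a pool empties it, so the per-pool count and share of victims is the more useful output.

```python
from collections import Counter

# Constructed reports: each affected miner lists the pools on which they
# reused the same username and password. Names are placeholders.
SAMPLE_REPORTS = {
    "miner1": ["pool-A", "pool-B", "pool-C"],
    "miner2": ["pool-B", "pool-C", "pool-D"],
    "miner3": ["pool-C", "pool-E"],
    "miner4": ["pool-A", "pool-C"],
    "miner5": ["pool-B", "pool-D"],   # forgot (or never used) pool-C
}


def count_pools(reports):
    """Count, per pool, how many distinct affected miners list it.

    Each miner's list is deduplicated first so a miner who names the same
    pool twice still counts once for that pool.
    """
    counts = Counter()
    for pools in reports.values():
        for pool in set(pools):
            counts[pool] += 1
    return counts


def rank_suspect_pools(reports):
    """Return (pool, victims_using_it, fraction_of_victims), most common first.

    Ties are broken by pool name so the ranking is deterministic.
    """
    total = len(reports)
    counts = count_pools(reports)
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(pool, n, n / total) for pool, n in ordered]


def common_to_all(reports):
    """Pools that every single affected miner reported.

    If every report were complete, the leaking pool would have to be in this
    set; in practice one incomplete report makes it empty, which is why the
    ranked count above is what pool owners should actually compare.
    """
    sets = [set(pools) for pools in reports.values()]
    return set.intersection(*sets) if sets else set()


if __name__ == "__main__":
    for pool, n, share in rank_suspect_pools(SAMPLE_REPORTS):
        print(f"{pool:<8} {n} of {len(SAMPLE_REPORTS)} victims ({share:.0%})")
    print("common to all:", common_to_all(SAMPLE_REPORTS) or "none")
```

A high share of victims is evidence, not proof: a very popular pool will appear in most lists simply because most miners use it, so the count should be read against how many of a pool's users were not affected before anyone is accused.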