Topic: S9 switches pool on its own (Read 155 times)

legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
April 11, 2021, 09:33:00 AM
#19
If they all have it by now then why is the virus idle for so long? Why doesn't it screw all miners asap?
The answer is right in front of you: If it immediately affected all miners one would notice it and then take immediate action to remove the malware. By waiting a few days/weeks before re-directing your hash the malware is free to spread to other miners.

You should apply the SD process on ALL of your Bitmain miners to clean them up.
newbie
Activity: 15
Merit: 0
April 11, 2021, 08:27:41 AM
#18
So after turning off the miner with the virus I was hoping everything would be fine, but after 10 days the virus appeared on another miner.
I tried to hard reset and update the firmware, but now the hardware version and bmminer version do not show up and the kernel log says "bmminer not found, restart bmminer", so I can't even connect anymore. Any ideas what to try? I will buy an SD card and reader this week if the stores open up (partial lockdown here due to COVID-19) and try to flash via SD card.
I have to isolate the miners with the virus but I don't know which ones have it; how do I find that out? If they all have it by now, then why is the virus idle for so long? Why doesn't it screw all miners ASAP?
If I put on the latest Bitmain firmware from August 2019 with "enhanced anti-virus capability and secure firmware with signature, SSH port is closed", would that protect me from further issues with this virus?
Also, in administration, when you change the password, do you put a different password on every miner?
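The post above asks how to tell which units are infected, and the first post in the thread shows the symptom: the configuration page says poolin, but miner status shows the unit hashing to nicehash. One way to answer that across a whole shed is to ask each unit's bmminer directly. Stock S9 firmware runs a cgminer-compatible text API on TCP port 4028; its `pools` command returns the pools the running miner is actually using, not what the web form says. The script below is an added example, not code from the thread or from Bitmain: it parses that reply, flags any pool whose host is not on your own allow-list, and reports which units did not answer at all (a unit whose bmminer is gone, as in the post above, shows up that way). It assumes port 4028 is reachable from the monitoring host, that `EXPECTED_HOSTS` is your real pool, and the two sample replies are constructed to mirror the thread.

```python
"""Added example, not from the thread: find which S9 units are actually hashing to
a pool you did not configure, by asking bmminer's cgminer-compatible text API on
TCP 4028 for its live 'pools' table and comparing hosts against an allow-list.
Assumptions: the API port is reachable from the monitoring host; EXPECTED_HOSTS
matches your own pool config. The sample replies at the bottom are constructed."""
import socket

EXPECTED_HOSTS = {"btc.ss.poolin.com"}   # the operator's real pool (from the thread)
SUSPECT_FRAGMENTS = ("nicehash",)        # host fragment seen in the hijack (from the thread)


def query_api(host, command="pools", port=4028, timeout=5.0):
    """Send a plain-text cgminer API command and return the NUL-terminated reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(command.encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def parse_api_reply(reply):
    """Split 'K=v,K=v|K=v,...|' into one dict per record (STATUS, POOL=0, POOL=1 ...)."""
    records = []
    for rec in reply.strip("\x00").split("|"):
        fields = {}
        for kv in rec.split(","):
            if "=" in kv:
                key, val = kv.split("=", 1)
                fields[key] = val
        if fields:
            records.append(fields)
    return records


def pool_host(url):
    """'stratum+tcp://host:3334#xnsub' -> 'host' (lower-cased)."""
    rest = url.split("://", 1)[-1].split("#", 1)[0].split("/", 1)[0]
    return rest.rsplit(":", 1)[0].lower()


def find_hijacked_pools(reply, expected_hosts=EXPECTED_HOSTS):
    """Return pool entries whose host is not on the allow-list, noting whether that
    pool is the one currently receiving shares ('Stratum Active')."""
    bad = []
    for rec in parse_api_reply(reply):
        if "POOL" not in rec:
            continue
        host = pool_host(rec.get("URL", ""))
        if host in expected_hosts:
            continue
        bad.append({
            "pool": rec["POOL"],
            "host": host,
            "user": rec.get("User", ""),
            "active": rec.get("Stratum Active", "").lower() == "true",
            "known_hijack": any(f in host for f in SUSPECT_FRAGMENTS),
        })
    return bad


def check_fleet(miners, fetch=query_api, expected_hosts=EXPECTED_HOSTS):
    """{miner_ip: [hijacked pools]}; None when the API did not answer, so units whose
    bmminer is gone ('bmminer not found') are listed for manual inspection."""
    report = {}
    for ip in miners:
        try:
            report[ip] = find_hijacked_pools(fetch(ip), expected_hosts)
        except OSError:
            report[ip] = None
    return report


# Constructed sample replies: a hijacked unit (host/worker as posted in the thread) and a clean one.
SAMPLE_INFECTED = (
    "STATUS=S,When=1617280000,Code=7,Msg=1 Pool(s),Description=bmminer 1.0.0|"
    "POOL=0,URL=stratum+tcp://sha256.hk.nicehash.com:3334#xnsub,Status=Alive,Priority=0,"
    "User=35TVW8JXxnrPviwyZoRbtNfs2RD1vXNRu1,Last Share Time=0:00:12,"
    "Has Stratum=true,Stratum Active=true,Stratum URL=sha256.hk.nicehash.com|"
)
SAMPLE_CLEAN = (
    "STATUS=S,When=1617280000,Code=7,Msg=3 Pool(s),Description=bmminer 1.0.0|"
    "POOL=0,URL=stratum+tcp://btc.ss.poolin.com:443,Status=Alive,Priority=0,"
    "User=worker.001,Has Stratum=true,Stratum Active=true|"
    "POOL=1,URL=stratum+tcp://btc.ss.poolin.com:1883,Status=Alive,Priority=1,"
    "User=worker.001,Has Stratum=true,Stratum Active=false|"
    "POOL=2,URL=stratum+tcp://btc.ss.poolin.com:25,Status=Alive,Priority=2,"
    "User=worker.001,Has Stratum=true,Stratum Active=false|"
)

if __name__ == "__main__":
    import sys  # usage: python s9_pool_audit.py 192.168.1.10 192.168.1.11 ...
    for ip, bad in check_fleet(sys.argv[1:]).items():
        print(ip, "NO API REPLY" if bad is None else ("HIJACKED -> %s" % bad if bad else "ok"))
```

Run it from a host on the miner LAN against every unit, not only the ones that look slow on the pool dashboard; a unit can carry the malware for days before its pool is switched, so a clean report today is a reason to re-run tomorrow, not to stop checking. Any unit that returns `None` should be treated as suspect and taken through the SD-card recovery.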
legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
April 10, 2021, 07:44:31 PM
#17
When you buy used gear, always flash it back to stock firmware following the sd recovery method. Don't even think about it, do it.
Exactly.
Look at it this way: a miner is run by a small built-in PC that uses flash memory as a drive holding the operating system and the miner software.

Would you buy a used PC and put it on a network without first wiping the drives and installing a fresh copy of the OS? I hope to God your answer is a resounding: "HELL NO -- intentionally or not, who knows what malware has been loaded onto it!"

Same logic to wipe all storage and re-install fresh OS & programs applies here.
legendary
Activity: 2030
Merit: 1569
CLEAN non GPL infringing code made in Rust lang
April 09, 2021, 02:58:18 PM
#16
When you buy used gear, always flash it back to stock firmware following the sd recovery method. Don't even think about it, do it.
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
April 03, 2021, 08:53:58 PM
#15
What puzzles me is where the virus came from because i scanned my computer and didnt find any viruses. Maybe my antivirus protection is not good enough.

Antivirus could be useless in this case. According to my experience and based on most stories I have heard, the virus comes from second-hand miners; the miner will seem okay when you first test it (the virus is probably made to behave that way), and then eventually you notice the hashrate on your pool drops from time to time. It takes time to know you are infected; some people don't see it until a long period of time has passed.

So this isn't the average virus that screams out loud to bring attention. Now, how it spreads to other gear isn't something I am fully aware of, but for my farm and the farms I manage/build for clients, I noticed the virus didn't show up once we started to use custom firmware and/or new Bitmain versions with SSH disabled by default.

Of course, I developed a habit of SD-carding any second-hand miner I buy before bringing it close to the other gear. You can use a different spare router, as the other methods require some knowledge. I also avoid logging into the miner before the SD card is done, so from the box to the SD card process, and only then do I allow myself to log in to that miner to flash a new firmware. SSH should be disabled, or change the password; also, right after you flash the new firmware, make sure you change the miner's web password to a new password, not one you use on other miners (at least until you confirm the miner is 100% clean).

By doing this personally and encouraging my clients to do so, I have not had a problem with any mining virus ever since.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
April 03, 2021, 10:32:50 AM
#14
First I would like to thank you all for trying to help me out.
I will get an SD card and try what you told me. For now I just replaced the control board because I have some spare ones.
What puzzles me is where the virus came from, because I scanned my computer and didn't find any viruses. Maybe my antivirus protection is not good enough.
Also, I remembered that I did add one new unit a couple of months ago, but that unit doesn't seem to be infected. Is it possible that it is infecting my other units but not showing any signs of infection itself?


Possible.
Is there any external access to the network that the miners are on? VPN, RDP, any remote access to the PC?

I have not been following the miner malware that much but I have been reading a bit since your post, some people were claiming that some of the vulnerable routers were allowing access back to the miners using telnet / ssh

https://www.radware.com/security/ddos-threats-attacks/threat-advisories-attack-reports/gpon-routers-botnet/
https://www.welivesecurity.com/2020/07/09/popular-home-routers-plagued-critical-security-flaws/
https://graphics.wsj.com/table/ROUTERSTABLE_0116
etc...

So you could be clean, your PC could be clean, but your front-end router is screwed.

I have seen and pulled from service mikrotik routers that have been compromised so it's out there:
https://blog.avast.com/mikrotik-routers-targeted-by-cryptomining-campaign-avast

-Dave
newbie
Activity: 15
Merit: 0
April 03, 2021, 02:54:31 AM
#13
First I would like to thank you all for trying to help me out.
I will get an SD card and try what you told me. For now I just replaced the control board because I have some spare ones.
What puzzles me is where the virus came from, because I scanned my computer and didn't find any viruses. Maybe my antivirus protection is not good enough.
Also, I remembered that I did add one new unit a couple of months ago, but that unit doesn't seem to be infected. Is it possible that it is infecting my other units but not showing any signs of infection itself?
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
April 02, 2021, 04:54:42 PM
#12
The last time I checked you could just plug in your external address and it would work. Did not know they ever changed it.

I really have no idea, I could be wrong on this one anyways.

Good evening fellow miners!  Just wanted to let you know that I've had another S9 hacked today and the controller is ruined, and I ran out of the replacement controllers.

Firewall is set to medium; if I set it to a higher level then the miners don't connect.  Not sure what else I can do to stop this guy from stealing my coins and breaking my hardware.

If anyone is interested here is the address that this bastard puts instead of my pool settings and his wallet address.


35TVW8JXxnrPviwyZoRbtNfs2RD1vXNRu1


stratum+tcp://sha256.hk.nicehash.com:3334#xnsub

The controllers can not be hard reset, the address can not be changed.  BEWARE AND KEEP YOUR NETWORK SAFE!

Good night and mine on!  The block is coming soon!

This quote brings some bad news to OP: some versions of the virus lock you out of your control board, and this seems to be one of them. Let's hope he gets lucky.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
April 02, 2021, 03:36:39 PM
#11
The miner won't connect if the address is not owned by NH.

The last time I checked you could just plug in your external address and it would work. Did not know they ever changed it.

Using the 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x address you posted when you google it, it's everywhere. Using the 35TVW8JXxnrPviwyZoRbtNfs2RD1vXNRu1 address the OP posted when you google it there is no discussion about it. I would think if it was part of a large number of compromised miners it would be posted / discussed all over.

-Dave
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
April 02, 2021, 02:26:06 PM
#10
Not that it matters since the miner *is* infected, but where do you see that this is a NH owned address?

The miner won't connect if the address is not owned by NH.

As far as I know you can mine to nicehash 2 ways either with an external address or with an internal one...

Not that I still use NH, but when I did back then you had to use the bitcoin address THEY give you, not just any bitcoin address. While it's a different addy for everyone and you can even send BTC to it, your mining rewards are not sent to that address but rather are stored in the NH database, and then you can withdraw them to an "external" address; in fact, you can even use the same nicehash BTC address to mine other coins.

If you google this address instead 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x you will find that many people were infected with a virus that uses this address, I have personally had gears infected with a virus that mines to that NH address, so I know for a fact that mining address made a lot of coins, but if you check on the blockchain it has 0 transactions on it.
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
April 02, 2021, 06:07:10 AM
#9
Not that it matters since the miner *is* infected, but where do you see that this is a NH owned address?

I googled it and checked a few other places and did not see it linking back to NH at all. As far as I know you can mine to nicehash 2 ways either with an external address or with an internal one, but even with an internal address it's still a different address for everyone who has one.

-Dave
legendary
Activity: 2394
Merit: 6581
be constructive or S.T.F.U
April 01, 2021, 06:00:40 PM
#8
Weird, that address does not look like it's been mining at nicehash according to their dashboard lookup and looking at an explorer, the last time it received funds was January of last year.

Ignore nicehash dashboard it's useless, also this BTC addy belongs to nicehash, it's really more or less used as a username, and then you withdraw your BTC to your own wallet, so the process isn't traceable on the public ledger, of course, only nicehash know which mining address sent bitcoin to which address.

OP, your miner is indeed infected, I am pretty familiar with this virus, although I don't recall the real name (I think it's called NightSwitcher) I do remember the nicehash hk, jp and the address looks familiar, so I am 100% positive.

You will need to flash the hashboard using Sdcard, do that on a separate LAN, before putting the miner back online make sure you change the password and disable SSH, after doing so, your miners will be secured to a good degree, the only thing left to fix would be the PC/phone you use to access the miners, that's where the virus probably came from.

If you want more security, get a cheap PC (the cheapest you can get), don't connect it to the internet, and use it exclusively to monitor and configure your miners.
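The post above gives the recovery order: SD-card reflash on a separate LAN, then change the password and disable SSH before the unit goes back online. The check a practitioner wants after that is proof the hardening actually took, from the same monitoring host, before the miner rejoins the production segment. The script below is an added example, not code from the thread or from Bitmain: it does a plain TCP connect test per miner and reports units that still answer on SSH (22) or telnet (23), or that no longer answer on the web UI (80) or the bmminer API (4028). The expected open/closed port sets are an assumption for stock firmware; adjust them to match the firmware you flashed. The probe function is injectable so the logic can be exercised without a live network.

```python
"""Added example, not from the thread: confirm each reflashed S9 no longer exposes
SSH or telnet on the LAN while its web UI and miner API still answer.
The port expectations below are an assumption for stock Bitmain firmware."""
import socket

MUST_BE_CLOSED = {22: "ssh", 23: "telnet"}   # remote shells the malware rides in on
MUST_BE_OPEN = {80: "web", 4028: "api"}      # what you still need to manage the unit


def tcp_open(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds within timeout (a listener exists)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit_miner(host, probe=tcp_open):
    """One miner: list services still exposed, services unexpectedly down, and an
    overall verdict that is True only when both lists are empty."""
    exposed = [name for port, name in MUST_BE_CLOSED.items() if probe(host, port)]
    down = [name for port, name in MUST_BE_OPEN.items() if not probe(host, port)]
    return {"host": host, "exposed": exposed, "down": down,
            "hardened": not exposed and not down}


def audit_fleet(hosts, probe=tcp_open):
    """{host: audit_miner(host)} for every unit; run after reflash and again on a schedule."""
    return {h: audit_miner(h, probe) for h in hosts}


if __name__ == "__main__":
    import sys  # usage: python s9_port_audit.py 192.168.1.10 192.168.1.11 ...
    for h, r in audit_fleet(sys.argv[1:]).items():
        print(h, "OK" if r["hardened"] else "exposed=%s down=%s" % (r["exposed"], r["down"]))
```

A closed port 22 only proves there is no listener on the LAN side at the moment of the probe; a unit that still carries the malware can reopen it later, which is why the reflash comes first and this check is a gate, not a cleaner. Keep the probing host on the quarantine segment the post recommends so a still-infected unit cannot reach your production miners while you test it.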
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
April 01, 2021, 03:12:09 PM
#7
Looks like you are going to have to try flashing the firmware to a clean one.
Instructions from bitmain: https://support.bitmain.com/hc/en-us/articles/360019493654-S9-series-S9-S9i-S9j-S9-Hydro-Control-Board-Program-Recovery

Much like NotFuzzyWarm I have not used their gear in a while, so I can't help more than that, but if you can't get it done, post the issue in the hardware section; someone there should be able to help.
https://bitcointalk.org/index.php?board=76.0

Also, as NotFuzzyWarm said move it off the network that has any other mining gear on it.

-Dave
newbie
Activity: 15
Merit: 0
April 01, 2021, 02:07:12 PM
#6
Yes, all 3 pools are set to poolin.
pool1-stratum+tcp://btc.ss.poolin.com:443
pool2-stratum+tcp://btc.ss.poolin.com:1883
pool3-stratum+tcp://btc.ss.poolin.com:25
legendary
Activity: 3500
Merit: 6320
Crypto Swap Exchange
April 01, 2021, 01:51:31 PM
#5
Weird, that address does not look like it's been mining at nicehash according to their dashboard lookup and looking at an explorer, the last time it received funds was January of last year.
Most of the infected miners that I have seen / heard about mined to a common address.

Are all 3 pools in the config set to poolin?

-Dave
legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
April 01, 2021, 01:50:42 PM
#4
If they were running fine until recently then you picked up a virus/malware from *somewhere* and how to fix still needs to be addressed (by others here).
newbie
Activity: 15
Merit: 0
April 01, 2021, 01:03:35 PM
#3
All of my miners are second-hand, but the last time I bought any was one year ago, and this started only a few weeks ago. The first time I couldn't resolve the issue, so I just took the hashboards out of the S9 and put them in others that had a dead board. But now it's happening again and I don't have a clue what to do.
legendary
Activity: 3822
Merit: 2703
Evil beware: We have waffles!
April 01, 2021, 12:52:55 PM
#2
Did you buy the miner (a long time ago) directly from Bitmain and this started recently or did you recently buy the s9 used? If the 1st then malware has infected it. If the 2nd - the miner was sold infected.

Either way IMMEDIATELY isolate it from your network as several of the mining malwares out there will search for more miners on the network to infect... Others here will have to explain how to fix the issue as I no longer run any hardware from Bitmain.
newbie
Activity: 15
Merit: 0
April 01, 2021, 12:30:32 PM
#1
Hi.

So my Antminer S9 is set to mine on poolin, but it switched from poolin to nicehash on its own, and I never had an account on nicehash.  Under miner configuration it is set to poolin, but when I go to miner status I see this:

Code:
stratum+tcp://sha256.hk.nicehash.com:3334#xnsub35TVW8JXxnrPviwyZoRbtNfs2RD1vXNRu1

So I guess my miner is mining for someone else? Reboot or unplug doesn't change anything. If someone has any advice on how to fix this I would appreciate it.