Topic: Wonder who this solominer is? 88.6.216.9 - page 28. (Read 60498 times)

hero member
Activity: 910
Merit: 1000
I've been watching this thread for a while, and today I came up with a way to possibly confirm whether this new miner is indeed a botnet: I e-mailed an active researcher at a major company dealing in antivirus/security software. I have no way of knowing if the mail will ever even be read or responded to; however, should I get a reply, I will report back here.
sr. member
Activity: 402
Merit: 250
> http://technet.microsoft.com/en-us/security/bulletin/ms12-020
> On this webpage it says "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution"

Ok, I think I recalled wrong :/
hero member
Activity: 1596
Merit: 502
> > > > Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
> > > I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known... It's not even been "weaponized" yet, so it's kinda hard for that exploit...
> > Well, you never know if it was found earlier and kept secret to build a strong, big botnet.
> Very much true, but still, a denial of service exploit does not give full access... So in this case it's not the case.

http://technet.microsoft.com/en-us/security/bulletin/ms12-020
On this webpage it says "Vulnerabilities in Remote Desktop Could Allow Remote Code Execution"
sr. member
Activity: 402
Merit: 250
> > > Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
> > I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known... It's not even been "weaponized" yet, so it's kinda hard for that exploit...
> Well, you never know if it was found earlier and kept secret to build a strong, big botnet.

Very much true, but still, a denial of service exploit does not give full access... So in this case it's not the case.
hero member
Activity: 1596
Merit: 502
> > Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
> I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known... It's not even been "weaponized" yet, so it's kinda hard for that exploit...

Well, you never know if it was found earlier and kept secret to build a strong, big botnet.
sr. member
Activity: 402
Merit: 250
> Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.

I thought the recent RDP exploit was a mere DDoS, and the proof of concept was done ~Wednesday, far after it became known... It's not even been "weaponized" yet, so it's kinda hard for that exploit...
full member
Activity: 134
Merit: 100
Going from the computer names in the paste linked, it looks like all the machines are running Windows. So this could be the work of a script kiddie and the recent Windows RDP exploit.
legendary
Activity: 1022
Merit: 1000
BitMinter
So far, Sudo is only talking. He refused to point some of his hashpower to BitMinter to back up what he claims!
sr. member
Activity: 336
Merit: 250
One question that comes to mind...

1.3 TH/s at the current price/difficulty is over $30k per week in bitcoins.
I know it's fairly easy to launder funds through Mt. Gox, but surely if they're selling any significant portion of what they mine there would be red flags somewhere?

I can believe it though, and to be honest I think the problem's only going to get worse.
rjk
sr. member
Activity: 448
Merit: 250
85.214.124.168 resolves to h1816161.stratoserver.net.

The following A records are set to 85.214.124.168:
antirechts-team.de, enlight-visuals.de, geknicktemit.de, jas-transport.com, muemmelmann.com

The bolded domain is the only one out of the list that is active. Either the botnet op works there, or (more likely) he has compromised that server to be his pool. Anyone feel like contacting them to see what they say?

EDIT: nvm, the stupid he.net search only returns a half-assed set of results. Robtex shows better info; it seems that it is a shared host.
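An added example (mine, not rjk's or anyone else's in the thread) of doing the lookups above in code: forward-confirmed reverse DNS for the IP, then a check of which candidate domains actually resolve to it, which is the evidence behind the post's EDIT that the box is a shared host. The record fixture is constructed from the A and PTR records quoted in the post so it runs offline; the live_forward/live_reverse helpers, which go through the system resolver, are my assumed way of running the same check against real DNS.

```python
"""Added example, not from the thread: forward-confirmed reverse DNS plus a
co-hosting check for an IP that miners have been seen connecting to.

The record set below is CONSTRUCTED from the A and PTR records quoted in the
post above so the code runs offline; the live_* resolvers are an assumption
about how one would query the same thing for real."""
import socket
from typing import Callable, Dict, List, Optional

IP = "85.214.124.168"
PTR_NAME = "h1816161.stratoserver.net"
# The five domains the post lists as having A records for the IP.
CANDIDATE_DOMAINS = [
    "antirechts-team.de", "enlight-visuals.de", "geknicktemit.de",
    "jas-transport.com", "muemmelmann.com",
]

# Constructed fixture (not a live lookup): name -> A records, ip -> PTR name.
CONSTRUCTED_A: Dict[str, List[str]] = {d: [IP] for d in CANDIDATE_DOMAINS}
CONSTRUCTED_A[PTR_NAME] = [IP]
CONSTRUCTED_PTR: Dict[str, str] = {IP: PTR_NAME}

Forward = Callable[[str], List[str]]       # hostname -> A records
Reverse = Callable[[str], Optional[str]]   # ip -> PTR name or None


def constructed_forward(name: str) -> List[str]:
    return CONSTRUCTED_A.get(name.lower().rstrip("."), [])


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


def live_forward(name: str) -> List[str]:
    """Real A lookup through the system resolver; empty list on NXDOMAIN/error."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def live_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup through the system resolver; None if there is none."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def fcrdns(ip: str, forward: Forward, reverse: Reverse) -> Optional[str]:
    """Forward-confirmed reverse DNS: accept the PTR name only if it resolves
    back to ip. Whoever controls the reverse zone can put any text in a PTR,
    so an unconfirmed one identifies nothing."""
    name = reverse(ip)
    if name and ip in forward(name):
        return name
    return None


def cohosted(ip: str, candidates: List[str], forward: Forward) -> List[str]:
    """Which of the candidate domains currently resolve to ip."""
    return sorted(d for d in candidates if ip in forward(d))


def classify(ip: str, candidates: List[str], forward: Forward, reverse: Reverse) -> dict:
    """Summarise what the DNS evidence supports about who runs the box."""
    ptr = fcrdns(ip, forward, reverse)
    hosts = cohosted(ip, candidates, forward)
    # Heuristic from the post's EDIT: several unrelated domains on one address
    # behind a hosting-provider PTR means a shared host, so no single domain
    # owner can be assumed to be the pool operator.
    shared = len(hosts) > 1
    return {"ip": ip, "ptr": ptr, "cohosted": hosts, "shared_host": shared}


if __name__ == "__main__":
    print(classify(IP, CANDIDATE_DOMAINS, constructed_forward, constructed_reverse))
    # Against real DNS: classify(IP, CANDIDATE_DOMAINS, live_forward, live_reverse)
```

Run as-is it reports on the constructed fixture; pass live_forward and live_reverse to classify() to query real DNS. The point of the fcrdns() step is that a PTR record only says something about the machine when the name resolves back to the same address; the co-hosting list is what separates "this domain's owner runs the pool" from "this is one of many sites on a rented box".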
donator
Activity: 1218
Merit: 1079
Gerald Davis
The 3-day trend is not confirmed by the 7-day or 14-day trend. Given that "mystery" has been around a lot longer than 3 days, why would you want to look at the more volatile number? Less info & more noise?

By intercept blocks I guess you mean act as a man in the middle and prevent miners from submitting valid blocks to the pool?  Well I guess that is a good reason to use p2pool.  Every block is submitted to every other node who submits it to every bitcoind peer.
hero member
Activity: 518
Merit: 500
This is what Im looking at:
http://bitcoin.sipa.be/speed-lin-2k.png

And obviously not the 8-hour avg green line, but the 3-day estimate. Though variability is high enough to make firm conclusions impossible, it's not quite what you'd expect if 1.3 TH joined the network out of the blue. There is no spike up; it's flat or down, best I can tell.

DrHaribo did have another hypothesis; rather than stealing blocks, he suggested it might be possible for an attacker with a botnet to intercept a % of winning blocks of other pools to keep difficulty down. That would show up in stats eventually, but it made me wonder why we aren't using HTTPS on our miners to prevent such sabotage in the first place.
donator
Activity: 1218
Merit: 1079
Gerald Davis
I don't know what charts you are looking at.  I honestly don't.

The 7-day avg is higher today than 15 & 30 days ago.
The 14-day avg is higher today than 15 & 30 days ago.

More specifically, you keep saying 10 days, so: today the 7-day avg is ~11.2 TH/s; 10 days ago it was 10.1 TH/s.

Are you looking at some other charts?
hero member
Activity: 518
Merit: 500
> Yes. I thought I made that clear. A 5% reduction in found blocks relative to expected is rare over a 10-day period but not impossible.

There are a lot of rare but not impossible things going on right now. That's the point. But the fact that the network block rate is not showing the increase you would expect from an extra 1+ TH, either because of bad luck or because that 1 TH is not new, is not the same thing as deepbit having calculated bad luck on their published stats. They are related to some extent given deepbit's size, but it's not the same thing.
legendary
Activity: 966
Merit: 1003
Slush has been having spurts of very good luck the last few days.

It's at:

120%, 109%, 103%  (1 day, 7 day, 30 day)

2:33 pm 2012/3/16 UTC
donator
Activity: 1218
Merit: 1079
Gerald Davis
> > Never said you were an idiot, but stating both bad luck and declining global hashing power is kinda silly.
> Still having trouble distinguishing between deepbit and the entire network, it seems. Or are you saying the entire network (except for the mystery miner) is being unlucky for over 10 days now?

Yes. I thought I made that clear. A 5% reduction in found blocks relative to expected for the entire network over a 10-day period is rare but not impossible.

Just to beat this zombie horse dead:

IF the entire network in aggregate (note this doesn't mean every pool, just the aggregate effect across all miners) is having a period of "bad luck", then it would reflect in a lower reported hashrate. So while sipa may show a declining or flat hashrate, in reality hashrate has increased and is just reported "low" due to bad luck.

Also, I don't see this major drop in hashing power. Anything shorter than the 8-day average is essentially useless from a statistical point of view.

This lack of hashing power decline can be seen in the pools also. Deepbit, for example, hasn't shown any significant decline in hashrate.

Now, the network calculates hashrate based on blocks (~1.5 mil diff shares) and pools calculate it based on diff 1 shares. Obviously Deepbit's internal number is going to have less variance.

Seeing as the major pools haven't shown a major decline in hashing power, there likely isn't any.

This does bring up an interesting idea. One could calculate the network normally and also take the reported hashing power of the largest pools as a countervalue. Unless both numbers are moving in the same direction, likely any change is simply variance.
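Gerald's argument above (and in his earlier reply about the 3-day versus 7-day trend) rests on the fact that the network hashrate is inferred from block arrivals, so a run of bad luck and a drop in reported hashrate are the same observation. The following is an added example, not code from the thread, that works this through with a Poisson model of block arrivals. The difficulty of 1.5e6 is my rounding of the "~1.5 mil" figure quoted in the post, and the 11.2 TH/s and 10-day window are the numbers quoted in the thread; the functions and their names are mine.

```python
"""Added example, not from the thread: how far block-count "luck" can move the
block-derived network hashrate, worked with the thread's own numbers.

Assumptions (mine, not the posters'): difficulty 1.5e6, rounded from the
"~1.5 mil" figure in the post; block arrivals modelled as a Poisson process;
11.2 TH/s and a 10-day window are the figures quoted in the thread."""
import math

TWO32 = 2 ** 32
DIFFICULTY = 1.5e6   # assumption: rounded from "~1.5 mil diff shares"
DAY = 86_400


def expected_blocks(hashrate: float, seconds: float, difficulty: float = DIFFICULTY) -> float:
    """Mean block count: each block costs difficulty * 2^32 hashes on average."""
    return hashrate * seconds / (difficulty * TWO32)


def estimated_hashrate(blocks: int, seconds: float, difficulty: float = DIFFICULTY) -> float:
    """What a block-based chart does: infer hashrate from blocks actually found.
    Fewer blocks than expected (bad luck) shows up as a lower hashrate, which is
    why "bad luck" and "reported hashrate fell" are one observation, not two."""
    return blocks * difficulty * TWO32 / seconds


def poisson_cdf(k: int, lam: float) -> float:
    """P(X <= k) for X ~ Poisson(lam), summed in log space so lam ~ 1e3 is fine."""
    log_lam = math.log(lam)
    return sum(math.exp(i * log_lam - lam - math.lgamma(i + 1)) for i in range(k + 1))


def prob_reported_at_most(fraction: float, hashrate: float, seconds: float,
                          difficulty: float = DIFFICULTY) -> float:
    """Probability that a network with a fixed true hashrate reports no more
    than `fraction` of it over the window, purely from block-count variance."""
    lam = expected_blocks(hashrate, seconds, difficulty)
    return poisson_cdf(math.floor(fraction * lam), lam)


def reported_hashrate_band(hashrate: float, seconds: float,
                           difficulty: float = DIFFICULTY, z: float = 1.96) -> tuple:
    """Approximate 95% band of the block-derived estimate for a fixed true rate.
    Shorter windows contain fewer blocks and so give a wider band, which is
    the statistical reason the short averages on the charts are mostly noise."""
    lam = expected_blocks(hashrate, seconds, difficulty)
    half = z * math.sqrt(lam)
    return hashrate * (lam - half) / lam, hashrate * (lam + half) / lam


if __name__ == "__main__":
    ten_days = 10 * DAY
    p = prob_reported_at_most(0.95, 11.2e12, ten_days)
    print(f"P(10-day estimate <= 95% of a true 11.2 TH/s) = {p:.3f}")
    for days in (1, 3, 8, 14):
        lo, hi = reported_hashrate_band(11.2e12, days * DAY)
        print(f"{days:2d}-day window: estimate band {lo / 1e12:.1f} to {hi / 1e12:.1f} TH/s")
```

With these inputs, the chance that an unchanged 11.2 TH/s network reports 95% or less of itself over 10 days comes out in the low single-digit percent, which is the "rare but not impossible" case, and the 1-day band is several times wider than the 8-day band. Gerald's countervalue idea fits the same model: a pool measures its own rate from difficulty-1 shares, millions of them per block, so its estimate has far less variance than the block-derived network figure, and a real change should show in both.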
hero member
Activity: 518
Merit: 500
> Never said you were an idiot but stating both bad luck and declining global hashing power is kinda silly.

Still having trouble distinguishing between deepbit and the entire network it seems. Or are you saying the entire network (except for the mystery miner) is being unlucky for over 10 days now?
legendary
Activity: 1274
Merit: 1004
> > Does that list strike anyone as odd? Unless it is 0.5% and it's already been sorted to show only the most powerful machines, there is way too much powerful hardware there. There are 383 machines listed; if that's 0.5% it implies he controls 76 thousand PCs. If you had a real random botnet, finding 1000 machines with that kind of horsepower would probably require infecting 1,000,000. You'd think he could find something more profitable and less likely to be detected to do with his botnet than mining.
> Botnets can do multiple things. It actually would be smart for an operator to take an inventory of victims and direct the more capable ones towards mining and use the less capable ones for less computationally intensive tasks like bulk spam email or DDoS.
>
> Not saying that makes the claim valid, just indicating someone could have a 1 million node botnet and use just the 100K most capable of mining for mining.

That makes sense, but would it not imply a simply massive botnet? Looking at the list, there's a lot of hardware you simply couldn't run full out without being detected. As a generalization, high-end hardware is more likely to be run by more sophisticated users. A lot of that hardware is higher-end nVidia stuff, and getting 140 MHash/s out of those 580s and 480s at full bore would tip off anyone that something is wrong.

Am I incorrect in thinking that anyone with this sort of botnet would have to run these higher-end machines at much lower hashrates than they're capable of to maintain responsiveness and avoid detection? I would think that if they're running on gaming hardware they'd also have to disable mining when the computer launches a game or GPGPU app, where the slowdown would be pretty instantly noticeable. If this is true, it would have to be one of the largest botnets around.
donator
Activity: 1218
Merit: 1079
Gerald Davis
> Does that list strike anyone as odd? Unless it is 0.5% and it's already been sorted to show only the most powerful machines, there is way too much powerful hardware there. There are 383 machines listed; if that's 0.5% it implies he controls 76 thousand PCs. If you had a real random botnet, finding 1000 machines with that kind of horsepower would probably require infecting 1,000,000. You'd think he could find something more profitable and less likely to be detected to do with his botnet than mining.

Botnets can do multiple things. It actually would be smart for an operator to take an inventory of victims and direct the more capable ones towards mining and use the less capable ones for less computationally intensive tasks like bulk spam email or DDoS.

Not saying that makes the claim valid, just indicating someone could have a 1 million node botnet and use just the 100K most capable of mining for mining.
donator
Activity: 1218
Merit: 1079
Gerald Davis
Never said you were an idiot, but stating both bad luck and declining global hashing power is kinda silly. It is like saying "the thief made a left turn AND he didn't make a right turn". Due to how hashrate is calculated, if the network is in a bad luck "slump" it will show declined hashing power. Both events occurring together is expected.