Bitcoin Forum

There is a botnet that is capable of compromising Claymore ETH mining rigs at default settings. It will change the wallet address to the hacker's.

Please take action to secure your mining rig now. It can be done through the use of a simple command line switch.

https://www.cryptoinfomag.com/2018/01/18/satori-botnet-attack-hijacks-ethereum-from-mining-rigs/

If you have opened port 3333 on your modem\router and not set a password you deserve it. NO ports should be open to your mining rig, you should VPN to your router or another machine then connect to mining rig

Truth

masscan -p 3333 --max-rate 99999 -oX botnet.xml 0.0.0.0/0

This started happening probably about a year ago.

By default Claymore config makes changing settings disabled to prevent this from happening.

This is how I understand it too, right?
So the firewall on my router should block any traffic into any port that I haven't specifically opened/forwarded (even using uPnP), correct?

This would affect people having specifically opened and forwarded port 3333 and not set a password in Claymore settings?

Awesome.  I'm shocked that someone who was foolish enough not to change the defaults on Claymore would be competent enough to configure their router to port map to it.  ;)  Maybe this botnet should create a bounty for Claymore to add UPnP support - that would definitely help them get a few more machines.

Really this only must affect very small users, unless they mapped each of their rigs to different ports, and I highly doubt the botnet is portscanning a target, but instead just looking for open machines.  I would also suspect this is targeted more to people colo'ing at traditional datacenters where they have a static IP and their box exposed to the world (as a miner-specific colo is going to presumably have them behind a router/firewall).