Bitcoin Forum

Other => Beginners & Help => Topic started by: BitCoinDream on August 24, 2014, 09:25:44 AM



Title: Am I infected by Trojan Miner ?
Post by: BitCoinDream on August 24, 2014, 09:25:44 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?


Title: Re: Am I infected by Trojan Miner ?
Post by: Pacowomo on August 24, 2014, 10:28:02 AM
Check your active processes?


Title: Re: Am I infected by Trojan Miner ?
Post by: gondel on August 24, 2014, 10:51:54 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?
Hello,
Not sure, but I ran netstat and it is showing me something like this too, but after the pool there are different numbers. I am not sure if there is something wrong with my machine too.. ???
I googled it and it is not showing anything there..


Title: Re: Am I infected by Trojan Miner ?
Post by: Milkcookie on August 24, 2014, 10:58:55 AM
pool-xxx-xxx is often your own ip

you are sure this is not your ip ?

ipchicken.com to check it

http://www.ip-tracker.org/locator/ip-lookup.php?ip=108.51.140.90


Title: Re: Am I infected by Trojan Miner ?
Post by: BitCoinDream on August 24, 2014, 12:58:57 PM
pool-xxx-xxx is often your own ip

you are sure this is not your ip ?

ipchicken.com to check it

http://www.ip-tracker.org/locator/ip-lookup.php?ip=108.51.140.90

Not really. It is neither my private nor the public ip. I'm not from US, but this ip belongs to verizon n/w of US. If I find in any way that it is a trojan mining pool, I promise I'll boot it down >:(


Title: Re: Am I infected by Trojan Miner ?
Post by: evansearle42 on August 24, 2014, 01:21:52 PM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..


Title: Re: Am I infected by Trojan Miner ?
Post by: Kluge on August 24, 2014, 01:25:16 PM
I'd assume that refers to an address pool, not a mining pool.


Title: Re: Am I infected by Trojan Miner ?
Post by: LtPaxIV on August 24, 2014, 01:45:36 PM
I don't know if it's the same for you; I just did netstat -a and also had this pool thingy. Shutting down the bitcoin client removed the connection for me.


Title: Re: Am I infected by Trojan Miner ?
Post by: BitCoinDream on August 24, 2014, 02:35:45 PM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..

CPU usage is below 5% at the moment, though I don't see that pool in the netstat anymore !!!



Title: Re: Am I infected by Trojan Miner ?
Post by: BitCoinDream on August 24, 2014, 02:35:59 PM
I'd assume that refers to an address pool, not a mining pool.

Why would I be connected to an address pool beyond my ISP's NAT box? I'm behind DHCP and already behind multiple layers from the internet backbone. So I don't think I can be connected to an address pool of a different country.


Title: Re: Am I infected by Trojan Miner ?
Post by: BitCoinDream on August 24, 2014, 02:36:17 PM

I don't know if it's the same for you; I just did netstat -a and also had this pool thingy. Shutting down the bitcoin client removed the connection for me.

When I got the address, I was not running any Bitcoin client at all !!!


Title: Re: Am I infected by Trojan Miner ?
Post by: nizamcc on August 24, 2014, 02:37:04 PM
I think this is a RAT/WORM

Use hitman pro to clean your pc :)


Title: Re: Am I infected by Trojan Miner ?
Post by: CraftingTable on August 24, 2014, 03:16:07 PM
Use Process explorer to search for any weird services and processes.


Title: Re: Am I infected by Trojan Miner ?
Post by: enginnspes on August 24, 2014, 05:54:53 PM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Hi bitcoindream, as a greyhat hacker I can help you with this. If the CPU usage or GPU is running hot sometimes then I would be worried. If you are going to remove this kind of malware, it is most often loaded with an encrypter and a persistence module in the registry, so if you are trying to delete it then it will most often be tough, and if it is well encrypted, virus scans will do you no good because they cannot pick up that it is malware. I did some testing on this subject just to see how the whole process worked, and most often the miners are set to mine at -4 to reduce chances of being detected, so the CPU or GPU could be using around 20% of its power to mine. Now if you have a powerful computer you would not notice any changes in performance. Anyway, check the process explorer for a shady-looking Svchost that seems to be taking high resources;
it is most often set to create another process that is named svchost or similar. If you want to remove the malware and it's encrypted then it is very hard, especially if the miner is covered with a ring3 rootkit that hides the process from the process explorer so you cannot see it, but you can easily prevent it from connecting to the mining pool and therefore it will stop mining. If you edit your hosts file in the Windows settings, you can add to the hosts file the desired IP or DNS at the end of the file and save it. I will show you an example here below:

 1. go to C:\Windows\System32\drivers\etc\
 2. open hosts with notepad
 it should show something like this

# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost


 4. OK, now you want to add to the end of the file like this

127.0.0.1 hackeripormineripordns


This will make it so that when the miner tries to connect to the pool, it will, instead of connecting to it, resolve to your local IP 127.0.0.1 and will not be able to get the data from the pool to start mining. Therefore you have disabled the miner and it cannot mine anymore, because it cannot connect to the pool: it automatically redirects to your local IP and it cannot get the mining data from there, so problem solved.

this is just a quick easy way to disable it so it will stop hogging your resources =) .

i hope you enjoyed my little input here and it does you good :)

Have a nice day.

PS: sometimes the hosts file is locked, so you actually need to copy it to your desktop first, edit it there, then overwrite the original one with the new one, and then restart the PC.
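
An added example, not part of the post above: a small check for hosts-file entries of the kind described, which flags lines whose columns are reversed and entries where an IP literal sits in the name column, since the hosts file only answers name lookups. The sample file and the `*.miner.example` names are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; the pool names are placeholders, not real hosts.
SAMPLE_HOSTS = """\
# localhost name resolution is handled within DNS itself.
127.0.0.1       pool.miner.example      # correct: address first, then name
pool2.miner.example 127.0.0.1           # reversed columns: not a valid entry
127.0.0.1       203.0.113.7             # IP literal as name: blocks nothing
0.0.0.0         stratum.miner.example alt.miner.example
"""

def is_ip(token):
    """True if token parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint_hosts(text):
    """Return (sinkholed_names, problems) for hosts-file text."""
    sinkholed, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split columns
        if not fields:
            continue
        addr, names = fields[0], fields[1:]
        if not is_ip(addr):
            problems.append((lineno, "first column is not an IP address"))
            continue
        for name in names:
            if is_ip(name):
                # The hosts file only answers name lookups; software that
                # connects straight to an IP address never consults it.
                problems.append((lineno, f"{name} is an IP, not a host name"))
            elif ipaddress.ip_address(addr).is_loopback or addr == "0.0.0.0":
                sinkholed.append(name)
    return sinkholed, problems

if __name__ == "__main__":
    names, problems = lint_hosts(SAMPLE_HOSTS)
    print("sinkholed:", names)
    for lineno, msg in problems:
        print(f"line {lineno}: {msg}")
```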


Title: Re: Am I infected by Trojan Miner ?
Post by: Coinhunter32 on August 25, 2014, 12:05:37 PM
It is a sad fact that many fellas use blackhat methods to mine bitcoin; everything has positive and negative aspects. Even though you have antivirus and firewalls on, they bypass them by several methods. Hope you get it removed from your system soon.


Title: Re: Am I infected by Trojan Miner ?
Post by: nizamcc on August 25, 2014, 05:59:38 PM
It could also be a silent miner, mate. Best is you scan it with some AV and Hitman ;)


Title: Re: Am I infected by Trojan Miner ?
Post by: Vortex20000 on August 26, 2014, 02:59:56 AM
Turn off your internet and see if it's still there.



Title: Re: Am I infected by Trojan Miner ?
Post by: Monica80 on August 26, 2014, 03:15:39 AM
Always wear protection...


Title: Re: Am I infected by Trojan Miner ?
Post by: notlist3d on August 26, 2014, 06:19:28 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Just googling that IP looks like Verizon in the Washington area.  Do you happen to be in this area?  If so i would be less worried.

If you are not I would start running a few malware and virus scans. 


Title: Re: Am I infected by Trojan Miner ?
Post by: BitsBitsBits on August 26, 2014, 07:38:20 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..

Who would even still try and mine bitcoins with others CPU's.


Title: Re: Am I infected by Trojan Miner ?
Post by: Katarina on August 26, 2014, 07:48:22 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..

Who would even still try and mine bitcoins with others CPU's.

Most trojan miners mine using the CPU instead, because everyone has a CPU and not a GPU....


Title: Re: Am I infected by Trojan Miner ?
Post by: DrG on August 26, 2014, 07:49:42 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..

Who would even still try and mine bitcoins with others CPU's.

People who have an automated script to go and infect multiple machines.  They don't need to manually control your machine; they can control herds of machines - BOTNET.

Although botnets could probably make more money doing something other than mining.


Title: Re: Am I infected by Trojan Miner ?
Post by: BitCoinDream on August 26, 2014, 08:25:21 AM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..

Who would even still try and mine bitcoins with others CPU's.

People who have an automated script to go and infect multiple machines.  They don't need to manually control your machine; they can control herds of machines - BOTNET.

Although botnets could probably make more money doing something other than mining.

How can a botnet make money except by participating in cyber crimes like DDoS? One I heard is participating in CERN's grid computing. Do you know anything else?


Title: Re: Am I infected by Trojan Miner ?
Post by: mullerdan on October 26, 2014, 04:00:25 PM
be careful sometimes its false positive


Title: Re: Am I infected by Trojan Miner ?
Post by: cp1 on October 26, 2014, 04:04:27 PM
use netstat -tulpn to see what process owns it.
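
An added example, not written by any poster in this thread: parsing netstat output to decode ISP-style reverse-DNS names such as `pool-108-51-140-90` back into the IP address they embed, and to group remote endpoints by owning PID. The sample lines are constructed and assume the column layout of Windows `netstat -ao`; the PIDs, local addresses and `example.net` row are made up.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of Windows `netstat -ao`
# (names resolved, owning PID last). PIDs and local names are made up.
SAMPLE = """\
  Proto  Local Address          Foreign Address              State           PID
  TCP    0.0.0.0:135            DESKTOP:0                    LISTENING       912
  TCP    192.168.1.5:49712      pool-108-51-140-90:14905     ESTABLISHED     3316
  TCP    192.168.1.5:49713      pool-108-51-140-90:14905     TIME_WAIT       0
  TCP    192.168.1.5:49720      example.net:https            ESTABLISHED     4020
  UDP    0.0.0.0:5353           *:*                                          1488
"""

# ISP reverse-DNS labels often embed the address: four dash-separated octets.
EMBEDDED_IP = re.compile(r"(?<!\d)(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})(?!\d)")

def embedded_ip(host):
    """Return the IPv4 address encoded in a name like pool-108-51-140-90, else None."""
    m = EMBEDDED_IP.search(host)
    if not m:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(m.groups())))
    except ipaddress.AddressValueError:
        return None  # e.g. an octet above 255

def remote_endpoints(netstat_text):
    """Map owning PID -> set of (host, port, decoded_ip) for non-listening TCP rows."""
    by_pid = defaultdict(set)
    for line in netstat_text.splitlines():
        cols = line.split()
        # TCP rows have 5 columns; skip the header, UDP and listening sockets.
        if len(cols) != 5 or cols[0] != "TCP" or cols[3] == "LISTENING":
            continue
        host, _, port = cols[2].rpartition(":")
        by_pid[int(cols[4])].add((host, port, embedded_ip(host)))
    return dict(by_pid)

if __name__ == "__main__":
    for pid, peers in sorted(remote_endpoints(SAMPLE).items()):
        for host, port, ip in sorted(peers, key=str):
            print(f"PID {pid}: {host}:{port} -> {ip or 'no embedded IP'}")
```

The decoded address can then be looked up for its owner, and the PID matched against the process list.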


Title: Re: Am I infected by Trojan Miner ?
Post by: HeroCat on October 26, 2014, 07:00:53 PM
Save your valuable data on USB, use software - Kill Disk, then make a new Windows installation; after this, check the USB files with a modern AV + antimalware + second AV software.


Title: Re: Am I infected by Trojan Miner ?
Post by: elise on October 26, 2014, 07:27:00 PM
i didnt know miners cant be infected with a trojan..


Title: Re: Am I infected by Trojan Miner ?
Post by: AllTheBitz on October 26, 2014, 09:44:48 PM
i didnt know miners cant be infected with a trojan..

Yeah happens all the time if you download stuff.


Title: Re: Am I infected by Trojan Miner ?
Post by: Kluge on October 28, 2014, 06:47:47 PM
i didnt know miners cant be infected with a trojan..

Yeah happens all the time if you download stuff.
Just having unprotected VNC server software's enough. Many GPU miners still use VNC for remote interfacing, and some programs actually restrict password length as low as 8 characters. Especially mining on dubious fly-by-night altcoin pools and putting your IP out there as someone who uses crypto, there're a good few risks many don't account for -- like, say you keep a hot wallet backup on a MS Homegroup-shared folder and have your mining PCs in the homegroup with read access to the backup. Someone doesn't need to brute force the PC with a wallet on it, they just need to get into one of the mining PCs and search the network for files.


Title: Re: Am I infected by Trojan Miner ?
Post by: 2double0 on October 28, 2014, 07:33:09 PM
I ran a netstat on my machine and found a certain connection with a foreign address...

pool-108-51-140-90:14905

Does anyone know what is this ? Is it a mining pool where I am connected ?

Check your CPU usage, it should be really high like 60% and above if someone is mining on your computer..

Who would even still try and mine bitcoins with others CPU's.

Back in 2012/13 people would spread viruses that mined on their behalf. I heard of someone making a few bits a day from this by infecting work computers. This was when diff was so much lower though.