Bitcoin Forum
  Show Posts
1  Bitcoin / Mining speculation / ANTBLEED VIRUS!!! CLONE on: February 10, 2020, 07:41:10 PM
I recently purchased some Antminer S9s from eBay with Bitmain firmware on them. I started seeing some abnormalities in the reported hash rate vs. the actual hash rate at the pool.

I have seen numerous threads with people having the same problem but no resolution.

What I found:

Code:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:36.264415 IP (tos 0x0, ttl 64, id 9890, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.45.36302 > 192.169.6.241.48748: Flags [S], cksum 0xb9fd (correct), seq 2314096459, win 29200, options [mss 1460,sackOK,TS val 8285329 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 26a2 4000 4006 8aaa c0a8 012d  E..<&.@.@......-
        0x0010:  c0a9 06f1 8dce be6c 89ee 4f4b 0000 0000  .......l..OK....
        0x0020:  a002 7210 b9fd 0000 0204 05b4 0402 080a  ..r.............
        0x0030:  007e 6c91 0000 0000 0103 0305            .~l.........
11:22:37.245654 IP (tos 0x0, ttl 64, id 4740, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6562 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285566 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1284 4000 4006 9ec5 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 6562 0000 0204 05b4 0402 080a  ..r.eb..........
        0x0030:  007e 6d7e 0000 0000 0103 0305            .~m~........
11:22:38.244593 IP (tos 0x0, ttl 64, id 4741, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x64fe (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285666 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1285 4000 4006 9ec4 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 64fe 0000 0204 05b4 0402 080a  ..r.d...........
        0x0030:  007e 6de2 0000 0000 0103 0305            .~m.........
11:22:40.244595 IP (tos 0x0, ttl 64, id 4742, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6436 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285866 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1286 4000 4006 9ec3 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 6436 0000 0204 05b4 0402 080a  ..r.d6..........
        0x0030:  007e 6eaa 0000 0000 0103 0305            .~n.........
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

This is an ANTBLEED VIRUS CLONE!

What this does:

The infected Antminer will boot up and connect to 192.169.6.241 on port 48748. Once connected, the miner will receive remote hashing and pool switching, AKA dev fee (BOT NETWORK).
192.169.6.241 IS NOT YOUR LOCAL NETWORK... This is a hosting company hosting the virus.
The virus will then change any SSH password on the local device, then begin a network subnet scan and try to install itself on other miners.

You can tell in several ways that this virus is on your network of miners:

1. The WebUI for the miner will show its status page VERY SLOWLY! This is due to the 100% CPU load and the MODIFIED bminer software that is on it.
2. Your miner will show HW errors on all chains. This is due to the modified bminer overclocking the miner to get a better hash rate for the attacker!

Check your miner or router for an ESTABLISHED CONNECTION to 192.169.6.241. If it's there, you have the virus.

Solutions:

1. BLOCK ALL TRAFFIC to 192.169.6.0/24 on your network, and if you cannot block subnets, BLOCK 192.169.6.241 on all protocols.
2. Pull your miners off your network.
3. CHANGE PASSWORDS on all your miners; don't leave the default password.
4. SD-card your miner and install the latest firmware from your miner manufacturer.

Where did the virus come from? Unknown. I only purchased 3 Antminer S9s off eBay and had them on the test bench when I noticed it. They appeared to be running the latest Bitmain firmware from May 2019.

LP
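The check the post describes (look for miners dialing 192.169.6.241:48748, confirm that address is not LAN space, then block it) as an added example that is not part of the original post or of any Bitmain/Antminer software. It parses tcpdump -v text output in the format of the capture above; the indicator address, port and subnet and the four SYN lines are taken from the post, while the extra LAN-to-router line and the iptables rule format are constructed for illustration and assume a Linux router.

```python
"""Spot miners dialing the C2 endpoint in a tcpdump capture.

Added example, not from the original post. Parses `tcpdump -nn -v` text
output (the format of the capture above), pulls out TCP flows, flags hosts
that send SYNs to the indicator address/port the post names, and prints the
block rules the post recommends. The indicator 192.169.6.241:48748 and the
flow lines come from the post; the LAN-to-router line and the rule format
are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict

C2_HOST = "192.169.6.241"   # from the post
C2_PORT = 48748             # from the post
C2_CIDR = "192.169.6.0/24"  # subnet the post says to block

# In -v output the flow line follows the IP header line:
#   "    src.sport > dst.dport: Flags [S], cksum ..., seq ..., length 0"
# Hex-dump lines (0x0000: ...) and the header lines do not match.
FLOW_RE = re.compile(
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)

# Flow lines reproduced from the post's capture (TCP options trimmed), plus one
# constructed LAN-only line (miner talking to the router) for the filter to ignore.
SAMPLE_CAPTURE = """\
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:36.264415 IP (tos 0x0, ttl 64, id 9890, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.45.36302 > 192.169.6.241.48748: Flags [S], cksum 0xb9fd (correct), seq 2314096459, win 29200, length 0
11:22:37.245654 IP (tos 0x0, ttl 64, id 4740, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6562 (correct), seq 3083763706, win 29200, length 0
11:22:38.244593 IP (tos 0x0, ttl 64, id 4741, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x64fe (correct), seq 3083763706, win 29200, length 0
11:22:40.244595 IP (tos 0x0, ttl 64, id 4742, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6436 (correct), seq 3083763706, win 29200, length 0
11:22:41.001000 IP (tos 0x0, ttl 64, id 4743, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.41000 > 192.168.1.1.80: Flags [S], cksum 0x0000 (correct), seq 1, win 29200, length 0
"""


def parse_flows(capture):
    """Yield (src, sport, dst, dport, flags) for every TCP flow line."""
    for line in capture.splitlines():
        m = FLOW_RE.search(line)
        if m:
            yield m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"]


def is_offsite(addr):
    """True when addr is routable internet space, not RFC 1918/loopback/etc.
    192.169.0.0/16 is public; only 192.168.0.0/16 is private, which is why
    the post's destination is not on the local network."""
    return ipaddress.ip_address(addr).is_global


def find_c2_attempts(capture, c2_host=C2_HOST, c2_port=C2_PORT):
    """Return {source_ip: syn_count} for hosts trying to reach the indicator.

    Only pure SYNs ([S]) are counted, so a host retrying the same connection
    (same seq number, as 192.168.1.48 does above) shows up once with the
    number of attempts it made.
    """
    hits = defaultdict(int)
    for src, _sport, dst, dport, flags in parse_flows(capture):
        if dst == c2_host and dport == c2_port and flags == "S":
            hits[src] += 1
    return dict(hits)


def offsite_destinations(capture):
    """Set of (dst, dport) that private-address hosts tried to reach on the
    internet; anything here that is not your pool deserves a look."""
    return {(dst, dport) for src, _sp, dst, dport, _f in parse_flows(capture)
            if ipaddress.ip_address(src).is_private and is_offsite(dst)}


def block_rules(c2_host=C2_HOST, cidr=C2_CIDR):
    """iptables rules for a Linux router, matching the post's advice: drop the
    whole /24, and the single host if the device cannot take subnets."""
    return [
        f"iptables -I FORWARD -d {cidr} -j DROP",
        f"iptables -I FORWARD -d {c2_host} -j DROP",
    ]


if __name__ == "__main__":
    for host, tries in sorted(find_c2_attempts(SAMPLE_CAPTURE).items()):
        print(f"INFECTED? {host} sent {tries} SYN(s) to {C2_HOST}:{C2_PORT}")
    print("offsite destinations:", sorted(offsite_destinations(SAMPLE_CAPTURE)))
    print("\n".join(block_rules()))
```

To run it against a live capture, feed `tcpdump -nn -v -i eth1 'tcp[tcpflags] & tcp-syn != 0'` output into parse_flows; the offsite view will also list your legitimate pool, so the decisive signal is the match on the indicator address and port.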
2  Bitcoin / Project Development / Bip39helper to work with brainflayer on: March 13, 2019, 12:39:25 AM
Since I accidentally posted in this forum and it was deleted from the technical forum, here is the info again.

Bip39 Super Fast Generator for BTC Crypto

This uses automated Python scripts to generate 3-, 6-, and 12-random-word phrases to use with brainflayer. The speed on this is super fast.

Usage

Just running the script from the command line will randomly generate 3-, 6-, or 12-word BIP39 code phrases:

The Python Dependencies are listed below

- evolve roman
- limit endeavor
- askari cobras
- hellspawn mystic
- manpower anvil
Running the script is simple.

USAGE EXAMPLES:

To make it super simple, I have included the BIP39 .txt files for the different languages; all you need to do is choose your target. I will update and work on this more. However, right now all you need to do is, for EXAMPLE English, copy english.txt to wordlist.txt (in Unix it's cp english.txt wordlist.txt). This sets up the wordlist for your target, or you can use the -w flag for a wordlist file.

./generate12words.py -n 5000000

In this example the script generates 12 random words per line of a text file; -n specifies the number of lines you wish your .txt file to have, and the lines are saved to 12words.txt as the output file. NOTE: This can create VERY LARGE .txt files depending on how many <-n> you pass to the script.

This example does not create any massive .txt file and directs output directly to brainflayer; this is the most effective and fastest way to start checking BIP39 phrases:

./brain12words.py -n 9000000000000000000 | ../brainflayer/brainflayer -v -m tablefile.tab -o foundkeys.txt -b testfile.blm

SAMPLE OUTPUT:

rate: 270111.98 p/s found: 0/786432 elapsed: 11.218 s

Operators

-n

Generates code phrases. Without selecting this option the default is 5.
-w or --wordlist

Imports a file to use for generating random phrases instead of the default wordlist.txt.
Multiple operators can be used together.

License

Free and open source to the public.

If you find this useful and wish to donate:

BTC Address: 1PJbzgqXDcbeqv2NXccQhY7HFWFxeURE22
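The post's generator draws each of the 12 words independently from a BIP39 wordlist. The following is an added example, not Bip39helper's or brainflayer's code, showing the rule a genuine 12-word BIP39 mnemonic has to satisfy: the 12 words encode 132 bits, the first 128 are entropy and the last 4 must equal the first nibble of SHA-256(entropy), so only 1 in 16 random 12-word combinations can be a real seed phrase. It assumes a 2048-word list such as the english.txt the post ships; the synthetic word list in the block is constructed so it runs without a wordlist file. How brainflayer treats a candidate phrase (as a BIP39 seed or as a plain brainwallet passphrase) is not stated on the page, so the example covers candidate generation and checking only.

```python
"""BIP39 checksum-aware 12-word candidate generation.

Added example, not part of Bip39helper or brainflayer. A BIP39 mnemonic is
not just 12 random words: 11 bits per word are concatenated, the first 128
bits are entropy and the last 4 are the first nibble of SHA-256(entropy).
Only 1 in 16 independently drawn 12-word phrases passes that check.
Assumes a 2048-word list such as the post's english.txt; DEMO_WORDLIST is a
constructed stand-in so the block runs without a wordlist file.
"""
import hashlib
import random
import secrets
from typing import List, Sequence

WORD_BITS = 11
ENTROPY_BITS = 128                 # 12 words * 11 bits = 132 = 128 + 4
CHECKSUM_BITS = ENTROPY_BITS // 32  # BIP39: one checksum bit per 32 entropy bits
WORDS = (ENTROPY_BITS + CHECKSUM_BITS) // WORD_BITS  # 12

# Constructed stand-in for english.txt: 2048 distinct tokens, index = position.
DEMO_WORDLIST = [f"w{i:04d}" for i in range(2 ** WORD_BITS)]


def load_wordlist(path: str) -> List[str]:
    """Read a BIP39 word list (one word per line), e.g. english.txt."""
    with open(path, encoding="utf-8") as fh:
        words = [w.strip() for w in fh if w.strip()]
    if len(words) != 2 ** WORD_BITS:
        raise ValueError(f"expected {2 ** WORD_BITS} words, got {len(words)}")
    return words


def _checksum(entropy: bytes) -> int:
    """Top CHECKSUM_BITS bits of SHA-256(entropy)."""
    return hashlib.sha256(entropy).digest()[0] >> (8 - CHECKSUM_BITS)


def mnemonic_from_entropy(entropy: bytes, wordlist: Sequence[str]) -> List[str]:
    """Encode 16 bytes of entropy as a checksum-valid 12-word mnemonic."""
    if len(entropy) * 8 != ENTROPY_BITS:
        raise ValueError("need 16 bytes of entropy")
    bits = (int.from_bytes(entropy, "big") << CHECKSUM_BITS) | _checksum(entropy)
    total = ENTROPY_BITS + CHECKSUM_BITS
    return [wordlist[(bits >> (total - WORD_BITS * (i + 1))) & (2 ** WORD_BITS - 1)]
            for i in range(WORDS)]


def is_valid_mnemonic(words: Sequence[str], wordlist: Sequence[str]) -> bool:
    """True if every word is in the list and the 4-bit checksum matches."""
    if len(words) != WORDS:
        return False
    index = {w: i for i, w in enumerate(wordlist)}
    bits = 0
    for w in words:
        if w not in index:
            return False
        bits = (bits << WORD_BITS) | index[w]
    checksum = bits & ((1 << CHECKSUM_BITS) - 1)
    entropy = (bits >> CHECKSUM_BITS).to_bytes(ENTROPY_BITS // 8, "big")
    return checksum == _checksum(entropy)


def random_valid_mnemonic(wordlist: Sequence[str]) -> List[str]:
    """Draw 128 random bits and encode them: every output passes the checksum,
    unlike drawing 12 words independently, where about 15/16 fail."""
    return mnemonic_from_entropy(secrets.token_bytes(ENTROPY_BITS // 8), wordlist)


def valid_fraction(wordlist: Sequence[str], samples: int = 2048) -> float:
    """Fraction of independently drawn 12-word phrases that pass; about 1/16."""
    rng = random.SystemRandom()
    ok = sum(is_valid_mnemonic([rng.choice(wordlist) for _ in range(WORDS)], wordlist)
             for _ in range(samples))
    return ok / samples


if __name__ == "__main__":
    # With the real english.txt this is the known vector "abandon x11 about".
    print(" ".join(mnemonic_from_entropy(bytes(16), DEMO_WORDLIST)))
    print(" ".join(random_valid_mnemonic(DEMO_WORDLIST)))
    print(f"random 12-word phrases passing checksum: {valid_fraction(DEMO_WORDLIST):.3f}")
```

With the real english.txt loaded via load_wordlist, all-zero entropy encodes to the standard test vector "abandon" repeated eleven times followed by "about" (index 3), which is a quick way to confirm the wordlist file is the genuine one. To stream candidates into a pipe the way the post does, loop over random_valid_mnemonic and print one phrase per line.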