Bitcoin Forum
1  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:44:32 AM
For what it's worth...

When I first noticed the problem (maybe an hour or more after it likely occurred) the first step I took is that I logged into each of my rigs and disabled the useast server (which each was pointing to). This had the effect of each rig going to the uswest backup server.

This immediately caused shares to once again be registered on wafflepool.

I didn't leave it at that, though. Worried, half an hour later, I power cycled routers and rigs, restarted miners, and monitored them, once again on useast, to see if shares were being registered.

They were.

Then I went to sleep, thinking I'd solve it in the morning.
2  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:37:33 AM
Okay, just checking information from last night.

It may not have happened quite simultaneously. I don't have enough information (didn't have verbose logging on) to be sure. I'm not even certain it affected every single one of my rigs, as when I noticed it on most of them I immediately began a slash and burn campaign on everything.

Unfortunately this muddies the waters a bit.
3  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:33:31 AM
So by gaining access to a remote router is it possible to perform an attack of this sort?  I am sure there are other resources such as the one I listed ...

Possible, yes. My router does not use default credentials though. Of course, backdoors are rife with these things.
4  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:25:31 AM

Yes, this is the weakest link in my setup for sure.


My configuration does not utilize any of the vulnerable equipment included in that list.  (Not that someone somewhere probably doesn't know how to hack it!)


Hmm, just checked through that list as well. My particular router is not included. Though, as you say, that certainly doesn't mean a lot.
5  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:23:29 AM
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgminer, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like a good place to start.  Do they all run on the same local area network?  If so, are they using private ip addresses with your router running network address translation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this as many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or two to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.


If all miners were affected equally, and not just the miners using the router ip address for dns servers, then I think we can rule out the dns forwarding/masquerading service on your router from having been compromised.  Thanks for checking.  I hate to have to ask, but are you absolutely 100% certain?


I am certain of some using direct DNS and some pointing to the router. I am certain some are using DHCP and some are static IP's. I am certain one router (connected to the external internet) is running proprietary Dlink software and the other bridged router is running dd-wrt. I set all of this up myself.

This does not entirely rule out some very clever hack on the router side of things, or injected in multiple miner's source codes. It just seems rather unlikely to me at this point.


As many of us as possible need to enable verbose logging to file for when this happens again.  And it will almost certainly happen again, as there is money to be made by attackers exploiting whatever weakness allowed them to do so this time around.  I have had logging enabled since the very beginning, but none of my equipment was affected by this problem.  I did notice a few atypical packets logged on my firewall making me suspect that a local router attack could be part of the redirect to a rogue server, which is why I asked you about yours, as you actually witnessed the redirection of your hashpower.



Agreed.

I've been awaiting a reoccurrence all day. Nothing so far, at all. If it's local I'm betting it's the d-link router software, as it's connected to the external internet. But my money is leaning a bit towards not local. Not enough though for me to be completely convinced. Too many unknowns at this point.

6  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:13:57 AM

Yes, this is the weakest link in my setup for sure.
7  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:11:04 AM
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgminer, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like a good place to start.  Do they all run on the same local area network?  If so, are they using private ip addresses with your router running network address translation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this as many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or two to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.


If all miners were affected equally, and not just the miners using the router ip address for dns servers, then I think we can rule out the dns forwarding/masquerading service on your router from having been compromised.  Thanks for checking.  I hate to have to ask, but are you absolutely 100% certain?


I am certain of some using direct DNS and some pointing to the router. I am certain some are using DHCP and some are static IP's. I am certain one router (connected to the external internet) is running proprietary Dlink software and the other bridged router is running dd-wrt. I set all of this up myself.

This does not entirely rule out some very clever hack on the router side of things, or injected in multiple miner's source codes. It just seems rather unlikely to me at this point.
8  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 08:03:30 AM
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgminer, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like a good place to start.  Do they all run on the same local area network?  If so, are they using private ip addresses with your router running network address translation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.


Many nat routers run a dns forwarding service on them.  If your internet service provider assigns your public ip address via dhcp, and you assign private ip address internally via dhcp, some routers will configure the dns server for those computers to the internal ip address of the router which will forward requests onto the router's configured dns server.  

If you check your ip configuration on one or more of the mining computers, does it/they point to the internal router ip address in the dns server field, or directly to an external dns server?  (I ask this as many nat routers running dns forwarding service are more vulnerable to attacks than internet dns servers are.)  This is a real long shot, but as it only takes a minute or two to check, worth a look.



This is a good question.

Most of the rigs are configured to use 8.8.8.8 and 8.8.4.4 directly in /etc/resolv.conf. Two of them I obviously didn't change when I set them up and they are pointing to the router, which is configured to use 8.8.8.8 and 8.8.4.4.

All were affected equally.
9  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 07:55:50 AM
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgminer, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?

Seems highly unlikely. Possible, but very unlikely.


You seem to have a good sampling of configurations, so it seems like a good place to start.  Do they all run on the same local area network?  If so, are they using private ip addresses with your router running network address translation?  Are they dynamically assigned or manually entered into the configuration of each mining computer?

Yes, all running on the same local network. Some are using static IP's and some dynamically assigned IP's via DHCP from the router, which is running proprietary software from the router manufacturer, though some of the rigs are bridged to the router via another router running open source dd-wrt. Quite a few different variables here. All are using Google's DNS, 8.8.8.8 and 8.8.4.4.

When the problem occurred, it happened on all rigs simultaneously, regardless of OS, miner software, static or dynamic IP, router connection, etc.
10  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 07:48:52 AM
@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.


Though one can easily download maliciously inserted code within 'trusted' linux software, I am generally inclined to agree that the miner-side malware possibility seems unlikely, but cannot as yet be completely ruled out.  

But as far as I know there has not been any effort to identify affected  client side operating systems versions, miner versions, pool configurations including backups, failover-only settings, etc, to determine if there are any commonalities.  And from reading this thread, one cannot even determine how many people might have been affected!


Agreed that it's possible to download malicious code in linux.

Given that I'm running various versions of cgminer, sgminer, bfgminer, and even cudaminer, all git pulled myself and compiled myself, this seems unlikely in the extreme. Possible, but very unlikely. The perpetrator would have had to insert malicious working code in many different and separate miners source codes, some completely incompatible with others, administered by many different people, and all able to function simultaneously.

Again, possible, but does not seem very plausible.
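
Added example, not part of any post in this thread: one way a Linux rig owner could answer "how would people check for this?" is to list the rig's established TCP connections from `/proc/net/tcp` and flag any remote endpoint that is neither on the LAN nor a known pool address. The table below is constructed, the allowlisted pool address 203.0.113.10 and port 3333 are placeholders, and 206.223.224.225 is the address from the multipool.us notice quoted above.

```python
import ipaddress
import socket
import struct

# Addresses treated as local (loopback and RFC 1918 LAN ranges).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP_ESTABLISHED = "01"  # state code used in /proc/net/tcp

# Placeholder allowlist. Obtain the real pool addresses out of band (for
# example from the pool operator), not by resolving them on the rig, since
# the resolver path is one of the things under suspicion.
ALLOWED_POOL_IPS = ["203.0.113.10"]

# Constructed sample in /proc/net/tcp layout (not captured from a real rig):
# miner API listener, pool connection, unexpected connection, LAN SSH session.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0FBC 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 11111 1
   1: 0A01A8C0:C350 0A7100CB:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 22222 1
   2: 0A01A8C0:C352 E1E0DFCE:0D05 01 00000000:00000000 00:00000000 00000000  1000        0 33333 1
   3: 0A01A8C0:0016 0201A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 44444 1
"""


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' from /proc/net/tcp into (dotted_ip, port).

    The kernel prints the IPv4 address as a host-order 32-bit integer, so on
    little-endian machines (x86, ARM) the bytes appear reversed.
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def established_remotes(proc_net_tcp_text):
    """Return (ip, port) for the remote side of every ESTABLISHED socket."""
    remotes = []
    for line in proc_net_tcp_text.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a socket entry.
        if len(fields) < 4 or not fields[0].endswith(":"):
            continue
        if fields[3] == TCP_ESTABLISHED:
            remotes.append(decode_endpoint(fields[2]))
    return remotes


def unexpected_remotes(proc_net_tcp_text, allowed_pool_ips):
    """Return established remote endpoints that are not LAN and not allowlisted."""
    allowed = {ipaddress.ip_address(ip) for ip in allowed_pool_ips}
    flagged = []
    for ip, port in established_remotes(proc_net_tcp_text):
        addr = ipaddress.ip_address(ip)
        if addr in allowed or any(addr in net for net in LAN_NETS):
            continue
        flagged.append((ip, port))
    return flagged


if __name__ == "__main__":
    # On a real rig, read the live table instead of the sample:
    #   text = open("/proc/net/tcp").read()
    for ip, port in unexpected_remotes(SAMPLE_PROC_NET_TCP, ALLOWED_POOL_IPS):
        print(f"unexpected established connection to {ip}:{port}")
```

Run from cron with output appended to a file, this gives a timestamped record of where each rig was connected, which is the kind of evidence the thread says was missing.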
11  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 07:43:03 AM
Could be an infected source code for a miner or wallet which is compiled on each platform (windows, linux etc) ...

My rigs don't have wallets running on them.

Infected source code in all sgminer, cgminer, bfgminer, and even Cudaminer? Code I've downloaded from github and compiled myself in each case?


Seems highly unlikely. Possible, but very unlikely.

12  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 23, 2014, 07:31:32 AM
@PW got this from multipool.us

Mar 22 4:22 PM It appears there is some kind of malware diverting some users' hashpower to 206.223.224.225. This is not a multipool pool server. If you are seeing this, please report it as well as what miner you are using, where you obtained it, and check your computer for malware.

It appears that waffle is not the only multipool under attack!

how would people check for this?

Malware cannot explain what has happened.

I am running linux on each of my rigs. On those rigs running linux, there are several different distributions of linux. Linux is notoriously difficult to infect with malware. On those rigs, some are running sgminer, some cgminer 3.7.2 (original) and some kalroth's or other version of cgminer. One of my rigs is running cudaminer. Other people are running various versions of windows, or even Mac, with various miners.

I cannot imagine any malware that could possibly be written to affect multiple miners in multiple operating systems.

In my case, my security practices are very reliable.

When this happened to me, it happened simultaneously on all my rigs all running various OS's and all running different miners.

The symptoms are not indicative of client side malware. It is indicative of some kind of DNS or networking hijacking.

13  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: March 22, 2014, 04:37:54 PM
Is it just me whose stats have flatlined for the last 7h or so? My miner still reports shares being accepted and my Wafflepool stats page indicates 0khs submitted since 1:00AM EST

I have had the exact same thing!!!  What is going on Wafflepool?  My miner was still hard at work but luckily I opened the Wafflepool stats page and noticed that my reported hashrate was 0.00khs for the past 9.5 hrs or so.  I have reported shares according to my miner but not according to Wafflepool.  Has anyone else had this experience?

Yup. Exact same problem here. API and stats page were showing 0 hashrate. I'm hoping I actually got credited for the shares submitted during that time, as my miners seemed to be merrily working along.
14  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 26, 2014, 07:44:44 PM
What happened to the "better stats" page :( I really liked that service! It was amazing

At a guess, it's being updated or worked on. That's why it went down temporarily on other occasions. Just hang on, chances are it'll be back up, and better than ever, in a bit of time.
15  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 26, 2014, 07:13:55 PM
Yes, it probably should.

Also, people should ensure, in any forum anywhere on the internet where they post a question that they refrain from posting the question until they read at least the last several pages first. Chances are always more than 90% the question has already been answered.

In this case, I was chuckling to myself at the absurdity of it. Poolwaffle explains about payouts, then four or five people, right below, are asking about payouts. It's eye-rolling stuff.
16  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 26, 2014, 04:09:45 AM
So is there any way to implement this "merged mining" I'm hearing about? Is this even really feasible or doable?

For those who haven't heard of this, it's some sciencey-mathy-magicky trick where you can mine several coins at once, all of them at your top hash rate. Not split between them, all of them at once at full hash. At the same time.

17  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 23, 2014, 09:22:43 PM
As of this moment, wafflepool now has a greater hashrate than middlecoin.

Wafflepool: 13.94
Middlecoin: 13.77

That is all.


I think this is evidence enough that PW is doing things the right way here. Let's keep the profitability moving up and worry less about complex payout solutions! Thanks again for the efforts PW!

Agreed. I can't imagine how frustrating this must be the last week or so, and especially the last couple of days, with the cryptsy issues, bugs, etc. Nice job staying on top of it all Poolwaffle.
18  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 23, 2014, 09:06:09 PM
As of this moment, wafflepool now has a greater hashrate than middlecoin.

Wafflepool: 13.94
Middlecoin: 13.77

That is all.
19  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 23, 2014, 09:00:08 PM
And a dedicated forum for interaction with multiple threads instead of a mega thread please!


We already have that, at reddit. www.reddit.com/r/wafflepool

Poolwaffle, I know it's a wee bit more work, but would it be possible to copy/paste your updates there as well?

As for the fees, one of the reasons I'm here is the low 1% fee.


reddit is not a forum in the format that I am used to.

Yeah, I know some folks see the format as odd. It's really trivial, actually. Just topics and posts under them with nested replies.
20  Alternate cryptocurrencies / Pools (Altcoins) / Re: [ANN][POOL] Profit switching pool - wafflepool.com on: February 23, 2014, 07:42:49 PM
And a dedicated forum for interaction with multiple threads instead of a mega thread please!


We already have that, at reddit. www.reddit.com/r/wafflepool

Poolwaffle, I know it's a wee bit more work, but would it be possible to copy/paste your updates there as well?

As for the fees, one of the reasons I'm here is the low 1% fee.