Bitcoin Forum
November 14, 2024, 09:12:05 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: ANTBLEED VIRUS!!! CLONE  (Read 391 times)
LordPower (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 54


View Profile
February 10, 2020, 07:41:10 PM
Merited by Welsh (20), frodocooper (10), suchmoon (4), LoyceV (4), bones261 (4), malevolent (3), o_e_l_e_o (2), ABCbits (1)
 #1

I recently purchased some Antminer S9's from eBay with bitmain firmware on them,  I started seeing some abnormals in hash reporting vs actual hash rate at the pool.

I have seen numerous threads with people with the same problem but no resolve.

What I found:   



Code:
tcpdump: listening on eth1, link-type EN10MB (Ethernet), capture size 262144 bytes
11:22:36.264415 IP (tos 0x0, ttl 64, id 9890, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.45.36302 > 192.169.6.241.48748: Flags [S], cksum 0xb9fd (correct), seq 2314096459, win 29200, options [mss 1460,sackOK,TS val 8285329 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 26a2 4000 4006 8aaa c0a8 012d  E..<&.@.@......-
        0x0010:  c0a9 06f1 8dce be6c 89ee 4f4b 0000 0000  .......l..OK....
        0x0020:  a002 7210 b9fd 0000 0204 05b4 0402 080a  ..r.............
        0x0030:  007e 6c91 0000 0000 0103 0305            .~l.........
11:22:37.245654 IP (tos 0x0, ttl 64, id 4740, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6562 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285566 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1284 4000 4006 9ec5 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 6562 0000 0204 05b4 0402 080a  ..r.eb..........
        0x0030:  007e 6d7e 0000 0000 0103 0305            .~m~........
11:22:38.244593 IP (tos 0x0, ttl 64, id 4741, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x64fe (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285666 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1285 4000 4006 9ec4 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 64fe 0000 0204 05b4 0402 080a  ..r.d...........
        0x0030:  007e 6de2 0000 0000 0103 0305            .~m.........
11:22:40.244595 IP (tos 0x0, ttl 64, id 4742, offset 0, flags [DF], proto TCP (6), length 60)
    192.168.1.48.33514 > 192.169.6.241.48748: Flags [S], cksum 0x6436 (correct), seq 3083763706, win 29200, options [mss 1460,sackOK,TS val 8285866 ecr 0,nop,wscale 5], length 0
        0x0000:  4500 003c 1286 4000 4006 9ec3 c0a8 0130  E..<..@.@......0
        0x0010:  c0a9 06f1 82ea be6c b7ce 7ffa 0000 0000  .......l........
        0x0020:  a002 7210 6436 0000 0204 05b4 0402 080a  ..r.d6..........
        0x0030:  007e 6eaa 0000 0000 0103 0305            .~n.........
^C
4 packets captured
5 packets received by filter
0 packets dropped by kernel

This is a ANTBLEED VIRUS CLONE!

What this does:

The infected ant miner will boot up and connect to 192.169.6.241  on port:  48748  once connected:  the miner will receive remote hashing and pool switching,  AKA dev fee (BOT NETWORK)
"192.169.6.241" IS NOT YOUR LOCAL NETWORK... This is a hosted company hosting for the virus
The Virus will then change any SSH password on the local device and then begin a network subnet scan and try to install itself on other miners

You can tell in several ways this virus is on your network of miners, 

1. that the WEBUI for the miner will show its status page VERY SLOW!  this is due to the 100% CPU load and the MODIFIED bminer software that is on it.   
2.  Your miner with show HW errors on all chains, this is due to the modified bminer overclocking the miner to get better hash rate for the attacker!

Check your miner or router for ESTABLISHED CONNECTION to:  192.169.6.241   - If its there you have the virus

Solutions:

1. BLOCK ALL TRAFFIC  to 192.169.6.0/24 on your network,  and if you cannot block subnets, BLOCK 192.169.6.241  all protocols
2.  Pull your miners off your network
3. CHANGE PASSWORDS on all your miners, don't leave default password
4. SD Card your miner and install latest firmware from your miner manufacture.

Where did the virus come from?  Unknown I only purchased 3 Antminer S9's off eBay and had them on the test bench when I noticed it.  It appeared to be running latest bitmain firmware from May/2019

LP
taserz
Sr. Member
****
Offline Offline

Activity: 808
Merit: 294


Created AutoTune to saved the planet! ~USA


View Profile
February 10, 2020, 07:46:04 PM
 #2

You need to sd card flash and wipe the miner and reflash it and yes change password is wise but knock off all your miners as you do it so it doesn't get reinfected or

If you install our firmware from asic.to and run the virus scanner it can't disinfect that. You're describing the NightSwitcher virus. 90% chance that S9 came from china preloaded with malware.

Autotune Firmware for S19 and S19j! Overclock, Underclock, AutoTuning. Asic.to The MOON Increased hashrate, improved power efficiency 30w/TH up to 85th/s!!Mining bitcoin since 2011 • Best nerd decision of my life
LordPower (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 54


View Profile
February 10, 2020, 07:53:31 PM
Last edit: February 14, 2020, 12:17:42 AM by frodocooper
 #3

I will investigate more,  I am wondering if this virus may have created a hidden partition on boot up, I will check partition layout on good ant miner.    I have seen others post that they have installed latest firmware from bitmain and the virus comes back after a day or two.

I am wondering if this partition does not get wipe durning a firmware upgrade and when the miner is rebooted that partition boots first and then loads the miner software.

Also:  I have seen other threads showing this active connection to :  192.169.6.241,  that is a USA hosting company,  filing a complaint against that HOST.

Thoughts?
DaveF
Legendary
*
Offline Offline

Activity: 3654
Merit: 6671


Crypto Swap Exchange


View Profile WWW
February 10, 2020, 09:58:45 PM
 #4

When booting with an SD card it should wipe all partitions and start again.
At least that is the way it used to work.

Since you got them from eBay who knows what else was done to them.

Also, this is not antbleed but just one of the many hacked firmwares that are out there.

People will install anything.

* If you did not change the root / root password on other miners on your network check them too.

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
mikeywith
Legendary
*
Offline Offline

Activity: 2422
Merit: 6620


be constructive or S.T.F.U


View Profile
February 11, 2020, 12:14:42 AM
Last edit: February 14, 2020, 12:17:21 AM by frodocooper
Merited by malevolent (2)
 #5

Here is all you need to know about 192.169.6.241, it is pretty smart to use 192.169, a public IP that looks pretty identical to the private IP range 192.168 and attracts no suspicion.

As taserz explained, I am sure the miners you bought from Ebay came with that virus because I had the same exact thing happen to me, you should report the seller to Ebay and explain the issue.

You need to turn off every miner, SDcard each of them one by one, perform a full virus scan on all devices in your network, preferably use a Linux based system to access your miners for better security.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
DaveF
Legendary
*
Offline Offline

Activity: 3654
Merit: 6671


Crypto Swap Exchange


View Profile WWW
February 11, 2020, 03:54:20 AM
Last edit: February 14, 2020, 12:20:31 AM by frodocooper
Merited by frodocooper (2)
 #6

For US based IP addresses. You can get the contact info from ARIN:

https://search.arin.net/rdap/?query=192.169.6.241

The abuse contact for that IP range is on the bottom of the page.

-Dave



It's been going on for a while. These threads have popped up from time to time.

Biggest issue is that a lot of times miners pass though a lot of hands.

Case in point for a miner I am selling. Bitmain --> bought by someone on this forum --> sold to me --> mixed with parts from other miners that
I have bought from others --> on this forum sold to xxx on this forum

I think the control board is legit, but as of now; since *I* who is someone who knows his way around a miner can't tell you where the controller came from there might be something lurking that I don't know about. There were 3 miners that I built into 1 working one. So even "legit" can be bad.

Sad but true.

-Dave

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
philipma1957
Legendary
*
Offline Offline

Activity: 4312
Merit: 8844


'The right to privacy matters'


View Profile WWW
February 13, 2020, 01:43:37 AM
Last edit: February 14, 2020, 12:21:06 AM by frodocooper
 #7

Yep I have purchased from you and sold to you. I have mixed and matched tons of parts. from many sources.

In fact tomorrow I get Three controllers for l3+ units.  but i will run them on an empty mining ⛏ modem for a week before i try them on the big farm.

all the old gear may have firmware issues. lots of tricks for them.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
Artemis3
Legendary
*
Offline Offline

Activity: 2030
Merit: 1573


CLEAN non GPL infringing code made in Rust lang


View Profile WWW
February 14, 2020, 03:02:40 PM
 #8

You need to sd card flash and wipe the miner and reflash it and yes change password is wise but knock off all your miners as you do it so it doesn't get reinfected or

If you install our firmware from asic.to and run the virus scanner it can't disinfect that. You're describing the NightSwitcher virus. 90% chance that S9 came from china preloaded with malware.

So this virus is called NightSwitcher? Does it replicate itself, looking for miners with default passwords? Does it attack windows computers as well?

What else can you share about it?

I agree with wiping the nand using SD. What do you know about a malware that supposedly damages the nand storage entirely? Some people even claim it won't let boot from sd card anymore (i have always believed thats just a faulty sd reader slot).

People leaving the default password are a major part of the problem, there are even some countries planning to legislate against devices having a single default password (ie. wifi access points). I wonder if asic sales in those countries would then become illegal?

Human lazyness, the attackers favorite meal...

██████
███████
███████
████████
BRAIINS OS+|AUTOTUNING
MINING FIRMWARE
|
Increase hashrate on your Bitcoin ASICs,
improve efficiency as much as 25%, and
get 0% pool fees on Braiins Pool
kano
Legendary
*
Offline Offline

Activity: 4620
Merit: 1851


Linux since 1997 RedHat 4


View Profile
February 15, 2020, 10:43:12 AM
Last edit: February 15, 2020, 11:13:19 AM by kano
 #9

For US based IP addresses. You can get the contact info from ARIN:

https://search.arin.net/rdap/?query=192.169.6.241

The abuse contact for that IP range is on the bottom of the page.

-Dave



...
The server supplier for that IP address is (as it says) CrownCloud

The OzCoin pool (that no longer exists) was run by the same person who runs CrownCloud
CrownCloud's web site is: https://crowncloud.net/

It 'should' be easy to contact them and get them to take down the server that is being used for this virus if you provide the details shown by others above.

Code:
whois 192.169.6.241

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/resources/registry/whois/tou/
#
# If you see inaccuracies in the results, please report at
# https://www.arin.net/resources/registry/whois/inaccuracy_reporting/
#
# Copyright 1997-2020, American Registry for Internet Numbers, Ltd.
#


NetRange:       192.169.6.0 - 192.169.7.255
CIDR:           192.169.6.0/23
NetName:        CROWNCLOUD-3
NetHandle:      NET-192-169-6-0-1
Parent:         NET192 (NET-192-0-0-0-0)
NetType:        Direct Allocation
OriginAS:      
Organization:   Crowncloud US LLC (CUL-34)
RegDate:        2015-03-13
Updated:        2015-03-13
Comment:        All IP addresses in this range are statically assigned to end customers. Report any abuse to admin@crowncloud.us
Ref:            https://rdap.arin.net/registry/ip/192.169.6.0


OrgName:        Crowncloud US LLC
OrgId:          CUL-34
Address:        530 W 6th St
Address:        C/O Cid 4573 Quadranet Inc. Ste 901
City:           Los Angeles
StateProv:      CA
PostalCode:     90014-1207
Country:        US
RegDate:        2014-07-25
Updated:        2017-10-10
Ref:            https://rdap.arin.net/registry/entity/CUL-34


OrgAbuseHandle: CROWN9-ARIN
OrgAbuseName:   Crowncloud Support
OrgAbusePhone:  +1-940-867-4072
OrgAbuseEmail:  admin@crowncloud.us
OrgAbuseRef:    https://rdap.arin.net/registry/entity/CROWN9-ARIN

OrgTechHandle: CROWN9-ARIN
OrgTechName:   Crowncloud Support
OrgTechPhone:  +1-940-867-4072
OrgTechEmail:  admin@crowncloud.us
OrgTechRef:    https://rdap.arin.net/registry/entity/CROWN9-ARIN

Edit: I've sent them a message about it also, referencing this thread.

Edit2: I got a reply, they have suspended the server.

Pool: https://kano.is - low 0.5% fee PPLNS 3 Days - Most reliable Solo with ONLY 0.5% fee   Bitcointalk thread: Forum
Discord support invite at https://kano.is/ Majority developer of the ckpool code - k for kano
The ONLY active original developer of cgminer. Original master git: https://github.com/kanoi/cgminer
mikeywith
Legendary
*
Offline Offline

Activity: 2422
Merit: 6620


be constructive or S.T.F.U


View Profile
February 15, 2020, 11:29:50 AM
 #10

Edit: I've sent them a message about it also, referencing this thread.

Edit2: I got a reply, they have suspended the server.

That was quick, well done Kano.



as a general rule, one should always SDcard any used gear they buy BEFORE plugging it to the network, these viruses affect every other miner on the same network, so once you make that mistake of installing an infected miner, you will later have to fix every other miner, specifically those who don't bother with changing the default root/root username and password or use words that are easy to brute force.

The same or similar viruses exist in most of these "Boost Firmware" you find online.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
LordPower (OP)
Newbie
*
Offline Offline

Activity: 19
Merit: 54


View Profile
February 16, 2020, 08:30:02 PM
Last edit: February 16, 2020, 08:46:22 PM by LordPower
 #11

good job!!! I imagine many people will see a boost in their hash rate at the pools on there SHA256 miners.. I tried to find the thread earlier, there was something talking about 4/5TH loss at the pool and their TCPDUMP showed same connection to the 192.169.6.241 address, that thread was about 8 months old so this virus has been out for sometime.

Awesome to see the community come together,

edit:  was able to find the thread

https://bitcointalk.org/index.php?topic=5172514.0
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!