I am going to explain this one last time. This is the third and last time I will explain it. It's going to be long-winded and complex.
Let's say we burn out a miner remotely. Better burn your house down in honor of the
Talking Heads "Burning Down the House"
This Miner will self destruct in 10 seconds
A. You connect to your miner
B. Appweb sends back the esp file with a little surprise before you finish clicking the submit button on login.
C. It's not the miners that are connecting out, it's the machine you're using a browser with.
Let's look a little closer.
fgrep -r baidu
Binary file cache/view_cbb7866fb91eccef78994dc93adea6fb.so matches
Binary file cache/view_fb23b72a36b7b4dbe70628d8cca96ed0.so matches
Binary file cache/view_c767ad3476fed9929b188b80cfbb45cb.so matches
Binary file cache/so.tar.gz matches
Binary file cache/view_035f15cc8bbe24799d3e54770f8d8295.so matches
Binary file cache/view_61b0e78a6f6e04dc3fe24ce0b7cf8e4f.so matches
Binary file cache/view_1e6f4c0c0a10cbe7cfc371f4f1d38e6c.so matches
Binary file cache/view_3a2b7a533e83e2d61b2cad29bb4b187e.so matches
Binary file cache/view_f77f36b0d78321b044f0e296a2c667a2.so matches
Binary file cache/view_afc502e1aa9bcff357e9eb694dabe642.so matches
Binary file cache/view_4d4d2036351546190541ac2a32bcc383.so matches
Binary file cache/view_53ea0d6735e4fb0329c094a648870277.so matches
Binary file cache/view_f6669d1b369196a904ea1967e72739a2.so matches
Binary file cache/view_b2068302aa7479365676d89b37de0a1e.so matches
Binary file cache/view_6f60de3de9ffb67d1f2e97f4b428386d.so matches
Binary file cache/view_04f9c7da622b21b96049f15706d92938.so matches
web/Ethernet/IPEthernetPort.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Ethernet/IPEthernetPort_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Cgminer/CgminerStatus.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Cgminer/CgminerConfig_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Cgminer/CgminerStatus_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Cgminer/CgminerConfig.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/admininfo/getadmininfo.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/admininfo/getadmininfo_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/alarm/AlarmManagement.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Status/SystemStatusRpm_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/Status/SystemStatusRpm.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/update/help.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/update/help_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/update/update_en.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
web/update/update.esp:document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
Before the browser can render a page, it has to build the DOM tree by parsing the HTML markup. Whenever the parser encounters a script it has to stop and execute it before it can continue parsing the HTML. If the script dynamically injects another script, the parser is forced to wait even longer for the resource to download, which can incur one or more network round trips and delay the time to first render of the page. Now, if you connect to the miner and are retrieving a JavaScript file from it, is it run on the miner? Noooooo.
It is run on the client, or the big box with a monitor that you connect to the miner with.
So thank you, Mr. Security Engineer. A fucking firewall in front of every miner will not catch it because:
A. It's SSL encrypted because it's sent from your client.
B. It uses your PC that you like to whatever on to get the code.
C. Since it uses JavaScript, you can get/alter/inject, or turn off your fans and start your house on fire.
Let's create a little sample exploit to, hmm, ahh, change your mining pool remotely. Then, hmm, set your ASICs on fire.
First, let's disable the submit button:
// Disable submit_callback submit buttons redirect to the ajax code to rewrite the variables and submit to the appweb controller after login in
$form['submit'] = array(
);
We have not logged in yet.
Now as you click, any code can basically take any variable and change it, like this.
Let's start with the meltdown.
Turn off all those pesky safety features, like turning your fans on low and disabling the auto shutdown:
$.post("/alarm/SetAlarmthreshold"
setValue("cgminertasknoanswer",data.feedback["cgminertasknoanswer"]);
setValue("tempalarmvalue",data.feedback["tempalarmvalue"]);
setValue("deviceclosetempvalue",data.feedback["deviceclosetempvalue"]);
setValue("devicesllowalarm",data.feedback["devicesllowalarm"]);
Disable your fan,
setValue("devicefan",data.feedback["devicefan"]); // device fan
setValue("devicefan2",data.feedback["devicefan2"]);
Set your PLL to the MAX:
setValue("pllconfig",data.feedback["pllconfig"]);
Now that your temp is disabled but it shows it's normal, your fan is set to low, and your ASICs are set to high.
Remember this is a simple example; you can do a lot more.
Because this is on every page, and
<script type="text/javascript">
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
Now as you connect to the web interface and it pulls their JavaScript, your miner has been turned into a giant Bic lighter.
Blackhole the address. This is like one of the simpler back doors.
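A defender-side way to audit the web templates for the phone-home includes that the grep above turned up, added here as an example that is not code from the post or from the miner firmware: it decodes each document.write(unescape(...)) the way the browser would and lists the hosts the client machine would be sent to. The sample template, the host cdn.example.net and the helper names are constructed for the example; only the hm.baidu.com line is the one quoted in the post.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of a miner web-UI template (.esp); the Baidu include is the
# one quoted in the post above, the other two script tags are made up for contrast.
SAMPLE_ESP = """
<script type="text/javascript">
var _bdhmProtocol = (("https:" == document.location.protocol) ? " https://" : " http://");
document.write(unescape("%3Cscript src='" + _bdhmProtocol + "hm.baidu.com/h.js%3F938ac8f30a6ec8c517f65bcdae695111' type='text/javascript'%3E%3C/script%3E"));
</script>
<script src="/js/jquery.js"></script>
<script src="https://cdn.example.net/lib.js"></script>
"""

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=['\"]([^'\"]+)['\"]", re.I)
WRITE_UNESCAPE_RE = re.compile(r"document\.write\(\s*unescape\((.*?)\)\s*\)", re.S)
JS_STRING_RE = re.compile(r"'([^']*)'|\"([^\"]*)\"")

def decode_write_calls(text):
    """HTML each document.write(unescape(...)) emits; only the quoted literals are
    kept, so the _bdhmProtocol variable is dropped and the src has no scheme."""
    out = []
    for m in WRITE_UNESCAPE_RE.finditer(text):
        parts = [a or b for a, b in JS_STRING_RE.findall(m.group(1))]
        out.append(unquote("".join(parts)))
    return out

def script_host(src):
    """Host a script is fetched from, or None for a same-origin path. Heuristic:
    a scheme-less src with a dotted first segment (scheme added at runtime) is external."""
    src = src.strip()
    if src.startswith("//"):
        return urlsplit("https:" + src).hostname
    if "://" in src:
        return urlsplit(src).hostname
    first = src.split("/", 1)[0]
    return first if ("." in first and "/" in src) else None

def find_external_scripts(text):
    """(host, src) for every script the page would load from another origin."""
    found = []
    for html in [text] + decode_write_calls(text):
        for src in SCRIPT_SRC_RE.findall(html):
            host = script_host(src)
            if host:
                found.append((host, src))
    return found
```

Run find_external_scripts over each file under web/ (the .esp files the grep listed) and every host it reports is one your browser, not the miner, will contact the moment you open that page.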
You disabled/killed off your appweb, I thought. I still use the appweb, but I got rid of all this crap from the esp files in my "firmware". The miners are still trying to talk to at least two entities in China when dwang starts up; it's still a good idea to box your miners in by firewall, IMHO. tekcomm is right though, those esp files are also loaded with phone-home crap that is executed on the browser/machine you're using to connect to your miner. (If you haven't cracked your miner, all you have to do is view source on the frame in the web pages and you can see the statements that are making your client machine connect to outside sources.)