Bitcoin Forum
Author Topic: HACKED !!  (Read 1036 times)
parshuram (OP)
July 01, 2017, 12:59:58 AM
Last edit: July 01, 2017, 02:08:30 AM by parshuram
 #1

MINING ON ETHOS

SETTINGS ON REMOTE CONFIG - DIGITAL OCEAN.

SO ALL THE SETTINGS OF POOL AND WALLET ARE SAVED IN ONE CONFIG FILE ON OCEAN AND EVERY RIG TAKES UP THAT SETTING.

NOW AT NIGHT, MOSTLY BETWEEN 1-4 AM, SOMEONE USED TO ACCESS THE DROPLET AND CHANGE THE WALLET ADDRESS TO HIS OWN AND POOL TO EUROPE SERVERS AT ETHERMINE.ORG. BUT SOMEHOW THE RIGS NEVER MINED AND SHOWED 0 HASHRATE. AND CHANGING IT TO OLD CONFIG FILES AGAIN AFTER AROUND 4 AM.

AS WE WERE MONITORING THE POOL ONLY, SO WE CONSULTED MANY PEOPLE THAT RIGS ARE MINING BUT ARE NOT SHOWING UP IN THE POOL. BUT OBVIOUSLY NO ONE AGREED.

SO TODAY HE CHANGED THE SERVERS TO INDIAN SERVER NEAREST TO OUR RIGS AND THEY MINED LIKE 4-5 MINUTES. I BECAME AWARE OF THE ISSUE AND CHECKED HIS WALLET ADDRESS; ALL MACHINES WERE ONLINE.

BUT AS SOON AS I SHUT DOWN THE RIGS HE CHANGED THE CONFIG FILES TO ORIGINAL SETTINGS.

HERE IS THE WALLET ADDRESS : https://ethermine.org/miners/85b4203fff14f350b388f8d6f9b082ed184d4b69

AND WHY IN HIS WALLET ADDRESS, ONLY WHEN THE WORKERS ARE ACTIVE THEN ONLY WE CAN SEE THEM, OTHERWISE THEY ARE REMOVED FROM POOL AT THAT TIME ONLY. USUALLY INACTIVE WORKERS STAY ON THE POOL FOR A DAY AT LEAST.

TRIED CHANGING DIGITAL OCEAN PASSWORD TWICE.

DOES ANYONE KNOW THIS? ANYONE EVER BEEN ATTACKED THE SAME WAY PREVIOUSLY?

HERE ARE SOME SCREENSHOTS OF TODAY, YOU CAN CHECK OUT THE TIMINGS AT THE TOP LEFT FOR MORE CLARITY -

http://imgur.com/a/nvaMB - THESE TWO WHEN EVERY RIG WAS MINING AT HIS ADDRESS AT 2:52AM

http://imgur.com/a/wRHxN - THIS ONE OF THE MORNING AT 6:13 AM

KINDLY HELP AND GUIDE.

THANKS .
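
The post above describes watching only the pool dashboard while the shared remote config was being edited. As an added example (not part of the original thread), this sketch audits a fetched config against a pinned wallet, an approved pool list and a baseline hash; the ethOS-style key names (`proxywallet`, `proxypool1`, `proxypool2`), the addresses and the pool hosts are assumptions or constructed sample values.

```python
import hashlib

# Assumed ethOS-style remote config: one "key value" pair per line, '#' comments.
WALLET_KEYS = {"proxywallet"}                  # assumed key names
POOL_KEYS = {"proxypool1", "proxypool2"}

def parse_config(text):
    """Return {key: value} for every non-comment line holding a key and a value."""
    settings = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].strip().split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip()
    return settings

def audit_config(text, expected_wallet, allowed_pools, baseline_sha256=None):
    """Compare a fetched config with pinned values; return a list of findings."""
    findings = []
    settings = parse_config(text)
    digest = hashlib.sha256(text.encode()).hexdigest()
    if baseline_sha256 and digest != baseline_sha256:
        findings.append("config hash differs from baseline")
    for key in sorted(WALLET_KEYS):
        value = settings.get(key)
        if value is None:
            findings.append(f"{key} missing")
        elif value.lower() != expected_wallet.lower():
            findings.append(f"{key} changed to {value}")
    for key in sorted(POOL_KEYS & settings.keys()):
        host = settings[key].rsplit(":", 1)[0].lower()
        if host not in allowed_pools:
            findings.append(f"{key} points at unapproved pool {host}")
    return findings

# Constructed sample data (not taken from the thread).
OWNER = "0x" + "a" * 40
GOOD = (f"globalminer claymore\nproxywallet {OWNER}\n"
        "proxypool1 asia1.ethermine.org:4444\n")
TAMPERED = GOOD.replace(OWNER, "0x" + "b" * 40).replace("asia1", "eu1")
BASELINE = hashlib.sha256(GOOD.encode()).hexdigest()
ALLOWED = {"asia1.ethermine.org"}

if __name__ == "__main__":
    for name, cfg in (("good", GOOD), ("tampered", TAMPERED)):
        print(name, audit_config(cfg, OWNER, ALLOWED, BASELINE))
```

Run on a schedule from a host other than the droplet, with the pinned values stored off the droplet, so a change made at 2 AM and reverted at 4 AM still leaves a record.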


Vann
July 01, 2017, 01:27:29 AM
 #2

Looks like the hacker froze the Caps lock on your keyboard. You expect someone to read that? LOL
boatznhoes
July 01, 2017, 01:34:15 AM
 #3

I'd reinstall ethos, create a brand new account for your config or just use config maker. Change ethos ssh and root passwords.
parshuram (OP)
July 01, 2017, 02:06:23 AM
 #4

I'd reinstall ethos, create a brand new account for your config or just use config maker. Change ethos ssh and root passwords.

Yes Sir. Maybe I can try this. Done with SSH and root passwords changing.
Ahead
July 01, 2017, 06:07:40 AM
 #5

I'd reinstall ethos, create a brand new account for your config or just use config maker. Change ethos ssh and root passwords.

Yes Sir. Maybe I can try this. Done with SSH and root passwords changing.

The safest way is to reinstall everything, set it up with new passwords, and make sure not needed ports are closed on the machine (not familiar with EthOS but I guess it is a Linux).
If the machine is already infected with some kind of trojan horse, then changing the passwords won't help you...

Format and re-install everything from scratch, and never use same passwords again (or similar ones).

jennywhzz
July 02, 2017, 06:37:35 PM
 #6

I am totally confused. Is this person changing the settings on a website or your rig? Are you renting from digital ocean or mining from home?
tinyteapot
July 03, 2017, 12:25:08 PM
 #7

This often happens when you use a preconfigured copy/paste settings to mine cryptos on Ubuntu, you will need to look into the codes but the best thing to do is to personally write the codes from scratch and do not copy paste into the droplet like safe screen stuffs.
parshuram (OP)
July 03, 2017, 02:17:44 PM
 #8

I am totally confused. Is this person changing the settings on a website or your rig? Are you renting from digital ocean or mining from home?

Yup using digital ocean and ssh login via mobaxterm. Plus he was accessing the config file of the droplet directly.
parshuram (OP)
July 03, 2017, 02:20:11 PM
 #9

This often happens when you use a preconfigured copy/paste settings to mine cryptos on Ubuntu, you will need to look into the codes but the best thing to do is to personally write the codes from scratch and do not copy paste into the droplet like safe screen stuffs.

Yeah. Droplet was also totally fucked up. And lack of security even after password changing and mailing digital ocean.
taxmanmt5
July 06, 2017, 03:24:42 PM
 #10

I assume the setup is this... you are renting a VPS from Digital Ocean, or a cloud piece, whatever, and using that to mine on the pool you have images of. If that is the case, then the point of attack is your Digital Ocean access. If so, I do not use them, but you need to change your access details, let Digital Ocean know and use 2FA or whatever equivalent they have.
2girls
July 06, 2017, 03:36:39 PM
 #11

This often happens when you use a preconfigured copy/paste settings to mine cryptos on Ubuntu, you will need to look into the codes but the best thing to do is to personally write the codes from scratch and do not copy paste into the droplet like safe screen stuffs.

Yeah. Droplet was also totally fucked up. And lack of security even after password changing and mailing digital ocean.

That's a pretty big company and they should have a decent security setup for you to use. The only drawback is that mining may be against their terms, so be quiet about that.

Qunenin
July 06, 2017, 05:33:19 PM
 #12

Now, do you use SSH or another method to access the cloud, that might be the point of hacking also. Lastly, without more info it is hard to say what you should do, but there is a site called miningrigrental.com and you can rent out your mining rig by pointing it at that site... blah, blah. We used to use the site because you can point the site at your mining sites so that when it is not being rented it is mining for you and with multiple rigs it is easier to change those settings online than using SSH or another method like that. Just a thought for an added line of security.

digitalgame4life
July 06, 2017, 05:46:53 PM
 #13

Totally don't get it.
