Bitcoin Forum
November 16, 2018, 07:17:53 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 »  All
  Print  
Author Topic: Multiple YiiMP pools hacked, this is what we know so far..  (Read 15029 times)
kawaiicrypto
Full Member
***
Offline Offline

Activity: 192
Merit: 101



View Profile
September 09, 2017, 09:12:49 AM
 #1

So, a lot of YiiMP pools got hacked, mine included.

So of course I try to understand what has happened. Looking at the nginx server logs I find this:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

As you can see, nginx returns a 200 HTTP code, which means that the file has been found.
I just checked, the file is not on the server.. This leads me to believe that someone found a way to upload a php file that either is:
 a php shell (unlikely)
 a script getting RPC credentials from the YiiMP database to connect to coin daemons directly (most likely IMO).

later, the script was told to delete itself by passing the d parameter I assume.

grepping the server log for all entries from the 51.15.40.233 IP yields these results:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

Checking the IP it turns out that it is a Tor exit node. I am still not sure how that file got on my server in the first place.

Checking the nginx error log, this is shown:

Code:
2017/09/08 21:31:27 [error] 18760#18760: *5664081 FastCGI sent in stderr: "PHP message: PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
PHP message: PHP Notice:  Use of undefined constant mysqli_connect - assumed 'mysqli_connect' in /var/web/lds.php on line 293" while reading response header from upstream, client: 51.15.40.233, server: _, request: "GET /lds.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "kawaiipool.party"

Obviously I would be very interested from other YiiMP based pools if they find something similar in their logs, so I will be sending a link to this thread to some other YiiMP based pool owners.
If we are lucky, maybe the hacker forgot to delete lds.php from one of the pools and we can get a better understanding of what happened.


Edit: It seems the hacker used the dumpprivkey RPC command on wallets, so if you are running a mining pool you should assume the hacker has access to all mined funds - change addresses at once, just to be sure. Of course, until we find out how the hacker got in, you should disable mining anyway as a safety measure.

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
granat
Full Member
***
Offline Offline

Activity: 188
Merit: 100


granatgas-pool.info


View Profile WWW
September 09, 2017, 09:34:46 AM
 #2

i have found to but in different ip 141.101.69.188

Code:
2017/09/08 17:22:25 [error] 14380#14380: *20037 FastCGI sent in stderr: "PHP message: PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
PHP message: PHP Notice:  Use of undefined constant mysqli_connect - assumed 'mysqli_connect' in /var/web/lds.php on line 293" while reading response header from upstream, client: 141.101.69.188, server: granatgas-pool.info, request: "GET /lds.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "granatgas-pool.info"
Supercoiner111
Full Member
***
Offline Offline

Activity: 448
Merit: 100


View Profile
September 09, 2017, 09:35:56 AM
 #3

Great share, hopefully will the community help we can indentify what exploits were used in YAAMP open source pools.

WWW.MYNODE.ROCKS
hashrefinery
Member
**
Offline Offline

Activity: 116
Merit: 11


View Profile WWW
September 09, 2017, 09:53:27 AM
 #4

Timestamps are in UTC:

51.15.40.233 - - [08/Sep/2017:21:33:15 +0000] "GET /lds.php HTTP/1.1" 200 8972 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:37:43 +0000] "GET /lds.php?d HTTP/1.1" 200 237 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

[Fri Sep 08 21:33:15.698424 2017] [:error] [pid 24327] [client 51.15.40.233:19979] PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290

Hash Refinery Pool http://pool.hashrefinery.com/ - Over 50 coins active on 15+ algos - Receive payouts in any listed coin or auto-conversion to BTC
enkayz
Full Member
***
Offline Offline

Activity: 295
Merit: 100

hashbag.cc


View Profile WWW
September 09, 2017, 10:57:07 AM
 #5

Same here.

185.170.42.18 - - [08/Sep/2017:21:15:56 +0000] "GET /lds.php HTTP/1.1" 200 3314 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
185.170.42.18 - - [08/Sep/2017:21:16:47 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101

hashbag.cc - where do you put your hash? region based stratums available now: https://bitcointalk.org/index.php?topic=2044808.new
barrysty1e
Hero Member
*****
Offline Offline

Activity: 604
Merit: 500



View Profile WWW
September 09, 2017, 11:10:26 AM
 #6

i'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), php module etc.
being able to upload anything directly to webroot indicates some fairly serious vuln..

most people running nginx here that were affected by this?

just like a chocolate milkshake, only crunchy..!
magnatum
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
September 09, 2017, 11:22:26 AM
 #7

Cannot find such, server apache, php 7
BBoBB
Sr. Member
****
Offline Offline

Activity: 346
Merit: 251

Do it right or don't do it at all.


View Profile
September 09, 2017, 11:44:09 AM
 #8

the ip that hit minertopia : 176.193.113.124
he didn't use lds.php.. no traces of it.. will provide more info as soon as more is dug up
on another pool
171.25.193.78
198.245.60.8
185.170.42.18
barrysty1e
Hero Member
*****
Offline Offline

Activity: 604
Merit: 500



View Profile WWW
September 09, 2017, 11:58:55 AM
 #9

i'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), php module etc.
being able to upload anything directly to webroot indicates some fairly serious vuln..

most people running nginx here that were affected by this?

interesting; i ran vega (https://subgraph.com) against one of the yiimp pools i maintain for a client, and 'Possible HTTP PUT File Upload' is identified on the base URL for the pool. it gets particularly bad when you see this: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

could be wrong, but effectively allows attacker to upload a file, then call it (where it will run server side) effectively allowing them to do any number of things..
not sure if nginx is the issue here; i use lighttpd and havent had any problems?

james

just like a chocolate milkshake, only crunchy..!
Decker
Member
**
Offline Offline

Activity: 122
Merit: 48


View Profile
September 09, 2017, 12:17:00 PM
 #10

I was found the following string in my web-server logs:
Code:
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
That decodes too:
Code:
POST //cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n HTTP/1.1
But i don't know what is this: attempt to hack yiimp or a vulnerability scan. Seems just a vulnerability scan, i haven't php and cgi-bin dir on www.

AltMiner.net
Full Member
***
Offline Offline

Activity: 210
Merit: 100


AltMiner.Net | Low-Fee Pool | 2hr Payout


View Profile WWW
September 09, 2017, 01:06:21 PM
 #11

We were also affected. I thought i've seen several POST request against the explorer urls before, but cannot find them anymore. I'm also really wondering how they got this file uploaded there Sad

⚠️🚀 https://altminer.net 🚀⚠️ Low fee, multi algo pool | 2 hr payout | No registration required. ⚠️🚀 https://altminer.net 🚀⚠️
AltMiner.net
Full Member
***
Offline Offline

Activity: 210
Merit: 100


AltMiner.Net | Low-Fee Pool | 2hr Payout


View Profile WWW
September 09, 2017, 01:07:43 PM
 #12

use lighttpd and havent had any problems?

also lighttpd was affected. We are running nginx with apache - same issue.

⚠️🚀 https://altminer.net 🚀⚠️ Low fee, multi algo pool | 2 hr payout | No registration required. ⚠️🚀 https://altminer.net 🚀⚠️
ex_mac
Sr. Member
****
Offline Offline

Activity: 422
Merit: 250


"Proof-of-Asset Protocol"


View Profile
September 09, 2017, 01:35:47 PM
 #13

51.15.63.98 - - [08/Sep/2017:23:18:05 +0200] "GET /assets/lds.php HTTP/1.1" 200 9739 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.63.98 - - [08/Sep/2017:23:19:52 +0200] "GET /assets/lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

No idea how file uploaded.

(looks like all private keys on hacker now.
some transactions was few hours after hack )


|
 
 
50
|
 




                       ▄
           ▄▄▄▄▄▄███████
▄▄▄▄█████  █████████████
█████████  █████████████
█████████  █████████████
█████████  █████████████
█████████  █████████████
█████████  █████████████

█████████  █████████████
█████████  █████████████
█████████  █████████████
█████████  █████████████
█████████  █████████████
▀▀▀▀█████  █████████████
           ▀▀▀▀▀▀███████
                       ▀
|
 
 
$1,5 M
|



        ▄▄▄█████████▄▄▄
      ▄█████▀▀███▀▀█████▄
    ▄███▀     ███     ▀███▄
   ████       ███       ████
  ███▀                   ▀███
 ███▀                     ▀███
▄██▀       █████████       ▀██▄
███                         ███
███        █████████        ███
███                         ███
▀██▄       █████████       ▄██▀
 ███▄                     ▄███
  ███▄                   ▄███
   ████       ███       ████
    ▀███▄     ███     ▄███▀
      ▀█████▄▄███▄▄█████▀
        ▀▀▀█████████▀▀▀
|
 
|
 
<>
<>
<>
<>
 
GITHUB
TWITTER
YOUTUBE
FACEBOOK
AltMiner.net
Full Member
***
Offline Offline

Activity: 210
Merit: 100


AltMiner.Net | Low-Fee Pool | 2hr Payout


View Profile WWW
September 09, 2017, 01:38:06 PM
 #14

It looks like you can grep for "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" in your logfile, for me the attacker was the only person using this. I've filtered out all static content and see this in my logfile:

Code:
92.222.6.12 - - [08/Sep/2017:23:41:00 +0200] "GET / HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /?address= HTTP/1.1" 200 2898 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/history_results HTTP/1.1" 200 685 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/user_earning_results?address= HTTP/1.1" 200 0 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:42 +0200] "GET /?address= HTTP/1.1" 200 171 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:53 +0200] "GET /lds.php HTTP/1.1" 200 4893 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
144.217.240.34 - - [08/Sep/2017:23:56:59 +0200] "GET /?address= HTTP/1.1" 200 171 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:04 +0200] "GET /lds.php HTTP/1.1" 200 4907 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:27 +0200] "GET /lds.php?d HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Seperated by the different actions. Currently also no idea on how the file was uploaded.

⚠️🚀 https://altminer.net 🚀⚠️ Low fee, multi algo pool | 2 hr payout | No registration required. ⚠️🚀 https://altminer.net 🚀⚠️
Decker
Member
**
Offline Offline

Activity: 122
Merit: 48


View Profile
September 09, 2017, 01:54:49 PM
 #15

Interesting. Others affected also have /?address= GET request by attacker before get lds.php?

kawaiicrypto
Full Member
***
Offline Offline

Activity: 192
Merit: 101



View Profile
September 09, 2017, 02:01:02 PM
 #16

Grepping for that useragent results in this (along with some noise which I have omitted, requests to get javascript, images and css):

Code:
192.160.102.165 - - [08/Sep/2017:21:29:30 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:42 +0000] "GET /?address= HTTP/1.1" 200 2570 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/user_earning_results?address= HTTP/1.1" 200 31 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:30:00 +0000] "GET /?address= HTTP/1.1" 200 181 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

and later this:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

crombiecrunch
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
September 09, 2017, 02:31:27 PM
 #17

So even my brand new server that I just setup yesterday, thats not even advertised yet was hit.

And of course tpruvot has issues disabled still on his github
magnatum
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
September 09, 2017, 02:35:44 PM
 #18

Looks like there is ?address=%27 some reaction on ' symbol
maybe injection attack
pallas
Legendary
*
Offline Offline

Activity: 1834
Merit: 1087


Black Belt Developer


View Profile
September 09, 2017, 02:58:40 PM
 #19

Since it affects multiple web servers, it can either be a php vulnerability (but we would probably know about it already) or injection into insecure yiimp code.
I would for sure look into the latter, starting with those scripts reported.

MajedPro
Newbie
*
Offline Offline

Activity: 13
Merit: 0


View Profile
September 09, 2017, 03:08:19 PM
 #20

i've installed yiimp on local server using [nginx - php 7.1 - mariadb ]

ran a quick scan nd found many vulnerabilities and could allow an attacker to upload files to server.

Cross Site Scripting

GET /?address="%20src=-->">'>'"
GET /explorer/graph?id=/./
GET /site/./
GET /site/block_results?id=/./
GET /stats/./

HTTP PUT File Upload
PUT /PUT-putfile
"The HTTP PUT method was designed to allow HTTP clients to store resources on a HTTP server"

Pages: [1] 2 3 4 5 6 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!