Bitcoin Forum
Author Topic: Multiple YiiMP pools hacked, this is what we know so far..  (Read 15649 times)
kawaiicrypto (OP)
September 09, 2017, 09:12:49 AM
Last edit: September 09, 2017, 02:20:04 PM by kawaiicrypto
 #1

So, a lot of YiiMP pools got hacked, mine included.

So of course I try to understand what has happened. Looking at the nginx server logs I find this:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

As you can see, nginx returns a 200 HTTP code, which means that the file has been found.
I just checked; the file is not on the server. This leads me to believe that someone found a way to upload a PHP file that is either:
 a PHP shell (unlikely)
 a script getting RPC credentials from the YiiMP database to connect to coin daemons directly (most likely IMO).

Later, the script was told to delete itself by passing the d parameter, I assume.

Grepping the server log for all entries from the 51.15.40.233 IP yields these results:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

Checking the IP it turns out that it is a Tor exit node. I am still not sure how that file got on my server in the first place.

Checking the nginx error log, this is shown:

Code:
2017/09/08 21:31:27 [error] 18760#18760: *5664081 FastCGI sent in stderr: "PHP message: PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
PHP message: PHP Notice:  Use of undefined constant mysqli_connect - assumed 'mysqli_connect' in /var/web/lds.php on line 293" while reading response header from upstream, client: 51.15.40.233, server: _, request: "GET /lds.php HTTP/1.1", upstream: "fastcgi://unix:/run/php/php7.0-fpm.sock:", host: "kawaiipool.party"

Obviously I would be very interested from other YiiMP based pools if they find something similar in their logs, so I will be sending a link to this thread to some other YiiMP based pool owners.
If we are lucky, maybe the hacker forgot to delete lds.php from one of the pools and we can get a better understanding of what happened.


Edit: It seems the hacker used the dumpprivkey RPC command on wallets, so if you are running a mining pool you should assume the hacker has access to all mined funds - change addresses at once, just to be sure. Of course, until we find out how the hacker got in, you should disable mining anyway as a safety measure.

granat
September 09, 2017, 09:34:46 AM
 #2

I have found it too, but from a different IP, 141.101.69.188:

Code:
2017/09/08 17:22:25 [error] 14380#14380: *20037 FastCGI sent in stderr: "PHP message: PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290
PHP message: PHP Notice:  Use of undefined constant mysqli_connect - assumed 'mysqli_connect' in /var/web/lds.php on line 293" while reading response header from upstream, client: 141.101.69.188, server: granatgas-pool.info, request: "GET /lds.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.0-fpm.sock:", host: "granatgas-pool.info"
Supercoiner111
September 09, 2017, 09:35:56 AM
 #3

Great share; hopefully with the community's help we can identify what exploits were used in YAAMP open source pools.

hashrefinery
September 09, 2017, 09:53:27 AM
 #4

Timestamps are in UTC:

51.15.40.233 - - [08/Sep/2017:21:33:15 +0000] "GET /lds.php HTTP/1.1" 200 8972 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:37:43 +0000] "GET /lds.php?d HTTP/1.1" 200 237 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

[Fri Sep 08 21:33:15.698424 2017] [:error] [pid 24327] [client 51.15.40.233:19979] PHP Notice:  Use of undefined constant mysql_connect - assumed 'mysql_connect' in /var/web/lds.php on line 290

enkayz
September 09, 2017, 10:57:07 AM
 #5

Same here.

185.170.42.18 - - [08/Sep/2017:21:15:56 +0000] "GET /lds.php HTTP/1.1" 200 3314 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101
185.170.42.18 - - [08/Sep/2017:21:16:47 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101

barrysty1e
September 09, 2017, 11:10:26 AM
 #6

I'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), PHP module etc.
Being able to upload anything directly to the webroot indicates some fairly serious vuln.

Are most people here that were affected by this running nginx?

magnatum
September 09, 2017, 11:22:26 AM
 #7

Cannot find such; server Apache, PHP 7.
BBoBB
September 09, 2017, 11:44:09 AM
 #8

The IP that hit minertopia: 176.193.113.124
He didn't use lds.php; no traces of it. Will provide more info as soon as more is dug up.
On another pool:
171.25.193.78
198.245.60.8
185.170.42.18
barrysty1e
September 09, 2017, 11:58:55 AM
 #9

Quote from: barrysty1e on September 09, 2017, 11:10:26 AM
I'd say most useful would be the commit of yiimp that you are running, httpd version (or package if installed this way), PHP module etc.
Being able to upload anything directly to the webroot indicates some fairly serious vuln.

Are most people here that were affected by this running nginx?

Interesting; I ran Vega (https://subgraph.com) against one of the yiimp pools I maintain for a client, and 'Possible HTTP PUT File Upload' is identified on the base URL for the pool. It gets particularly bad when you see this: https://nealpoole.com/blog/2011/04/setting-up-php-fastcgi-and-nginx-dont-trust-the-tutorials-check-your-configuration/

Could be wrong, but it effectively allows an attacker to upload a file, then call it (where it will run server side), effectively allowing them to do any number of things.
Not sure if nginx is the issue here; I use lighttpd and haven't had any problems?

james

Decker
September 09, 2017, 12:17:00 PM
 #10

I found the following string in my web-server logs:
Code:
POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1
That decodes to:
Code:
POST //cgi-bin/php?-d+allow_url_include=on+-d+safe_mode=off+-d+suhosin.simulation=on+-d+disable_functions=""+-d+open_basedir=none+-d+auto_prepend_file=php://input+-d+cgi.force_redirect=0+-d+cgi.redirect_status_env=0+-d+auto_prepend_file=php://input+-n HTTP/1.1
But I don't know what this is: an attempt to hack yiimp or a vulnerability scan. Seems just a vulnerability scan; I don't have php or a cgi-bin dir on www.

AltMiner.net
September 09, 2017, 01:06:21 PM
 #11

We were also affected. I thought I'd seen several POST requests against the explorer URLs before, but cannot find them anymore. I'm also really wondering how they got this file uploaded there :(

AltMiner.net
September 09, 2017, 01:07:43 PM
 #12

Quote from: barrysty1e
I use lighttpd and haven't had any problems?

Lighttpd was also affected. We are running nginx with Apache; same issue.

ex_mac
September 09, 2017, 01:35:47 PM
 #13

51.15.63.98 - - [08/Sep/2017:23:18:05 +0200] "GET /assets/lds.php HTTP/1.1" 200 9739 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.63.98 - - [08/Sep/2017:23:19:52 +0200] "GET /assets/lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

No idea how the file was uploaded.

(Looks like all private keys are with the hacker now.
Some transactions were a few hours after the hack.)

AltMiner.net
September 09, 2017, 01:38:06 PM
 #14

It looks like you can grep for "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" in your logfile, for me the attacker was the only person using this. I've filtered out all static content and see this in my logfile:

Code:
92.222.6.12 - - [08/Sep/2017:23:41:00 +0200] "GET / HTTP/1.1" 200 3703 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /?address= HTTP/1.1" 200 2898 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/history_results HTTP/1.1" 200 685 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/current_results HTTP/1.1" 200 1152 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
92.222.6.12 - - [08/Sep/2017:23:41:07 +0200] "GET /site/user_earning_results?address= HTTP/1.1" 200 0 "https://altminer.net/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:42 +0200] "GET /?address= HTTP/1.1" 200 171 "https://altminer.net/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
92.222.6.12 - - [08/Sep/2017:23:41:53 +0200] "GET /lds.php HTTP/1.1" 200 4893 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
Code:
144.217.240.34 - - [08/Sep/2017:23:56:59 +0200] "GET /?address= HTTP/1.1" 200 171 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:04 +0200] "GET /lds.php HTTP/1.1" 200 4907 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"
144.217.240.34 - - [08/Sep/2017:23:57:27 +0200] "GET /lds.php?d HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0" "-"

Separated by the different actions. Currently also no idea on how the file was uploaded.

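The triage done by hand in this post and in the opening post (a .php file that answered 200 although it is not part of the deployment, the ?d call after which it vanished, the /?address= probe, and the one user agent every pool saw) can be run over a whole access log. This is an added example, not code from the thread or from YiiMP; KNOWN_PHP, the sample log lines and the documentation IPs in them are constructed assumptions.

```python
import re

# Combined log format as pasted in the thread (nginx and apache access logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Assumption: the PHP entry points your YiiMP deployment really ships; adjust to your tree.
KNOWN_PHP = {"/index.php"}
# The one user agent every affected pool in the thread reported.
SUSPECT_UA = "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

# Constructed sample lines modelled on the thread (documentation IPs, not real pools).
SAMPLE_LOG = """\
203.0.113.7 - - [08/Sep/2017:21:29:30 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
203.0.113.7 - - [08/Sep/2017:21:29:42 +0000] "GET /?address= HTTP/1.1" 200 2570 "http://pool.example/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.9 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
198.51.100.9 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.0.2.44 - - [08/Sep/2017:21:40:00 +0000] "GET /index.php HTTP/1.1" 200 2715 "-" "curl/7.52.1"
192.0.2.44 - - [08/Sep/2017:21:40:01 +0000] "GET /lds.php HTTP/1.1" 404 162 "-" "curl/7.52.1"
"""

def parse(line):
    """Split one access-log line into fields; None if it is not a request line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    rec["status"] = int(rec["status"])
    return rec

def triage(lines):
    """Apply the thread's indicators to every line and return what matched."""
    found = {"unexpected_php": [], "self_delete": [], "address_probe": [], "ua_ips": set()}
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        # 1. A .php file answered 200 although the deployed app does not ship it.
        if r["path"].endswith(".php") and r["status"] == 200 and r["path"] not in KNOWN_PHP:
            found["unexpected_php"].append((r["ip"], r["path"]))
            # 2. The "?d" call the posters saw right before the file vanished.
            if r["query"] == "d":
                found["self_delete"].append((r["ip"], r["path"]))
        # 3. The empty-address probe several pools saw minutes before lds.php.
        if r["path"] == "/" and r["query"].startswith("address="):
            found["address_probe"].append(r["ip"])
        # Pivot: every IP that used the shared user agent, for cross-pool comparison.
        if r["ua"] == SUSPECT_UA:
            found["ua_ips"].add(r["ip"])
    return found
```

Run triage() over your own access log (splitlines of the file) and compare the ua_ips set with what other pools report; a 200 for a .php path that is not in your tree is the strongest single indicator here.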
Decker
September 09, 2017, 01:54:49 PM
 #15

Interesting. Do others affected also have a /?address= GET request by the attacker before the GET of lds.php?

kawaiicrypto (OP)
September 09, 2017, 02:01:02 PM
 #16

Grepping for that useragent results in this (along with some noise which I have omitted, requests to get javascript, images and css):

Code:
192.160.102.165 - - [08/Sep/2017:21:29:30 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:34 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:42 +0000] "GET /?address= HTTP/1.1" 200 2570 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/current_results HTTP/1.1" 200 968 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:29:43 +0000] "GET /site/user_earning_results?address= HTTP/1.1" 200 31 "http://kawaiipool.party/?address=" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
192.160.102.165 - - [08/Sep/2017:21:30:00 +0000] "GET /?address= HTTP/1.1" 200 181 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

and later this:

Code:
51.15.40.233 - - [08/Sep/2017:21:31:07 +0000] "GET / HTTP/1.1" 200 2715 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/current_results HTTP/1.1" 200 972 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:08 +0000] "GET /site/history_results HTTP/1.1" 200 474 "http://kawaiipool.party/" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:31:27 +0000] "GET /lds.php HTTP/1.1" 200 3210 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"
51.15.40.233 - - [08/Sep/2017:21:32:09 +0000] "GET /lds.php?d HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0"

crombiecrunch
September 09, 2017, 02:31:27 PM
 #17

So even my brand new server that I just set up yesterday, that's not even advertised yet, was hit.

And of course tpruvot has issues disabled still on his github
magnatum
September 09, 2017, 02:35:44 PM
 #18

Looks like there is some reaction to the ' symbol in ?address=%27;
maybe an injection attack.
pallas
September 09, 2017, 02:58:40 PM
 #19

Since it affects multiple web servers, it can either be a php vulnerability (but we would probably know about it already) or injection into insecure yiimp code.
I would for sure look into the latter, starting with those scripts reported.

MajedPro
September 09, 2017, 03:08:19 PM
 #20

I've installed yiimp on a local server using [nginx - php 7.1 - mariadb].

Ran a quick scan and found many vulnerabilities that could allow an attacker to upload files to the server.

Cross Site Scripting

GET /?address="%20src=-->">'>'"
GET /explorer/graph?id=/./
GET /site/./
GET /site/block_results?id=/./
GET /stats/./

HTTP PUT File Upload
PUT /PUT-putfile
"The HTTP PUT method was designed to allow HTTP clients to store resources on a HTTP server"
