Bitcoin Forum
Author Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz  (Read 25811 times)
Darkhand
Newbie
*
Offline Offline

Activity: 26
Merit: 0


View Profile
December 31, 2013, 09:24:09 PM
 #21

No logs posted, just a troll.  Post logs and everyone will be on your side.  Take your pick!
traiz
Newbie
*
Offline Offline

Activity: 40
Merit: 0


View Profile WWW
December 31, 2013, 09:49:33 PM
 #22

what do you expect me to think?

That you should have some evidence beyond pure circumstance before slinging around legal threats?

Would you somehow have been better off if OP had been intimidated by legal liabilities into never discovering and posting this information?

P.S. If you don't want people "attacking" your gear through a public IP interface, simply configure it to not fulfill requests so promptly and politely.  Is it that difficult?

first off I am not the op.  i did not brute force 28 knc machines he did.  now when he did the brute force on the 28 machines he did not tell us he had permission to do it. so stop defending him for  doing something that is not legal.

 did his brute force attack hurt this person?

https://bitcointalk.org/index.php?topic=31163.msg4140767#msg4140767

maybe I do not know but time wise it matches.  was he off line for 3 or 5 hours extra due to the password attack ? do not know.  I ask you this. would you want someone coming to the front door of your home and testing your door knob to see if it opens easily ?  

  so to the op  did you have permission to attack the 28 machines? yes or no?  my apologies if you informed those miners. before you attacked them

Wait... the OP is kind enough to inform us of a possible exploit and you're nailing him for it???
I rather this type of information is made public than kept under wraps and have "hackers" exploit it.

Besides, if you have a machine directly connected to the internet, you should sort of expect something like this to happen.

I mean if someone had remote access to your machine, locking you out should be the least of your concerns (since you would know something was wrong).
Instead, they could have reflashed your machine with a custom rom whose gui looks exactly like the standard knc one, but is set to mine for them on a part time basis (but also keep your settings as well).
Then you're paying resources to mine for them, all the while thinking your miner was defective/had stale shares. Not knowing its compromised.

It's even worse if they had it randomly mine for them on one of the larger pools (that only requires an address) - say like 2am to 6am, 10am to 12pm, then 2pm to 4pm. While occasionally submitting shares to your pools so it doesn't time out and alert you.

Then again, if this was a troll post, good job.
You got me
Tigggger
Legendary
*
Offline Offline

Activity: 1098
Merit: 1000



View Profile
December 31, 2013, 11:47:14 PM
 #23

Wait... the OP is kind enough to inform us of a possible exploit and you're nailing him for it???
I rather this type of information is made public than kept under wraps and have "hackers" exploit it.

My thoughts exactly, thank you OP for doing the honourable thing and giving users a chance to lock down their machines before someone less honest found it.

astutiumRob
Full Member
***
Offline Offline

Activity: 201
Merit: 100



View Profile WWW
January 01, 2014, 01:52:13 AM
 #24

Well, it's either the OP or someone following their instructions ...

Have helped a couple of colo clients with hacked KNC kit today.

At least one of the brute-force attacks is coming from
109.201.154.184

Investigation into one hacked miner shows 1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
http://eligius.st/~wizkid057/newstats/userstats.php/1J7PH3SSzMLgrGZEkjQbq6Ls5LjQwpkAGq
being used - and that's had a *huge* hashrate increase today



www.astutium.com - domains | hosting | vps | servers | cloud - proud to accept bitcoins. UK colocation for BFL and KNC ASICs in Tier3+ DC
Register Domains with BTC
Want to make some bitcoins ? Miner on ebay | Buy GH/s
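
Added example, not part of any post in this thread: one way an owner could look for the kind of password-guessing burst reported above in the web server's access log. It assumes access logging is enabled on the miner and that lines follow lighttpd's default accesslog layout; the sample log lines, addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: access log lines look like lighttpd's default accesslog format:
#   client-ip server-name user [timestamp] "request" status bytes "ref" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) .*?\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def parse(line):
    """Return (ip, timestamp, status) or None for lines that do not match."""
    m = LINE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def detect(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag clients with >= threshold 401 responses inside the window.

    Digest auth answers every first request with a 401 challenge, so a single
    401 is normal; only a burst counts. A 2xx served to a flagged client after
    its burst is recorded as a possible successful guess.
    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)
    findings = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, status = rec
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ip not in findings:
                findings[ip] = {"burst_start": q[0], "success_at": None}
        elif 200 <= status < 300 and ip in findings:
            if findings[ip]["success_at"] is None:
                findings[ip]["success_at"] = ts
    return findings


def _line(ip, second, status):
    """Build one constructed log line, `second` seconds after 21:00:00."""
    stamp = "31/Dec/2013:21:%02d:%02d +0000" % divmod(second, 60)
    return '%s miner.lan - [%s] "GET / HTTP/1.1" %d 351 "-" "-"' % (
        ip, stamp, status)


# Constructed sample: one owner login (401 challenge, then 200) and one client
# that collects twelve 401s in twelve seconds before being served a 200.
SAMPLE_LOG = (
    [_line("198.51.100.20", 0, 401), _line("198.51.100.20", 1, 200)]
    + [_line("203.0.113.7", 60 + i, 401) for i in range(12)]
    + [_line("203.0.113.7", 75, 200)]
)
```

A flagged client with a non-empty `success_at` is the case worth treating as a compromise: change the password and check the pool settings.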
timmmers
Sr. Member
****
Offline Offline

Activity: 1176
Merit: 265



View Profile
January 01, 2014, 03:49:09 AM
 #25

Thanks to the OP for the warning, hopefully no-one lost due to this. Got to say that it's a fairly obvious target for anyone with skills and the mindset to try this eventually.
Could have been worse, could have been 2 months ago by someone sensible enough not to be greedy and milk a lot of rigs a little each day.
Posting ANY details was a bit "look at me" though, no need for that here, just warn KNC and advise the PW changes needed etc.

As for the rigs mentioned that seem to have lost some hashing, if they are on Slush there was a problem recently where earnings were deducted or some such nonsense which may account for that..which has been remedied now.

steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 01, 2014, 12:50:54 PM
 #26

Yes, well posting ANY DETAILS should put the pressure on KnC to patch up their firmware.

To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for your miner?

Second of all, your http is separated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.

Third of all, POST SOME LOGS THEN!!! That's what logs are made for anyway.

Last but not least, if i DID hack your machine, it would not even be visible to you.

I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.

But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....

Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
philipma1957
Legendary
*
Online Online

Activity: 4116
Merit: 7858


'The right to privacy matters'


View Profile WWW
January 01, 2014, 01:18:43 PM
 #27

Yes, well posting ANY DETAILS should put the pressure on KnC to patch up their firmware.

To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for your miner?

Second of all, your http is separated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.

Third of all, POST SOME LOGS THEN!!! That's what logs are made for anyway.

Last but not least, if i DID hack your machine, it would not even be visible to you.

I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.

But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....

Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...

Okay I call myself jaded and suspicious. Thanks for your efforts to warn us.

padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 01, 2014, 02:23:52 PM
 #28

Yes, well posting ANY DETAILS should put the pressure on KnC to patch up their firmware.

To the person claiming i hacked their rig, i bruteforce 28 miners under 20 minutes, that's about 50 seconds/miner.
What are you complaining about 3 hours non activity for your miner?

Second of all, your http is separated from the mining activity itself. Even if i bruteforce your miner for 24h, you'll never notice this.

Third of all, POST SOME LOGS THEN!!! That's what logs are made for anyway.

Last but not least, if i DID hack your machine, it would not even be visible to you.

I am not a 15yr old scriptkiddie trying to hack into every account i see.
I'm a 30+ professional security penetration tester.

But fine to me, next time, i'll post nothing, and get your rigs hacked then.
Underground is already offering me +150 BTC for all details, be glad i keep it to myself instead of thinking i would hack your lame rig with almost no profit according to your blockchain....

Bitcoin is about the community. That's why i keep this public and not underground, so all users can patch up before massive attacks start!
Or are you so naive to think i'm the only one who can discover this...

I'm glad you posted of the issue and think it's good to make the community aware of the issue, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.

In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.

I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 01, 2014, 02:37:12 PM
 #29

I'm glad you posted of the issue and think it's good to make the community aware of the issue, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.

In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.

I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...

Since KnC does not reply when i attempt to warn them, the best way to bring things to their attention is by involving the users/owners/customers.

The information i posted here, is nothing more than public source information as shown on their own Github page.

Believe me, no critical information is displayed on this forum. The information provided here is useless to so called 'hackers' trying to abuse miners.
If all details that i supplied to KnC are leaked, all public online miners are hacked within a 2 hour timespan.

I'm not looking to receive credits, badges or rewards by this exploit. I just want to prevent a massive miner attack.

padrino
Legendary
*
Offline Offline

Activity: 1428
Merit: 1000


https://www.bitworks.io


View Profile WWW
January 01, 2014, 02:49:42 PM
 #30

I'm glad you posted of the issue and think it's good to make the community aware of the issue, but as a professional penetration tester (since you keep bringing it up) I would think you would follow industry best practices and not post the technical details in your initial posting, but give the vendor time to address the issue.

In addition to that it's not even a hack, but a weakness in a vanilla vendor configuration putting users at risk.

I think you have the best intentions in mind but you are not conducting yourself as professionally as you could, especially given your career...

Since KnC does not reply when i attempt to warn them, the best way to bring things to their attention is by involving the users/owners/customers.

The information i posted here, is nothing more than public source information as shown on their own Github page.

Believe me, no critical information is displayed on this forum. The information provided here is useless to so called 'hackers' trying to abuse miners.
If all details that i supplied to KnC are leaked, all public online miners are hacked within a 2 hour timespan.

I'm not looking to receive credits, badges or rewards by this exploit. I just want to prevent a massive miner attack.

Fair enough, apologize for jumping too quick on it.. A quick glance at your first post indicated enough was available, didn't realize it was missing some things...

bitnpieces
Newbie
*
Offline Offline

Activity: 22
Merit: 0


View Profile
January 01, 2014, 03:30:36 PM
 #31

Wow I can't believe some people are jumping down your throat, I think you have done a great service to these guys by finding and highlighting these risks.
af_newbie
Legendary
*
Offline Offline

Activity: 2688
Merit: 1468



View Profile WWW
January 01, 2014, 04:28:47 PM
 #32

Hi all,

So, what else to do in my spare time while mining some BTC? Exploiting security holes in my hardware.
It turns out that every KnC miner can be hacked within 5-10 minutes, making it possible to control the CGMiner remotely.

I've submitted a highly detailed report to KNC, explaining how i did it, and how they can patch it with a new firmware upgrade.
To avoid a huge breach, i will not reveal all details, but i give you a short summary [proof of concept].

1: Scan the internet, using a special tool, for the default KnC Miner header response
Code:
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="f76e06a34c00b5fec1da6749d4ed0bfc", qop="auth"

EVERY miner uses this header, so in 10 seconds, i found about 1180 responses vulnerable to my attack.

Don't use Internet to access your miners directly. 

Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them.  Protect that page with user login and https.
Port forward your Internet connections to that page.


steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 01, 2014, 06:41:17 PM
 #33

Wow I can't believe some people are jumping down your throat, I think you have done a great service to these guys by finding and highlighting these risks.


Thank you sir!

kano
Legendary
*
Offline Offline

Activity: 4494
Merit: 1808


Linux since 1997 RedHat 4


View Profile
January 01, 2014, 09:21:48 PM
 #34

...
Don't use Internet to access your miners directly. 

Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them.  Protect that page with user login and https.
Port forward your Internet connections to that page.
cgminer already has all this by default - I wrote it - but no idea if KnC enabled it or not.

Pool: https://kano.is - low 0.5% fee PPLNS 3 Days - Most reliable Solo with ONLY 0.5% fee   Bitcointalk thread: Forum
Discord support invite at https://kano.is/ Majority developer of the ckpool code - k for kano
The ONLY active original developer of cgminer. Original master git: https://github.com/kanoi/cgminer
af_newbie
Legendary
*
Offline Offline

Activity: 2688
Merit: 1468



View Profile WWW
January 02, 2014, 04:00:15 AM
 #35

...
Don't use Internet to access your miners directly.  

Use some sort of API aggregation web page (https) to list status of all miners, restart them or power cycle them.  Protect that page with user login and https.
Port forward your Internet connections to that page.
cgminer already has all this by default - I wrote it - but no idea if KnC enabled it or not.

I meant a page like your api-example.php.  If you have 10 miners (on 10 different IPs) and one rPi watchdog.  On that watchdog, have a page that would go
to 10 IPs and fetch API summaries, format and display.  Something like

https://bitcointalk.org/index.php?topic=222632.0

rPi gpio ports that can be used to drive relays (via a simple transistor driver) to power cycle the miners (waiting for my relays to try this).
Got the gpio ports working (set them on 3.3V/off 0.4V), but not from the web server (requires access to sysfs).  Work in progress...

Something like
http://code.google.com/p/raspberrypi-gpio/downloads/list  but it uses mySQL, which is an overkill to do this if you ask me.
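
Added example, not code from the thread or from cgminer: a sketch of the watchdog-side poller described above, which also compares each miner's configured pools against an allowlist so that an unfamiliar payout address like the one reported earlier in the thread stands out. It assumes the cgminer API is enabled on TCP 4028 and reachable only from the watchdog's LAN address; host addresses, pool URLs, user names and the sample replies are constructed.

```python
import json
import socket

# Assumptions, not from the thread: the cgminer API listens on TCP 4028 and is
# reachable only from the watchdog's LAN address; the allowlist is constructed.
API_PORT = 4028
EXPECTED_POOLS = {("stratum+tcp://pool.example.net:3333", "myworker.1")}


def parse_reply(raw: bytes) -> dict:
    """Decode one API reply; cgminer terminates the JSON with a NUL byte."""
    return json.loads(raw.rstrip(b"\x00").decode("utf-8", errors="replace"))


def query(host: str, command: str, timeout: float = 3.0) -> dict:
    """Send one command to a miner and read until it closes the socket."""
    with socket.create_connection((host, API_PORT), timeout=timeout) as sock:
        sock.sendall(json.dumps({"command": command}).encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return parse_reply(b"".join(chunks))


def unexpected_pools(pools_reply: dict, allowed=EXPECTED_POOLS) -> list:
    """Return (URL, User) pairs configured on the miner but not allowlisted."""
    pairs = [(p.get("URL", ""), p.get("User", ""))
             for p in pools_reply.get("POOLS", [])]
    return [pair for pair in pairs if pair not in allowed]


def status_row(host: str, summary_reply: dict, pools_reply: dict) -> dict:
    """One line of the status page: hashrate, share counts, pool alerts."""
    summary = (summary_reply.get("SUMMARY") or [{}])[0]
    return {
        "host": host,
        "mhs_av": summary.get("MHS av"),
        "accepted": summary.get("Accepted"),
        "rejected": summary.get("Rejected"),
        "alerts": unexpected_pools(pools_reply),
    }


def poll(hosts):
    """Query every miner; an unreachable miner becomes an error row."""
    rows = []
    for host in hosts:
        try:
            rows.append(status_row(host, query(host, "summary"),
                                   query(host, "pools")))
        except (OSError, ValueError) as exc:
            rows.append({"host": host, "error": str(exc)})
    return rows


# Constructed sample replies (shape of cgminer "summary" and "pools" output).
SAMPLE_SUMMARY = (b'{"STATUS":[{"STATUS":"S","Msg":"Summary"}],"SUMMARY":'
                  b'[{"Elapsed":3600,"MHS av":550000.0,"Accepted":1200,'
                  b'"Rejected":4}],"id":1}\x00')
SAMPLE_POOLS = (b'{"STATUS":[{"STATUS":"S","Msg":"2 Pool(s)"}],"POOLS":['
                b'{"POOL":0,"URL":"stratum+tcp://pool.example.net:3333",'
                b'"User":"myworker.1"},'
                b'{"POOL":1,"URL":"stratum+tcp://unknown.example.org:3333",'
                b'"User":"CONSTRUCTED-UNKNOWN-PAYOUT"}],"id":1}\x00')
```

Only the watchdog's HTTPS status page would be port-forwarded; `poll()` runs on the LAN side. A reflashed miner can report whatever it likes over its own API, so pool-side statistics remain the independent check.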

mostclicked
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
January 02, 2014, 05:01:41 AM
 #36

OP is not bluffing. I can retrieve the IP addresses of KNC Miners from available search engine. The IP addresses are removed for security reason. Search result examples:

Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 02, 2014, 05:44:07 AM
 #37

OP is not bluffing. I can retrieve the IP addresses of KNC Miners from available search engine. The IP addresses are removed for security reason. Search result examples:

Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32

By the look of your results i know how you found them, but it's a very bad tool to use.
It will only bring up about +/- 130 results, 3/4 of them are already dead.

pdawg
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
January 02, 2014, 05:54:46 AM
 #38

Steve is helping here.  He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.

mostclicked
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
January 02, 2014, 07:11:54 AM
 #39

OP is not bluffing. I can retrieve the IP addresses of KNC Miners from available search engine. The IP addresses are removed for security reason. Search result examples:

Added on 01.01.2014
United States New York
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="354d48be494a88e6eccd16cdc7a1f67d", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Wed, 01 Jan 2014 05:39:41 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
United States Englewood
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="3b7e9df094c80de0a73e05bc14066075", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 22:50:39 GMT
Server: lighttpd/1.4.32

Added on 31.12.2013
Netherlands
HTTP/1.0 401 Unauthorized
WWW-Authenticate: Digest realm="KnC Miner configuration", nonce="71e7f1f82e328c05cf4d406705270c25", qop="auth"
Content-Type: text/html
Content-Length: 351
Date: Tue, 31 Dec 2013 20:23:39 GMT
Server: lighttpd/1.4.32

By the look of your results i know how you found them, but it's a very bad tool to use.
It will only bring up about +/- 130 results, 3/4 of them are already dead.

Yup it's bad. Just want to demonstrate the possibility of finding the IPs.
steve15 (OP)
Member
**
Offline Offline

Activity: 70
Merit: 10


View Profile
January 02, 2014, 07:37:13 AM
 #40

Steve is helping here.  He could have easily done this without posting anything and made a good amount of coin. Give the guy a break.

A tip is also welcome :-D
