I did notice lots of miners already infected with a remote login called "nobody" in their configuration files.
It basically uses the same exploit, and totally took control over several miners.
It's mining at eligius, once I stumble upon that specific hacker again, I'll post his pool address.
KnC, however, does not respond at all, let alone patch their firmware to protect the users.
Note, even my Jupiter has been hacked and infected by this eligius pool at specific times.
Execute code: userdel nobody in ssh.
Do not factory reset, as all these files are also infected.
It's not up to me to post details about how to remove this hacker, that's up to Knc, who clearly does not give a f*CK about it.
nobody is a user and is there for running unprivileged items, a standard Unix construct across distros. If its shell was changed from /nonexistent then one needs to worry about it, but the user definitely exists on un-compromised boxes and is not an indication the box was compromised. With that said, I don't see it being used on any running binaries so it may not be needed on this box, it just came as part of the busybox setup along with many of the other users.
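The check the post above describes (is the `nobody` account still the unprivileged placeholder it should be?) can be run over `/etc/passwd` without removing anything. The following is an added example, not code from the thread or from KnC; the passwd lines are constructed samples, and the list of non-login shells is an assumption (busybox images vary, adjust it to the firmware you are looking at). It also lists every UID 0 account, since a second root-equivalent user is the more serious sign of tampering than the mere presence of `nobody`.

```python
# Constructed /etc/passwd samples, not taken from any real miner.
PASSWD_CLEAN = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/nonexistent:/bin/false\n"
)
PASSWD_SUSPECT = (
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:0:65534:nobody:/nonexistent:/bin/sh\n"
)

# Shells that do not give an interactive login (assumed list; extend per firmware).
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/nonexistent", ""}


def parse_passwd(text):
    """Parse passwd-format lines into {name: {uid, gid, home, shell}}."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line, skip rather than guess
        name, _pw, uid, gid, _gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def check_nobody(passwd_text):
    """Return findings about the 'nobody' account; an empty list is the expected state."""
    users = parse_passwd(passwd_text)
    acct = users.get("nobody")
    if acct is None:
        # Absence is itself worth noting: stock images ship the account.
        return ["'nobody' account is missing (removed or renamed)"]
    findings = []
    if acct["uid"] == 0:
        findings.append("'nobody' has UID 0 (root-equivalent)")
    if acct["shell"] not in NOLOGIN_SHELLS:
        findings.append(f"'nobody' has a login shell: {acct['shell']}")
    if acct["home"] != "/nonexistent":
        findings.append(f"'nobody' home is {acct['home']}, expected /nonexistent")
    return findings


def uid0_accounts(passwd_text):
    """Sorted names of all accounts with UID 0; only 'root' is expected."""
    users = parse_passwd(passwd_text)
    return sorted(name for name, acct in users.items() if acct["uid"] == 0)


if __name__ == "__main__":
    for label, sample in (("clean", PASSWD_CLEAN), ("suspect", PASSWD_SUSPECT)):
        print(label, check_nobody(sample), uid0_accounts(sample))
```

On the miner itself the same logic applies to the real file: `cat /etc/passwd` over SSH and feed it to `check_nobody`; a `nobody` entry with a non-login shell and UID 65534 is the normal state and needs no `userdel`.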
Given some of the information kicking around this thread I decided to take a closer look at my Jupiters...
My Jupiters are completely behind a firewall so I can't say for sure, but this conversation made me wonder what might be going on outside of a possible SSH or HTTP compromise... The basic security profile of the boxes is rather open, but at its heart it's no different than a Linux distro with a default username/password, Windows, etc. Although KnC should do more in their documentation to discuss changing things, there are no actual vulnerabilities, just a weak security posture.
By default cgminer is open read/write for any address, and in one of the recent firmware updates I think KnC enabled it by default.
Perhaps it's direct cgminer connections on the cgminer port?
Two options exist to mitigate:
- Disable cgminer remote management on the mining page.
- Another is a manual edit of the cgminer.conf file (manual mode) to disable worldwide remote write access: change "api-allow": "W:0/0" to something more restrictive, for example W:192.168.0/24 if you only need access from 192.168.0.x addresses.
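The second option above is easy to get wrong by hand, so here is an added example (not code from the thread or from KnC) that audits the `api-allow` value in a cgminer.conf and produces the restricted form. It assumes the format the post uses: comma-separated entries, a leading `W:` granting write access and no prefix meaning read-only, and short addresses such as `0/0` or `192.168.0/24` padded out to four octets. The two config snippets are constructed samples.

```python
import ipaddress
import json

# Constructed fragments of a cgminer.conf, not from any real miner.
WEAK_CONF = '{"api-listen": true, "api-allow": "W:0/0"}'
HARDENED_CONF = '{"api-listen": true, "api-allow": "W:192.168.0/24,10.0.0.5"}'


def parse_api_allow(value):
    """Split an api-allow string into (writable, ip_network) tuples.

    Assumed format (as used in the thread): "W:" prefix = write access,
    otherwise read-only; "a.b.c/bits" with missing octets padded with zeros.
    """
    entries = []
    for raw in value.split(","):
        raw = raw.strip()
        if not raw:
            continue
        writable = raw.upper().startswith("W:")
        if writable:
            raw = raw[2:]
        if "/" in raw:
            addr, bits = raw.split("/", 1)
            bits = int(bits)
        else:
            addr, bits = raw, 32  # a bare address means a single host
        octets = addr.split(".")
        while len(octets) < 4:
            octets.append("0")
        net = ipaddress.ip_network(f"{'.'.join(octets)}/{bits}", strict=False)
        entries.append((writable, net))
    return entries


def audit_api_allow(conf_text, min_write_prefix=24):
    """Return (severity, message) findings for write access that is too broad.

    An entry with prefix 0 is world-writable (the firmware default this thread
    describes); anything shorter than min_write_prefix is flagged as broad.
    """
    conf = json.loads(conf_text)
    if not conf.get("api-listen", False):
        return []  # API not listening at all, nothing reachable
    findings = []
    for writable, net in parse_api_allow(conf.get("api-allow", "")):
        if not writable:
            continue
        if net.prefixlen == 0:
            findings.append(("critical", f"write access allowed from any address ({net})"))
        elif net.prefixlen < min_write_prefix:
            findings.append(("warning", f"write access allowed from a broad range ({net})"))
    return findings


def restrict_write_access(conf_text, write_nets, read_nets=()):
    """Return the config dict with api-allow rebuilt from explicit network lists."""
    conf = json.loads(conf_text)
    parts = [f"W:{ipaddress.ip_network(n)}" for n in write_nets]
    parts += [str(ipaddress.ip_network(n)) for n in read_nets]
    conf["api-allow"] = ",".join(parts)
    return conf


if __name__ == "__main__":
    print(audit_api_allow(WEAK_CONF))
    print(audit_api_allow(HARDENED_CONF))
    print(json.dumps(restrict_write_access(WEAK_CONF, ["192.168.0.0/24"])))
```

Disabling remote management on the mining page (the first option) makes the `api-allow` value irrelevant, which is why the audit returns nothing when `api-listen` is false; if the API must stay on, keep write entries to the single host or subnet that actually manages the miner.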