Bitcoin Forum
Topic: KnC Miner : Security hacked - UPDATE with TOOL admin remove plz
padrino
January 05, 2014, 06:49:50 PM
 #61

A number of claims have been made on this thread about possible hacks; even the OP himself, although seemingly well intentioned, doesn't seem to understand the basics of Linux security. Odd given the claims by the OP of being a penetration tester with many years of experience, but I suppose that is beside the point.

To summarize the situation, there don't seem to be any actual vulnerabilities (as in software bugs) being exploited; rather, people seem to be taking advantage of the weak security posture of the miners when the default configuration has not been changed.

Given the situation there are some things that can be done in code to improve the security posture of the systems out of the box but in lieu of that I'm providing the following recommendations on what any user can do to improve the security posture of the systems.

If you have changed the password for the miner it's unlikely there was an actual system compromise, more likely it's been remote access via cgminer like I mentioned in this thread a couple of days ago, and the OP apparently just picked up on.

If you suspect you have had system files on the miner changed it is best to reload the factory image on the system using an SD card, reference https://www.kncminer.com/pages/troubleshooting. If you had changed the password before putting it on the internet check the below options as this is unlikely and instead it was most likely access via cgminer itself.

First, the OP himself said he found a "nobody" user on his system and made claims he had been hacked. It is NOT an indication of a hack; that is a standard user used for running unprivileged items and is on the system.

Now onto the options for securing the system, some odd 2 second script like the OP suggests isn't needed, simply protect the system properly and it will stay secure.

1. Firewall the system from remote access. There is no reason any port on a KNC Miner needs to be accessible on the open internet; it works fine from behind a NAT on a home router, etc. If you need remote access, I recommend a VPN solution as an option.

If you would like to limit exposure but still keep it online I suggest the following.

2. As discussed in an earlier post I made, disable cgminer remote admin, or limit remote admin. All things considered this seems to be the most likely access point. Definitely disable remote admin unless it's needed; if it is, limit it to a specific set of IP addresses.

Quote
- Another is a manual edit of the cgminer.conf file (manual mode) to disable world wide remote write access will take care of it, change   "api-allow": "W:0/0" to something more restrictive, for example W:192.168.0/24 if you only need access from 192.168.0.x addresses.

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
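
An added example, not part of the original post or of cgminer itself: a small auditor for the `api-allow` value discussed above. It assumes the `[W:]IP[/prefix]` entry format with cgminer's short forms (`0/0`, `192.168.0/24`), IPv4 only; the severity labels and function names are this example's own.

```python
import ipaddress
import json

# Ranges treated as "local": RFC 1918 private space plus loopback.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample: the world-writable setting quoted in the post.
SAMPLE_CONF = '{"api-listen": true, "api-allow": "W:0/0"}'


def parse_entry(entry):
    """Parse one api-allow entry ([W:]IP[/prefix], IPv4 only) into (is_write, network)."""
    group, _, rest = entry.strip().rpartition(":")
    addr, _, prefix = rest.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))  # pad short forms: 192.168.0/24, 0/0
    net = ipaddress.ip_network(".".join(octets) + "/" + (prefix or "32"), strict=False)
    # Only the W (privileged) group is evaluated; other group letters are not.
    return group.upper() == "W", net


def audit_api_allow(conf_text):
    """Return (entry, severity, network) tuples for api-allow in a cgminer.conf string."""
    findings = []
    allow = json.loads(conf_text).get("api-allow", "")
    for raw in (e.strip() for e in allow.split(",")):
        if not raw:
            continue
        try:
            is_write, net = parse_entry(raw)
        except ValueError:
            findings.append((raw, "error", None))  # malformed address or prefix
            continue
        local = any(net.subnet_of(n) for n in LOCAL_NETS)
        if is_write and not local:
            severity = "critical"  # privileged API commands allowed from outside
        elif not local:
            severity = "warn"      # read-only API still allowed from outside
        else:
            severity = "ok"
        findings.append((raw, severity, str(net)))
    return findings


if __name__ == "__main__":
    for conf in (SAMPLE_CONF, '{"api-allow": "W:192.168.0/24,127.0.0.1"}'):
        for entry, severity, net in audit_api_allow(conf):
            print(f"{severity:8} {entry:16} -> {net}")
```

The check compares each entry against explicit private ranges rather than `is_private`, because a network as wide as `0.0.0.0/0` must never be classified as local.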
bitpop
January 05, 2014, 07:09:36 PM
 #62

I don't see any issue, this is just fud. If you have a router you're safe. Tell me how the hell this miner opens ports when bitcoind with upnp can barely do it.

steve15 (OP)
January 05, 2014, 09:11:25 PM
 #63

Padrino is right for the most part.

The remote CGminer exploit can be executed without privileges to the system.
As my tests with a specific portscanner prove, the high port number cgminer uses by default is not always closed by the router.

My own router had the port 'filtered', but not closed. That's how I got my cgminer hacked.

Padrino, about the 'Nobody' user, like posted, I was looking via my smartphone in a quick hurry via SSH.
While I was losing about 5Th/s to a hacker, please excuse me for posting a reply too fast ;)

So, lesson learned here. DISABLE the remote CG management, and you're safe.
Well, at least from the remote CG exploit...

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
sickpig
January 05, 2014, 10:50:17 PM
 #64


1. Firewall the system from remote access. There is no reason any port on a KNC Miner needs to be accessible on the open internet; it works fine from behind a NAT on a home router, etc. If you need remote access, I recommend a VPN solution as an option.


This.

Never ever expose your miner directly to the internet.

Do not assign a public IP to the miner network interface.

Even if you're using a private address for your miner do not trust your router fw/firewall.

Router firmwares are updated once in a very long while, and they reach support EOL quite rapidly. Taking this into account implies using your router port forwarding is moot.

Use a bridge system between your router and your miner(s). Be it a linux hardened box or an OpenBSD one.

Set up a firewall on this machine that does both ingress/egress filtering. Set up a VPN service on this bridge box. Access the miner only through this VPN service.

If you do not have a static IP spend a few bucks a month for a VPS with a static IP address and use n2n (a layer two p2p VPN) to mimic a more classic VPN set up.

Bitcoin is a participatory system which ought to respect the right of self determinism of all of its users - Gregory Maxwell.
MiningBuddy
January 07, 2014, 10:52:09 AM
 #65

When I used to mine I never had a miner exposed to the internet, instead if I wanted to do any remote work I would SSH into a laptop that was open to the internet and on my miners network then SSH into my miners or however they were managed. This is fine as long as the bridge (laptop) is secure in this instance.

steve15 (OP)
January 15, 2014, 04:43:26 PM
 #66

KnC released a new firmware with all my points emailed to them taken into account.

THANK YOU KNC

However....

The new firmware has a HUGE security flaw. BUT...

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Quote
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here: https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:

- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also to enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)

There you go, just as I suggested it.

- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.

That's about time!!

- List of trusted management addresses can be changed on the "Network" page of the miner interface.

- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.

- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.

Thanks,
KnC team

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
padrino
January 15, 2014, 05:38:22 PM
 #67

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Sure they could have said something and should have, but are you sure it was in fact you and not someone else that emailed them before you but followed industry best practice and didn't make a post on a public forum with a lot of the technical details?

Of course this reply continues to destroy any credibility with respect to the massive amount of professional experience you say you have. As you continue this campaign I doubt more and more you were genuine to begin with and were at best a fame seeker, at worst malicious.

1CPi7VRihoF396gyYYcs2AdTEF8KQG2BCR
https://www.bitworks.io
arousedrhino
January 16, 2014, 01:16:50 AM
 #68

KnC released a new firmware with all my points emailed to them taken into account.

THANK YOU KNC

However....

The new firmware has a HUGE security flaw. BUT...

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Quote
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here: https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:

- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also to enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)

There you go, just as I suggested it.

- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.

That's about time!!

- List of trusted management addresses can be changed on the "Network" page of the miner interface.

- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.

- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.

Thanks,
KnC team


Steve,

Would this new bug you found be a problem for only public facing miners or all miners?

Just wondering if a miner on a private network with all the APIs turned off for cgminer would be vulnerable to such an attack.

Edit: Oh and I'm on .99.1-t.

Thanks.

KNC will never admit the security problem because that would legally make them potentially liable for losses suffered because of the breach. They could have at least sent ya a 1 BTC or something for your effort. Time is money and if they don't want to pay you anything it's not worth your time.
bitpop
January 16, 2014, 01:18:14 AM
 #69

This guy is abrasive like I am

noext
January 16, 2014, 11:29:14 AM
 #70

How to bypass the HTTP digest? I want to try this hack on my KnC.
steve15 (OP)
January 16, 2014, 03:48:45 PM
 #71

KnC released a new firmware with all my points emailed to them taken into account.

THANK YOU KNC

However....

The new firmware has a HUGE security flaw. BUT...

Since KnC does not even thank me for writing a detailed report, consuming several hours of my time, it's not worth it to me to write another one.
They DID implement every bugfix and security improvement I emailed them, and are now taking credit for it... Lame ass f*ckers!

If the script kiddies find out this new (ridiculous) bug in the miners, rest assured that many rigs will be taken over.


Quote
We have a new firmware for you today, version 0.99.2 firmware which can be downloaded from our firmware page here: https://www.kncminer.com/pages/firmware The firmware contains the following changes.
New features:

- Initial splash screen on first use now asks the user to specify a new administrator user name and password and also to enter a list of trusted addresses allowed to manage the miner. (Please note that by entering trusted addresses incorrectly you could block your access to the miner. The only way to regain access would be to perform a hard reset by pressing the button on the front of the miner 5 times, waiting 5 seconds and pressing another 5 times, as described in the user manual)

There you go, just as I suggested it.

- Miner management can be configured to allow access for trusted addresses only. The trusted addresses should be specified by using space separated addresses from which the miner is allowed to be accessed via HTTP and SSH.

That's about time!!

- List of trusted management addresses can be changed on the "Network" page of the miner interface.

- On the "Mining" page there is now a setting which allows the user to specify which addresses can access the miner's API interface.

- Added support for BFGMiner, which is now selectable from the "Mining" page of the interface.

Thanks,
KnC team


Steve,

Would this new bug you found be a problem for only public facing miners or all miners?

Just wondering if a miner on a private network with all the APIs turned off for cgminer would be vulnerable to such an attack.

Edit: Oh and I'm on .99.1-t.

Thanks.

KNC will never admit the security problem because that would legally make them potentially liable for losses suffered because of the breach. They could have at least sent ya a 1 BTC or something for your effort. Time is money and if they don't want to pay you anything it's not worth your time.

Well, without trying to reveal too many details, the bugs in the newest firmware are major issues.

I found 3 critical exposures of user credentials in a very simple way.

1) This has something to do with a parameter that is not sanitized, making you read protected files (userfiles?)
2) Userfile is readable without logging in to the system web interface
3) Cross Site Scripting "prompt" methods are able to be executed

To answer your question, your miner itself will be well shielded from outside access. However, the biggest problem once again comes down to the user.
You may protect your miner with all available options, but what about your other hardware that is connected to your internet?

Almost every available router has at least one working exploit available out there on the internet. Piece of cake to login/hack/crack your router, and your miner is accessible.

The most recent problems are however using smart devices on the same network. For example, a smart TV, a WiFi printer, a NAS server, ....
Same here, almost all these devices have one or more security flaws. These are also known to be "less" secured by the user itself.

Once again, just by accessing these devices, your miner can be at risk.

Now, don't be a fool thinking your miner IP is unknown to the internet also. Even from behind a router, your end IP address gets submitted with every share on the internet....
There are many many huge lists available on the net with miner IP addresses. And then it's just a matter of scanning this specific network range for weak devices.

A very good solution comes from SickPig:

Quote
Never ever expose your miner directly to the internet.

Do not assign a public IP to the miner network interface.

Even if you're using a private address for your miner do not trust your router fw/firewall.

Router firmwares are updated once in a very long while, and they reach support EOL quite rapidly. Taking this into account implies using your router port forwarding is moot.

Use a bridge system between your router and your miner(s). Be it a linux hardened box or an OpenBSD one.

Set up a firewall on this machine that does both ingress/egress filtering. Set up a VPN service on this bridge box. Access the miner only through this VPN service.

If you do not have a static IP spend a few bucks a month for a VPS with a static IP address and use n2n (a layer two p2p VPN) (http://www.ntop.org/products/n2n/) to mimic a more classic VPN set up.

Keep your eyes open, and change your passwords of ALL devices in your network every now and then.
Don't be scared to use long passwords; for example, you can SHA-512 hash your current password.

Your basic password known as for example

"password"

then becomes

"b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86"

way more secure against bruteforce/dictionary hacking methods.

If you are not allowed this many characters, take a simple MD5 encryption of your current password.



The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
U1TRA_L0RD
January 17, 2014, 06:44:54 AM
 #72

Maybe I'm not so sure about getting a Jupiter now, until this vulnerability gets fixed with a new firmware update.
steve15 (OP)
January 18, 2014, 06:49:28 PM
 #73

Since KnC patched up, I'm going to compile my injection application and release it to the public.

However, some restrictions will apply for general safety!!

-- My application will be limited to ONLY scan your OWN subnet or IP range (127.0.x.x and 192.168.x.x).

-- This application will act as proof of concept, no changes to the miner itself can be made.

-- The newest firmware bug will spill out your <super secret> login without authentication

The reason I will release the application is for miners to test their own miners against the exploits in the firmware.

Stay tuned, I will compile all this into a nice running GUI by Sunday evening :D



NOTE: STOP asking me in PM about the full exploit in the new firmware. This will not be revealed !


The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
palawan
January 19, 2014, 06:45:54 AM
 #74


I'm extremely addicted at looking at my Antminer S1 miner from anywhere, lol.  I have to be able to connect to it from anywhere.  I got a hotspot on my phone...

I still have the default root password of root on my S1, however:

  1. My ddwrt router can only be managed remotely from 1 IP address
  2. My Antminer S1 can only be managed by 1 IP address
  3. My Antminer S1 can only be ssh'ed to by 1 IP address
  4. Ports 80, 443 or 22 are not the ports to connect to

Amazon EC2 micro instance for free (I think it's still free).  I have paid about $1/month for the past 3 months and it's only because I've exceeded the data transfer quota.  Set one up.  Install OpenVPN on it.  Install PPTP VPN on it (for tablets and cell phones).  This is your personal VPN server and you don't need to pay nobody  (pun intended).  You can use this when using unsecured public wifi.

Choose an Ubuntu instance. apt-get the necessary packages. Guides are out there. EC2 requires opening the necessary ports as well as on the Ubuntu hosts. If I somehow find the time and feel energetic I would write a detailed step-by-step and post it on a webpage, but I doubt it will be anytime soon...


halu
Acejam
January 22, 2014, 06:55:50 AM
 #75

Since KnC patched up, I'm going to compile my injection application and release it to the public.

However, some restrictions will apply for general safety!!

-- My application will be limited to ONLY scan your OWN subnet or IP range (127.0.x.x and 192.168.x.x).

-- This application will act as proof of concept, no changes to the miner itself can be made.

-- The newest firmware bug will spill out your <super secret> login without authentication

The reason I will release the application is for miners to test their own miners against the exploits in the firmware.

Stay tuned, I will compile all this into a nice running GUI by Sunday evening :D



NOTE: STOP asking me in PM about the full exploit in the new firmware. This will not be revealed !



Needs to be open source. Otherwise you will be stealin our wallet dot dat's!

:D
Walking Glitch
January 22, 2014, 07:51:04 AM
 #76

You guys need to quit port forwarding/DMZing everything to the internet so blindly. One thing that would have completely prevented your kncminer from being a target is setting up a VPN on a computer inside your network, and forwarding only the necessary port to connect to it. Then using the VPN session, log into your miner. Then no matter what bug is in kncminer's firmware, if it's not receiving inbound connections from the internet, it is unhackable. (Unless of course one of your own machines is compromised.)
ici_lemmy
January 22, 2014, 07:53:25 AM
 #77

Stay tuned, I will compile all this into a nice running GUI by Sunday evening :D
Sunday ??? You mean next Sunday ???
bitpop
January 22, 2014, 08:13:36 AM
 #78

Yes awaiting Sunday

steve15 (OP)
January 22, 2014, 09:46:04 AM
 #79

Hi all,

I'm sorry, but at the moment I have another priority task :-)
I will publish it later this week!!

About the open source demand, due to the nature of this application, of course, for general safety open source will be impossible.

There is no need for the entire world to be able to exploit mining rigs!

You will only be allowed to scan your own network ;-)

There will also be an option that scans your entire network for weak or exposed devices, showing whether there is a known exploit available or not, like your router etc.

Please stay tuned!

The world's most secured bitcoin wallet | http://tinyurl.com/btcwallet | Armory
Walking Glitch
January 23, 2014, 02:56:14 AM
 #80

If you're not a script kiddie, you would be able to figure out how to trick his app into scanning everything. Keep that in mind when you release it steve.