Bitcoin Forum
Author Topic: [POOL][Scrypt][Scrypt-N][X11] Profit switching pool - wafflepool.com  (Read 465521 times)
poolwaffle (OP), Sr. Member (Activity: 322, Merit: 254)
March 23, 2014, 06:27:32 PM  #3181

I sure don't hope we have funds on vircurex atm... BTC, LTC, TRC and FTC funds are getting frozen, so you can't withdraw or spend them.

https://vircurex.com/welcome/ann_reserved.html

We don't :)
MrGrave, Newbie (Activity: 4, Merit: 0)
March 23, 2014, 07:19:21 PM  #3182

Hey Guys, joined waffle a week or so ago and love the dedication some of you guys have, that made me want to mine here. Let me warn you that I am not very knowledgeable about a lot of the technical stuff that has been discussed in the last few hundred posts. I believe that I was one of the "hijack" victims of the other night. My miner was hashing but nothing was being received at my intended destination, wafflepool (stratum+tcp://useast.wafflepool.com:3333), for a total of 9 1/2 hours. I switched over to clevermining in an attempt to see if a new pool was going to fix my problem, knowing full well that I would be way over my head trying to solve or help solve a problem by lending information that I knew little about. What I can tell you, I will, because I believe that you are further ahead in solving this than anyone at clever, and I want to mine here and try to contribute in some way.

Basically, I was mining at clever for approx. 23 hours and when I was browsing I heard the fan slow, so I opened my cgminer and took a look. I believe it showed that I was disconnected from the pool and it reconnected to an IP address instead of my intended destination, which was stratum+tcp://ny.clevermining.com:3333, and the worksize changed to 1024 instead of 512.

If you believe that this may be the same type of situation some of us had at waffle, let me know what I can do to help.  Let me warn you again, you will have to dumb it down for me, but I will catch on.

 
bbbbbb2014, Member (Activity: 93, Merit: 10)
March 23, 2014, 08:27:08 PM  #3183
Last edit: March 23, 2014, 08:50:25 PM by bbbbbb2014

Quote from: MrGrave on March 23, 2014, 07:19:21 PM
Basically, I was mining at clever for approx. 23 hours and when I was browsing I heard the fan slow, so I opened my cgminer and took a look. I believe it showed that I was disconnected from the pool and it reconnected to an IP address instead of my intended destination, which was stratum+tcp://ny.clevermining.com:3333, and the worksize changed to 1024 instead of 512.

If you believe that this may be the same type of situation some of us had at waffle, let me know what I can do to help. Let me warn you again, you will have to dumb it down for me, but I will catch on.

Hi there!

I have 20+ years of networking experience in terms of security. While I don't know about the inner workings of cgminer, to me it seems:

- there is no malware installed directly on machines - causing the redirect - as clients and operating systems are too different
- that google DNS hijacking could be the cause - but it was corrected - so it is not the cause - as hijacking is still in progress

Questions which should be asked - are:
a) how the man in the middle knows IP numbers, where miners are?
b) is it possible to send a spoofed package from a distant network (with fake source IP) - to cause the redirection
c) there is no widespread abuse - to me it seems - there are some random elements in the package, which must be guessed - is it possible that there are many redirect requests but only a few are successful?
d) as victims have no common point - perhaps someone is firing redirection packages at will to IP addresses - hoping that they will catch miners

Perhaps source IPs are not faked, but someone is just firing redirection packages.

Most ISPs have filters to block if a source IP leaving the net is from the ISP's blocks. But not all ISPs are so careful.

But in any case - it does not matter - if the resolution of this problem will be found or not. There are plenty of ways for man in the middle attack.

Security within all this should be upgraded in a way that the client (cgminer) can always check if the stratum server is a pristine one. One solution would be that a server public key is stored at the client's side (the fingerprint of the key can be checked), and a client sends a cleartext challenge, and the server responds with a signed response, which can be checked by the client.

A quick intermediate fix would be implementing a command line switch '-noredir', ignoring any redirect requests.

If I understand Waffle, this redir command is never issued from his side. Then, after all, this redir is not needed.

I know that many pools implemented a feature that you point the miner to one location only, and they redirect hashing to the right server. Another situation where a redir is needed is perhaps for some pool balancing or something. But there is no such situation if I understand the situation correctly.

So a client can always check if it's communicating with the right server.

I'd also like to warn all of you, that some hashing distributions - for example SMOS 1.2 - stop your hashing and start their own hashing for 15 mins. Many miners didn't know that.
GalacticMiningCorp, Newbie (Activity: 31, Merit: 0)
March 23, 2014, 08:42:43 PM  #3184

Not sure if this is helpful for the investigation, but I noticed one of my rigs' hashrate dropped to zero on WP stats, did an lsof -i and got:

cgminer    5820     user   10u  IPv4 3470164      0t0  TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)

(definitely not WP's IP)

Restarted cgminer and went back to:

cgminer     319     user    4u  IPv4 3543219      0t0  TCP GPUMiner001:51742->192.241.211.125:3333 (ESTABLISHED)

This rig is running BAMT / cgminer 3.7.2

I've been working on another rig that's a clean Ubuntu 13 install with cgminer compiled from source, and so far it's not been affected (AFAIK)

Edit: tell a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)
utahjohn, Hero Member (Activity: 630, Merit: 500)
March 23, 2014, 08:52:20 PM  #3185

Here's what that URL http://server.live-chat-studio.com:3333/ produced. I would definitely say this could be our suspect ... notice the set difficulty to 1024, which was noted in other posts.


{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f8010684", 4]}
{"error": null, "id": 1, "result": true}
{"params": [1024], "id": null, "method": "mining.set_difficulty"}
{"params": ["969", "ec16f44c81715aadfdac1a0ec0a968048c72900d7fa3a2195f7ae05e0ad23eae", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27036c5502062f503253482f046b482f5308", "0d2f7374726174756d506f6f6c2f0000000001327f71e3bc1600001976a9148d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000", ["bc8ca418194fa3377125405c78378fd37754348b0796b8f0e07c95ebc80a1ad7", "5c35a1e02d5f91d7466742d084f9a3898d22559eaa6fc8587f97afde26ea982d", "02a3971e0304baf69a6cddd27b38e1f3dd28f872709b73780363b4beaf5952db", "527494b77a6f7f077ede7c8f8cd98c4d642c5c0dd92b1f360c1f4f94180cd0e1", "961c78a492fd6780ad9cb44c0a2395bc3390cefecaf5c531dfe0790f34c7cea9"], "00000002", "1b379193", "532f486b", true], "id": null, "method": "mining.notify"}
{"params": ["d382", "fc0a299002df7c021ff504df9ac5b0da1a3e9d93ff095960b906443517bdc2b5", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27036d5502062f503253482f04a2482f5308", "0d2f7374726174756d506f6f6c2f000000000197b97bfcbc1600001976a9148d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000", ["720f0b434cfda1989ce0e2032bdc03552bce4821e33dd6111d79f57fcc1b6153", "4e792db70a7de00d59f50c4f4ad9af411159367aae8bf195a620274ec4ab2fbb", "3abfadeeee44badb3bd0be87ca935a7e7a56ae4b2506a64bb79c423215a663de", "3b8f8db2565514851ebbef8be3456ab987f69e2e914061cb34c6a51abd0513b2", "bb274aaa592286733602a040ef063b075595009f35ae240ad901bb72db1dbb7f"], "00000002", "1b32f01c", "532f48a2", true], "id": null, "method": "mining.notify"}
{"params": ["e1a0", "84455d8195856659f447aadcef1d9134e62b293547ef40421a9e93c6728988d9", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27036e5502062f503253482f04b1482f5308", "0d2f7374726174756d506f6f6c2f000000000180f532cabc1600001976a9148d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000", ["013b417a04a58304d5fee774c50972bd4ef060af665af3fef9a5da82e5c7320d", "9f4823a2cbae2a001defa6633f10922ea5ea97bd5eacf51ff3e7a4725462cbfc", "bd88d51e90821ed6fc4762fd3fa2763d9a3362ed7d212a0dc7cb1be9549f1734"], "00000002", "1b372ec9", "532f48b1", true], "id": null, "method": "mining.notify"}
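The capture above is a plain newline-delimited stratum JSON-RPC session, so the defensive policy bbbbbb2014 proposed earlier in the thread (a '-noredir' switch that ignores redirect requests) can be expressed as a per-line filter sitting between the socket and the miner. The following Python is an added example, not code from the thread or from cgminer: it classifies each line, refuses client.reconnect unless redirects are enabled and point at a host the operator configured, and flags a mining.set_difficulty above an expected ceiling (the 1024 noted in the posts). The two mining lines in the sample are copied from the capture; the client.reconnect line is a constructed reconstruction of the message that produces cgminer's "Reconnect requested" log entry, and the names Verdict, classify_stratum_line and audit_session are this example's own.

```python
import json
from dataclasses import dataclass

# Constructed sample session: the first two lines are copied from the capture
# quoted in the thread; the client.reconnect line is a hypothetical
# reconstruction (stratum convention: params = [host, port, wait_seconds]).
SAMPLE_SESSION = [
    '{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f8010684", 4]}',
    '{"params": [1024], "id": null, "method": "mining.set_difficulty"}',
    '{"params": ["190.97.165.179", 3333, 0], "id": null, "method": "client.reconnect"}',
    'this is not json',
]


@dataclass
class Verdict:
    action: str   # "pass": forward to the miner, "drop": discard, "warn": forward but alert
    reason: str


def classify_stratum_line(line, configured_hosts, allow_reconnect=False, max_difficulty=None):
    """Apply a defensive policy to one stratum message.

    configured_hosts: hostnames/IPs the operator actually pointed the miner at.
    allow_reconnect:  False reproduces the proposed '-noredir' behaviour.
    max_difficulty:   optional ceiling; a set_difficulty above it is flagged.
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return Verdict("drop", "malformed JSON")
    if not isinstance(msg, dict):
        return Verdict("drop", "not a JSON object")

    method = msg.get("method")
    params = msg.get("params") or []

    if method == "client.reconnect":
        host = str(params[0]) if params else ""
        if not allow_reconnect:
            return Verdict("drop", f"client.reconnect to {host!r} refused: redirects disabled")
        if host not in configured_hosts:
            return Verdict("drop", f"client.reconnect to {host!r} refused: not a configured pool")
        return Verdict("pass", f"client.reconnect to configured host {host!r}")

    if method == "mining.set_difficulty":
        diff = params[0] if params else None
        if max_difficulty is not None and isinstance(diff, (int, float)) and diff > max_difficulty:
            return Verdict("warn", f"difficulty {diff} above expected ceiling {max_difficulty}")
        return Verdict("pass", f"difficulty set to {diff}")

    # Responses (no "method") and other notifications pass through unchanged.
    return Verdict("pass", method or "response")


def audit_session(lines, **policy):
    """Classify every line in order and return the list of verdicts."""
    return [classify_stratum_line(line, **policy) for line in lines]


if __name__ == "__main__":
    hosts = {"useast.wafflepool.com", "162.243.89.19"}
    verdicts = audit_session(SAMPLE_SESSION, configured_hosts=hosts, max_difficulty=512)
    for verdict in verdicts:
        print(f"{verdict.action:5} {verdict.reason}")
```

With redirects disabled the reconnect is dropped outright; enabling them only helps an operator whose pool genuinely uses client.reconnect, and even then the destination must be a host already in the configuration, so an injected redirect to an unknown address is still refused.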
bbbbbb2014, Member (Activity: 93, Merit: 10)
March 23, 2014, 08:53:01 PM  #3186


Quote from: GalacticMiningCorp on March 23, 2014, 08:42:43 PM
cgminer    5820     user   10u  IPv4 3470164      0t0  TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)

Edit: tell a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)


I think a redirection feature must be disabled. Someone is firing redirection packages at will.
GalacticMiningCorp, Newbie (Activity: 31, Merit: 0)
March 23, 2014, 09:01:40 PM  #3187


Quote from: bbbbbb2014 on March 23, 2014, 08:53:01 PM
Quote from: GalacticMiningCorp on March 23, 2014, 08:42:43 PM
cgminer    5820     user   10u  IPv4 3470164      0t0  TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)

Edit: tell a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)

I think a redirection feature must be disabled. Someone is firing redirection packages at will.

I've got a route to 127.0.0.1 in place now for that network now, so if they do hijack my rigs, my hash rate will go to zero, but they'll get no free mining time from me.
utahjohn, Hero Member (Activity: 630, Merit: 500)
March 23, 2014, 09:18:22 PM  #3188

Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\Administrator>nslookup server.live-chat-studio.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    server.live-chat-studio.com
Address:  190.97.165.179


C:\Users\Administrator>tracert server.live-chat-studio.com

Tracing route to server.live-chat-studio.com [190.97.165.179]
over a maximum of 30 hops:

  1     7 ms     2 ms     2 ms  modem.Home [10.42.0.1]
  2    61 ms    53 ms    48 ms  67.41.239.68
  3    33 ms    29 ms    26 ms  67-41-234-25.slkc.qwest.net [67.41.234.25]
  4    70 ms    82 ms    39 ms  sjp-brdr-04.inet.qwest.net [67.14.34.38]
  5    77 ms    49 ms    75 ms  63.146.27.214
  6    54 ms    52 ms    44 ms  ae-6.r20.snjsca04.us.bb.gin.ntt.net [129.250.5.12]
  7   136 ms    66 ms    69 ms  ae-4.r21.lsanca03.us.bb.gin.ntt.net [129.250.6.10]
  8    89 ms    79 ms    85 ms  ae-2.r05.lsanca03.us.bb.gin.ntt.net [129.250.5.86]
  9    72 ms   100 ms    84 ms  xe-0-5-0-31-100.r05.lsanca03.us.ce.gin.ntt.net [129.250.200.78]
 10    83 ms    96 ms    97 ms  ae-0-0-laxcs1-8-blacklotus.net [192.184.8.2]
 11    86 ms    85 ms   102 ms  ae-0-0-laxer4.blacklotus.net [208.64.120.66]
 12   138 ms   147 ms   206 ms  host-200-74-247-209.ccipanama.com [200.74.247.209]
 13   172 ms   167 ms   234 ms  host-200-74-247-3.ccipanama.com [200.74.247.3]
 14   153 ms   148 ms   136 ms  server.live-chat-studio.com [190.97.165.179]

Trace complete.

C:\Users\Administrator>
HueDoge, Newbie (Activity: 1, Merit: 0)
March 23, 2014, 09:22:24 PM  #3189

Hi everyone,

I am not on wafflepool but have been experiencing redirects too.

I'm on hashfaster's Dogecoin pool. I had my miner running SMOS and got redirected to wafflepool (but using my userpass from hashfaster) yesterday. I closed the program before checking but I believe it probably was not the right wafflepool stratum (like wafflepool.net instead of .com) especially given the fact that the user was not a BTC address.

I changed my install back to BAMT 1.3 thinking my rig was compromised, and I got redirected again today, this time to 190.97.165.179:3333. I found this pastebin including this address (it was deleted quickly but got archived by google) where there is that same difficulty 1024 line that was mentioned in previous posts.

http://webcache.googleusercontent.com/search?q=cache:wM5KnG5iVR0J:pastebin.com/zsWnEAsN+&cd=1&hl=en&ct=clnk&gl=ca

I don't know much about network protocols, but have we thought about malware infecting routers? I'm using a generic linksys/D-Link/some other router (I don't recall the brand and I'm not beside it) and I believe that might be the perfect place to snoop and inject stratum instructions, and it would explain many aspects of the observed behaviors, especially the fact that a specific subset of miners is targeted (perhaps only a certain model/chipset of router).

Any thoughts?
JHammer, Member (Activity: 112, Merit: 10)
March 23, 2014, 09:23:59 PM  #3190

Something just happened.. All of a sudden my GPU miners failed over to Clever. Also, did we just get another out-of-order payout for the day?

I rebooted my GPUs and they seem ok now


This is getting scary..


GalacticMiningCorp, Newbie (Activity: 31, Merit: 0)
March 23, 2014, 09:27:14 PM  #3191

Oh, thought I'd add one more thing: my rigs run behind a DD-WRT router NAT'd behind a Tomato router, both with very strict policies in place.

This looks more and more like a MITM attack instead of compromised mining software/malware.
MrGrave, Newbie (Activity: 4, Merit: 0)
March 23, 2014, 09:48:01 PM  #3192

Didn't post the IP in earlier post but it was 190.97.165.179 : 3333 that I was redirected to and I was mining on clevermining.  Don't have the info of where I was redirected to when I was on Wafflepool.
MadHattr, Newbie (Activity: 7, Merit: 0)
March 23, 2014, 09:48:42 PM  #3193


Quote from: GalacticMiningCorp on March 23, 2014, 09:01:40 PM
Quote from: bbbbbb2014 on March 23, 2014, 08:53:01 PM
Quote from: GalacticMiningCorp on March 23, 2014, 08:42:43 PM
cgminer    5820     user   10u  IPv4 3470164      0t0  TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)

Edit: tell a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)

I think a redirection feature must be disabled. Someone is firing redirection packages at will.

I've got a route to 127.0.0.1 in place now for that network now, so if they do hijack my rigs, my hash rate will go to zero, but they'll get no free mining time from me.

Hah I did the same.
MinerP, Full Member (Activity: 196, Merit: 100)
March 23, 2014, 09:50:43 PM  #3194

same thing is going on in clever... looks like all pools are being hijacked
redirected to the same 190.97.165.179 : 3333 address in panama..
caution, Member (Activity: 65, Merit: 10)
March 23, 2014, 09:53:30 PM  #3195

Mine as well: 190.97.165.179, diff 1.02K, using tomato firmware on my router, thinking about adding my pfsense box to the mix. I'm sure it's not a hack of my router or malware (not used for anything besides updating the OS & mining) as my S1's & a rig using crypto slax v0.1 have been unaffected, mining on a different pool.
fcmatt, Legendary (Activity: 2072, Merit: 1001)
March 23, 2014, 09:56:41 PM  #3196

If people think this is a mitm attack they should post traceroutes from them to the pool they were mining on to see what networks it goes through....
JHammer, Member (Activity: 112, Merit: 10)
March 23, 2014, 10:00:25 PM  #3197

ummmmm  Payouts were sent a while back and still have not shown up in my wallet... Are our payments now being hijacked?

Or is there just a delay?


GalacticMiningCorp, Newbie (Activity: 31, Merit: 0)
March 23, 2014, 10:01:51 PM  #3198

If you're using cgminer, start it with 2>cgminer.log to enable logging to a file. I did this and found the following line in the log after two of my rigs were hijacked:

 [2014-03-23 11:34:15] Reconnect requested from pool 2 to 190.97.165.179:3333

If you've compiled your own cgminer source, you can disable the reconnect command. Open util.c and look for this around line 1668:

Code:
static bool parse_reconnect(struct pool *pool, json_t *val)
{
        char *url, *port, address[256];

Right below the opening curly bracket enter:

Code:
static bool parse_reconnect(struct pool *pool, json_t *val)
{
        return false;
        char *url, *port, address[256];

Recompile cgminer and re-run it. It should now ignore any client.reconnect messages from stratum.

Note: I'm still testing this out. This is fly-by-the-seat-of-my-pants work right now, so I'm not sure of the possible implications on how this might affect legit client.reconnect messages, although PW says wafflepool doesn't use this feature.
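The "Reconnect requested" log line above is a ready-made detection signal for anyone who does not want to patch and recompile cgminer: compare every reconnect destination against the pool hosts the rig was actually configured for and alert on the rest. The Python below is an added example, not code from the thread or from cgminer. The log text is constructed: the reconnect line is the one quoted in the post, the other lines are made-up filler in cgminer's "[timestamp] message" shape. The allowlist is populated with wafflepool hostnames and IPs that appear elsewhere in this thread; find_rogue_reconnects and RECONNECT_RE are this example's own names.

```python
import re
from datetime import datetime

# Constructed sample log. Only the 11:34:15 line is taken from the post above;
# the others are invented filler in the same "[timestamp] message" shape.
SAMPLE_LOG = """\
 [2014-03-23 11:30:02] Started cgminer 3.7.2
 [2014-03-23 11:30:03] Pool 0 stratum+tcp://useast.wafflepool.com:3333 alive
 [2014-03-23 11:34:15] Reconnect requested from pool 2 to 190.97.165.179:3333
 [2014-03-23 11:40:00] Reconnect requested from pool 0 to useast.wafflepool.com:3333
"""

# Allowlist of the operator's own configured pools, by hostname and by IP
# (a redirect may name either). Values are wafflepool hosts/IPs seen in this thread.
CONFIGURED_POOLS = {
    "eu.wafflepool.com", "95.85.61.208",
    "useast.wafflepool.com", "162.243.89.19",
    "uswest.wafflepool.com", "192.241.211.125",
}

# cgminer's reconnect log line: "[YYYY-MM-DD HH:MM:SS] Reconnect requested from pool N to host:port"
RECONNECT_RE = re.compile(
    r"^\s*\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"Reconnect requested from pool (?P<pool>\d+) to (?P<host>[^:\s]+):(?P<port>\d+)\s*$"
)


def find_rogue_reconnects(log_text, configured_pools):
    """Return one alert dict per reconnect whose destination is not a configured pool."""
    alerts = []
    for line in log_text.splitlines():
        match = RECONNECT_RE.match(line)
        if not match:
            continue                      # not a reconnect line, nothing to check
        host = match.group("host")
        if host in configured_pools:
            continue                      # redirect to a pool we chose ourselves
        alerts.append({
            "time": datetime.strptime(match.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "pool": int(match.group("pool")),
            "destination": f"{host}:{match.group('port')}",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_rogue_reconnects(SAMPLE_LOG, CONFIGURED_POOLS):
        print(f"{alert['time']} pool {alert['pool']} redirected to {alert['destination']}")
```

Run against a live cgminer.log (for example from a cron job or a tail loop) this gives the operator the timestamp, the pool slot and the destination of every redirect that left the configured set, which is exactly the evidence the posts above are reconstructing by hand from lsof and nslookup output.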

bbbbbb2014, Member (Activity: 93, Merit: 10)
March 23, 2014, 10:02:50 PM  #3199

Quote from: caution on March 23, 2014, 09:53:30 PM
Mine as well: 190.97.165.179, diff 1.02K, using tomato firmware on my router, thinking about adding my pfsense box to the mix. I'm sure it's not a hack of my router or malware (not used for anything besides updating the OS & mining) as my S1's & a rig using crypto slax v0.1 have been unaffected, mining on a different pool.

I blocked all communications of my rigs to all external network (Internet), except for:

eu.wafflepool.com 95.85.61.208
useast.wafflepool.com 162.243.89.19
uswest.wafflepool.com 192.241.211.125
litecoinpool.org 151.236.218.211 80.69.77.111
us.litecoinpool.org 142.4.202.112 107.170.24.54
us2.litecoinpool.org 192.214.197.116 198.251.80.29
us3.litecoinpool.org 107.170.24.54
us4.litecoinpool.org 198.251.80.29

There was one IP address I was not able to identify who it belongs to:
37.58.69.218-static.reverse.softlayer.com:3333 (ESTABLISHED)

It seems it's litecoinpools address - but was unsure so it got blocked.

Waffle - do something - as it seems a mass of hashrate is lost.
ycsi, Member (Activity: 84, Merit: 10)
March 23, 2014, 10:03:43 PM  #3200

Quote from: GalacticMiningCorp on March 23, 2014, 10:01:51 PM
If you're using cgminer, start it with 2>cgminer.log to enable logging to a file. I did this and found the following line in the log after two of my rigs were hijacked:

 [2014-03-23 11:34:15] Reconnect requested from pool 2 to 190.97.165.179:3333


Which pool is pool 2 in your case?