TheCoinFinder
Legendary
 Offline
Activity: 938
Merit: 1001
|
 |
March 24, 2014, 09:51:16 PM |
|
Looking through the code, I can only seem to find "client.reconnect" referenced in the stratum-mining-proxy rather than in the stratum itself. Could someone confirm this?
|
|
|
|
|
|
|
|
|
|
|
"In a nutshell, the network works like a distributed
timestamp server, stamping the first transaction to spend a coin. It
takes advantage of the nature of information being easy to spread but
hard to stifle." -- Satoshi
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
|
|
|
Thirtybird
|
|
March 24, 2014, 09:58:41 PM |
|
So....
did anyone investigate the possibility that the API for pool manipulation was being abused? If can modify peoples pool settings to create a pool with specific settings and then switch to that pool - which probably points at an http URL which then sends the stratum reconnect command to point to whatever the wallet address is at the time...
this, in theory could be done via javascript in your browser, miner monitoring software, malware, etc.
this tactic seems much easier than a large-scale man in the middle attack.
anyone whose miner is currently redirected and is running the curses interface, hit "S" for settings, then hit "W" for write. Write it out to some config file and view it. If it has more information in it than you put into it, post it here for people to evaluate.
From reviewing the code, it appeared to me that the client.reconnect message must have been received on an active stratum connection that had already passed the mining.subscribe, mining.authorize messages. So at the very least the server to which it was connected must have been able to emulate a stratum mining server up to that point. As for gathering the rest of that type of information from miners, it's not much unlike herding cats. I had posted a list of information for affected miners to supply in order to help narrow down the cause, but not a single reply was posted. Perhaps some might have sent directly to poolwaffle? (I really wanted to see it happen on one of my miners!) Yes, basic stratum functionality can be emulated by anything that does TCP/IP & sockets. Just accept everything and say that it's good regardless of what they send you. Also, consider this, a pool can redirect from http to stratum, so I wouldn't rule out basic http as the genesis just yet, but I haven't gone through to see where that occurs in the chain. Ya, not a single one of my miners - 4 rigs in two locations got redirected. None of them using SGMiner or CGMiner - From what another user told me, the api functions from cgwatcher or cgmonitor did not work against YACMiner until it was renamed cgminer. |
|
|
|
bbbbbb2014
Member
Offline
Activity: 93
Merit: 10
|
|
March 24, 2014, 10:01:31 PM |
|
If anyone has packet captures of work packets sent after their client was hijacked, could you post or send them? I'd be curious to see what they were mining. If it's DOGE, I'm also set up to extract the payout address from the coinbase parameters. A packet should look like this (I think this was an old packet capture from Clevermining): {"id":null,"method":"mining.notify","params":["3a61","34d9b767ab5f9e4270ca11e6f823da99af2b6da089d7cb21490c3cce4831ac63","01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff2703780702062f503253482f0436221c5308","0d2f6e6f64655374726174756d2f0000000001241b6d23db1200001976a914312f0edfb1647e2f9ddbc6a0faacf3c3c8d1d21588ac00000000",["e8c40423f1291090ace9ac3a88469cf61561ad9b0f06de877f9309b846264b9b","446dea3005104d328824ae1d93b6b26d6c18c69ed6cf3d5aa8a585eeebea534a","032c4da808bf500177768605095431ee58b2773e6397db02e93eae0db86952a4","d5e6cc3bc5dc96786f97cf42a07dff996ac4b9e572844300a0065c719d9ef186","5d7d235e26d856e1bb70ea2b669fa50b6ecf3256fc26ff0ac52d2ea2de4f5c08","2ab06ed0f757226b38213aeeaca5281d013f38259cc22ae04721ab35534d83fe","f66308601f97700e503e8cea31e8d1b57f34530054a222b4bb6f99015fd462a3"],"00000002","1b33c012","531c2247",true]}And how the hijacker knew to what address the packet must be sent to and other parameters (TCP, UDP)? Systematic probing, sniffin' trafic somewhere? Waffle told before that they are investigating the issue - but now is everything silent. |
|
|
|
|
bbbbbb2014
Member
Offline
Activity: 93
Merit: 10
|
|
March 24, 2014, 10:10:13 PM |
|
People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...
Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits. I expect DDOSes will continue to be executed. I'm not saying it's a conspiracy, but one and one only profit switching pool is up: http://poolpicker.eu/What do you think? |
|
|
|
|
Rock6.3
Member
Offline
Activity: 70
Merit: 10
|
|
March 24, 2014, 10:15:46 PM |
|
I think Waffle is back online  |
|
|
|
|
|
utahjohn
|
|
March 24, 2014, 10:19:43 PM |
|
People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...
Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits. I expect DDOSes will continue to be executed. I'm not saying it's a conspiracy, but one and one only profit switching pool is up: http://poolpicker.eu/What do you think? us-west2.multipool.us is still up |
|
|
|
|
|
gtraah
|
|
March 24, 2014, 10:25:10 PM |
|
What the hell is going on I had 3 fail-overs, and 2 Clevermining failovers all in the one batch file, 1st failovers were 3 Waffle pool servers, Useast, USwest & Sea And then I had Sf.clevermining & ny.clevermining... I am now at work for the next 7 hrs and have no control over the miner (DAMMIT) Yes I know I should of setup teamviewer I did have it setup before just never got around to do it again for this machine. anyway I been checking clevermining stats and all was good untill I arrive at work I check again and clever stats reporting 0Mh/s so I checked waffle and this is report 1.1mh which is Ridiculous i should be on 5.5-6Mhs on this 1 rig. Can someone explain how failover works and why it swtiched back to waffle and is mining shit all? EDIT: Hmm Seems I did good with my failovers , waffle is now showing 5.5Mhs |
|
|
|
|
libbyporit
Newbie
Offline
Activity: 16
Merit: 0
|
|
March 24, 2014, 10:27:00 PM |
|
Can someone explain how failover works and why it swtiched back to waffle and is mining shit all?
CGWatcher is your friend. |
|
|
|
|
|
utahjohn
|
|
March 24, 2014, 10:28:50 PM |
|
A few shares getting thru to uswest.wafflepool.com from here but nowhere like normal  Worker 15m Hashrate 15m Stalerate 1HANJQygp3jHuzutceBgMT7wfCgEug6h4L_gpu2 105.56 kH/s 0.00% Seems to be picking up a bit ... Hash Rate: 269.88 kH/s (15min approximated) Worker 15m Hashrate 15m Stalerate 1HANJQygp3jHuzutceBgMT7wfCgEug6h4L_gpu2 269.88 kH/s 0.00% |
|
|
|
|
suchmoon
Legendary
Offline
Activity: 3654
Merit: 8909
https://bpip.org
|
|
March 24, 2014, 10:35:28 PM |
|
People ddos for many reasons, this is likely a competitor trying to drive miners away from waffle. They probably figure if they frustrate the miners enough, then they will jump ship. This used to be a very common tactic when doge was beginning to get super popular...
Or most likely - the global hash rate increases - thus pushing profits down. If someone mines at the right pool (not necessary a profit switching one) - everyone else is in shit, but the smart guy mines some extra profits. I expect DDOSes will continue to be executed. I'm not saying it's a conspiracy, but one and one only profit switching pool is up: http://poolpicker.eu/What do you think? Not true. Hasco.ws, CleverMining, and ScryptGuild were and are up. Middlecoin seems to be accepting shares, although website is down, not sure about that. |
|
|
|
|
|
utahjohn
|
|
March 24, 2014, 10:38:17 PM |
|
My hashrate consistently going up ... maybe waffle is back online? Yep! 15 minute hashrate still increasing ... how long who long who knows LOL |
|
|
|
|
ElMariachi
Newbie
Offline
Activity: 51
Merit: 0
|
|
March 24, 2014, 10:38:27 PM |
|
EU pool working fine again for over (behold!) 15 minutes now for me.
|
|
|
|
|
|
oktay50000
|
|
March 24, 2014, 10:50:03 PM |
|
IT SEEMS WE ARE BACK ONLINE  |
BTC : bc1qqz9hvv806w2zs42mx4rn576whxmr202yxp00e9
feel free to buy me a bear
|
|
|
SnowLeopard
Newbie
Offline
Activity: 21
Merit: 0
|
|
March 24, 2014, 10:51:12 PM |
|
The nefarious stratum server on 190.97.164.179:3333 is no longer answering. It was not running standard stratum server pool -- normally the client sends data first (like HTTP) but this server was sending mining.notify immediately (more like SMTP). The mining.notify includes the hash of the previous block, but it's endianess is opposite of what any block explorer expects, but someone with more patience than myself should be able to find what coin it was mining. These are a few hashes I collected: 67272dab30992028ef77ee8d027a52a1e95582234e11ea9052a11626181c2ad4 --> 181c2ad452a116264e11ea90e9558223027a52a1ef77ee8d3099202867272dab
a5ed793ec7847f3b1904c3194d6bcec6977dc97b354a9f91c5c8985fb6344bb9 --> b6344bb9c5c8985f354a9f91977dc97b4d6bcec61904c319c7847f3ba5ed793e
21cf02e69c9a41875ee6ea26dae7e9a1a993b2dc37b1fe0f829ae5172451612a --> 2451612a829ae51737b1fe0fa993b2dcdae7e9a15ee6ea269c9a418721cf02e6
d0f67fec0722ba7f4ed0e10703a9afcbc86564316187944426906b5267345f62 --> 67345f6226906b5261879444c865643103a9afcb4ed0e1070722ba7fd0f67fec
430719e64f1653d0adb10b79ecb0a6bbcc8bfca77ab18713e123c66c03274404 --> 03274404e123c66c7ab18713cc8bfca7ecb0a6bbadb10b794f1653d0430719e6
First column is the hash from the mining.notify, second is the same swabbed around. |
|
|
|
|
|
oktay50000
|
|
March 24, 2014, 11:20:12 PM |
|
we are on new servers or ddos stopped???
it seems work better than before
|
BTC : bc1qqz9hvv806w2zs42mx4rn576whxmr202yxp00e9
feel free to buy me a bear
|
|
|
|
|
SnowLeopard
Newbie
Offline
Activity: 21
Merit: 0
|
|
March 24, 2014, 11:32:52 PM |
|
Good find! And no need to cut-n-paste the others and they're already linked as Previous Block. |
|
|
|
|
paul.miner
Newbie
Offline
Activity: 7
Merit: 2
|
|
March 24, 2014, 11:42:18 PM |
|
Since it seems to be just mining Worldcoin, I decoded the payout address from the cb2 parameter that was posted on Reddit ("...001976a914 6c09db316ad2a67b39aa6b904bc175f5a3aabbb688ac000...") Decoded, that address is WYXHfU5mGmWrb33QVRq1pRpCrzzMMfZw1P. Which makes frequent deposits to address Wgsk3MDRAUzGkUvWv2M9csVcNbLZpdehze. EDIT: You should note that the prevHash referenced is not necessarily a block mined by that miner, it's just the hash of whatever the current block was at the time of the packet capture. |
|
|
|
|
|
WaffleMaster
|
|
March 25, 2014, 12:11:44 AM |
|
U.S. west is still down  |
|
|
|
|
|
utahjohn
|
|
March 25, 2014, 12:18:41 AM |
|
U.S. west is still down Just looked and my hashrate dropped to Nil again Recent Shifts ID Ended Shares (yours / total) Blocks Found 15643 OPEN 0 / 18895360 1 15642 2014-03-25 00:13:46 0 / 50270208 1 15641 2014-03-25 00:04:21 0 / 50136576 1 15640 2014-03-24 23:55:21 1024 / 50039296 0 15639 2014-03-24 23:46:51 5120 / 50228224 0 |
|
|
|
|
|
