poolwaffle (OP)
|
|
March 23, 2014, 06:27:32 PM |
|
We don't
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
MrGrave
Newbie
Offline
Activity: 4
Merit: 0
|
|
March 23, 2014, 07:19:21 PM |
|
Hey guys, joined Waffle a week or so ago and love the dedication some of you guys have; that made me want to mine here. Let me warn you that I am not very knowledgeable about a lot of the technical stuff that has been discussed in the last few hundred posts. I believe that I was one of the "hijack" victims of the other night. My miner was hashing but nothing was being received at my intended destination, wafflepool (stratum+tcp://useast.wafflepool.com:3333), for a total of 9 1/2 hours. I switched over to clevermining in an attempt to see if a new pool was going to fix my problem, knowing full well that I would be way over my head trying to solve or help solve a problem by lending information that I knew little about. What I can tell you, I will, because I believe that you are further ahead in solving this than anyone at Clever, and I want to mine here and try to contribute in some way.
Basically, I was mining at Clever for approx. 23 hours and when I was browsing I heard the fan slow, so I opened my cgminer and took a look. I believe it showed that I was disconnected from the pool and it reconnected to an IP address instead of my intended destination, which was stratum+tcp://ny.clevermining.com:3333, and the worksize changed to 1024 instead of 512.
If you believe that this may be the same type of situation some of us had at Waffle, let me know what I can do to help. Let me warn you again: you will have to dumb it down for me, but I will catch on.
|
|
|
|
bbbbbb2014
Member
Offline
Activity: 93
Merit: 10
|
|
March 23, 2014, 08:27:08 PM Last edit: March 23, 2014, 08:50:25 PM by bbbbbb2014 |
|
Basically, I was mining at clever for approx. 23 hours and when I was browsing I heard the fan slow, so I open my cgminer and took a look. I believe it showed that I was disconnected from the pool and it reconnected to an IP address instead of my intended destination which was stratum+tcp://ny.clevermining.com:3333. and the worksize changed to 1024 instead of 512.
If you believe that this may be the same type of situation some of us had at waffle, let me know what I can do to help. Let me warn you again, you will have to dumb it down for me, but I will catch on.
Hi there! I have 20+ years of networking experience in terms of security. While I don't know about the inner workings of cgminer, to me it seems:
- there is no malware installed directly on machines causing the redirect, as clients and operating systems are too different
- the Google DNS hijacking could be the cause, but it was corrected, so it is not the cause, as hijacking is still in progress
Questions which should be asked are:
a) how does the man in the middle know the IP numbers where miners are?
b) is it possible to send a spoofed packet from a distant network (with a fake source IP) to cause the redirection?
c) there is no widespread abuse; to me it seems there are some random elements in the packet which must be guessed. Is it possible that there are many redirect requests but only a few are successful?
d) as victims have no common point, perhaps someone is firing redirection packets at will to IP addresses, hoping that they will catch miners.
Perhaps source IPs are not faked, but someone is just firing redirection packets. Most ISPs have filters to block if a source IP leaving the net is from the ISP's blocks. But not all ISPs are so careful.
But in any case it does not matter whether the resolution of this problem will be found or not. There are plenty of ways for a man in the middle attack. Security within all this should be upgraded in a way that the client (cgminer) can always check if the stratum server is a pristine one. One solution would be that a server public key is stored at the client's side (the fingerprint of the key can be checked), the client sends a cleartext challenge, and the server responds with a signed response, which can be checked by the client.
A quick intermediate fix would be implementing a command line switch '-noredir', ignoring any redirect requests. If I understand Waffle, this redir command is never issued from his side. Then, after all, this redir is not needed.
I know that many pools implemented a feature where you point the miner to one location only, and they redirect hashing to the right server. Another situation where a redir is needed is perhaps for some pool balancing or something. But there is no such situation, if I understand the situation correctly. So a client can always check if it's communicating with the right server. I'd also like to warn all of you that some hashing distributions, for example SMOS 1.2, stop your hashing and start their own hashing for 15 mins. Many miners didn't know that.
|
|
|
|
GalacticMiningCorp
Newbie
Offline
Activity: 31
Merit: 0
|
|
March 23, 2014, 08:42:43 PM |
|
Not sure if this is helpful for the investigation, but I noticed one of my rigs' hashrate dropped to zero on WP stats, did an lsof -i and got:
cgminer 5820 user 10u IPv4 3470164 0t0 TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)
(definitely not WP's IP)
Restarted cgminer and went back to:
cgminer 319 user 4u IPv4 3543219 0t0 TCP GPUMiner001:51742->192.241.211.125:3333 (ESTABLISHED)
This rig is running BAMT / cgminer 3.7.2
I've been working on another rig that's a clean Ubuntu 13 install with cgminer compiled from source, and so far it's not been affected (AFAIK)
Edit: tell a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)
|
|
|
|
utahjohn
|
|
March 23, 2014, 08:52:20 PM |
|
Here's what that URL http://server.live-chat-studio.com:3333/ produced. I would definitely say this could be our suspect ... notice the set difficulty to 1024 which was noted in other posts:
{"error": null, "id": 1, "result": [["mining.notify", "ae6812eb4cd7735a302a8a9dd95cf71f"], "f8010684", 4]}
{"error": null, "id": 1, "result": true}
{"params": [1024], "id": null, "method": "mining.set_difficulty"}
{"params": ["969", "ec16f44c81715aadfdac1a0ec0a968048c72900d7fa3a2195f7ae05e0ad23eae", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27036c5502062f503253482f046b482f5308", "0d2f7374726174756d506f6f6c2f0000000001327f71e3bc1600001976a9148d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000", ["bc8ca418194fa3377125405c78378fd37754348b0796b8f0e07c95ebc80a1ad7", "5c35a1e02d5f91d7466742d084f9a3898d22559eaa6fc8587f97afde26ea982d", "02a3971e0304baf69a6cddd27b38e1f3dd28f872709b73780363b4beaf5952db", "527494b77a6f7f077ede7c8f8cd98c4d642c5c0dd92b1f360c1f4f94180cd0e1", "961c78a492fd6780ad9cb44c0a2395bc3390cefecaf5c531dfe0790f34c7cea9"], "00000002", "1b379193", "532f486b", true], "id": null, "method": "mining.notify"}
{"params": ["d382", "fc0a299002df7c021ff504df9ac5b0da1a3e9d93ff095960b906443517bdc2b5", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27036d5502062f503253482f04a2482f5308", "0d2f7374726174756d506f6f6c2f000000000197b97bfcbc1600001976a9148d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000", ["720f0b434cfda1989ce0e2032bdc03552bce4821e33dd6111d79f57fcc1b6153", "4e792db70a7de00d59f50c4f4ad9af411159367aae8bf195a620274ec4ab2fbb", "3abfadeeee44badb3bd0be87ca935a7e7a56ae4b2506a64bb79c423215a663de", "3b8f8db2565514851ebbef8be3456ab987f69e2e914061cb34c6a51abd0513b2", "bb274aaa592286733602a040ef063b075595009f35ae240ad901bb72db1dbb7f"], "00000002", "1b32f01c", "532f48a2", true], "id": null, "method": "mining.notify"}
{"params": ["e1a0", "84455d8195856659f447aadcef1d9134e62b293547ef40421a9e93c6728988d9", "01000000010000000000000000000000000000000000000000000000000000000000000000ffffffff27036e5502062f503253482f04b1482f5308", "0d2f7374726174756d506f6f6c2f000000000180f532cabc1600001976a9148d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000", ["013b417a04a58304d5fee774c50972bd4ef060af665af3fef9a5da82e5c7320d", "9f4823a2cbae2a001defa6633f10922ea5ea97bd5eacf51ff3e7a4725462cbfc", "bd88d51e90821ed6fc4762fd3fa2763d9a3362ed7d212a0dc7cb1be9549f1734"], "00000002", "1b372ec9", "532f48b1", true], "id": null, "method": "mining.notify"}
|
|
|
|
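The capture above is a complete stratum job, which is enough to rebuild the exact coinbase transaction a redirected rig would have been hashing. The script below is an added example, not code from this thread and not cgminer's: it parses the first mining.notify message, joins coinbase1 + extranonce1 + extranonce2 + coinbase2 the way a stratum client does, and decodes the result so the block height, the text tags in the coinbase script and the single output that collects the whole block reward become readable. The hex is copied from the post with the forum's word-wrap spaces removed; the extranonce1 and the 4-byte extranonce2 size come from the mining.subscribe reply in the same dump, and the extranonce2 value is a constructed placeholder (the miner picks it per share). The decoded reward of 250,005.25528882 coins at height 152940 looks like a Dogecoin block, which fits the DOGE rigs reported hijacked earlier in the thread.

```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Added example (not from the thread, not cgminer code). JOB_LINE is the first
# mining.notify message utahjohn captured, re-joined from the forum's wrapped
# hex; EXTRANONCE1 and the 4-byte extranonce2 size come from the
# mining.subscribe reply in the same dump. EXTRANONCE2 is a constructed value.
JOB_LINE = json.dumps({"params": [
    "969",
    "ec16f44c81715aadfdac1a0ec0a968048c72900d7fa3a2195f7ae05e0ad23eae",
    "0100000001" + "00" * 32 + "ffffffff27036c5502062f503253482f046b482f5308",
    "0d2f7374726174756d506f6f6c2f0000000001327f71e3bc1600001976a914"
    "8d6906222b82cd2b4b99d14bee6182084cab17fe88ac00000000",
    ["bc8ca418194fa3377125405c78378fd37754348b0796b8f0e07c95ebc80a1ad7",
     "5c35a1e02d5f91d7466742d084f9a3898d22559eaa6fc8587f97afde26ea982d",
     "02a3971e0304baf69a6cddd27b38e1f3dd28f872709b73780363b4beaf5952db",
     "527494b77a6f7f077ede7c8f8cd98c4d642c5c0dd92b1f360c1f4f94180cd0e1",
     "961c78a492fd6780ad9cb44c0a2395bc3390cefecaf5c531dfe0790f34c7cea9"],
    "00000002", "1b379193", "532f486b", True],
    "id": None, "method": "mining.notify"})
EXTRANONCE1 = "f8010684"
EXTRANONCE2 = "00000000"  # constructed: any 4 bytes the miner chooses


def parse_notify(line: str) -> Dict[str, object]:
    """Map the positional mining.notify params onto named fields."""
    msg = json.loads(line)
    if msg.get("method") != "mining.notify":
        raise ValueError("not a mining.notify message")
    p = msg["params"]
    return {"job_id": p[0], "prevhash": p[1], "coinb1": p[2], "coinb2": p[3],
            "merkle_branch": p[4], "version": p[5], "nbits": p[6],
            "ntime": int(p[7], 16), "clean_jobs": p[8]}


def read_varint(buf: bytes, pos: int) -> Tuple[int, int]:
    """Bitcoin-style compact size; returns (value, position after it)."""
    first = buf[pos]
    if first < 0xfd:
        return first, pos + 1
    size = {0xfd: 2, 0xfe: 4, 0xff: 8}[first]
    return int.from_bytes(buf[pos + 1:pos + 1 + size], "little"), pos + 1 + size


def script_pushes(script: bytes) -> List[bytes]:
    """Data pushes of a scriptSig (direct pushes and OP_PUSHDATA1, which is all a coinbase uses)."""
    pushes, pos = [], 0
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 0x4b:
            n = op
        elif op == 0x4c:
            n, pos = script[pos], pos + 1
        else:
            pushes.append(b"")  # OP_0 or a non-push opcode: nothing to extract
            continue
        pushes.append(script[pos:pos + n])
        pos += n
    return pushes


def decode_coinbase(raw: bytes) -> Dict[str, object]:
    """Parse a serialized (non-witness) coinbase transaction into its parts."""
    version = int.from_bytes(raw[0:4], "little")
    n_in, pos = read_varint(raw, 4)
    prev_hash = raw[pos:pos + 32]
    prev_index = int.from_bytes(raw[pos + 32:pos + 36], "little")
    pos += 36
    if n_in != 1 or prev_hash != bytes(32) or prev_index != 0xffffffff:
        raise ValueError("input is not a coinbase input")
    slen, pos = read_varint(raw, pos)
    script = raw[pos:pos + slen]
    pos += slen + 4  # skip the scriptSig and the 4-byte sequence
    n_out, pos = read_varint(raw, pos)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[pos:pos + 8], "little")
        plen, pos = read_varint(raw, pos + 8)
        outputs.append({"value": value, "script_pubkey": raw[pos:pos + plen].hex()})
        pos += plen
    if pos + 4 != len(raw):
        raise ValueError("trailing bytes after locktime")
    pushes = script_pushes(script)
    return {"version": version, "height": int.from_bytes(pushes[0], "little"),  # BIP34 height push
            "script_pushes": pushes, "outputs": outputs,
            "locktime": int.from_bytes(raw[pos:pos + 4], "little")}


def dsha256(b: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def inspect_job(line: str, extranonce1: str, extranonce2: str) -> Dict[str, object]:
    """Rebuild the coinbase for this job and report height, pool tags, reward output and merkle root."""
    job = parse_notify(line)
    raw = bytes.fromhex(job["coinb1"] + extranonce1 + extranonce2 + job["coinb2"])
    cb = decode_coinbase(raw)
    root = dsha256(raw)
    for branch in job["merkle_branch"]:  # stratum branches are already in internal byte order
        root = dsha256(root + bytes.fromhex(branch))
    tags = [p.decode("ascii", "replace") for p in cb["script_pushes"]
            if p[:1] == b"/" and p[-1:] == b"/"]  # "/P2SH/"-style text markers only
    return {"job_id": job["job_id"], "height": cb["height"], "tags": tags,
            "ntime": datetime.fromtimestamp(job["ntime"], timezone.utc).isoformat(),
            "outputs": cb["outputs"], "merkle_root": root[::-1].hex()}


if __name__ == "__main__":
    print(json.dumps(inspect_job(JOB_LINE, EXTRANONCE1, EXTRANONCE2), indent=2))
```

What a defender gets out of this: the scriptPubKey 76a914...88ac is a plain pay-to-pubkey-hash output, so every block found by redirected rigs pays the one key hash embedded in the job, and the /stratumPool/ push is the redirecting server's own signature in the coinbase; both are stable fingerprints for matching later captures against this one, and the ntime decodes to 2014-03-23 20:47:39 UTC, the evening the posts above were written.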
bbbbbb2014
Member
Offline
Activity: 93
Merit: 10
|
|
March 23, 2014, 08:53:01 PM |
|
cgminer 5820 user 10u IPv4 3470164 0t0 TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)
a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)
I think a redirection feature must be disabled. Someone is firing redirection packages at will.
|
|
|
|
GalacticMiningCorp
Newbie
Offline
Activity: 31
Merit: 0
|
|
March 23, 2014, 09:01:40 PM |
|
cgminer 5820 user 10u IPv4 3470164 0t0 TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)
a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)
I think a redirection feature must be disabled. Someone is firing redirection packages at will.
I've got a route to 127.0.0.1 in place now for that network, so if they do hijack my rigs, my hash rate will go to zero, but they'll get no free mining time from me.
|
|
|
|
utahjohn
|
|
March 23, 2014, 09:18:22 PM |
|
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\Administrator>nslookup server.live-chat-studio.com
Server: google-public-dns-a.google.com
Address: 8.8.8.8

Non-authoritative answer:
Name: server.live-chat-studio.com
Address: 190.97.165.179

C:\Users\Administrator>tracert server.live-chat-studio.com

Tracing route to server.live-chat-studio.com [190.97.165.179]
over a maximum of 30 hops:

  1     7 ms     2 ms     2 ms  modem.Home [10.42.0.1]
  2    61 ms    53 ms    48 ms  67.41.239.68
  3    33 ms    29 ms    26 ms  67-41-234-25.slkc.qwest.net [67.41.234.25]
  4    70 ms    82 ms    39 ms  sjp-brdr-04.inet.qwest.net [67.14.34.38]
  5    77 ms    49 ms    75 ms  63.146.27.214
  6    54 ms    52 ms    44 ms  ae-6.r20.snjsca04.us.bb.gin.ntt.net [129.250.5.12]
  7   136 ms    66 ms    69 ms  ae-4.r21.lsanca03.us.bb.gin.ntt.net [129.250.6.10]
  8    89 ms    79 ms    85 ms  ae-2.r05.lsanca03.us.bb.gin.ntt.net [129.250.5.86]
  9    72 ms   100 ms    84 ms  xe-0-5-0-31-100.r05.lsanca03.us.ce.gin.ntt.net [129.250.200.78]
 10    83 ms    96 ms    97 ms  ae-0-0-laxcs1-8-blacklotus.net [192.184.8.2]
 11    86 ms    85 ms   102 ms  ae-0-0-laxer4.blacklotus.net [208.64.120.66]
 12   138 ms   147 ms   206 ms  host-200-74-247-209.ccipanama.com [200.74.247.209]
 13   172 ms   167 ms   234 ms  host-200-74-247-3.ccipanama.com [200.74.247.3]
 14   153 ms   148 ms   136 ms  server.live-chat-studio.com [190.97.165.179]

Trace complete.

C:\Users\Administrator>
|
|
|
|
HueDoge
Newbie
Offline
Activity: 1
Merit: 0
|
|
March 23, 2014, 09:22:24 PM |
|
Hi everyone, I am not on wafflepool but have been experiencing redirects too. I'm on hashfaster's Dogecoin pool. I had my miner running SMOS and got redirected to wafflepool (but using my userpass from hashfaster) yesterday. I closed the program before checking, but I believe it probably was not the right wafflepool stratum (like wafflepool.net instead of .com), especially given the fact that the user was not a BTC address. I changed my install back to BAMT 1.3 thinking my rig was compromised, and I got redirected again today, this time to 190.97.165.179:3333. I found this pastebin including this address (it was deleted quickly but got archived by Google) where there is that same difficulty 1024 line that was mentioned in previous posts:
http://webcache.googleusercontent.com/search?q=cache:wM5KnG5iVR0J:pastebin.com/zsWnEAsN+&cd=1&hl=en&ct=clnk&gl=ca
I don't know much about network protocols, but have we thought about malware infecting routers? I'm using a generic Linksys/D-Link/some other router (I don't recall the brand and I'm not beside it) and I believe that might be the perfect place to snoop and inject stratum instructions, and it would explain many aspects of the observed behaviors, especially the fact that a specific subset of miners is targeted (perhaps only a certain model/chipset of router). Any thoughts?
|
|
|
|
JHammer
Member
Offline
Activity: 112
Merit: 10
|
|
March 23, 2014, 09:23:59 PM |
|
Something just happened.. All of a sudden my GPU miners fail over to Cleaver. Also, did we just get another out of order payout for the day?
I rebooted my GPUs and they seem ok now
This is getting scary..
|
|
|
|
GalacticMiningCorp
Newbie
Offline
Activity: 31
Merit: 0
|
|
March 23, 2014, 09:27:14 PM |
|
Oh, thought I'd add one more thing: my rigs run behind a DD-WRT router NAT'd behind a Tomato router, both with very strict policies in place.
This looks more and more like a MITM attack instead of compromised mining software/malware.
|
|
|
|
MrGrave
Newbie
Offline
Activity: 4
Merit: 0
|
|
March 23, 2014, 09:48:01 PM |
|
Didn't post the IP in earlier post but it was 190.97.165.179 : 3333 that I was redirected to and I was mining on clevermining. Don't have the info of where I was redirected to when I was on Wafflepool.
|
|
|
|
MadHattr
Newbie
Offline
Activity: 7
Merit: 0
|
|
March 23, 2014, 09:48:42 PM |
|
cgminer 5820 user 10u IPv4 3470164 0t0 TCP GPUMiner001:57242->server.live-chat-studio.com:3333 (ESTABLISHED)
a lie: my other rig that's a clean Ubuntu install was hijacked as well (it was mining DOGE on multipool)
I think a redirection feature must be disabled. Someone is firing redirection packages at will. I've got a route to 127.0.0.1 in place now for that network now, so if they do hijack my rigs, my hash rate will go to zero, but they'll get no free mining time from me.
Hah, I did the same.
|
|
|
|
MinerP
|
|
March 23, 2014, 09:50:43 PM |
|
same thing is going on in clever... looks like all pools are being hijacked redirected to the same 190.97.165.179 : 3333 address in panama..
|
|
|
|
caution
Member
Offline
Activity: 65
Merit: 10
|
|
March 23, 2014, 09:53:30 PM |
|
mine as well 190.97.165.179 diff 1.02K, using tomato firmware on my router, thinking about adding my pfsense box to the mix. I'm sure it's not a hack of my router or malware (not used for anything besides updating OS & mining) as my s1's & a rig using crypo slax v0.1 has been unaffected, mining on a different pool.
|
|
|
|
fcmatt
Legendary
Offline
Activity: 2072
Merit: 1001
|
|
March 23, 2014, 09:56:41 PM |
|
If people think this is a mitm attack they should post traceroutes from them to the pool they were mining on to see what networks it goes through....
|
|
|
|
JHammer
Member
Offline
Activity: 112
Merit: 10
|
|
March 23, 2014, 10:00:25 PM |
|
ummmmm Payouts sent a while back and still have not showed up in my wallet... Are our payments now being Hijacked?
Or is there just a delay?
|
|
|
|
GalacticMiningCorp
Newbie
Offline
Activity: 31
Merit: 0
|
|
March 23, 2014, 10:01:51 PM |
|
If you're using cgminer, start it with 2>cgminer.log to enable logging to a file. I did this and found the following line in the log after two of my rigs were hijacked:
[2014-03-23 11:34:15] Reconnect requested from pool 2 to 190.97.165.179:3333
If you've compiled your own cgminer from source, you can disable the reconnect command. Open util.c and look for this around line 1668:
static bool parse_reconnect(struct pool *pool, json_t *val)
{
	char *url, *port, address[256];
Right below the opening curly bracket enter:
static bool parse_reconnect(struct pool *pool, json_t *val)
{
	return false; /* bail out before the request is parsed, so every client.reconnect is ignored */
	char *url, *port, address[256];
Recompile cgminer and re-run it. It should now ignore any client.reconnect messages from stratum. Note: I'm still testing this out. This is fly-by-the-seat-of-my-pants work right now, so I'm not sure of the possible implications on how this might affect legit client.reconnect messages, although PW says wafflepool doesn't use this feature.
|
|
|
|
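Two posts above ask for the same control from different angles: bbbbbb2014 wants a '-noredir' switch so the miner never follows a client.reconnect, and GalacticMiningCorp found the redirect in cgminer's log and patched parse_reconnect to refuse everything. The script below is an added example, not cgminer's code and not posted by anyone in the thread, that does both in a slightly more general form: a policy check that follows a stratum client.reconnect only when its target is one of the endpoints the rig was configured for (so a pool's own redirects still work, unlike the blanket return false), and a scanner that pulls every "Reconnect requested" line out of a cgminer log and marks whether it pointed at a known pool. It assumes the usual client.reconnect params layout [host, port, wait_seconds]; the allowlist holds the wafflepool hostnames and addresses posted in this thread, and the sample log lines other than the quoted one are constructed.

```python
import json
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Added example, not cgminer code and not from the thread. Endpoints the rig is
# configured for: the wafflepool hosts and addresses posted in this thread. A
# real deployment would build this table from the miner's own pool config.
ALLOWED_POOLS: Dict[str, int] = {
    "useast.wafflepool.com": 3333, "162.243.89.19": 3333,
    "uswest.wafflepool.com": 3333, "192.241.211.125": 3333,
    "eu.wafflepool.com": 3333, "95.85.61.208": 3333,
}

# cgminer's "Reconnect requested from pool N to host:port" line, in the shape
# quoted in GalacticMiningCorp's post (timestamp in square brackets).
RECONNECT_LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] Reconnect requested from pool (?P<pool>\d+) "
    r"to (?P<host>[^:\s]+):(?P<port>\d+)\s*$")


def endpoint_allowed(host: str, port: int, allowed: Dict[str, int] = ALLOWED_POOLS) -> bool:
    """True only if host:port is one of the endpoints the rig was configured for."""
    return allowed.get(host.strip().lower()) == port


def reconnect_target(line: str) -> Optional[Tuple[str, int]]:
    """(host, port) for a client.reconnect line, None for any other message.

    Assumes the params layout [host, port, wait_seconds]; the port may arrive as
    an int or a numeric string. A malformed port becomes -1 so it never matches.
    """
    try:
        msg = json.loads(line)
    except ValueError:
        return None
    if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
        return None
    params = msg.get("params") or []
    if len(params) < 2 or not isinstance(params[0], str):
        return None  # no target given: reconnect to the same server, not a redirect
    try:
        port = int(params[1])
    except (TypeError, ValueError):
        port = -1
    return params[0], port


def reconnect_permitted(line: str, allowed: Dict[str, int] = ALLOWED_POOLS) -> bool:
    """Policy for one raw stratum line: non-redirects pass, redirects only to allowlisted endpoints."""
    target = reconnect_target(line)
    if target is None:
        return True
    return endpoint_allowed(target[0], target[1], allowed)


def scan_cgminer_log(lines: Iterable[str], allowed: Dict[str, int] = ALLOWED_POOLS) -> List[Dict[str, object]]:
    """Every reconnect request in a cgminer log, flagged by whether it went to a known pool."""
    hits = []
    for line in lines:
        m = RECONNECT_LOG_RE.match(line.strip())
        if not m:
            continue
        host, port = m["host"], int(m["port"])
        hits.append({"time": m["ts"], "pool": int(m["pool"]),
                     "target": f"{host}:{port}",
                     "allowed": endpoint_allowed(host, port, allowed)})
    return hits


# Sample input. The first log line is the one GalacticMiningCorp posted and the
# set_difficulty message is from utahjohn's dump; the other log lines and the
# two client.reconnect messages are constructed for this demo.
SAMPLE_LOG = [
    "[2014-03-23 11:34:15] Reconnect requested from pool 2 to 190.97.165.179:3333",
    "[2014-03-23 11:40:02] Accepted 0123abcd Diff 512/512 GPU 0 pool 0",
    "[2014-03-23 11:52:30] Reconnect requested from pool 0 to uswest.wafflepool.com:3333",
]
SAMPLE_MESSAGES = [
    '{"id": null, "method": "client.reconnect", "params": ["190.97.165.179", 3333, 0]}',
    '{"id": null, "method": "client.reconnect", "params": ["useast.wafflepool.com", "3333", 0]}',
    '{"params": [1024], "id": null, "method": "mining.set_difficulty"}',
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print("follow" if reconnect_permitted(msg) else "DROP  ", msg)
    for hit in scan_cgminer_log(SAMPLE_LOG):
        print(hit)
```

The allowlist is keyed by whatever string the redirect names, so a hostname and its resolved address both need entries (as in the table) or a redirect to the bare IP of a legitimate pool would be dropped too; that is the safe failure direction, since a dropped legitimate redirect costs a reconnect while a followed bad one costs the hashrate.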
bbbbbb2014
Member
Offline
Activity: 93
Merit: 10
|
|
March 23, 2014, 10:02:50 PM |
|
mine as well 190.97.165.179 diff 1.02K, using tomato firmware on my router, thinking about adding my pfsense box to the mix. I'm sure it's not a hack of my router or malware (not used for anything besides updating OS & mining) as my s1's & a rig using crypo slax v0.1 has been unaffected, mining on a different pool.
I blocked all communications of my rigs to all external networks (Internet), except for:
eu.wafflepool.com 95.85.61.208
useast.wafflepool.com 162.243.89.19
uswest.wafflepool.com 192.241.211.125
litecoinpool.org 151.236.218.211 80.69.77.111
us.litecoinpool.org 142.4.202.112 107.170.24.54
us2.litecoinpool.org 192.214.197.116 198.251.80.29
us3.litecoinpool.org 107.170.24.54
us4.litecoinpool.org 198.251.80.29
There was one IP address I was not able to identify who it belongs to:
37.58.69.218-static.reverse.softlayer.com:3333 (ESTABLISHED)
It seems it's litecoinpool's address, but I was unsure, so it got blocked. Waffle, do something, as it seems a mass of hashrate is lost.
|
|
|
|
ycsi
Member
Offline
Activity: 84
Merit: 10
|
|
March 23, 2014, 10:03:43 PM |
|
If you're using cgminer, start it with 2>cgminer.log to enable logging to a file. I did this and found the following line in the log after two of my rigs were hijacked:
[2014-03-23 11:34:15] Reconnect requested from pool 2 to 190.97.165.179:3333
Which pool is pool 2 in your case?
|
|
|
|
|