Eligius: 0% Fee BTC, 105% PPS NMC, No registration, CPPSRB

[Tursk]

So it looks like today's manual NMC payout went to a thief.

My NMC address was changed too.

[1715662767]

1715662767

[1715662767]

1715662767

[1715662767]

1715662767

[1715662767]

1715662767

[1715662767]

1715662767

[1715662767]

1715662767

[gallery2000]

How long does it take to get pay?  I got 0.9 BTC but have not been paid for two days.

[MrTeal]

How long does it take to get pay?  I got 0.9 BTC but have not been paid for two days.

After an orphan WK has to do a manual payout, which he usually does once per day. There's some traveling going on right now though, so expect a delay. I also wouldn't be surprised if there was a delay related to the NMC kerfuffle.

[wizkid057]

Investigating issue with stats/My Eligius exploit.

Taking stats offline temporarily to investigate and compare database with the most recent backups and to parse through some logs.

I will put them back online as soon as I have pulled the majority of the data to a secondary server for verification.  Shouldn't take more than an hour.

There has been no compromise of the pool or its servers.  

Yes, most of the NMC payouts went to some rogue address today.  This, honestly, is my fault, because I generally at the very least do a cursory parse through the NMC payout list before submitting it to the network.  In my haste I did not today and seems that was a mistake on my part which will not happen again.  There is enough NMC buffer to cover the loss and I will make sure everyone gets paid properly once I correct the issues.

I will post more details as soon as I finish my audits of the stats code.

-wk

[wizkid057]

Are we ok to continue mining?

Yes, there has been no compromise of any server.  This just affects stats and NMC.

The security model of how the pool servers are partitioned from the web server prevents any issue like this from affecting the pool itself.

[praeluceo]

Investigating issue with stats/My Eligius exploit.

Taking stats offline temporarily to investigate and compare database with the most recent backups and to parse through some logs.

I will put them back online as soon as I have pulled the majority of the data to a secondary server for verification.  Shouldn't take more than an hour.

There has been no compromise of the pool or its servers.  

Yes, most of the NMC payouts went to some rogue address today.  This, honestly, is my fault, because I generally at the very least do a cursory parse through the NMC payout list before submitting it to the network.  In my haste I did not today and seems that was a mistake on my part which will not happen again.  There is enough NMC buffer to cover the loss and I will make sure everyone gets paid properly once I correct the issues.

I will post more details as soon as I finish my audits of the stats code.

-wk

Could you inform us of the address(es) that the thief inserted for the payouts since it'll probably be fixed by the time you bring MyStats back online? I would be...interested in tracking that wallet's historic and future transactions.

edit: didn't realize I was on the wrong page and had lost a page of comments! My mistake, oops, sorry!
Apparently we're watching for this guy: http://explorer.namecoin.info/a/N4CVwS13ELKimdJNEChgMJnLZiA7L6MU5F

[freebit13]

How often are NMC payments made? I'm not sure I've ever gotten one.

Edit: I passed on the situation via support ticket and IRC. I figure that's more useful than just complaining here.

I suggest checking if the exchange wallet you are using supports mined coins, apparently there are some that don't.

[roy7]

How often are NMC payments made? I'm not sure I've ever gotten one.

Edit: I passed on the situation via support ticket and IRC. I figure that's more useful than just complaining here.

I suggest checking if the exchange wallet you are using supports mined coins, apparently there are some that don't.

I was referring only to NMC. NMC coins aren't mined directly to the payment addresses I believe. For my BTC I mine to my normal Electrum wallet.

[ajw7989]

good to hear that the mining was not compromised I noticed a 2-3 times today that my miner failed to connected to the pool for a few minutes. Is there something going on with the mining server too?

[wizkid057]

good to hear that the mining was not compromised I noticed a 2-3 times today that my miner failed to connected to the pool for a few minutes. Is there something going on with the mining server too?

I've gone through all of the servers just as a precaution and everything is fine.  Connectivity has been solid, and all pool servers are functional.

[not.you]

I guess I don't understand how everyone's NMC address was changed to the same thing if there was no hack.  I also haven't seen an NMC payout since the 9th.  Do we need to go back and change our NMC addresses to what they should be or will they be restored from backup?

[wizkid057]

I guess I don't understand how everyone's NMC address was changed to the same thing if there was no hack.  I also haven't seen an NMC payout since the 9th.  Do we need to go back and change our NMC addresses to what they should be or will they be restored from backup?

It was an exploit of the stats code (open source), not a hack of the actual server(s).

And, no, I will fix everyone's NMC addresses using the verified data on the core server, which is not affected by this (since the new options/signatures didn't pass the re-verification).

I will also get the proper payouts out to everyone.

[bolverk]

Pay attention to what was said:  the pool servers are fine, they didn't get hacked.  The portal, however, is a different story.  Wiz is on it.

Wiz:  I hope you're logging IP addresses, and have some back logs to troll.  I'd be interested in knowing if the jack wagon changing the NMC address did so from the same IP as one of your registered users.  He'd be a poor hacker if he did, but half these script kiddies don't understand how network services work, anyway.

[wizkid057]

Pay attention to what was said:  the pool servers are fine, they didn't get hacked.  The portal, however, is a different story.  Wiz is on it.

Wiz:  I hope you're logging IP addresses, and have some back logs to troll.  I'd be interested in knowing if the jack wagon changing the NMC address did so from the same IP as one of your registered users.  He'd be a poor hacker if he did, but half these script kiddies don't understand how network services work, anyway.

The IP of the attacker is 178.252.115.200, but this obviously isn't all that useful.  This IP is actually associated with some attempted low-hashrate mining with the following addresses: 141Ui93eV83HSnpyDcvdtGtR3UqwYss5q7, 17hpCt7vWLCksCpUgQpFURjWHjZDhNDYhz, 1MsMx8hfYW6tS1Y9oGZhAbSqvrD8DDgNzN.  But, no earnings to speak of on these, really.

Note: I have no issues publicly revealing private data like this on attackers.

[not.you]

I guess I don't understand how everyone's NMC address was changed to the same thing if there was no hack.  I also haven't seen an NMC payout since the 9th.  Do we need to go back and change our NMC addresses to what they should be or will they be restored from backup?

It was an exploit of the stats code (open source), not a hack of the actual server(s).

Oh I see.  You were being more precise in your terminology than I was, which is weird because usually I am the most pedantic person in any conversation I have.  Thanks for the clarification.

[joolzg]

YEAH got my 1st BTC from my new T-IV machine, only need another 8.3 to break even :-)

joolz

[sikke]

Pay attention to what was said:  the pool servers are fine, they didn't get hacked.  The portal, however, is a different story.  Wiz is on it.

Wiz:  I hope you're logging IP addresses, and have some back logs to troll.  I'd be interested in knowing if the jack wagon changing the NMC address did so from the same IP as one of your registered users.  He'd be a poor hacker if he did, but half these script kiddies don't understand how network services work, anyway.

The IP of the attacker is 178.252.115.200, but this obviously isn't all that useful.  This IP is actually associated with some attempted low-hashrate mining with the following addresses: 141Ui93eV83HSnpyDcvdtGtR3UqwYss5q7, 17hpCt7vWLCksCpUgQpFURjWHjZDhNDYhz, 1MsMx8hfYW6tS1Y9oGZhAbSqvrD8DDgNzN.  But, no earnings to speak of on these, really.

Note: I have no issues publicly revealing private data like this on attackers.

Yeh. thx for sharing

Russian IP from Saint Petersburg based home internet. fun to know at least  

[Luke-Jr]

How often are NMC payments made? I'm not sure I've ever gotten one.

Edit: I passed on the situation via support ticket and IRC. I figure that's more useful than just complaining here.

I suggest checking if the exchange wallet you are using supports mined coins, apparently there are some that don't.

I was referring only to NMC. NMC coins aren't mined directly to the payment addresses I believe.

I would advise against assuming this, even though it is currently correct...

[Kivela]

Hi,

Will you restore our NMC addresses to a time before the attack or do we need to track this thread
to receive a go to be able to change it ourselves ?

Cheers and thanks for all your effort !

[wizkid057]

Hi,

Will you restore our NMC addresses to a time before the attack or do we need to track this thread
to receive a go to be able to change it ourselves ?

Cheers and thanks for all your effort !

I will fix them.