Bitcoin Forum
Author Topic: I think I'm being attacked by unauthorized mining. Please help me identify it.  (Read 1658 times)
tobindax (OP)
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
September 17, 2011, 01:03:01 PM
 #1

I get on process explorer, once in a while, even after I kill it, almost 100% CPU time by an iexplore.exe process. Process explorer identifies it (fully) as ""C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass"

I will not pretend I know what bitcoin is exactly. I just learned a brief about it 10 minutes ago. I have never used or tried to use bitcoin before finding out this process.

Please help to identify what is going on or at least remove it from re-running itself. Apparently my antiviruses don't find it.
MrWizard
Sr. Member
****
Offline Offline

Activity: 252
Merit: 250


View Profile
September 17, 2011, 01:47:16 PM
 #2

Quote from: tobindax on September 17, 2011, 01:03:01 PM
I get on process explorer, once in a while, even after I kill it, almost 100% CPU time by an iexplore.exe process. Process explorer identifies it (fully) as ""C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 -o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass"

I will not pretend I know what bitcoin is exactly. I just learned a brief about it 10 minutes ago. I have never used or tried to use bitcoin before finding out this process.

Please help to identify what is going on or at least remove it from re-running itself. Apparently my antiviruses don't find it.
You definitely have been hit by a bitcoin virus, botnet, or worm.  There is a chance that the following tool from Kaspersky Labs might help:

http://support.kaspersky.com/viruses/solutions?qid=208280684

"I walked into the room dripping in Bitcoins.  Yea dripping in Bitcoins."
(BTC) 168DCCeGmDy3xTWRimLVhvKtK3yEWbpsSg     (LTC) LbYS8VFqFSU7B9bfaHD11seQMtrtYEKpLe
(BBQ) bNVZErvwLzpEG7H3kt1fycWspzRQB1MJzL
BookLover
Hero Member
*****
Offline Offline

Activity: 533
Merit: 500


^Bitcoin Library of Congress.


View Profile
September 17, 2011, 02:05:34 PM
 #3

I don't know a lot about this kind of thing myself, but unless eligius promotes bot-net use, you should be able to contact the pool owner and tell him to ban the miner from his pool.

P.S. This is just a temporary fix until you can figure out how to get rid of it.  This fix will only render the miner useless until someone changes the setting so it can mine again.

Gabi
Legendary
*
Offline Offline

Activity: 1148
Merit: 1008


If you want to walk on water, get out of the boat


View Profile
September 17, 2011, 02:10:22 PM
 #4

Congratulations, you got a virus...

casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
September 17, 2011, 02:14:45 PM
 #5

I don't think the real Internet Explorer resides in a folder called "bin". The whole iexplore.exe binary is probably the miner named to look like IE.

We won't necessarily know how to kill it off. The normal legitimate miner doesn't behave like a virus but it is open source, so virus writers are able to include it in their payloads and modify what it does. The whole restarting after you kill it is something definitely added in.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
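The command line quoted in post #1 and casascius's observation that the real Internet Explorer has no "bin" folder can both be turned into a mechanical check. The script below is an added example, not code from the thread or from any poster: it parses a Process Explorer style command line and reports the indicators a defender would look for (image name impersonating a known binary from a non-standard path, a pool URL after -o, a Bitcoin address as the -u worker name, a pool password on the command line). The default install paths of iexplore.exe are an assumption, and the address check is shape-only.

```python
import ntpath
import re

# Constructed samples: "suspect" is the Process Explorer command line quoted in
# post #1 (outer quotes dropped); "benign" is an ordinary Internet Explorer launch.
SAMPLES = {
    "suspect": r'"C:\Program Files (x86)\Internet Explorer\bin\iexplore.exe" -a 1 '
               r"-o http://mining.eligius.st:80 -u 1JLE6hkA8QbD64G8ZknbH6HT9orWQ7dKB3 -p pass",
    "benign": r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome',
}
# Assumed default install locations of the real iexplore.exe; neither has a "bin" subfolder.
KNOWN_GOOD = {
    "iexplore.exe": {
        r"c:\program files\internet explorer\iexplore.exe",
        r"c:\program files (x86)\internet explorer\iexplore.exe",
    },
}
POOL_URL = re.compile(r"^(?:https?|stratum\+tcp)://[^\s/:]+(?::\d+)?", re.I)
# Shape-only check for a legacy Bitcoin address (base58 alphabet, leading '1'); no checksum.
BTC_ADDRESS = re.compile(r"^1[1-9A-HJ-NP-Za-km-z]{25,34}$")

def tokenize(cmdline: str) -> list[str]:
    """Split a Windows command line, keeping quoted paths with spaces as one token."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def switches(argv: list[str]) -> dict[str, str]:
    """Map each '-x value' pair after the image path to its value."""
    opts = {}
    for i in range(1, len(argv) - 1):
        if argv[i].startswith("-") and not argv[i + 1].startswith("-"):
            opts[argv[i]] = argv[i + 1]
    return opts

def miner_indicators(cmdline: str) -> list[str]:
    """Return the reasons this command line looks like a miner impersonating another program."""
    argv = tokenize(cmdline)
    image, name = argv[0].lower(), ntpath.basename(argv[0]).lower()
    reasons = []
    # A known binary name launched from somewhere other than its install path is the first tell.
    if name in KNOWN_GOOD and image not in KNOWN_GOOD[name]:
        reasons.append(f"{name} running from unexpected path: {argv[0]}")
    opts = switches(argv)
    if POOL_URL.match(opts.get("-o", "")):
        reasons.append(f"connects to a mining pool at {opts['-o']}")
    if BTC_ADDRESS.match(opts.get("-u", "")):
        reasons.append("worker name is a Bitcoin payout address, not a user name")
    if "-o" in opts and "-p" in opts:
        reasons.append("pool password passed on the command line")
    return reasons
```

Running `miner_indicators` over the two samples reports nothing for the benign launch and four indicators for the line from post #1.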
tobindax (OP)
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
September 17, 2011, 02:29:19 PM
Last edit: September 17, 2011, 02:46:02 PM by tobindax
 #6

I identified it with the help of user Red_Wolf_2 in IRC channel of Eligius.

It appears to be a "bitcoin-miner 0.20  Copyright (c) 2011 Ufasoft" in ./bin/iexplore.exe

and something that does not return anything in ./src/iexplore.exe

The 2nd one is probably a launcher, maybe running dormant.


I have a zip file with them if anyone is interested. Send me an email etc.

That user in that IRC channel already has it.


--

Ah, Yahoo email identified an unpassworded zip with them as a virus, but both Avira and Malwarebytes Anti-Malware do not detect them.

--

They required some ninja moves in cmd to make the folders and files visible for copying.

--

I removed those files, and dirs, and I suppose it won't come back. If it does come back, tough, I guess they might have a "parent creator" (rare).

--

If I'm gone and can't find me for those files, that user I mentioned may have it. Last I heard he identified the ./src file as being in .Net.
Luke-Jr
Legendary
*
Offline Offline

Activity: 2576
Merit: 1186



View Profile
September 17, 2011, 04:07:17 PM
 #7

Feel free to try to shutdown the botnet. I suggest reporting it to your local authorities. In most jurisdictions, computer intrusion is a crime and the operator can go to jail. Please feel free to pass on my email to any authorities with an offer to provide assistance in any way I can.

As for blocking it at Eligius (which I operate), there is not much I can do. I could certainly block the address, but the botnet operator could easily change to another unidentified one. I figure it's better to leave the identified botnet address functional than to have it unidentified. Plus, banning a botnet would be like asking for another DDoS-- I have enough of those to deal with already without inviting them.

Alex Fenner
Full Member
***
Offline Offline

Activity: 125
Merit: 100


View Profile
September 17, 2011, 07:11:31 PM
 #8

Good luck to you buddy
deslok
Sr. Member
****
Offline Offline

Activity: 462
Merit: 250


It's all about the game, and how you play it


View Profile
September 17, 2011, 07:41:07 PM
 #9

OK, you could kill the process, rename the .exe to .old and see if it comes back after a reboot. You're on 64-bit Windows from that; are you running XP, Vista or 7?

"If we don't hang together, by Heavens we shall hang separately." - Benjamin Franklin

If you found that funny or something i said useful i always appreciate spare change
1PczDQHfEj3dJgp6wN3CXPft1bGB23TzTM
Alex Fenner
Full Member
***
Offline Offline

Activity: 125
Merit: 100


View Profile
September 17, 2011, 08:20:08 PM
 #10

What OS do you have?
tobindax (OP)
Newbie
*
Offline Offline

Activity: 10
Merit: 0


View Profile
September 18, 2011, 04:02:34 PM
 #11

The files were just deleted and they don't appear to come back. Any other serious investigation will probably need someone to investigate the files.
Luke-Jr
Legendary
*
Offline Offline

Activity: 2576
Merit: 1186



View Profile
September 18, 2011, 05:14:23 PM
 #12

Quote:
Did the pool shutdown this virus mining user account?
We don't have user accounts.
