Bitcoin Forum
Author Topic: [ANN][AUTO-SWITCH] Profit-switch auto-exchange pool: CleverMining.com  (Read 554361 times)
Terk (OP), Hero Member (Activity: 616, Merit: 522)
March 24, 2014, 12:38:04 AM #3081

> Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.

For a short time. Yesterday there was a totally different IP used where WP and MP users were hijacked. My guess is tomorrow it might be another one.

hi, Sr. Member (Activity: 256, Merit: 250)
March 24, 2014, 12:38:33 AM #3082

clevermining's servers have been hacked.

The peeps running clevermining's servers apparently are not that tech savvy. All my miners were being routed to 190.xxx and this is from 5 different subnets from 3 different ISP providers.

lol..amateur hour @clevermining.

The miner connects and gets instructions on where to send shares--apparently a rogue hacker has infiltrated clevermining and had all the miners point to 190.xxx.

Only two things it can be.

1. clevermining did this

2. clevermining was hacked

Either way this is not good.

I will be pointing my miners to a different pool until this is fixed.

UPDATE: when you close the miner and reopen it, it points to the correct clevermining DNS entry. Therefore, the attackers (if clevermining is not doing this themselves) are logging in and running a script to point N miners to the new IP...lol.

UPDATE 2: they have been hacked. Here is the URL for the IP lookup; it is going to Panama...hahahaha. Make sure you get paid boys!

http://whatismyipaddress.com/ip/190.97.165.179   <--- this is the IP where the miners are being pointed to..hahaha.
neogen, Newbie (Activity: 8, Merit: 0)
March 24, 2014, 12:39:33 AM #3083

> On the other hand the router idea isn't that likely. I am googling these two IPs (today's and yesterday's where users of Wafflepool and Multipool were redirected) and I find only coin-switching pool threads (I limit the search to the last 7 days only to filter out junk).
>
> Are any of the affected users using any mining-related software on anything other than their rigs and their main computer? Maybe an Android phone and some 3rd party app showing your mining stats?
>
> Your main computer is not likely infected, as you would have your coins stolen too. I would look for something nearby, within the same local network (a smartphone fits perfectly) and something which is related to coin-switching pools (3rd party mining stats, 3rd party rig monitoring software which you found in some coin-switching thread/subreddit/community, etc). Just wild guessing based on what's known about the problem.

Don't know how much this helps or frustrates you. I'm the only one who mines in the house; none of my mobile devices have any mining-related program, as I am on iOS, mining alt-coins, and we are very limited as to what apps are available (free apps). I just use the actual web site I am mining at for stats.
cloudrck, Newbie (Activity: 52, Merit: 0)
March 24, 2014, 12:45:06 AM #3084

> > > For safety, everyone should consider doing this on any Windows rig:
> > >
> > > route -p add 190.97.165.179 {your computer ip}
> > >
> > > Also we should flood that IP address with invalid responses and DDoS him Cheesy
> >
> > That doesn't help. People who have been affected need to contact the owner and host of the IP with the evidence.
>
> Why wouldn't that help?
>
> Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.

No it would not. You seriously don't know how this type of stuff works. You're assuming this IP address isn't a breach server. You're assuming he can't simply change IP addresses and/or server location.

DDoSing this guy's servers is childish, aside from being illegal. Looking up the IP address, it appears to be hosted by an ISP; you're liable to get your IP filtered, then blocked and/or reported.

Report the IP to the ISP it routes to. I would also report it to ARIN. ARIN does not like their IP space being used for malicious activity, especially with the shortage of IPv4 blocks.

> clevermining's servers have been hacked.
>
> The peeps running clevermining's servers apparently are not that tech savvy. All my miners were being routed to 190.xxx and this is from 5 different subnets from 3 different ISP providers.

You don't know what you are talking about; you should read the posts by Kalroth over at the Wafflepool thread.
nem2k, Newbie (Activity: 27, Merit: 0)
March 24, 2014, 12:50:05 AM #3085

I have no idea if this is even related, but it's strange given that I see these threads pop up now and I saw a similar issue when I woke up this morning.

I'm currently mining at coinshift and about 6 hours ago all of my hashrate disappeared from the pool stats page but my 2 rigs were still hashing away like normal. This happened until I woke up and restarted cgminer - everything seems normal now.

The really weird thing, and again, I'm not suggesting anything but just telling what I've observed: my hashrate at ghash went UP. I mined with these guys during their 2x week and haven't touched them since. This is weird because on both of my machines ghash (LTC) is at the bottom of my failover pool list and I imagine it would be highly unlikely that there was 0 response from any of my 5-6 pools that were higher up in the list. Maybe it's just a weird coincidence but it's strange that I'd be hashing at ghash, on 2 rigs, without having touched the pool in a number of days.

If it helps anyone, I'm running Windows 7 with sgminer, and my other rig is running SMOS (bee edition) with cgminer-kalroth. I have no other monitoring software besides what SMOS offers, and the SMOS machine has nothing else installed on it. Since the day it was put together I haven't installed anything new on to it.

The only thing I have running on my smartphone is the Mining Pool Status app, but I only just got that and haven't added any pools to it yet.
Meeho, Newbie (Activity: 14, Merit: 0)
March 24, 2014, 12:52:19 AM #3086

Add an outgoing firewall rule to only allow verified pool IPs for your miner and/or update to the latest Kalroth's cgminer.
Telek, Newbie (Activity: 19, Merit: 0)
March 24, 2014, 12:55:33 AM #3087

> > Doesn't help to determine why it's happening or who's doing it, but it will prevent it from happening.
>
> For a short time. Yesterday there was a totally different IP used where WP and MP users were hijacked. My guess is tomorrow it might be another one.

Valid point! I had assumed that it was a fixed IP; however, either way it can't hurt at the moment.
hi, Sr. Member (Activity: 256, Merit: 250)
March 24, 2014, 12:56:07 AM #3088

cloudrck,

You only cherry picked my post and then called me stupid. I guess the hackers are doing man in the middle attacks on the entire interwebs..lol...fukkin idiot. Lots of the pools use the same codebase and that lovely PHP crap.

This was a hack plain and simple. Quit trying to cover it up. The pools affected were popped and no one's routers were compromised or other stupidity that this thread is trying to divert attention to.
Terk (OP), Hero Member (Activity: 616, Merit: 522)
March 24, 2014, 12:59:24 AM #3089

> clevermining's servers have been hacked.
>
> The peeps running clevermining's servers apparently are not that tech savvy. All my miners were being routed to 190.xxx and this is from 5 different subnets from 3 different ISP providers.
>
> lol..amateur hour @clevermining.
>
> The miner connects and gets instructions on where to send shares--apparently a rogue hacker has infiltrated clevermining and had all the miners point to 190.xxx.
>
> Only two things it can be.
>
> 1. clevermining did this
>
> 2. clevermining was hacked
>
> Either way this is not good.
>
> I will be pointing my miners to a different pool until this is fixed.
>
> UPDATE: when you close the miner and reopen it, it points to the correct clevermining DNS entry. Therefore, the attackers (if clevermining is not doing this themselves) are logging in and running a script to point N miners to the new IP...lol.
>
> UPDATE 2: they have been hacked. Here is the URL for the IP lookup; it is going to Panama...hahahaha. Make sure you get paid boys!
>
> http://whatismyipaddress.com/ip/190.97.165.179   <--- this is the IP where the miners are being pointed to..hahaha.

CleverMining has not been hacked. Redirection to 190.xxx doesn't come from the pool - rather something is hijacking your miners and redirecting them to a malicious pool. We still have thousands of users mining at the pool and we just hit our highest hashrate ever yesterday with 22.5 GH/s average hashrate during the day.

If it was a pool issue, it would affect thousands of users and the pool hashrate would significantly drop instead of rising. The problem affects only a small number of users and affects users of several coin-switching pools - it is not limited/related to CleverMining. I am trying to help investigate this issue but at this point there is nothing suggesting that any of the pools were hacked.


Telek, Newbie (Activity: 19, Merit: 0)
March 24, 2014, 01:02:43 AM #3090

> No it would not. You seriously don't know how this type of stuff works. You're assuming this IP address isn't a breach server. You're assuming he can't simply change IP addresses and/or server location.

I know exactly how this stuff works, and just because I posted a solution which isn't perfect (but still helps in this particular situation) doesn't mean that you have to insult me or others.

> DDoSing this guy's servers is childish, aside from being illegal

Notice the Cheesy after my comment?

... and additional random stuff at the end to convince the forum that I didn't already post this when it refused my post because I tried to repost after being refused because the thread had been updated. This forum's auto-filters need some tweaks :-/
cloudrck, Newbie (Activity: 52, Merit: 0)
March 24, 2014, 01:03:17 AM #3091

> cloudrck,
>
> You only cherry picked my post and then called me stupid. I guess the hackers are doing man in the middle attacks on the entire interwebs..lol...fukkin idiot. Lots of the pools use the same codebase and that lovely PHP crap.
>
> This was a hack plain and simple. Quit trying to cover it up. The pools affected were popped and no one's routers were compromised or other stupidity that this thread is trying to divert attention to.

You seem to see and believe what you want, because no one called you stupid. So there's no reason to argue with you. You're right man, you figured it out, detective.
Telek, Newbie (Activity: 19, Merit: 0)
March 24, 2014, 01:10:50 AM #3092

> CleverMining has not been hacked. Redirection to 190.xxx doesn't come from the pool - rather something is hijacking your miners and redirecting them to a malicious pool. We still have thousands of users mining at the pool and we just hit our highest hashrate ever yesterday with 22.5 GH/s average hashrate during the day.
>
> If it was a pool issue, it would affect thousands of users and the pool hashrate would significantly drop instead of rising. The problem affects only a small number of users and affects users of several coin-switching pools - it is not limited/related to CleverMining. I am trying to help investigate this issue but at this point there is nothing suggesting that any of the pools were hacked.

Not trying to insinuate anything, but just suggesting... I apologize if any of these ideas have already been covered, just trying to help.

Is it possible that clevermining was hacked, or at least one of the servers was, but the hack is smart enough to only siphon off a small amount of hash? Otherwise it would be immediately noticeable when it was implemented.

Granted it appears that other pools were affected as well. Is it possible that they're using similar backend software that may have been compromised?

Otherwise we appear to have a paradoxical situation.

- it isn't the pool because multiple pools are affected
- it isn't cgwatcher because those without it are affected
- it isn't the miner because people's miners that haven't been touched in weeks or longer are affected (unless it's a virus on the network)
- DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.

I think malware does seem most likely, as, if cgminer is open to remote control, there is no authentication. Any computer or device anywhere on the network could scan for and redirect miners. This way even miners that haven't been touched in a year could still be affected.

Do we have a thread with full details on everyone who has been affected? All software installed and versions, OS, patches, Windows updates on/off, last time any configuration was modified, router, ISP, location, etc?

Do we have any way to reproduce this? Does anyone with logging enabled have a record of the request? Is it happening frequently enough to run a network monitor? Do we know what coin is being maliciously mined?
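A defender-side check for the scenario Telek describes above, added here as an example that is not code from the thread, from cgminer or from any of the pools: it parses the reply cgminer's API socket gives to the `pools` command and flags every pool whose host is not on the operator's own allowlist, so a rig whose pool list was rewritten behind the operator's back is noticed instead of silently feeding a rogue address. It assumes the cgminer 3.x JSON API field names (POOLS, URL, Status, Priority), an API reachable on 127.0.0.1:4028 for the live query, and uses a constructed sample reply in which pool 0 has been swapped for the 190.97.165.179 address named in the thread.

```python
import json
import socket
from urllib.parse import urlparse

# Pool hosts the operator actually configured. Hostnames taken from the thread
# (ny.clevermining.com, ltc.ghash.io, mine.coinshift.com); use your own config.
ALLOWED_POOL_HOSTS = {"ny.clevermining.com", "ltc.ghash.io", "mine.coinshift.com"}

# Constructed sample reply in the shape of cgminer's JSON answer to {"command":"pools"}
# (assumption: POOLS/URL/Status/Priority field names of the cgminer 3.x API).
# Pool 0 has been replaced with the rogue address reported in the thread.
SAMPLE_REPLY = (
    b'{"STATUS":[{"STATUS":"S","When":1395620000,"Code":7,"Msg":"3 Pool(s)",'
    b'"Description":"cgminer 3.7.2"}],'
    b'"POOLS":[{"POOL":0,"URL":"stratum+tcp://190.97.165.179:3333","Status":"Alive","Priority":0},'
    b'{"POOL":1,"URL":"stratum+tcp://ltc.ghash.io:3333","Status":"Alive","Priority":1},'
    b'{"POOL":2,"URL":"stratum+tcp://mine.coinshift.com:3333","Status":"Alive","Priority":2}],'
    b'"id":1}\x00'
)


def pool_host(url):
    """Return the host part of a pool URL; bare host:port entries get a scheme first."""
    if "://" not in url:
        url = "stratum+tcp://" + url
    return (urlparse(url).hostname or "").lower()


def parse_pools_reply(raw):
    """Decode a cgminer API reply (JSON terminated by a NUL byte) into its pool list."""
    text = raw.rstrip(b"\x00").decode("utf-8", errors="replace")
    return json.loads(text).get("POOLS", [])


def unexpected_pools(pools, allowed_hosts):
    """List every pool the miner is using whose host is not on the allowlist."""
    findings = []
    for pool in pools:
        host = pool_host(pool.get("URL", ""))
        if host not in allowed_hosts:
            findings.append({"index": pool.get("POOL"), "url": pool.get("URL"),
                             "status": pool.get("Status"), "priority": pool.get("Priority")})
    return findings


def query_cgminer(host="127.0.0.1", port=4028, timeout=5.0):
    """Ask a running cgminer/sgminer for its pool list over the API socket (port 4028 by default)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b'{"command":"pools"}')
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


if __name__ == "__main__":
    # Offline run against the constructed reply; on a real rig feed query_cgminer() instead.
    for finding in unexpected_pools(parse_pools_reply(SAMPLE_REPLY), ALLOWED_POOL_HOSTS):
        print("ALERT: pool %(index)s points at %(url)s (%(status)s, priority %(priority)s)" % finding)
```

Run it from cron on each rig (or from a monitoring host allowed by the miner's `api-allow` setting) and alert on any non-empty result; restricting `api-allow` to the hosts that need it also narrows the unauthenticated remote-control path the post worries about.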
hi, Sr. Member (Activity: 256, Merit: 250)
March 24, 2014, 01:17:12 AM #3093

QUICK FIX:

This doesn't require running any test code that was written in 10 mins.

1. Block the offending IP in iptables or Windows firewall.

2. nslookup your clevermining pool server and add that IP to your miner in your firewall, and only allow the miner to connect to that IP remotely via outbound connection in the firewall.

I have tested this and it is working.

TERK,

Run a script on your mining database and tell us how many miners were/are pointed to that 190.xxx IP Smiley
cloudrck, Newbie (Activity: 52, Merit: 0)
March 24, 2014, 01:21:08 AM #3094

> > CleverMining has not been hacked. Redirection to 190.xxx doesn't come from the pool - rather something is hijacking your miners and redirecting them to a malicious pool. We still have thousands of users mining at the pool and we just hit our highest hashrate ever yesterday with 22.5 GH/s average hashrate during the day.
> >
> > If it was a pool issue, it would affect thousands of users and the pool hashrate would significantly drop instead of rising. The problem affects only a small number of users and affects users of several coin-switching pools - it is not limited/related to CleverMining. I am trying to help investigate this issue but at this point there is nothing suggesting that any of the pools were hacked.
>
> Not trying to insinuate anything, but just suggesting... I apologize if any of these ideas have already been covered, just trying to help.
>
> Is it possible that clevermining was hacked, or at least one of the servers was, but the hack is smart enough to only siphon off a small amount of hash? Otherwise it would be immediately noticeable when it was implemented.
>
> Granted it appears that other pools were affected as well. Is it possible that they're using similar backend software that may have been compromised?
>
> Otherwise we appear to have a paradoxical situation.
>
> - it isn't the pool because multiple pools are affected
> - it isn't cgwatcher because those without it are affected
> - it isn't the miner because people's miners that haven't been touched in weeks or longer are affected (unless it's a virus on the network)
> - DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.
>
> I think malware does seem most likely, as, if cgminer is open to remote control, there is no authentication. Any computer or device anywhere on the network could scan for and redirect miners. This way even miners that haven't been touched in a year could still be affected.
>
> Do we have a thread with full details on everyone who has been affected? All software installed and versions, OS, patches, Windows updates on/off, last time any configuration was modified, router, ISP, location, etc?
>
> Do we have any way to reproduce this? Does anyone with logging enabled have a record of the request? Is it happening frequently enough to run a network monitor? Do we know what coin is being maliciously mined?

In my opinion it varies too greatly to be malware. Various OS's, software and routers. It's possible, if they use similar software, for it to be exploited, but I'm unaware of whether they use custom or off-the-shelf solutions. But MITM attacks have been very popular lately.

> DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.

As far as I know, CM and WP are the two largest profit switching pools. So who are the bigger fish that I'm unaware of?
Meeho, Newbie (Activity: 14, Merit: 0)
March 24, 2014, 01:23:04 AM #3095

> Do we have a thread with full details on everyone who has been affected? All software installed and versions, OS, patches, Windows updates on/off, last time any configuration was modified, router, ISP, location, etc?
>
> Do we have any way to reproduce this? Does anyone with logging enabled have a record of the request? Is it happening frequently enough to run a network monitor? Do we know what coin is being maliciously mined?

The last dozen pages on the Wafflepool thread have more info.
Terk (OP), Hero Member (Activity: 616, Merit: 522)
March 24, 2014, 01:28:48 AM #3096

Just a question to everyone who was affected: what backup mining pool(s) do you have configured in your miners?

Telek, Newbie (Activity: 19, Merit: 0)
March 24, 2014, 01:35:24 AM #3097

> In my opinion it varies too greatly to be malware. Various OS's, software and routers. It's possible, if they use similar software, for it to be exploited, but I'm unaware of whether they use custom or off-the-shelf solutions. But MITM attacks have been very popular lately.
>
> > DNS hijacking seems unlikely, as that's a pretty massive thing to implement, and if you have that ability you're probably going after bigger fish.
>
> As far as I know, CM and WP are the two largest profit switching pools. So who are the bigger fish that I'm unaware of?

But since it can be any network-connected device that was infected and remotely controlled the mining machines, there could be a common OS between all infected networks. I agree that it seems unlikely, but Occam's razor here. The rest of the options seem more unlikely.

In regards to DNS hijacking - if you can do that, you're probably going to go after email systems, banking or credit cards, or actual websites including hosted wallets. It's like being given a space-based laser and using it to open your can of tuna :-)
hi, Sr. Member (Activity: 256, Merit: 250)
March 24, 2014, 01:35:42 AM #3098

no backup pools on my miners....

Also, did you run that script and get the info on how many were affected?  That is pretty easy to do and would be helpful to understand how many were affected.
black007miner, Newbie (Activity: 4, Merit: 0)
March 24, 2014, 01:35:51 AM #3099

> Just a question to everyone who was affected: what backup mining pool(s) do you have configured in your miners?

ltc.ghash.io
mine.coinshift.com

1 of my 6 rigs redirected to 190.X, another stopped mining at ny.clevermining.com and went to backup pool: ltc.ghash.io
superman3486, Newbie (Activity: 59, Merit: 0)
March 24, 2014, 01:39:40 AM #3100

Are you guys all using TeamViewer? It disconnects and goes to this 190.x server.