Bitcoin Forum
January 17, 2020, 07:33:38 PM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: My EthOS instances, hacked  (Read 386 times)
aar
Member
**
Offline Offline

Activity: 67
Merit: 16


View Profile
September 24, 2018, 07:44:40 PM
Last edit: September 24, 2018, 07:56:35 PM by aar
Merited by suchmoon (4), not.you (2)
 #1

Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, teamviewer and a few other things automatically installed (and ran)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox  (easy to google it). A very old version comes packaged with ethOs.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack by, sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesnt work, as auto reboots, cant change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS dev's are?  

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7

Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1579289618
Hero Member
*
Offline Offline

Posts: 1579289618

View Profile Personal Message (Offline)

Ignore
1579289618
Reply with quote  #2

1579289618
Report to moderator
melpheos
Jr. Member
*
Online Online

Activity: 483
Merit: 4


View Profile
September 25, 2018, 12:23:38 PM
 #2

Whoa that's big.
The hackers already received (at least) 614 eth probably thru various hack and he started a bit more than a year ago.
I wonder why i'm working
EthOs dev should look this issue ASAP.
Xazax310
Member
**
Offline Offline

Activity: 210
Merit: 18


View Profile
September 25, 2018, 04:25:04 PM
 #3

Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, teamviewer and a few other things automatically installed (and ran)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox  (easy to google it). A very old version comes packaged with ethOs.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack by, sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesnt work, as auto reboots, cant change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS dev's are?  

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7



I've told many people to stay away from ETHos, main Dev abandoned the project a year ago, terrible interface to change any settings, extremely costly (If you actually bought ONE per rig $40??). Here's how to not get hacked. Get rid of that PoS "mining operating system" and move to something like Simple-miningOS or better than simple mining HiveOS. If you don't like either of those (for some weird reason) you can always use NV-OC or RX-OC which are free and decent. I actually purchased ETHos in my review/quest for a miningOS's. I didn't like it, clunky to change settings in claymore, how to monitor the miner remotely, etc none of it was simple. Moved to SMOS which as better. I used that for a few months before jumping into HiveOS. HiveOS is by far and large best Linux mining OS. Constant updates. 1-3 days for new miner released to get added in. Easy to see all your rigs what failed etc. In the end I'm actually using Windows and Awesome-miner because for my medium-sized farm is actually cheaper paying one time fees than monthly fees and windows has far superior power saving features compared to linux.
Agozyen
Sr. Member
****
Offline Offline

Activity: 644
Merit: 252

Until the end


View Profile
September 25, 2018, 04:43:42 PM
 #4

That's brutal.  I have Windows 10 on my mining rigs and considered EthOS.  I have been hacked before with Teamviewer and won't install that on my rigs, or any other remote enabling software.  I don't even check email on them.  I'd follow the previous suggestions and maybe see if it is possible to lock your ports down.  Not sure if that will help to prevent this in the future.

In my case they were able to gain access to my Teamviewer account.
hagbase
Sr. Member
****
Offline Offline

Activity: 406
Merit: 252



View Profile
September 25, 2018, 05:29:17 PM
 #5

Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, teamviewer and a few other things automatically installed (and ran)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox  (easy to google it). A very old version comes packaged with ethOs.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack by, sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesnt work, as auto reboots, cant change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS dev's are?  

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7



So did you change default passwords for root and user at first or were you running default passwords?
nsummy
Full Member
***
Offline Offline

Activity: 770
Merit: 115


View Profile
September 29, 2018, 04:32:15 AM
 #6

Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, teamviewer and a few other things automatically installed (and ran)

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was nanopool) - suspect I am not the only one exploited

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox  (easy to google it). A very old version comes packaged with ethOs.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack by, sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[killing the miner doesnt work, as auto reboots, cant change wallet config, as mounted read only, lots of horrible kit things also there].

Does anybody know where the EthOS dev's are?  

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7



I've told many people to stay away from ETHos, main Dev abandoned the project a year ago, terrible interface to change any settings, extremely costly (If you actually bought ONE per rig $40??). Here's how to not get hacked. Get rid of that PoS "mining operating system" and move to something like Simple-miningOS or better than simple mining HiveOS. If you don't like either of those (for some weird reason) you can always use NV-OC or RX-OC which are free and decent. I actually purchased ETHos in my review/quest for a miningOS's. I didn't like it, clunky to change settings in claymore, how to monitor the miner remotely, etc none of it was simple. Moved to SMOS which as better. I used that for a few months before jumping into HiveOS. HiveOS is by far and large best Linux mining OS. Constant updates. 1-3 days for new miner released to get added in. Easy to see all your rigs what failed etc. In the end I'm actually using Windows and Awesome-miner because for my medium-sized farm is actually cheaper paying one time fees than monthly fees and windows has far superior power saving features compared to linux.

Amen to this, but anyone using these linux-based mining OSes are living on borrowed time.  The one theme I see with them is they all tout the mining updates they provide, but they also have zero documentation on what packages are installed, what kernel is installed, and if there is a security update mechanism.  I mean this is the documentation:  http://ethosdistro.com/source/   Ubuntu 14.04, really?  I think its safe to assume that no one that is running this is applying security updates with any frequency.  If you want to run linux, do it right and get Ubuntu or something similar and do it yourself.  If that is too daunting, then Awesome miner on windows is the best choice. 
Azamikio
Copper Member
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile
September 29, 2018, 08:29:20 AM
 #7

so bad if you have a big farm and one day hacker come a take it from your farm man. someone know how to survive from the hacker guys?
Agozyen
Sr. Member
****
Offline Offline

Activity: 644
Merit: 252

Until the end


View Profile
September 29, 2018, 02:36:11 PM
 #8

so bad if you have a big farm and one day hacker come a take it from your farm man. someone know how to survive from the hacker guys?

Best way to protect yourself is to have an image of your OS with all your configurations in place.  If this happens again at that point all that has to be done is re-load the image and you are ready to go.  In order to prevent this from happening again though you would need to determine where exactly the breach was and fix/patch it, and then re-image the newly patched OS.

I had a laptop that I had at work one time, open on my desk, not work related, and I noticed activity on the screen.  The mouse was moving around and someone was able to remote in with TeamViewer and they started to transfer my bitcoin wallet.  They got nothing however as it was passworded and empty at the time.  For a long time I suspected a co-worker because I left my laptop open while I was not around, however I was eventually able to determine that my TeamVIewer credentials were compromised.  I don't install remote access software anymore on any of my coin/mining-related machines.

Use complex passwords and change them frequently, patch known vulnerabilities, don't become lazy or assume your coins are safe today because no one hacked you yesterday.
not.you
Legendary
*
Offline Offline

Activity: 1729
Merit: 1018


View Profile
September 29, 2018, 04:30:29 PM
 #9

That's brutal.  I have Windows 10 on my mining rigs and considered EthOS.  I have been hacked before with Teamviewer and won't install that on my rigs, or any other remote enabling software.  I don't even check email on them.  I'd follow the previous suggestions and maybe see if it is possible to lock your ports down.  Not sure if that will help to prevent this in the future.

In my case they were able to gain access to my Teamviewer account.

I had read about that teamviewer account hack a while back.  You can lock down teamviewer so it only accepts incoming connections from specific computers.  That's what I started doing after hearing about that hack.  I know it isn't exactly relevant to this discussion but thought I would throw it out there.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!