Bitcoin Forum
Topic: Need Antminer s9 serial connect to eliminate NEW VIRUS!!!
TATO17 (OP)
June 03, 2019, 08:15:09 PM
 #1

Hello guys!
We have a virus which is decreasing the hash rate and stealing it.

Can anybody help with how to connect to a Bitmain Antminer S9 miner via a CP2102 USB/Serial bridge? (The virus is blocking SD card flashing.)
How do I erase the existing infected software on the board and flash it with new firmware?

Thank you in advance for help! Hope this virus will avoid you!
Artemis3
June 04, 2019, 01:51:45 AM
Last edit: June 09, 2019, 11:53:50 AM by frodocooper
 #2

How did this virus infect your miners? Did you ever change the web and ssh passwords?

I don't think a virus can block the jp4 jumper from booting from the SD card. Did you ever try booting Braiins OS? This should work without fail.

BitMaxz
June 04, 2019, 07:59:56 AM
Last edit: June 09, 2019, 11:54:23 AM by frodocooper
 #3

Or your control board is not reading the SD card because the SD card slot on the control board is full of dust. Try cleaning it with lacquer flo to remove the dust and resolder the SD card terminal; this mostly solved my issue in other devices, so it might also work on the S9 miner.

Never heard that there is a virus that can prevent you from flashing even other devices through SD card.

Anyway, since you mentioned USB and serial, maybe this thread is what you're looking for; check this: https://bitcointalk.org/index.php?topic=2386296.0

mikeywith
June 05, 2019, 06:53:49 AM
Last edit: June 09, 2019, 11:55:20 AM by frodocooper
 #4

Quote:
(Virus is blocking SD card flashing)

I doubt the accuracy of this statement, not specifically denying the problem, just doubting the cause.

In most cases a miner virus won't really be able to lock you out of SD flashing. Have you flashed any miner with an SD card before? Just want to make sure that you are not making any mistakes.

You should also check your PC for viruses; there is a good chance that whichever virus is affecting it sits on one of the PCs on your network.

Artemis3
June 05, 2019, 01:40:10 PM
Last edit: June 09, 2019, 11:55:41 AM by frodocooper
 #5

Indeed, not a virus, but the controller's NAND flash storage can get damaged. This is why it's useful to test with Braiins OS booting from the SD card with the jp4 jumper moved.

Bitmain's solution simply tries to (blindly) reflash the firmware back. If this NAND storage is damaged, no amount of reflashes would do anything.

tim-bc
June 06, 2019, 12:37:27 AM
 #6

Do you already have the CP2102 bridge and have you wired it correctly? GND = GND, but TX and RX need to be switched. Also be careful: GND is the middle pin on the Xilinx board but not on the USB.

I used to have the Chinese version of the program. I can try to find it if you really need it, but you can most likely fix your issue with the suggestions provided above.

psarchi
June 06, 2019, 10:14:13 AM
Last edit: June 09, 2019, 11:57:07 AM by frodocooper
 #7

I can confirm this is a virus.

First of all: SD flash or resetting in any way doesn't help. All infected miners try to communicate with each other on port 123. All infected miners go to F2pool, antpool and btc.com AND 35.186.233.235:443, which is a Google Drive IP (the first miner goes here). The bmminer hash isn't changed.

I don't know how to remove the virus, but you can get back your hashrate with two solutions:

1. Get into the miner (over SSH or COM port), change the name of bmminer and run it manually.

2. Block all IPs that the miner goes to at the firewall (this solution builds up the RAM, so you have to restart the miner every hour or so).

3. There is asicdip custom software which says it blocks access for this virus, but I didn't test it, and it takes 2%, and it's not for me.

Will update if I find a solution.
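Added example (not part of psarchi's post or of the thread): a triage of `netstat -tuna` output captured from a miner, flagging the two behaviours reported above, miner-to-miner traffic on port 123 and connections to endpoints outside the configured pools. The LAN range, admin host and pool address are constructed placeholders; only 35.186.233.235:443 comes from the post.

```python
import ipaddress

# Constructed `netstat -tuna` output for a miner at 192.168.1.50. The LAN hosts
# and the pool address 203.0.113.10:3333 are made up for this example;
# 35.186.233.235:443 is the endpoint reported in the post above.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.50:22         192.168.1.10:51514      ESTABLISHED
tcp        0      0 192.168.1.50:43210      203.0.113.10:3333       ESTABLISHED
tcp        0      0 192.168.1.50:40112      35.186.233.235:443      ESTABLISHED
tcp        0      0 192.168.1.50:40990      192.168.1.51:123        ESTABLISHED
udp        0      0 192.168.1.50:123        192.168.1.52:123        ESTABLISHED
"""


def triage(netstat_text, miner_lan, admin_hosts, allowed_remotes):
    """Return (reason, proto, remote) for every connection that needs a look.

    miner_lan       -- CIDR of the subnet the miners sit on
    admin_hosts     -- LAN IPs allowed to talk to miners (management PC, LAN NTP)
    allowed_remotes -- "ip:port" strings for the configured pools / NTP servers
    """
    lan = ipaddress.ip_network(miner_lan)
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith(("tcp", "udp")):
            continue  # header or unrelated line
        local_port = fields[3].rpartition(":")[2]
        host, _, port = fields[4].rpartition(":")
        try:
            remote_ip = ipaddress.ip_address(host)
        except ValueError:
            continue  # not an address we can classify
        if remote_ip.is_unspecified or host in admin_hosts:
            continue  # listening socket, or a known management host
        remote = f"{host}:{port}"
        if remote_ip in lan:
            # Miners have no reason to talk to each other; the post reports
            # infected units doing exactly that on port 123.
            reason = "peer-port-123" if "123" in (local_port, port) else "peer-traffic"
        elif remote in allowed_remotes:
            continue
        else:
            reason = "unexpected-remote"
        findings.append((reason, fields[0], remote))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_NETSTAT, "192.168.1.0/24",
                          {"192.168.1.10"}, {"203.0.113.10:3333"}):
        print(*finding)
```

The same classification works on firewall or router connection logs, which cannot be tampered with from the miner itself.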
BitMaxz
June 06, 2019, 12:35:42 PM
Last edit: June 09, 2019, 11:57:39 AM by frodocooper
 #8

No, there's no virus for the S9 miner. Possibly someone can remotely access your miner: if your miner has open ports and you never changed the SSH root and password, there is a possibility that they can remotely access your miner. That is why Bitmain released a 2019 firmware to prevent these issues.

If you have this problem, the only solution that I know to remove this is by flashing it through the SD card and then changing your SSH root and password so that no one can access your miner.

If hackers have access to your miner they can manually update the firmware to their modified firmware, where even if you hard reset the miner the result will be the same as yours.

So you should change everything from your port to SSH access credentials before you connect it to the internet.

psarchi
June 06, 2019, 01:29:35 PM
Last edit: June 09, 2019, 11:58:45 AM by frodocooper
 #9

When you get the virus, it doesn't allow you to SD flash. You can change the password for SSH, but it doesn't matter; it's there even after flashing software from the web.

SSH wasn't a problem to begin with; in my network only one IP can access port 22.

There IS a virus for the S9 right now.

Steps I've done so far:

1) I isolated one miner from the other miners and tried flashing with an SD card; doesn't work. Tried flashing with different firmware from the web interface; doesn't help, hard reset neither.

2) Blocked all internet access at the firewall, tried step 1. Opened internet access; virus is still there.

3) Took the miner to a different location with a different ISP/IP and different network configuration (thought the network was infected), tried step 2, opened internet access; virus is still there.

And one more thing: every infected miner has the same issue with flashing with an SD card, it just doesn't work. LEDs never blink, and of the 3 onboard green LEDs only 1 is always on. It doesn't matter whether it's official firmware, Braiins OS, or any other firmware; it doesn't flash.

And half of the infected miners were on the latest firmware.
tim-bc
June 06, 2019, 01:48:08 PM
 #10

Just to make sure, when you are trying to flash from SD, you're moving the jp4 jumper into the other position?

On a side note, check the size and hash of /usr/bin/ntpd; some viruses I've seen overwrite that file with the payload.

You can also run "top" to see which processes are taking cpu/memory and compare those size/hash against the normal.

psarchi
June 06, 2019, 02:40:10 PM
Last edit: June 09, 2019, 11:59:35 AM by frodocooper
 #11

Yeah, I can flash uninfected miners without any problem, with the same SD card, with the same firmware.

I checked the hashes of the main running processes and the hashes aren't changed:

bmminer, single-board-test, dropbear, lighttpd, monitorcg, ntpd

It opened some kind of socket. When I opened netstat, killed all socket connections and ran bmminer, the virus was still there. Flashed with the web interface, with no internet access, killed all sockets, ran bmminer, opened internet; virus is still there.

This is all happening on the newest firmware, with a serial connection.
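Added example (not from the thread): tim-bc's size-and-hash check from #10, extended from /usr/bin/ntpd to a whole filesystem copy, since #11 reports the individually checked binaries as unchanged. It assumes a clean firmware image extracted to one directory and a copy of the suspect miner's filesystem in another; the demo trees and their contents are constructed.

```python
import hashlib
import os
import tempfile


def fingerprint(root):
    """Map relative path -> ('file', size, sha256) or ('symlink', target)."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if os.path.islink(full):
                out[rel] = ("symlink", os.readlink(full))
            elif os.path.isfile(full):
                digest = hashlib.sha256()
                with open(full, "rb") as fh:
                    for chunk in iter(lambda: fh.read(1 << 16), b""):
                        digest.update(chunk)
                out[rel] = ("file", os.path.getsize(full), digest.hexdigest())
    return out


def compare(clean_root, suspect_root):
    """Return sorted (path, finding) pairs where the suspect copy differs."""
    clean, suspect = fingerprint(clean_root), fingerprint(suspect_root)
    findings = []
    for rel in sorted(clean.keys() | suspect.keys()):
        if rel not in suspect:
            findings.append((rel, "missing-on-suspect"))
        elif rel not in clean:
            findings.append((rel, "not-in-baseline"))
        elif clean[rel] != suspect[rel]:
            # Same type and size but a different hash: a size check alone misses it.
            same_size = clean[rel][:2] == suspect[rel][:2]
            findings.append((rel, "modified-same-size" if same_size else "modified"))
    return findings


def build_demo_trees():
    """Constructed stand-ins for a clean image and a copy from a suspect miner."""
    base = tempfile.mkdtemp(prefix="s9-baseline-")
    trees = {
        "clean": {"usr/bin/ntpd": b"ntpd-v1", "usr/bin/bmminer": b"bmminer-v1",
                  "etc/init.d/rcS": b"#!/bin/sh\n"},
        "suspect": {"usr/bin/ntpd": b"ntpd-XX", "usr/bin/bmminer": b"bmminer-v1",
                    "etc/init.d/rcS": b"#!/bin/sh\n", "etc/constructed-extra": b"x"},
    }
    for tree, files in trees.items():
        for rel, data in files.items():
            path = os.path.join(base, tree, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
    return os.path.join(base, "clean"), os.path.join(base, "suspect")


if __name__ == "__main__":
    for path, finding in compare(*build_demo_trees()):
        print(f"{finding:20} {path}")
```

Hash the suspect copy on a separate machine rather than on the miner, so the tools doing the hashing are known-good.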
spypy
June 16, 2019, 06:13:22 AM
Last edit: June 17, 2019, 10:20:39 AM by frodocooper
 #12

I'm having the same issue with a hacked miner ... it infected my other 18 mining s9 .....

have you managed to solve this issue?

if you did ... please give me a solution

thanks
mikeywith
June 16, 2019, 11:52:02 AM
 #13

Is it possible that they changed something on a hardware level before shipping the miners? I mean something to block you from SD card flashing a firmware? By all means, it is hard to believe that on a software level you can't replace the firmware. What happens when you hard reset it using the IP report?

BitMaxz
June 16, 2019, 10:32:57 PM
 #14

Quote:
I'm having the same issue with a hacked miner ... it infected my other 18 mining s9 .....
have you managed to solve this issue?
if you did ... please give me a solution
thanks

If you flash the miner without blinking, it means that the control board can't detect the SD card, or the flashing couldn't start, or maybe you are using a fake SD card with fake capacity.

You should use a working SD card, 4 GB or higher, to make the flashing work. Sometimes, every time you make a program recovery, the program you make on the SD card is corrupted because your PC might be infected. So try to make the SD card recovery on a fresh or clean PC to avoid a corrupted program recovery.

ccseric06
July 07, 2019, 08:39:56 AM
 #15

In my farm, 9/10 miners got infected with this virus too.
Have you all found any solutions to unlock the SD card NAND flash?
Pls help
DaCryptoRaccoon
July 07, 2019, 10:23:31 AM
Merited by frodocooper (2), BitMaxz (1)
 #16

This may actually be a legit issue. Recently an attack tool for miners has been released; it scans Shodan with the API for miners with open ports, then brutes the miners, allowing the attacker access to the machines. It may be possible you have weak credentials on your machines and they have been compromised via a brute force attempt.

Once attackers gain access they can update your miners. It could be possible they have custom firmware that might make it difficult to recover the miner, but you should be able to use the above guides to flash the miners with clean firmware.


mikeywith
July 07, 2019, 03:57:21 PM
 #17


I have had this experience before, and to confirm the brute force theory, only miners with default root/root got infected. But a simple reset using the IP report button method and then immediately changing the password to a complex one solved the issue.

Hate to say this, but maybe locking SSH access in the new firmware update does make a lot of sense in terms of security, provided that if you only change the root pass using the web browser, the virus can still access it via SSH, and changing the SSH password is not something everyone can do despite the fact that it only takes a couple of seconds.

philipma1957
July 07, 2019, 04:10:40 PM
Last edit: July 08, 2019, 12:19:51 AM by frodocooper
 #18

A simple trick is

Root
Root

Needs to be

Root
Root12345a

Not 12345 but any 5 digit number.
With any single letter. Upper or lower case.

It takes a long time to brute force that.

Yet is fairly easy to remember.

There are other ways to protect.

Modem
router a
five port switch
Router 1 to switch to bitmain sha 256
Router 2 to switch to bitmain script
Router 3 to switch to other miners

I have found the above to work well.
It also lets me find and examine miner status a bit easier.

mikeywith
July 07, 2019, 05:47:25 PM
Merited by frodocooper (2)
 #19

Phill, I was a little paranoid; I used a password that I even tend to forget (wrote that on a piece of paper of course). The word Root with other five numbers is relatively easy to brute force.

In most cases length is less important than what combination you use. All brute force attacks use a "dictionary", which is a .txt file with a dozen words in it; the password combination you suggested is highly likely to be there in the .txt files they use.

You need to come up with something that nobody/software can come up with, some stupid shit like

Code:
Mygear23*ismiNgBtC

You can put all your gears on a VLAN and it will be very hard to get to them, but remember it takes one mistake to allow the virus to get to them.

It would be best if you have a PC that never goes online, and only that PC is set up on the same LAN the gears use.

BitMaxz
July 07, 2019, 09:20:03 PM
Last edit: July 08, 2019, 12:20:54 AM by frodocooper
 #20

I think you can try to generate a root password from this site https://passwordsgenerator.net/ to use it for your SSH root password.

This password below is harder to brute-force than a simple word

Sample

Code:
h;6Rmk!*$6wCT6>&mBhh

Just make sure that you save this password or make a backup so that you can use the password when you need to access or remotely use the miner.
