Bitcoin Forum
March 29, 2024, 01:40:14 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: what is child connection on cgminer  (Read 376 times)
john139 (OP)
Newbie
*
Offline Offline

Activity: 32
Merit: 0


View Profile
June 07, 2019, 02:31:46 PM
Last edit: June 09, 2019, 12:26:43 PM by frodocooper
 #1

Hello guys, Does anybody knows what is the "child connection" on cgminer system log ?

recently I have faced a problem , my miners ( whatsminer M3 v2 ) after 5, 6 hours of working, stop minning ( first 5 or 6 out of 60 stop , then gradually all of them stop working except 3 or 4 )  - I thought maybe it is infected by virus but its not hashing at all I touched the miner body It is cold ( impossible for M3 to be cold while mining ).
 
ambient  temp is ok , internet connection is ok , when I go to the administrator panel all parameters are empty , here is screen shot: http://i68.tinypic.com/33a4hs2.jpg.

I use Whatsminer tool to install firmware again then it will be ok and work for another 5 ,6 hours. I believe there is a problem with  my network but I don't really understand what is it ?  I tried connecting my hub-switch directly to modem or  separating half of miners to connect to another modem.
 
so i Checked system log codes I think here is the problem if u can approve it and come up with any solution ?

1. I think miner is trying to make a child connection but it cant ! what is child connection ?

2. those nicehash pool addresses I don't know where they come from at all  (doesn't belong to me)!! (  Can it be virus ? to be sure to clean the virus if there is one , I turned off all miners except one ,install its firmware then turn off it then go to the next miner repeating process )
here is the codes.

Code:
Fri Jan  2 09:01:24 1970 authpriv.info dropbear[1831]: Child connection from 192.168.2.46:54642
Fri Jan  2 09:01:28 1970 authpriv.info dropbear[1846]: Child connection from 192.168.2.15:57652
Fri Jan  2 09:01:31 1970 authpriv.warn dropbear[1846]: Bad password attempt for 'root' from 192.168.2.15:57652
Fri Jan  2 09:01:31 1970 authpriv.warn dropbear[1831]: Bad password attempt for 'root' from 192.168.2.46:54642
Fri Jan  2 09:01:31 1970 authpriv.warn dropbear[1831]: Bad password attempt for 'root' from 192.168.2.46:54642
Fri Jan  2 09:01:31 1970 authpriv.warn dropbear[1846]: Bad password attempt for 'root' from 192.168.2.15:57652
Fri Jan  2 09:01:32 1970 authpriv.warn dropbear[1831]: Bad password attempt for 'root' from 192.168.2.46:54642
Fri Jan  2 09:01:32 1970 authpriv.warn dropbear[1846]: Bad password attempt for 'root' from 192.168.2.15:57652
Fri Jan  2 09:01:32 1970 authpriv.info dropbear[1831]: Exit before auth (user 'root', 3 fails): Disconnect received
Fri Jan  2 09:01:32 1970 authpriv.info dropbear[1846]: Exit before auth (user 'root', 3 fails): Disconnect received
Fri Jan  2 09:01:34 1970 authpriv.info dropbear[1875]: Child connection from 192.168.2.33:43308
Fri Jan  2 09:01:38 1970 authpriv.warn dropbear[1875]: Bad password attempt for 'root' from 192.168.2.33:43308
Fri Jan  2 09:01:38 1970 authpriv.warn dropbear[1875]: Bad password attempt for 'root' from 192.168.2.33:43308
Fri Jan  2 09:01:38 1970 authpriv.warn dropbear[1875]: Bad password attempt for 'root' from 192.168.2.33:43308
Fri Jan  2 09:01:39 1970 authpriv.info dropbear[1875]: Exit before auth (user 'root', 3 fails): Disconnect received
Fri Jan  2 09:01:43 1970 authpriv.info dropbear[1916]: Child connection from 192.168.2.22:41762
Fri Jan  2 09:01:44 1970 authpriv.info dropbear[1944]: Child connection from 192.168.2.34:44860
Fri Jan  2 09:01:47 1970 local0.err cgminer[1495]: No servers were found that could be used to get work from.
Fri Jan  2 09:01:47 1970 local0.err cgminer[1495]: Please check the details from the list below of the servers you have input
Fri Jan  2 09:01:47 1970 local0.err cgminer[1495]: Most likely you have input the wrong URL, forgotten to add a port, or have not set up workers
Fri Jan  2 09:01:47 1970 local0.warn cgminer[1495]: Pool: 0  URL: stratum+tcp://sha256.hk.nicehash.com:3334#xnsub  User: 3CJgXokLQrRCQcEoftS7MbPDSXhXpX6P55  Password: x
Fri Jan  2 09:01:47 1970 local0.warn cgminer[1495]: Pool: 1  URL: stratum+tcp://sha256.hk.nicehash.com:3334#xnsub  User: 3CJgXokLQrRCQcEoftS7MbPDSXhXpX6P55  Password: x
Fri Jan  2 09:01:47 1970 local0.warn cgminer[1495]: Pool: 2  URL: stratum+tcp://sha256.hk.nicehash.com:3334#xnsub  User: 3CJgXokLQrRCQcEoftS7MbPDSXhXpX6P55  Password: x
Fri Jan  2 09:01:47 1970 local0.warn cgminer[1495]: Attempting to restart cgminer 4.9.2 git-6089112
Fri Jan  2 09:01:47 1970 kern.warn kernel: [   81.135138] cgminer(pid 2194) in cgminer exiting:0
Fri Jan  2 09:01:47 1970 kern.warn kernel: [   81.230103] cgminer(pid 2201) in cgminer exiting:256
Fri Jan  2 09:01:47 1970 kern.warn kernel: [   81.358248] start-stop-daem(pid 2209) sending sig 15 to cgminer in cgminer
Fri Jan  2 09:01:47 1970 kern.warn kernel: [   81.397305] cg@Completion(pid 2210) in cgminer exiting:0
Fri Jan  2 09:01:48 1970 local0.err cgminer[1495]: Shutdown signal received.

P.S : all my 60 miners  used to work normally last 2 months with same firmware and network  but i tried to add 2 more miners since then all this mess happened  I have unplug those 2 miners but  problem doesn't fix.
1711676414
Hero Member
*
Offline Offline

Posts: 1711676414

View Profile Personal Message (Offline)

Ignore
1711676414
Reply with quote  #2

1711676414
Report to moderator
In order to achieve higher forum ranks, you need both activity points and merit points.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1711676414
Hero Member
*
Offline Offline

Posts: 1711676414

View Profile Personal Message (Offline)

Ignore
1711676414
Reply with quote  #2

1711676414
Report to moderator
1711676414
Hero Member
*
Offline Offline

Posts: 1711676414

View Profile Personal Message (Offline)

Ignore
1711676414
Reply with quote  #2

1711676414
Report to moderator
1711676414
Hero Member
*
Offline Offline

Posts: 1711676414

View Profile Personal Message (Offline)

Ignore
1711676414
Reply with quote  #2

1711676414
Report to moderator
philipma1957
Legendary
*
Online Online

Activity: 4074
Merit: 7591


'The right to privacy matters'


View Profile WWW
June 07, 2019, 02:50:17 PM
Last edit: June 09, 2019, 12:27:43 PM by frodocooper
 #2

Looks like you are hi-jacked.

Try flashing firmware.

Then try a different password.

Like admin2admin.

Lastly get a cheap router.

And do this

Modem - old router- cheap 4 port switch- cheap router - switches to your miner- miners all with new passwords.

You need the router to be different address.

Old router 192.168.0.1-254
New router 192.168.1.1-254

I don’t know your old router if it is .0.1-254 or .1.1-254 or .10.1-254.

But the new router need to be different.

When you monitor the gear. You need to plug the pc in after the cheap router.

One last suggestion borrow a completely different laptop or pc you have not been using to check you mining with.

Don’t mine on NiceHash try Ckpool.org to viabtc.com.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
NotFuzzyWarm
Legendary
*
Offline Offline

Activity: 3584
Merit: 2482


Evil beware: We have waffles!


View Profile
June 07, 2019, 03:43:34 PM
 #3

Do those 192.168.2.xxx addresses belong to other computers that are on your network that may be trying to make child connections? If those are your computers then those are what need to be checked for viruses because to me it looks like an outside device is trying to connect with the miner - not the miner initiating the connections.

- For bitcoin to succeed the community must police itself -    My info useful? Donations welcome! 1FuzzyWc2J8TMqeUQZ8yjE43Rwr7K3cxs9
 -Sole remaining active developer of cgminer, Kano's repo is here
-Support Sidehacks miner development. Donations to:   1BURGERAXHH6Yi6LRybRJK7ybEm5m5HwTr
john139 (OP)
Newbie
*
Offline Offline

Activity: 32
Merit: 0


View Profile
June 07, 2019, 04:03:47 PM
Last edit: June 09, 2019, 12:29:08 PM by frodocooper
 #4

Do those 192.168.2.xxx addresses belong to other computers that are on your network that may be trying to make child connections? If those are your computers then those are what need to be checked for viruses because to me it looks like an outside device is trying to connect with the miner - not the miner initiating the connections.

in fact they are other miners on the network .  Cry Cry. I am really tired of this I have tried everything.

Edit: I think it is normal for miners to make child connections, bcz i have seen it on normal working miners log but i dont know what is it for ? and here the problem is it can not authenticate.

Looks like you are hi-jacked...

I think you mean to create kind of quarantine , I tried to do so by turning off all devices on network except one which is being updated by firmware using whatsminer tool maybe I should try doing it with sd card do u think using sd card is better?

I am not using nicehash , i dont know where those pool addresses come from.
philipma1957
Legendary
*
Online Online

Activity: 4074
Merit: 7591


'The right to privacy matters'


View Profile WWW
June 07, 2019, 10:44:16 PM
Last edit: June 09, 2019, 12:30:00 PM by frodocooper
 #5

a cascaded second router really helps to isolate shit. a healthy sd card would also help.

on my biggest build  about 110 units. I run the fios-modem- router to a switch then I put all my sha-256  gear on three switches off the first switch.  I also put a cheap trendnet router on the first switch then a 48 port switch on that to all my  etc gear.

my ltc gear is on a router with 192.168.10.1-254 to switch and it is perfect zero drop outs.

my sha gear still has issues.  next time a do the setup I will do

fios - switch ------ router a ------- switch to all ltc
                  ------- router b ------ switch to all sha

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
vh
Hero Member
*****
Offline Offline

Activity: 699
Merit: 662


View Profile
June 08, 2019, 12:02:06 AM
Last edit: June 09, 2019, 12:31:22 PM by frodocooper
Merited by frodocooper (4), NotFuzzyWarm (1)
 #6

Edit: I think it is normal for miners to make child connections, bcz i have seen it on normal working miners log but i dont know what is it for ? and here the problem is it can not authenticate.

Not normal, just temporary functioning so that it's not too obvious.   You can go ahead and assume ALL miners have been compromised.

For sure any device with IP in this pattern:

Quote
Bad password attempt for 'root' from 192.168.2.15:57652

As soon as you flash the firmware and plug it into your network (to log in and change the password?), all other compromised miner immediately begins the hijack process, likely succeeds, and sit dormant before you even log in.

At some point later (soon or not) it changes and unchanges the pool settings at random interval so you won't notice.

A misc note regarding that address that the compromised devices will eventually route to: https://bitcointalk.org/index.php?topic=5036968.msg50011282#msg50011282.

Multiple networks as suggested above to work with is probably a good way to approach it while you try to solve the issue.

If you are able to, flash them all within a network before powering any on.

If you flash them all before you power any of them on and still have the same issue eventually, then:

1) the firmware is a very probable source of the evilness or
2) and external pc/laptop or hardware has been compromised.

In which case you'll need to take your best guess to swap out the possible culprit and repeat.

philipma1957
Legendary
*
Online Online

Activity: 4074
Merit: 7591


'The right to privacy matters'


View Profile WWW
June 08, 2019, 12:29:24 AM
Last edit: June 09, 2019, 12:31:53 PM by frodocooper
 #7

Yeah I think he is all Whatsminer. Gear

He should get a fresh pc
Take all miners off line.

Get a few cheap routers to isolate mining gear from all other gear.

I have 2:pcs for the big build and they do only mining monitoring.

Those cheap routers will help keep mining gear isolated.

▄▄███████▄▄
▄██████████████▄
▄██████████████████▄
▄████▀▀▀▀███▀▀▀▀█████▄
▄█████████████▄█▀████▄
███████████▄███████████
██████████▄█▀███████████
██████████▀████████████
▀█████▄█▀█████████████▀
▀████▄▄▄▄███▄▄▄▄████▀
▀██████████████████▀
▀███████████████▀
▀▀███████▀▀
.
 MΞTAWIN  THE FIRST WEB3 CASINO   
.
.. PLAY NOW ..
efudd
Member
**
Offline Offline

Activity: 504
Merit: 51


View Profile
June 08, 2019, 09:27:35 AM
Last edit: June 09, 2019, 12:33:43 PM by frodocooper
Merited by frodocooper (5), NotFuzzyWarm (1)
 #8

Yeah this is gonna be a pain for you. :/

The child connection simply means an ssh connection occurred. Likely this is the “antminers” mAlware I have posted about before that masquerades as ntpd. It tries to take over any antminer and then points it at nicehash, as you have seen.

Changing passwords will help prevent the spread, but you now need to clean it up from every machine simultaneously... ie you should assume every one is compromised.

It sits in /config as “.antminers”, and included a “.key” file. On startup it is coped over the original ntpd file and started up. It will attempt to spread and will replace the configuration at some point in time. I didn’t bother figuring out the conditions in which it changes the config when I was reverse engineering it.

My most recent firmwares do include protection against this infection, but you still need to do the clean up.

If you are able to write some simple shell script, it is a matter of basically sending this (or something like it) to all of your miners at once:

Code:
if [ -f /config/.antminers ]; then rm /config/.antminers && killall ntpd && sync && reboot

After they reboot, change all the passwords.

Hope this helps.

EDIT: there is another malware that uses the API to add/replace your pools on the fly. It seems to run from an infected computer on the network... I have not been able to capture it in the wild, however, so I don’t have a lot of extra information on it.

-j

kano
Legendary
*
Offline Offline

Activity: 4452
Merit: 1798


Linux since 1997 RedHat 4


View Profile
June 08, 2019, 12:08:35 PM
Last edit: June 09, 2019, 01:04:59 PM by kano
 #9

EDIT: there is another malware that uses the API to add/replace your pools on the fly. It seems to run from an infected computer on the network... I have not been able to capture it in the wild, however, so I don’t have a lot of extra information on it.

Not sure what you think is happening, but that's not possible on any current Bitmain original firmware.

The settings are:

Code:
"api-groups" : "A:stats:pools:devs:summary:version",
"api-allow" : "A:0/0,W:*",

Which means no one can do any API commands other than those listed - which are all REPORT commands, no ability to CHANGE anything.
The API pool change options are in the README I wrote of course - but they are not listed there in the API setting options in the miner.
(N.B. the W:* is an error and is ignored ...)

I guess the problem is people using hack firmware from MANY sources here on the forum.
You should only use original firmware supplied by the manufacturer.

If you are using a firmware that screws with the API settings and someone hacks your miner API because of that, I'd suggest you go after the firmware supplier Smiley

Of course if Whatsminer gear has that problem also in the original firmware, then go after them Smiley
I've no idea what they set the default to.

P.S. I designed and wrote the API used in miners.

Pool: https://kano.is - low 0.5% fee PPLNS 3 Days - Most reliable Solo with ONLY 0.5% fee   Bitcointalk thread: Forum
Discord support invite at https://kano.is/ Majority developer of the ckpool code - k for kano
The ONLY active original developer of cgminer. Original master git: https://github.com/kanoi/cgminer
john139 (OP)
Newbie
*
Offline Offline

Activity: 32
Merit: 0


View Profile
June 08, 2019, 12:42:24 PM
Last edit: June 09, 2019, 12:35:47 PM by frodocooper
 #10

I was using firmware from manufacturer since 2 months ago and it was totally ok untill I tried to add 3 more second hand M3 (seems they have infected my farm - ). these pools are not default ones ( default workers was microbt directing to f2pool )  and as  " efudd " mentioned this user (https://www.nicehash.com/miner/3CJgXokLQrRCQcEoftS7MbPDSXhXpX6P55)  on nicehash seems to be hijacker.

How can I clean this virus? Do you think if I unplug all of the miners from network and start updating their firmware with sd card will work ?
FFI2013
Hero Member
*****
Offline Offline

Activity: 906
Merit: 507


View Profile
June 08, 2019, 03:27:25 PM
Last edit: June 09, 2019, 12:36:12 PM by frodocooper
 #11

Wow that sucks this hijacker is bringing in 6000 a day I would also contact nicehash support and let them no maybe they can block this scumbag also whoever you bought those miners off of mostly likely new what was up.
efudd
Member
**
Offline Offline

Activity: 504
Merit: 51


View Profile
June 08, 2019, 06:19:54 PM
Last edit: June 09, 2019, 12:39:05 PM by frodocooper
Merited by frodocooper (2)
 #12

Not sure what you think is happening, but that's not possible on any current Bitmain original firmware...

I should have been a little more clear. Folk who use things like AwesomeMiner are susceptible if they have enabled write on the API. And I know that I need to make a change in my firmwares as well.

I’m going to disagree with your blanket statement on only using original firmwares for numerous reasons. Instead, use trusted firmwares.

I was using firmware from manufacturer since 2 months ago and it was totally ok untill I tried to add 3 more second hand M3 (seems they have infected my farm - ). these pools are not default ones ( default workers was microbt directing to f2pool )  and as  " efudd " mentioned this user (https://www.nicehash.com/miner/3CJgXokLQrRCQcEoftS7MbPDSXhXpX6P55)  on nicehash seems to be hijacker.

How can I clean this virus? Do you think if I unplug all of the miners from network and start updating their firmware with sd card will work ?

I told you how to fix/clean it in my response. I have used that to help a number of folk clean up their miners.

-j

john139 (OP)
Newbie
*
Offline Offline

Activity: 32
Merit: 0


View Profile
June 08, 2019, 07:13:23 PM
Last edit: June 09, 2019, 12:39:44 PM by frodocooper
 #13

I told you how to fix/clean it in my response. I have used that to help a number of folk clean up their miners.

-j

I appreciate that my dear friend Kiss but problem is I dont know how to use ssh to send command at once to all my miners do you have any help link?
kano
Legendary
*
Offline Offline

Activity: 4452
Merit: 1798


Linux since 1997 RedHat 4


View Profile
June 09, 2019, 12:05:38 AM
Last edit: June 09, 2019, 01:03:56 PM by kano
Merited by NotFuzzyWarm (1)
 #14

I’m going to disagree with your blanket statement on only using original firmwares for numerous reasons. Instead, use trusted firmwares.

No non-original firmware is trusted.

None of them prove that their firmware finds blocks before people use it.

Most of them have hacks in them to take hashes.

Almost all of them violate the cgminer license so cannot be trusted.

Pool: https://kano.is - low 0.5% fee PPLNS 3 Days - Most reliable Solo with ONLY 0.5% fee   Bitcointalk thread: Forum
Discord support invite at https://kano.is/ Majority developer of the ckpool code - k for kano
The ONLY active original developer of cgminer. Original master git: https://github.com/kanoi/cgminer
efudd
Member
**
Offline Offline

Activity: 504
Merit: 51


View Profile
June 09, 2019, 06:58:15 AM
Last edit: June 09, 2019, 12:41:55 PM by frodocooper
Merited by frodocooper (2)
 #15

No non-original firmware is trusted.

None of them prove that their firmware finds blocks before people use it.

Most of them have hacks in them to take hashes.

Almost all of them violate the cgminer license so cannot be trusted.

The intention behind your point is valid. Trust is earned, even with the OEM. My stuff exists because hardware from bitmain arrived on my door step in a crippled state; artificially limited in terms of hashrate by almost a factor of 50% (Antminer Z9). That didn't earn "trust points" in my book from bitmain.

I can't speak to other folk's work, but mine doesn't have "hacks in them" to take hashes; the functionality is documented and I provide the user with 3 different methods of using the firmware, all with full functionality. Paid license, sponsor paid license (i.e., use it on specific pool(s), it acts as a paid license with full funcionality), and a dev-fee supported mode (which, I guess could be 'taking hashes'), depending on your perspective... each of these modes exist at the request of portions of the user base.

Mine also does not violate the GPL for a variety of reasons, the simplest of which is that I do not modify cgminer on-disk and follow the proper linking _recommendations_ in the GPL FAQ in terms of how my additive functionality is implemented.

The key point of my response was I disagreed with the blanket statement and would instead encourage users to research, investigate, and make conscious choices.

</my viewpoints and opinions>

I appreciate that my dear friend Kiss but problem is I dont know how to use ssh to send command at once to all my miners do you have any help link?

No.... but I can offer the same I've offered to others in this state: contact me on discord (invite in my signature) and we can set up a time for me to try to help you remove this mess from your environment with teamviewer or whatever your choice of screen sharing is.

-j

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!