antminer s7 & s9 jihack

[pusttiu]

Hy my 2 antminer s9 mine for someone else.
my 2 antminer s7 mine only 75% for me, and a second boards 15asic mine for hacker .
pls help
thys is copy form tab monitor in s7, in kernel tab is empty.

Code:

Mem: 72224K used, 438328K free, 0K shrd, 0K buff, 39992K cached
CPU:   0% usr   9% sys   0% nic  90% idle   0% io   0% irq   0% sirq
Load average: 0.48 0.60 0.32 1/75 2200
PID  PPID USER     STAT   VSZ %VSZ %CPU COMMAND
1048  1047 root     S <   159m  32%   5% /usr/bin/cgminer --bitmain-dev /dev/bitmain-asic --bitmain-options 115200:32:8:5:200:0782:0725 --bitmain-checkn2diff --bitmain-hwerror --version-file /usr/bin/compile_time --queue 8192 --api-listen --default-config /config/cgminer.conf -T
2199  2198 root     R     2148   0%   5% top -b -n 1
397     1 root     S     3340   1%   0% /usr/bin/monitor-recobtn /usr/bin/factory_config_reset.sh
347     1 root     S     3324   1%   0% /usr/bin/ntpd -p /var/run/ntp.pid -g
362     1 root     S     3064   1%   0% /usr/sbin/lighttpd -f /etc/lighttpd.conf
355     1 avahi    S     2728   1%   0% avahi-daemon: running [antMiner-2.local]
356   355 avahi    S     2728   1%   0% avahi-daemon: chroot helper
1047     1 root     S     2616   1%   0% {screen} SCREEN -S cgminer -t cgminer -m -d /usr/bin/cgminer --bitmain-dev /dev/bitmain-asic --bitmain-options 115200:32:8:5:200:0782:0725 --bitmain-checkn2diff --bitmain-hwerror --version-file /usr/bin/compile_time --queue 8192 --api-listen --default-config /config/cgminer.conf -T
344     1 root     S     2272   0%   0% /usr/sbin/dropbear -r /config/dropbear_rsa_host_key -p 22
417     1 root     S     2148   0%   0% {miner-m.sh} /bin/sh /sbin/miner-m.sh
416     1 root     S     2148   0%   0% {monitorcg} /bin/sh /sbin/monitorcg
2198   362 root     S     2148   0%   0% /bin/sh /www/pages/cgi-bin/monitor.cgi
2200  2198 root     S     2148   0%   0% /bin/sh /www/pages/cgi-bin/monitor.cgi
1138   416 root     S     2016   0%   0% sleep 5m
2105   417 root     S     2016   0%   0% sleep 1m
414     1 root     S     1908   0%   0% /sbin/getty 115200 ttyO0
415     1 root     S     1908   0%   0% /sbin/getty 38400 tty1
1     0 root     S     1652   0%   0% init [5]
103     1 root     S     1640   0%   0% /usr/bin/monitor-ipsig
403     1 root     S     1632   0%   0% /usr/bin/test-btn /usr/bin/test.sh
21     2 root     SW       0   0%   0% [kworker/u:1]
10     2 root     SW       0   0%   0% [rcu_sched]
15     2 root     SW       0   0%   0% [kworker/0:1]
438     2 root     SW       0   0%   0% [kworker/u:2]
11     2 root     SW       0   0%   0% [watchdog/0]
149     2 root     SWN      0   0%   0% [jffs2_gcd_mtd9]
2     0 root     SW       0   0%   0% [kthreadd]
3     2 root     SW       0   0%   0% [ksoftirqd/0]
4     2 root     SW       0   0%   0% [kworker/0:0]
5     2 root     SW<      0   0%   0% [kworker/0:0H]
6     2 root     SW       0   0%   0% [kworker/u:0]
7     2 root     SW<      0   0%   0% [kworker/u:0H]
8     2 root     SW       0   0%   0% [migration/0]
9     2 root     SW       0   0%   0% [rcu_bh]
12     2 root     SW<      0   0%   0% [khelper]
13     2 root     SW       0   0%   0% [kdevtmpfs]
14     2 root     SW<      0   0%   0% [netns]
16     2 root     SW       0   0%   0% [bdi-default]
17     2 root     SW<      0   0%   0% [kintegrityd]
18     2 root     SW<      0   0%   0% [kblockd]
19     2 root     SW       0   0%   0% [khubd]
20     2 root     SW       0   0%   0% [irq/86-44e0b000]
24     2 root     SW       0   0%   0% [irq/23-tps65217]
27     2 root     SW       0   0%   0% [irq/46-4819c000]
36     2 root     SW<      0   0%   0% [rpciod]
38     2 root     SW       0   0%   0% [khungtaskd]
39     2 root     SW       0   0%   0% [kswapd0]
40     2 root     SW       0   0%   0% [fsnotify_mark]
41     2 root     SW<      0   0%   0% [nfsiod]
42     2 root     SW<      0   0%   0% [crypto]
45     2 root     SW<      0   0%   0% [pencrypt]
46     2 root     SW<      0   0%   0% [pdecrypt]
53     2 root     SW<      0   0%   0% [OMAP UART0]
54     2 root     SW       0   0%   0% [spi1]
57     2 root     SW       0   0%   0% [spi2]
60     2 root     SW<      0   0%   0% [kpsmoused]
61     2 root     SW       0   0%   0% [irq/150-mmc0]
73     2 root     SW<      0   0%   0% [deferwq]
314     2 root     SW       0   0%   0% [flush-mtd-unmap]
1052     2 root     SW<      0   0%   0% [bitmain-asic]

the miner beep all the time.
In s9 i don't have acces ,power is now off.

stratum+tcp://stratumtcp.com:3333

strtcp.059d07ec60e

stratum+tcp://sha256.jp.nicehash.com:3334#xnsub

3BjMWfED7RJvtBPPikJpweDT6A9xRW952x

this is the pool and the user from S9 miner
pls help

[1715505221]

1715505221

[1715505221]

1715505221

[1715505221]

1715505221

[1715505221]

1715505221

[BitMaxz]

Use a clean PC or fresh installed OS then use the program recovery for s9 from here Antminer s9 Control board program recovery
Do this offline after you download all files to make sure no connection between the miner to the internet.

After you flash it with SD card download the latest version of s9 firmware that has anti-virus capability you can find it from here below.

- Latest firmware for Antminer s9

Now, check again if someone still hijacking your hashrate.

About your s7 I don't think if there are issues like this that someone could hijack a few ASICs from your s7 miner.
Try to hard reset the miner by holding IP reporter/reset button for 15 to 20 seconds then release and let the miner restart automatically(remove the PSU from the socket if required)
Then after that change the root user and password before you connect it to the internet.

[pusttiu]

hy, appriciate for help.
You right the s7 have a burn out board, and the cable comunication burn. go to hell.
The s9 i make this :
ip report hard reset - after reboot the virus is there, no control to the configuration.
The miner is now orking only whiht sd-card in , and the jumper moved. If is remove the sd-card and put the jumper for normal ---the miner is stolen. (is the same firrmare instaled and the name is changed.
In one mine is have a bord whiht no SC card reder , i tried to chang the controler and is work but my controler it was c4 and now is xiling

thansk for help
i see on youtube russian tipe wiht a greet ideea , but not anderstend all the movie (i translate only writhing not sound )
 https://www.youtube.com/watch?v=BBeCFV4jejA&list=LLoFV9ggDefWSC1GBVC8K1Pg

[BitMaxz]

Do you mean that the s9 miner after flashed with sd card and put back the jp4 to normal your hashrate still hijacked?
Did you upgrade it to the latest version through WebGUI or through a browser?

If you did it already well maybe your router is infected.

Try to follow this guide: Viruses, malware and remote attacks on Antminers – How to prevent and remove them?

[mikeywith]

stratum+tcp://sha256.jp.nicehash.com:3334#xnsub

I am pretty sure I have seen the exact same hacked firmware that mines on Jp.nicehash , and I am pretty sure if you follow every single step I give you, you will be able to fix your miner.


1- Use the Ip-report button method to reset the miner ( no other method will work ) please make sure you read how to perform it and do it right.
2- Right after the miner turns back on from the reboot flash bitmain firmware ( prepare your DHCP table or AngryIP so that you log-in and flash the miner as fast as possible, try to do it in less than 10 seconds)
3- If the flash is successful ( you can tell from the firmware version displayed in the miner's status page) change the miner's log-in password ASAP

please follow these steps religiously, for the second step it's always best to have a tab with your IP range ready so that all you need to do is write the new IP address

Code:

http://192.168.1.xx/upgrade.html

and of course the firmware needs to be put in either downloads or desktop if you are using windows, it's best to have it in which ever folder opens first.

[Artemis3]

I don't understand why you come with this "as fast as possible, try to do it in less than 10 seconds" instruction. The correct way to get rid of malware, is not letting it in in the first place. If you boot a linux computer, disconnected from internet, and plug the miner DIRECTLY to it, you can perform this safely without expecting to win a race against malware.

Hoping that your LAN is somehow slow enough to not infect you in time is not wise at all.

OP should disinfect all miners this way, and not allow any non linux computers in the LAN.

[mikeywith]

I don't understand why you come with this "as fast as possible, try to do it in less than 10 seconds" instruction.

if you don't understand, then maybe you should ask  

The correct way to get rid of malware, is not letting it in in the first place.

I agree, but shit happens, and shit needs fixing.

If you boot a linux computer, disconnected from internet, and plug the miner DIRECTLY to it, you can perform this safely without expecting to win a race against malware.

it's not a race, and connecting the miner to a linux based system won't help, you don't get it, that's why you should ask.

Hoping that your LAN is somehow slow enough to not infect you in time is not wise at all.

I like how you used "not wise at all" i would have used  "plain stupid" if someone was actually trying to win such a race  

But,  this is not how it works , what does a slow lan has to do with this if you actually are able to access the miner? that miner itself is infected, it has nothing to do with the network, am not sure how you arrived to this conclusion.

you see I don't have access to the inside details of how this firmware works, but I have had a few second hand S9 miners came to me with that firmware, to my luck or perhaps paranoia, I had those gears run on a different network , everything worked just fine until i checked the pool and i noticed something strange, looked a bit deeper and found out all those miners were mining on Jp.nicehash for x amount of time , the firmware won't allow you to flash any other firmware, the flash will show "successful" but nothing actually happens, so the only option left was to SDcard those gears, but I decided to give it another go with a different firmware and it worked !

so i decided to use the same firmware on the other gears (was thinking that firmware was the fix), but it didn't work this time !! so i was asking myself, what did I do on that miner to make it work?? and then i figured out that , okay maybe I did it too fast and it worked lemme try again ( I was calling myself stupid for even thinking speed was the reason , but i wanted a lazy fix so why not ?) , I tried again and i rushed to flash the firmware and ,bingo!it worked !! I did that on all the other gears and it worked perfectly !!

I don't have the exact explanation on how or why, but i think that part of the code the don't let you flash the firmware does not execute the moment the miner starts, I don't know ! but long story short, I had to flash the firmware before the data on the miner's  status page show up, if I wait long enough for it to load up , the flash won't work ( I assume someone with a better understanding on S9 firmware will have a logical explanation).

... and not allow any non linux computers in the LAN.

Agreed, but first he needs to fix the problem , not allowing any non-linux pcs won't fix the existing problem now, it's a great security practice but only works before the miners get infected.

[philipma1957]

It must send a ping when it is cleared.

They may have thousands mining for them.  So it takes some time to correct  and infect again.

While it is best to not get infected.  Knowing how to end an infection is needed.

[Artemis3]

I don't have the exact explanation on how or why, but i think that part of the code the don't let you flash the firmware does not execute the moment the miner starts, I don't know ! but long story short, I had to flash the firmware before the data on the miner's  status page show up, if I wait long enough for it to load up , the flash won't work ( I assume someone with a better understanding on S9 firmware will have a logical explanation).

... and not allow any non linux computers in the LAN.

Agreed, but first he needs to fix the problem , not allowing any non-linux pcs won't fix the existing problem now, it's a great security practice but only works before the miners get infected.

This sounds interesting enough that doing it slowly while taking a look at the infected controller should give the reason. Perhaps the malware is running a script and is waiting for a condition to occur. You could populate /etc/hosts with 127.0.0.1 sha256.jp.nicehash.com (and friends) and let it never find where nicehash is. I wonder if you could then catch and examine the running process?

Chances are whatever infected the miner could still be running in the LAN, you have to get rid of it. And the malware itself could still be propagating from infected controllers and windows pcs.

Does Nicehash support some way of reporting rogue accounts? This malware account should be suspended immediately...

[mikeywith]

This sounds interesting enough that doing it slowly while taking a look at the infected controller should give the reason. Perhaps the malware is running a script and is waiting for a condition to occur.

That is a possibility, honestly i was not really worried about how the infected firmware actually worked , my main concern was to fix it, and I rushed doing so to get my gears to mine with less downtime as possible.

You could populate /etc/hosts with 127.0.0.1 sha256.jp.nicehash.com (and friends) and let it never find where nicehash is. I wonder if you could then catch and examine the running process?

Maybe op should try that , i think I did try blocking nicehash on the router firewall and that did not stop the miner from "not hashing to my pool"

Does Nicehash support some way of reporting rogue accounts? This malware account should be suspended immediately...

it is highly unlikely since it's a bit hard to prove anything ,  why would they care anyway?  plus, just because that particular worker is blocked, it does not mean your miner will hash on your pool , people should just try their best to protect their gears and network , and most importantly reset every second hand miner you buy or don't buy a used miner at all.

[pusttiu]

hy,
i have a board whith no sd card slot.
I virus ii dame, is stole my password and changed.
I fixet for a 1 week and today is stolent, the miner is not working again.
This board is for emergensy only, i hope to fix the bord inside the miner.
I reset whith ipreport (the board whiht no sd-card ) and update the new 2019 firmeweer form bitmain. is xiling board
hope to work. I don't have possibiliti to use a pc whiht linux, i work on the win xp laptop.
I hope not to be infected.
I put the miner in the network , stil whiht virus.

this is now after a time

Miner Type   Antminer S9
Hostname   antMiner
Model   GNU/Linux
Hardware Version   30.0.1.3
Kernel Version   Linux 3.14.0-xilinx-ga36f3af-dirty #90 SMP PREEMPT Thu Jun 20 15:01:47 CST 2019
File System Version   Tue Jul 30 20:37:39 CST 2019
Logic Version   V1.3.56
BMminer Version   2.0.0
Uptime   6
Load Average   0.79, 0.31, 0.11

[pusttiu]

hy, i fix it .
the img file for s9 is from asictuner.ru
after reflash i pus the firmavare form the same site.
now it is working for me
thanks all