Bitcoin Forum
Author Topic: Compromised Antminer L3+  (Read 262 times)
pusttiu (OP)
Full Member
***
Offline Offline

Activity: 260
Merit: 101


View Profile
April 19, 2020, 07:34:21 PM
 #1

Hi, the same user 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x.
The model is Antminer L3+, firmware is Antminer L3+ Blissz v1.02.
I changed the password, I put a strong one. After reboot it is hacked.
Please help.
The miner is far from me, I have access from the internet.
philipma1957
Legendary
*
Offline Offline

Activity: 4130
Merit: 7912


'The right to privacy matters'


View Profile WWW
April 19, 2020, 11:07:10 PM
 #2

Quote from: pusttiu
Hi, the same user 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x.
The model is Antminer L3+, firmware is Antminer L3+ Blissz v1.02.
I changed the password, I put a strong one. After reboot it is hacked.
Please help.
The miner is far from me, I have access from the internet.


Blissz mines for the developer; it switches for 2 hours every day.

Don't use Blissz. Btw this is for LTC mining, which is an altcoin question, not a BTC question.


pusttiu (OP)
Full Member
***
Offline Offline

Activity: 260
Merit: 101


View Profile
April 20, 2020, 08:59:02 AM
 #3

I know it is not a BTC miner, and I know Blissz has a dev fee, but it is an Antminer and all operate the same. This is not a dev fee, the miner works for a hacker at the Nicehash pool.
I had 2 Antminer S9 with infection and after upgrading the firmware it was OK.
The Antminer L3+ can change the firmware after upgrade from web, I have to put an SD card.
With regards, florin c.
mikeywith
Legendary
*
Offline Offline

Activity: 2240
Merit: 6406


be constructive or S.T.F.U


View Profile
April 21, 2020, 01:32:38 AM
 #4

Quote from: pusttiu
I changed the password, I put a strong one. After reboot it is hacked.
Please help.
The miner is far from me, I have access from the internet.

There is no point in changing the miner's password after it has already been hacked; the hacker does not need the password anymore, he is already INSIDE.

In most cases, and according to my experience with the same Nicehash hacker, even a reset does not fix this, and when you attempt a firmware upgrade from the web, it will show "updated" but it won't; the hacker tricks you into thinking it was updated when it was not. I had luck fixing this issue on Antminer S9 by using the IP report button method to reset the miner and then quickly, before the miner loads, I rush to change the firmware, and it worked perfectly. Another option would be SDcarding a different firmware and then immediately changing the password.

But you should be extra paranoid: assume that every device you have on the network is infected, especially those Windows PCs. So to be extra safe, you should either use another PC/laptop or a mobile phone to change the password for the first time after the new firmware, and if you have a Linux-based system that will be great; if not, any of the prior options is good enough.

VoskCoin
Sr. Member
****
Offline Offline

Activity: 1414
Merit: 487


YouTube.com/VoskCoin


View Profile WWW
April 21, 2020, 05:17:37 PM
 #5

Quote from: mikeywith
Quote from: pusttiu
I changed the password, I put a strong one. After reboot it is hacked.
Please help.
The miner is far from me, I have access from the internet.

There is no point in changing the miner's password after it has already been hacked; the hacker does not need the password anymore, he is already INSIDE.

In most cases, and according to my experience with the same Nicehash hacker, even a reset does not fix this, and when you attempt a firmware upgrade from the web, it will show "updated" but it won't; the hacker tricks you into thinking it was updated when it was not. I had luck fixing this issue on Antminer S9 by using the IP report button method to reset the miner and then quickly, before the miner loads, I rush to change the firmware, and it worked perfectly. Another option would be SDcarding a different firmware and then immediately changing the password.

But you should be extra paranoid: assume that every device you have on the network is infected, especially those Windows PCs. So to be extra safe, you should either use another PC/laptop or a mobile phone to change the password for the first time after the new firmware, and if you have a Linux-based system that will be great; if not, any of the prior options is good enough.

this is great advice ^

This is also why you need to be careful what firmware you use AND where you get that firmware.

JayDDee
Full Member
***
Offline Offline

Activity: 1397
Merit: 221


View Profile
April 21, 2020, 07:03:39 PM
 #6

The problem isn't clear to me. Did the Antminer itself get hacked/infected or did Nicehash get hacked,
giving the hacker control over the Antminer?

If Nicehash was hacked, fixing the Antminer won't help.

Either way the infected device(s) should be physically disconnected from the network for
thorough disinfecting.

mikeywith
Legendary
*
Offline Offline

Activity: 2240
Merit: 6406


be constructive or S.T.F.U


View Profile
April 21, 2020, 09:52:48 PM
 #7

Quote from: JayDDee
The problem isn't clear to me. Did the Antminer itself get hacked/infected or did Nicehash get hacked,
giving the hacker control over the Antminer?

If Nicehash was hacked, fixing the Antminer won't help.

This has nothing to do with Nicehash getting hacked. Nicehash or any other pool (I am assuming Nicehash is a pool for the sake of simplicity) only has control over the hashrate you direct to them; they have NO control over the miner itself, so even if Nicehash gets hacked 5 times a day your miner couldn't be infected.

In a nutshell, it's a simple matter of how the miner got infected. In most cases, based on my experience with my personal gear or most of my clients'/friends' gear, it's a second-hand (aka used) miner that came loaded with the hacker's firmware; the moment you plug it in, it will try to infect every other miner on the same network. Here is where a strong password comes to the rescue, although there is no guarantee that the infected firmware won't brute-force or key-log the passwords of other miners, so even with a very complex password one infected miner may very well infect every other miner on the network, but based on my experience it's unlikely. In other words, the hacked/infected miner does not have the ability to actually infect a PC or a phone and then use those to infect other miners; it only targets miners with the default password or the easy ones, and miners with SSH access with the default password are more hackable than those with SSH access disabled.

With that being said, you shouldn't count on the limitations of the hacker/s; technically one infected miner can spread itself to every other miner. You MUST be paranoid and treat the infected miner as if it has superpowers and could do everything.

JayDDee
Full Member
***
Offline Offline

Activity: 1397
Merit: 221


View Profile
April 21, 2020, 11:15:56 PM
 #8

Quote from: mikeywith
in most cases and according to my experience with the same nicehash hacker,

Quote from: mikeywith
This has nothing to do with Nicehash getting hacked.

Whatever you say.

mikeywith
Legendary
*
Offline Offline

Activity: 2240
Merit: 6406


be constructive or S.T.F.U


View Profile
April 22, 2020, 12:43:10 AM
 #9

Quote from: JayDDee
Quote from: mikeywith
in most cases and according to my experience with the same nicehash hacker,

Quote from: mikeywith
This has nothing to do with Nicehash getting hacked.

Whatever you say.

I think the confusion has to do with lack of knowledge regarding mining. By "nicehash hacker" I mean the famous hacker who uses the following Nicehash JP server and mines under the wallet 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x; you can read about it here and here.

In fact, even without reading a thing about it elsewhere, if you weren't reading out of context you would have understood that this whole thing has NOTHING to do with Nicehash itself being hacked and it simply implies a hacker who USES nicehash, this is the second time you do this and now I'm almost certain that you have poor reading comprehension, sadly I can't help you with that.

JayDDee
Full Member
***
Offline Offline

Activity: 1397
Merit: 221


View Profile
April 22, 2020, 01:11:14 AM
 #10

Quote from: mikeywith
this is the second time you do this and now I'm almost certain that you have poor reading comprehension, sadly I can't help you with that.

So much for your tag line. Communication problems go both ways, it could also be your writing skills. You make assumptions,
introduce irrelevant information without context and then give "authoritative" advice based on your assumptions.

You previously criticized me for cherry picking your inconsistencies, which I let slide. If you were consistent there wouldn't be any
inconsistencies to pick.

You did post some useful information but it may not apply to this case. The problem is poorly defined. All we really know
is that the Antminer password was compromised and changing it remotely didn't fix the problem. Maybe the monitoring
PC is infected and stealing passwords. It doesn't have to be the Antminer.


mikeywith
Legendary
*
Offline Offline

Activity: 2240
Merit: 6406


be constructive or S.T.F.U


View Profile
April 22, 2020, 01:53:56 AM
Last edit: April 22, 2020, 03:08:49 AM by mikeywith
 #11

Quote
Communication problems go both ways.

Let other people chime in and if anyone understood my words the way you did - then I will blame my writing, but I assure you that anyone who knows enough about mining would perfectly understand that "nicehash hacker" in the context above explicitly refers to a hacked firmware that uses nicehash to mine.


Quote
You make assumptions,

You see, you don't get it. This topic was initially a comment in a BTC mining topic which was describing the infection in great detail; the mod moved this comment and all the replies to it here because pusttiu mentioned L3+, which does not fit into BTC mining. There are 0 assumptions made, I have all the details, I have PERSONALLY had this virus and FIXED it. You are assuming that I am making assumptions because you either have a personal problem with me or because of your "poor reading comprehension", or else you would have easily guessed that this topic is missing a ton of information because it was initially a single comment on the main thread, hence the wording

Quote
hy, the same user 3BjMWfED7RJvtBPPikJpweDT6A9xRW952x

heck there is even this part

Quote
btw this is for ltc mining which is an alt coin question not a btc question

This should have given you an idea that there are a lot more inputs than what appears to be there, but instead of wondering why would a topic start with such words, you left all that, went all the way to the bottom of the topic to cherry-pick my words.  Roll Eyes

Quote
The problem is poorly defined.

it's not, in the initial topic the problem was thoroughly explained in deep details, it's YOU who have poorly identified the problem because you refuse to search, yes it's probably the mod's fault for moving a little part of the topic here, I admit it does create confusion, but I am neither responsible for that nor how you misunderstand my words.

If you were nice enough, I would have directed you to the original topic and explained everything in detail, but it seems to me like all you are trying to do is to make me look and sound "wrong", which even if you succeeded in doing - it does not add anything to the community when you don't actually correct me. I'd rather not waste time arguing with you or anyone else; this is the exact reason why I avoid the Altcoins section. If you see me post here, it's safe to assume a mod moved the topic here.

With that being said, I am sorry that you don't seem to like or understand what I write, I have nothing against you and I wish you all the best.


JayDDee
Full Member
***
Offline Offline

Activity: 1397
Merit: 221


View Profile
April 22, 2020, 04:04:33 AM
 #12

Quote from: mikeywith
With that being said, I am sorry that you don't seem to like or understand what I write, I have nothing against you and I wish you all the best.

I didn't realize the context was lost when the thread was moved. For that I apologize. Your posts make a lot more sense now.

However, you weren't very nice about it. Was it necessary to accuse me of having little mining knowledge, or being unable to read
when a simple clarification would do? Maybe you could dial the flame thrower down a notch or 2.

I also didn't start this round, I specifically avoided replying directly to you to avoid a confrontation.
Yet here we are.

I don't want to hijack the thread with a one on one, so...

The key for any infection is to disconnect from the network immediately and not reconnect until completely clean
and the source of the initial infection has been identified and prevented from recurring.

It seems now it's just a matter of execution, which is complicated by distance and the pandemic.

I'm now wondering if the hosting was part of the scam. If a pre-infected miner was bought second hand with an offer to host
it remotely it makes it more difficult for the owner to disinfect.

adaseb
Legendary
*
Offline Offline

Activity: 3766
Merit: 1718



View Profile
April 22, 2020, 05:34:55 AM
 #13

This reminds me of when Claymore had to add passwords to his miner software because it was very easy to find people who were actually miners and had an open network and didn't use a password. So people would basically scan a network of IP addresses looking for the remote manager port and if they found someone they would quietly change the server info.

In 2017 this was a big deal because back then if a hacker took over someone's rig which had 5+ GPUs, that was maybe $20/day of profit per rig. So if it went unnoticed for a while, looking at their pool stats, the losses were pretty huge. But Claymore quickly took action and disabled any type of modifying from the remote manager unless a password was set.

So I am surprised there are these issues still arising these days.
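
Added example (not written by any poster in this thread): both the hijack discussed above and the Claymore case come down to a miner quietly hashing for someone else's pool account, so one check is to read the stratum login from traffic captured at the gateway instead of trusting the miner's own web UI. It assumes plaintext stratum v1, where the miner sends a `mining.authorize` JSON line with `account.worker` as the first parameter; the IPs, pool host names and the `owneracct` account are constructed sample values.

```python
import json

# Account named in this thread as the one hijacked miners hash for.
KNOWN_BAD = {"3BjMWfED7RJvtBPPikJpweDT6A9xRW952x"}

def authorize_account(payload):
    """Return the account from a stratum v1 mining.authorize line, else None."""
    try:
        msg = json.loads(payload)
    except ValueError:
        return None  # not JSON: some other traffic, ignore it
    if not isinstance(msg, dict) or msg.get("method") != "mining.authorize":
        return None
    params = msg.get("params")
    if not isinstance(params, list) or not params or not isinstance(params[0], str):
        return None
    # Workers log in as "<account>.<worker name>"; compare the account only.
    return params[0].split(".", 1)[0]

def find_hijacked(records, allowed_accounts):
    """records: (miner_ip, pool_endpoint, payload) tuples seen at the gateway."""
    findings = []
    for miner_ip, pool, payload in records:
        account = authorize_account(payload)
        if account is None or account in allowed_accounts:
            continue
        reason = "known-bad account" if account in KNOWN_BAD else "unexpected account"
        findings.append((miner_ip, pool, account, reason))
    return findings

# Constructed sample capture: three miners, hypothetical pool host names.
SAMPLE = [
    ("192.0.2.11", "ltc-pool.example:3333",
     '{"id": 1, "method": "mining.subscribe", "params": ["cgminer/4.9.0"]}'),
    ("192.0.2.11", "ltc-pool.example:3333",
     '{"id": 2, "method": "mining.authorize", "params": ["owneracct.l3plus", "x"]}'),
    ("192.0.2.12", "other-pool.example:3333",
     '{"id": 2, "method": "mining.authorize", '
     '"params": ["3BjMWfED7RJvtBPPikJpweDT6A9xRW952x.w1", "x"]}'),
    ("192.0.2.13", "ltc-pool.example:3333", "not json"),
]

if __name__ == "__main__":
    for finding in find_hijacked(SAMPLE, allowed_accounts={"owneracct"}):
        print(finding)
```

Firmware that mines part of the day for another account, as described for the dev fee earlier in the thread, will show up as an unexpected account in the same way. The check only sees logins while the pool connection is unencrypted.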