Bitcoin Forum
December 04, 2016, 12:02:44 AM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 »  All
  Print  
Author Topic: Anyone Getting Notices from Comcast due to Bitcoin Mining?  (Read 3137 times)
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218


Michael, send me some coins before I hitman you


View Profile
February 12, 2012, 07:01:40 PM
 #1

ISP scares the Hell out of me. I only use it because I've moved in with family in the past month while house sells. Have mining rigs set up. Never had any problems with TWC, but Comcast seems determined to monitor EVERYTHING that goes through them.

About a month ago, Comcast insisted there was malware installed on computers in this house (family member tends to have malware on her computer, but was odd that this first came just after I set the rigs up). I checked all the computers -- nothing unusual going on, no concerning network traffic, no p2p-software (outside Bitcoin) was/is running. This morning, Comcast sent another email saying they were blocking port 25 due to "detected virus-like activity from your modem." Checked, and there's no network traffic using :25. Is this all due to Bitcoin mining traffic? Anyone have similar experiences? Becoming concerned they're going to try imposing fees or canceling service.

Don't mix your coins someone said isn't legal
1480809764
Hero Member
*
Offline Offline

Posts: 1480809764

View Profile Personal Message (Offline)

Ignore
1480809764
Reply with quote  #2

1480809764
Report to moderator
1480809764
Hero Member
*
Offline Offline

Posts: 1480809764

View Profile Personal Message (Offline)

Ignore
1480809764
Reply with quote  #2

1480809764
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1480809764
Hero Member
*
Offline Offline

Posts: 1480809764

View Profile Personal Message (Offline)

Ignore
1480809764
Reply with quote  #2

1480809764
Report to moderator
1480809764
Hero Member
*
Offline Offline

Posts: 1480809764

View Profile Personal Message (Offline)

Ignore
1480809764
Reply with quote  #2

1480809764
Report to moderator
1480809764
Hero Member
*
Offline Offline

Posts: 1480809764

View Profile Personal Message (Offline)

Ignore
1480809764
Reply with quote  #2

1480809764
Report to moderator
kjlimo
Legendary
*
Offline Offline

Activity: 1498


View Profile WWW
February 12, 2012, 07:12:24 PM
 #2

Interesting.  I wonder if the internet service providers can somehow become overlords of the bitcoin system?

Is that a potential point of failure for the bitcoin system?

Are there ways to simply change the "port reference" to something else to keep the system going?

I'm clearly not a programmer, but I feel like this is a good discussion to vet just be sure of where the points of failure are for interested parties to attack the system.

The more we brainstorm, the better prepared we can be for any inevitable situations.

CampBX for buying BTCs, Coinbase for selling BTCs or Vircurex or Cryptsy for trading alternate cryptocurrencies like DOGEs

PM me with any questions on these sites!  Happy to help!

Bitcoin Poker at Seals                  Strike Sapphire Casino  Free games every hour & day!
  Get Free Bitcoins here.

Spondoolies-Tech or KnC Miner for the fastest mining hardware available!

Bitpay to help your business accept bitcoin payments!
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218


Michael, send me some coins before I hitman you


View Profile
February 12, 2012, 07:15:56 PM
 #3

Interesting.  I wonder if the internet service providers can somehow become overlords of the bitcoin system?

Is that a potential point of failure for the bitcoin system?

Are there ways to simply change the "port reference" to something else to keep the system going?

I'm clearly not a programmer, but I feel like this is a good discussion to vet just be sure of where the points of failure are for interested parties to attack the system.

The more we brainstorm, the better prepared we can be for any inevitable situations.
fwiw, Bitcoin doesn't use :25. Very easy to change port Bitcoin client uses, also easy to change with miners, though you're limited to whichever ports your pool op has open unless you're going solo (dunno about p2pool). I was just curious if Comcast was bumbling around with a paintbrush to say the large amount of small data exchanges between miners & pool was virus-like activity.

ETA @ Mike & AB -- I think y'all are right. Every computer I run has a relatively fresh install with only mining essentials installed. There are three exceptions. On PC acts as a TV and it's possible it's infected -- I haven't checked it well. This PC acts as my general use computer... pretty confident it isn't infected, and I checked traffic with Peerblock (nothing unexpected), checked to make sure no unknown services/programs were running... no CPU clocks going to anything unknown. Other is a retired laptop, which isn't doing it. Asked relative about he own laptop, she said she ran A/V software on it, and I didn't press to check it. Getting curious, but I have other stuff to do. Will update if I find anything.

Don't mix your coins someone said isn't legal
Mike Hearn
Legendary
*
Offline Offline

Activity: 1526


View Profile
February 12, 2012, 08:00:33 PM
 #4

Doubtful. You most likely have a virus on a system but aren't able to detect it.

Try getting a known-clean (new?) system and do a wire trace for 24-48 hours on the connection, see if anything comes up. And/or reformat/reinstall all your systems.
ZodiacDragon84
Sr. Member
****
Offline Offline

Activity: 266


The king and the pawn go in the same box @ endgame


View Profile
February 12, 2012, 08:41:49 PM
 #5

P2P is a way that botmasters can communicate with their bots. But as everyone else said, port 25 is not usually a BTC port. And remember this, a new virus is created every 3 seconds. (from what I have seen, most of them are the same viruses, they have just been crypted differently with each new iteration). On a side note, what are the odds of a malicious attacker sending bot instruction messages embedded in the block chain?

Looking for a quick easy mining solution? Check out
www.bitminter.com

See my trader rep at Bitcoinfeedback.com
!
check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
February 14, 2012, 01:27:07 AM
 #6

If you have a switch that has port mirroring you can monitor all the traffic with TCPDump, limit to port 25 since you've been alerted to that.
For Linux you can use Linux Malware Detect and for Windows WinMHR. They both use the Malware Hash Registry by Team Cymru which includes samples of almost all known infectors. LMD also looks for hex patterns in addition to hashes. Other options are firewall with IDS, Backtrack in a VM in bridge mode to scan your network.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
jago25_98
Hero Member
*****
Offline Offline

Activity: 871


http://moneybutnofixedabode.blogspot.com


View Profile WWW
February 14, 2012, 04:00:05 PM
 #7

If you have a switch that has port mirroring you can monitor all the traffic with TCPDump, limit to port 25 since you've been alerted to that.
For Linux you can use Linux Malware Detect and for Windows WinMHR. They both use the Malware Hash Registry by Team Cymru which includes samples of almost all known infectors. LMD also looks for hex patterns in addition to hashes. Other options are firewall with IDS, Backtrack in a VM in bridge mode to scan your network.

Kudos to this slick answer.

Easiest is probably to monitor upstream, like on the modem/router if you can't port mirror. In a more simple way you could turn all computers on, disable auto updates etc and reset the data send/receive counters on the modem. Then leave for a day and see what traffic is sent.

DeathAndTaxes
Donator
Legendary
*
Offline Offline

Activity: 1218


Gerald Davis


View Profile
February 14, 2012, 04:26:47 PM
 #8

Another possibility is your wireless is compromised and someone is using their computer and your wireless to spam.

Port 25 block = spam and for you to get a block it is likely massive (as in tens of millions of emails).

Please tell me you aren't using WEP and if using WPA you changed the router SSID (rainbow tables with tens of millions of passwords exist for the 1000 or so most common/default SSIDs).
Kluge
Donator
Legendary
*
Offline Offline

Activity: 1218


Michael, send me some coins before I hitman you


View Profile
February 14, 2012, 06:10:00 PM
 #9

Another possibility is your wireless is compromised and someone is using their computer and your wireless to spam.

Port 25 block = spam and for you to get a block it is likely massive (as in tens of millions of emails).

Please tell me you aren't using WEP and if using WPA you changed the router SSID (rainbow tables with tens of millions of passwords exist for the 1000 or so most common/default SSIDs).
The primary wireless router's open!  Shocked  Shocked  Shocked

It'd be surprising if any of the neighbors were able to get a signal, though, they're a good distance away. WinMHR suggested all computers (including relative's) are clean. Repeater router (which is protected) still not reporting any traffic on :25. Putting curiosity to rest, for now... Won't have to deal with Comcast for more than a couple more months, anyway.

Don't mix your coins someone said isn't legal
Rassah
Legendary
*
Offline Offline

Activity: 1624


Director of Bitcoin100


View Profile
February 14, 2012, 06:42:11 PM
 #10

Only issues I got from them were "excessive data usage." 250gig a month limits suck.
If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at process and individual connections level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Mallwarebytes didn't find anything, so I just force close it with task manager on boot)

stcupp
Full Member
***
Offline Offline

Activity: 196


View Profile
February 14, 2012, 08:34:06 PM
 #11

Only issues I got from them were "excessive data usage." 250gig a month limits suck.
If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at process and individual connections level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Mallwarebytes didn't find anything, so I just force close it with task manager on boot)

I have suddenlink and their talking about putting a 80GB limit and charging extra if you use more Cry

They said 80 GB is the average that is used in a month!?!? WTF Huh

lol I use more like 800GB a month

anyway port 25 is a SMTP email port so you most likely have a virus sending shit tons of spam

Some nasty viruses hook into your kernal at boot and will feed you anti virus fake info so it doesn't get detected
heres one for example: http://resources.infosecinstitute.com/tdss4-part-1/

They call it the "Indestructible Botnet"

If you have something like that it will survive even after wiping your hard drive and reinstalling your OS

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
February 14, 2012, 10:08:11 PM
 #12

Only issues I got from them were "excessive data usage." 250gig a month limits suck.
If you're using Windows, Start > Applications > System Tools > Resource Monitor lets you track all network activity on your computer at process and individual connections level. Figured that out when trying to track down what was using up 10 gigs of data a day. (Turned out to be java.exe... for no reason... AVG and Mallwarebytes didn't find anything, so I just force close it with task manager on boot)

I have suddenlink and their talking about putting a 80GB limit and charging extra if you use more Cry

They said 80 GB is the average that is used in a month!?!? WTF Huh

lol I use more like 800GB a month

anyway port 25 is a SMTP email port so you most likely have a virus sending shit tons of spam

Some nasty viruses hook into your kernal at boot and will feed you anti virus fake info so it doesn't get detected
heres one for example:http://resources.infosecinstitute.com/tdss4-part-1/

They call it the "Indestructible Botnet"

If you have something like that it will survive even after wiping your hard drive and reinstalling your OS
My bullshit-o-meter almost exploded when I read that.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
P4man
Hero Member
*****
Offline Offline

Activity: 504



View Profile
February 14, 2012, 10:21:14 PM
 #13

My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quickformat might not) and depending if windows upon reinstallation always rewrites the bootloader if there is already one. Im not 100% certain about that.

That said, there are possibilities to infect machines that resist any hdd wipe or even replacement. If you have an intel machine with "Vpro" / VT-d, then its theoretically possible to have a rootkit in the Vpro controller. Really scary stuff:

http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Gets even scarier if you consider the possibility intel just hands over the private keys to 3 letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The VPro controller has access to your network, hdd, display buffer, ram, heck even webcam. Like I said, scary.

stcupp
Full Member
***
Offline Offline

Activity: 196


View Profile
February 15, 2012, 12:40:28 AM
 #14

My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quickformat might not) and depending if windows upon reinstallation always rewrites the bootloader if there is already one. Im not 100% certain about that.

That said, there are possibilities to infect machines that resist any hdd wipe or even replacement. If you have an intel machine with "Vpro" / VT-d, then its theoretically possible to have a rootkit in the Vpro controller. Really scary stuff:

http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Gets even scarier if you consider the possibility intel just hands over the private keys to 3 letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The VPro controller has access to your network, hdd, display buffer, ram, heck even webcam. Like I said, scary.

TDL4 will live through a simple format and reinstallation of the OS... I've done a lot of research on this and even wrote a kernal level boot loader for proof of concept in ASM and C....

Heres a good article on the bootloader if your interested:

http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#2

and another very detailed article on how everything works:

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Quote
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.


TDL4 is probably the most advanced trojan i've ever seen

rjk
Sr. Member
****
Offline Offline

Activity: 420


1ngldh


View Profile
February 15, 2012, 06:02:51 PM
 #15

My bullshit-o-meter almost exploded when I read that.

Actually, if you follow his link, then it depends how you define wiping the drive (dd'ing will definitely do it, but a quickformat might not) and depending if windows upon reinstallation always rewrites the bootloader if there is already one. Im not 100% certain about that.

That said, there are possibilities to infect machines that resist any hdd wipe or even replacement. If you have an intel machine with "Vpro" / VT-d, then its theoretically possible to have a rootkit in the Vpro controller. Really scary stuff:

http://invisiblethingslab.com/press/itl-press-2009-03.pdf
http://www.invisiblethingslab.com/resources/2011/Software%20Attacks%20on%20Intel%20VT-d.pdf

Gets even scarier if you consider the possibility intel just hands over the private keys to 3 letter agencies, which could thereby obtain full remote access to your machine with no way for you to detect it or prevent it. The VPro controller has access to your network, hdd, display buffer, ram, heck even webcam. Like I said, scary.

TDL4 will live through a simple format and reinstallation of the OS... I've done a lot of research on this and even wrote a kernal level boot loader for proof of concept in ASM and C....

Heres a good article on the bootloader if your interested:

http://www.securelist.com/en/analysis/204792157/TDSS_TDL_4#2

and another very detailed article on how everything works:

http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot

Quote
According to these databases, in just the first three months of 2011 alone, TDL-4 infected 4,524,488 computers around the world.


TDL4 is probably the most advanced trojan i've ever seen

Interesting, another MBR/BCD virus. So yes, a simple reinstall might not wipe it out, but deleting all partitions and then starting fresh ought to work, right? In any case, those articles indicate that there are ways to detect it, and Kaspersky already has a tool to remove it.

Mining Rig Extraordinaire - the Trenton BPX6806 18-slot PCIe backplane [PICS] Dead project is dead, all hail the coming of the mighty ASIC!
Herodes
Hero Member
*****
Offline Offline

Activity: 868


View Profile
February 15, 2012, 08:09:53 PM
 #16

ISP scares the Hell out of me. I only use it because I've moved in with family in the past month while house sells. Have mining rigs set up. Never had any problems with TWC, but Comcast seems determined to monitor EVERYTHING that goes through them.

About a month ago, Comcast insisted there was malware installed on computers in this house (family member tends to have malware on her computer, but was odd that this first came just after I set the rigs up). I checked all the computers -- nothing unusual going on, no concerning network traffic, no p2p-software (outside Bitcoin) was/is running. This morning, Comcast sent another email saying they were blocking port 25 due to "detected virus-like activity from your modem." Checked, and there's no network traffic using :25. Is this all due to Bitcoin mining traffic? Anyone have similar experiences? Becoming concerned they're going to try imposing fees or canceling service.

It's possible that your computer is infected by malware that sends out spam. As mentioned in this thread, port 25 is used for sending e-mail. Even if you check with anti-virus programs, there's a small possibility that the malware in question goes under the radar. Also, you'd had to constantly monitor that port to ensure there's no activity on it. For all you know, the activity may happen when you're not acitvely using your computer. Another possibility is that Comcast somehow have target you in error, this may happen as well. Anyway, if you get port 25 blocked, unless you need it to send e-mail (perhaps you could use another port, or another service), you should be fine. Bitcoin doesn't use port 25.

Another possibility is that your miner is infected with malware, if you run binary version you downloaded from the web, you really don't know what's inside that binary, but if you download from a 'trusted' source, you should generally be fine.

In summary, there could be many reasons for this happening, and don't freak out in regards to the bitcoin mining, I don't think this is what they're targetting here.

If you wanted to monitor all network traffic, you must set up a program that can monitor all ports around the clock and which programs are causing the traffic.

Perhaps you could call their tech department, and tell them that you've received their notification, but you couldn't find any suspicious activity on your pc. Then they could (if they want) tell you what they're detecting on their side. No need to mention the bitcoin mining to them at all if calling in, I'm pretty sure that's not the culprint here.
check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
February 15, 2012, 10:15:26 PM
 #17

Quote from: rjk
Interesting, another MBR/BCD virus. So yes, a simple reinstall might not wipe it out, but deleting all partitions and then starting fresh ought to work, right?
The malware partition is outside of the OS written directly to the drive. What value is there in deleting the partition table?
Wiping with a zero write solution is the only way to delete this type of malware. Reinstall from clean backups.

There is another type of malware that can be written to the network ROM, usually a card with boot from network ROM, with additional jump instruction in the BIOS to initiate the infector at boot.

DualComm has a cheap Port Mirroring solution USB Powered.
5 ports 1 hardwired for port mirroring:
DCSW-1005  $59.95
http://dual-comm.com/port-mirroring-LAN_switch.htm

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
Rassah
Legendary
*
Offline Offline

Activity: 1624


Director of Bitcoin100


View Profile
February 15, 2012, 11:05:02 PM
 #18

When I install (or reinstall) Windows, I usually wipe all partitions before installing. The partition manager shows all partitions on the disk, including system, mbr, and any strange ones. I assume any virus partitions  would still show up and get wiped on reinstall?

P4man
Hero Member
*****
Offline Offline

Activity: 504



View Profile
February 15, 2012, 11:22:28 PM
 #19

When I install (or reinstall) Windows, I usually wipe all partitions before installing. The partition manager shows all partitions on the disk, including system, mbr, and any strange ones. I assume any virus partitions  would still show up and get wiped on reinstall?

The partition would be hidden. Not in the sense that it has the H attribute in the partition table, but that its not in the partition table and would appear to be unpartitioned space. But unless the virus has infected your bios or some other eeprom, having such unpartitioned space should be pretty harmless by itself. It still requires an infected bootloader to actually be able to read and execute whats on there. IOW, the crucial part is probably erasing the MBR and bootloader (and praying your bios, nic, and VT-d are clean). But why take chances, just zero fill the drive.

check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
February 16, 2012, 03:58:10 AM
 #20

It would be sad to see "Trashing the Motherboard" as a viable option for malware remediation.  Cry

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!