KanoPool since 2014 🐈 - PPLNS and Solo 0.5% fee - Worldwide - 2437 blocks

[Biffa]

Good evening fellow miners!  Just wanted to let you know that I’ve had another S9 hacked today and the controller is ruined and I ran out of the replacement controllers

Firewall is set to medium, if I set it to higher level then the miners don’t connect.  Not sure what else I can do to stop this guy from stealing my coins and braking my hardware.

If anyone is interested here is the address that this bastard puts instead of my pool settings and his wallet address.


35TVW8JXxnrPviwyZoRbtNfs2RD1vXNRu1


stratum+tcp://sha256.hk.nicehash.com:3334#xnsub

The controllers can not be hard reset, the address can not be changed.  BEWARE AND KEEP YOU NETWORK SAFE¡

Good night and mine on!  The block is coming soon!

Its more likely that the attack is coming from one of the computers on your internal network rather than from outside.

Unless you have forwarded ports to access your miners from outside your network, or worse, your miners have public IP addresses, the most likely cause of the hack is a compromised windows computer on your network.

[NomadGroup]

Good evening fellow miners!  Just wanted to let you know that I’ve had another S9 hacked today and the controller is ruined and I ran out of the replacement controllers

Firewall is set to medium, if I set it to higher level then the miners don’t connect.  Not sure what else I can do to stop this guy from stealing my coins and braking my hardware.

If anyone is interested here is the address that this bastard puts instead of my pool settings and his wallet address.


35TVW8JXxnrPviwyZoRbtNfs2RD1vXNRu1


stratum+tcp://sha256.hk.nicehash.com:3334#xnsub

The controllers can not be hard reset, the address can not be changed.  BEWARE AND KEEP YOU NETWORK SAFE¡

Good night and mine on!  The block is coming soon!

Its more likely that the attack is coming from one of the computers on your internal network rather than from outside.

Unless you have forwarded ports to access your miners from outside your network, or worse, your miners have public IP addresses, the most likely cause of the hack is a compromised windows computer on your network.

I was thinking about that bro and it probably was the case because I have the whole family connected to the same network and everyone is browsing different sites and places which are probably aren’t safe, and I can’t control all of them.  I have my modem setup pretty safe and the WiFi isn’t even visible and it doesn’t have any ports open as far as I know and isn’t controlled from the outside but I did have a not very secured 5G Netgear router hooked up to it which I disconnected and hopefully now I’ll be safe.  So far no more machines have been hacked.

And gladly it is just my home network where I just got several miners working and not my actual farm!!!

And no, nobody uses windows in my house, it’s all phones and tablets.

Thanks.

Mine on!  I can smell that block already!!!

[Artemis3]

Its more likely that the attack is coming from one of the computers on your internal network rather than from outside.

Unless you have forwarded ports to access your miners from outside your network, or worse, your miners have public IP addresses, the most likely cause of the hack is a compromised windows computer on your network.

I was thinking about that bro and it probably was the case because I have the whole family connected to the same network and everyone is browsing different sites and places which are probably aren’t safe, and I can’t control all of them.  I have my modem setup pretty safe and the WiFi isn’t even visible and it doesn’t have any ports open as far as I know and isn’t controlled from the outside but I did have a not very secured 5G Netgear router hooked up to it which I disconnected and hopefully now I’ll be safe.  So far no more machines have been hacked.

And gladly it is just my home network where I just got several miners working and not my actual farm!!!

And no, nobody uses windows in my house, it’s all phones and tablets.

Thanks.

Mine on!  I can smell that block already!!!

Your network is definitely compromised. What about the miners? Did you set up (different) passwords on each? With 2018 or earlier firmware you had to set up both web and ssh passwords, not too sure about 2019 where you are not supposed to log in with ssh, but an earlier version (May?) has an exploit in the web server that re enables ssh access...

Also, rather than losing controllers, try the recovery procedure from (micro)SD, and if that doesn't cure it try booting BraiinsOS from the sd card and see if they work that way its better to sacrifice a cheap (small) sd card than a controller (if S9s until the i model).

Perhaps you could isolate your miners from your family network, you could have them on different network segments (both physically or logically). Ideally the miners would have their own router firewall, i would setup a white list that only lets them connect to the intended pool (and maybe Bitmain, i think the things phone home iirc before they start hashing), and having a local caching dns server is wise (dnscrypt-proxy does wonders).

A proper firewall is generally choosing what is allowed and what is not, ports and sites. Usually something like single button "medium" setting is nearly useless, especially for things whoever designed the firewall didn't think of (such as Bitmain asic miners getting malware).

While i commend you for not using Windows, be aware that both Android and iOS/OSX are not perfectly safe, Apple may be a little better but don't blind trust them, especially when your device gets too old and is put out of support. You are essentially doing a sysadmin work in your home like you would in a company...

[NotFuzzyWarm]

and if that doesn't cure it try booting BraiinsOS from the sd card and see if they work that way its better to sacrifice a cheap (small) sd card than a controller

Do be aware that for several reasons using non-OEM firmware is not allowed here.

Use Braiins as a test, fine, but prolonged usage will get you kicked from the pool.

[vickersja]

so... about that block.... anytime now......

[Artemis3]

and if that doesn't cure it try booting BraiinsOS from the sd card and see if they work that way its better to sacrifice a cheap (small) sd card than a controller

Do be aware that for several reasons using non-OEM firmware is not allowed here.

Use Braiins as a test, fine, but prolonged usage will get you kicked from the pool.

So either he can leave the pool, or lose the miners. Nice. I'd like Kano to write here that using bOS with his pool leads to banning, just so things are official and people can take an informed decision.

The reason for the bOS test is because there is apparently some malware that damages the nand storage, so you can no longer boot from it but could still boot from SD. Obviously there is no Bitmain firmware that runs directly from SD, it only tries copying itself into nand, but bOS can run fine without installing it into nand.

While i have known before that Kano dislikes third party firmware, i have yet to read that he is explicitly banning bOS, so lets have that clarified and straightened out of the way please. The current bOS from June 2019 still uses classic cgminer, versions from 2020 will move to bosminer; both are Free and Open Source software that you can audit to your heart content, unlike the typical dev fee mod.

[NotFuzzyWarm]

Um, look at the Kanopool home page. The ban on 3rd party is in big bold red letters and has been a long standing policy for a few years.
A couple reasons for it:
a. Most violate the CGminers' Open Source license by refusing to provide their source code. If bOS provide their code, fine but that still does not address the next point,

b. Despite many requests for it - NO 3rd party firmware provider has ever given*any* proof that the firmware finds BTC blocks nor given any proof of testing for more than it does not crash but does do what they claim (control of clocking, voltage adj, fans etc)

[Artemis3]

Um, look at the Kanopool home page. The ban on 3rd party is in big bold red letters and has been a long standing policy for a few years.
A couple reasons for it:
Most violate the CGminers' Open Source license
Despite many requests for it - NO 3rd parts firmware provider has ever given*any* proof that the firmware finds BTC blocks nor given any proof of testing for more than it does not crash but does what they claim (control of clocking, voltage adj, fans etc)

Then it wouldn't apply to bOS since the source is available and you could test it yourself. For this reason i don't believe it unless Kano himself says so.

[NotFuzzyWarm]

^^ Posted to Discord for him to pop in on it. He has talked about this several times there.

No matter what given that all claim to have many many users, why is it so hard for someone - anyone - that uses 3rd party firmware to post proof it has found a BTC block? Most GUI's have a spot for it and a record of blocks found since last reboot  is part of the API so can be checked even outside of the miner GUI.

On the pool side of things, when shares are sent/received information about the miner is provided as well to let the pool/miner work together. Plus when a block is found the block header generated includes information about the actual individual miner that found it. That info is more than just 'running cgminer vxxx'' and is easily logged by a pool if they care to keep detailed logs, for a start

[2019-12-17 09:55:22.719+11] _bloks_add(): BLOCK! Status: 1-Confirm, Block: 608428/...000012e6e6870bff Diff 14.9T Reward: 12.557647, Worker: Fuzzy.Avalon841_2, ShareEst: 21049113647971.0 21T 163.46% UTC:2019-12-16 22:55:22.618675+00

is part of the header from the block I found on Dec 16. From what Kano has said, a pool operator can extract more information as well if they care to. It should be common sense to link together miner data with block header info to track performance metrics.

Since Slush is behind the bOS projects, why not provide simple, verifiable proof the stuff finds blocks? They certainly have a large enough data set to see what miners (or, ahem, large proxy) find blocks and compare that against expected finds vs hashrate. So, if responsible pool operators want verifiable proof firmware works - give it to them.

Oh, their Stratum redeux freely gives a pool, sorry - they call it 'Service' -that info and knowing in-depth what a miner is running and can do is a large part of what it relies on to do the voodoo they plan on it doing.

Then there is #xnsub being part of it... While not an issue per se #xnsub opens up a rather large security hole and exists (so far) only for the benefit of Nicehash and DevFee firmware. It is how NH is able to change work done w/o having to restart a miner. It is also used by DevFee firmware to mine at their payment pools in the background without the miner needing to change pools & restart. Yes a lot of miners support #xnsub and yes BM had to reinstate support for it again after folks bitched about not being able to use their newest miners on NH. That still does not make it a good thing...

[kano]

The wording is VERY clear:

"Only use firmware provided by the miner manufacturer."

[NomadGroup]

Its more likely that the attack is coming from one of the computers on your internal network rather than from outside.

Unless you have forwarded ports to access your miners from outside your network, or worse, your miners have public IP addresses, the most likely cause of the hack is a compromised windows computer on your network.

I was thinking about that bro and it probably was the case because I have the whole family connected to the same network and everyone is browsing different sites and places which are probably aren’t safe, and I can’t control all of them.  I have my modem setup pretty safe and the WiFi isn’t even visible and it doesn’t have any ports open as far as I know and isn’t controlled from the outside but I did have a not very secured 5G Netgear router hooked up to it which I disconnected and hopefully now I’ll be safe.  So far no more machines have been hacked.

And gladly it is just my home network where I just got several miners working and not my actual farm!!!

And no, nobody uses windows in my house, it’s all phones and tablets.

Thanks.

Mine on!  I can smell that block already!!!

Your network is definitely compromised. What about the miners? Did you set up (different) passwords on each? With 2018 or earlier firmware you had to set up both web and ssh passwords, not too sure about 2019 where you are not supposed to log in with ssh, but an earlier version (May?) has an exploit in the web server that re enables ssh access...

Also, rather than losing controllers, try the recovery procedure from (micro)SD, and if that doesn't cure it try booting BraiinsOS from the sd card and see if they work that way its better to sacrifice a cheap (small) sd card than a controller (if S9s until the i model).

Perhaps you could isolate your miners from your family network, you could have them on different network segments (both physically or logically). Ideally the miners would have their own router firewall, i would setup a white list that only lets them connect to the intended pool (and maybe Bitmain, i think the things phone home iirc before they start hashing), and having a local caching dns server is wise (dnscrypt-proxy does wonders).

A proper firewall is generally choosing what is allowed and what is not, ports and sites. Usually something like single button "medium" setting is nearly useless, especially for things whoever designed the firewall didn't think of (such as Bitmain asic miners getting malware).

While i commend you for not using Windows, be aware that both Android and iOS/OSX are not perfectly safe, Apple may be a little better but don't blind trust them, especially when your device gets too old and is put out of support. You are essentially doing a sysadmin work in your home like you would in a company...

Thanks a lot for the information you provided!  I really appreciate it!  And yes I’ve had one of the worst days in BTC mining this morning when I woke up I found out that the hacker was able to ruin 14 more S9’s!!!!!  14 machines gone in a minute!  Apparently he works somewhere in China in the day time when it is night here and I wake up to a surprise!  Today’s surprise was SHOCKING!

I have already contacted Bitmain for an advice on what to do and if there is a way that I can repair the controllers by uploading a newer firmware because these machines were from 2017-2018.  So I will be waiting for their reply as soon as they start their workday.

At first he hacked 3 so I just disconnected the router connected to my modem thinking that it was causing the problem, since the SSID wasn’t hidden unlike my modem SSID.  But when I realized that 14 more are mining for him this morning I started to dig in the log of the modem itself and found about 22 of these Dos Smurf attacks!!! From February second to today’s morning!

2020-02-04 09:00:49 [Error][Alarm-Log] AlarmID:303500,AlarmLevel:Error,DoS attack. Type: smurf. Source IP address: 192.168.1.102. Destination IP address: 192.168.1.255. Source MAC address:


So I contacted the the ISP provider and they confirmed me that I was hacked by WiFi although I’m not sure how since the SSID was hidden.  Remotely they have reset everything and I’ve changed all of the passwords.  Even on the miners themselves!  But I did that yesterday and apparently that didn’t help.  Also the modem  had a specific check box for preventing these Dos smurf attacks but apparently that didn’t work.

I’m closely monitoring the network tonight to see if there will be any more attacks on my modem, because now I just have a few miners running 

Maybe someone had clicked a wrong link from one of the devices who knows.

And I did noticed that the only ones that he wasn’t able to hack (so far) are the last ones that I got so they must have had a newer firmware protecting them from being hacked like that.

All my hope is on Bitmain now and that they answer soon and maybe be able to find a solution for me.  Start them with a preloaded firmware on a sd card or just try to upload it through my network on them, I really don’t know but I am afraid to even turn the power on the ones that have been compromised now, thinking that if it was hacked then maybe he can hack my whole new reseted network again and I will loose the rest of the miners?  Do you think it is safe to connect one of them to my fresh network or I shouldn’t even try?  Or what do you think?

If the Bitmain won’t be able to help me with a firmware upgrade then I really don’t care what I have to load on a Sd card and where it will mine as long as they just don’t sit around like furniture.  Now 17-18 have been ruined! 

Please let me know your thoughts guys I’d really appreciate if someone with the knowledge be able to give an advice   

[NomadGroup]

Biffa and Artemis3 and all of you guys, thank you again for taking your time trying to help me this problem!!! Just want you to know that I really appreciate it! 

I’m sure anyone can become an easy target like me and this is just wrong to do that to people!  Especially if they ruin the hardware!

If I won’t be able to fix these machines in the next few days, I will go ahead and buy at least 10 of the 17TH machines that bitmain has in stock so I can partly compensate for the damage done by this hacker, and have my TH somewhat higher than now.

All I can say for sure is that he isn’t getting anything from the miners that he has hacked anymore and that makes me feel a little better!

Mine on Comrades!

[os2sam]

So I contacted the the ISP provider and they confirmed me that I was hacked by WiFi although I’m not sure how since the SSID was hidden. 

Hiding an SSID is NOT a security feature.  It just keeps the casual person from seeing your network easily.  Clients still need to know the SSID and that information is passed in the clear over the air.  So anyone sniffing for WiFi can easily see your SSID even though it is hidden.

I seriously doubt that a hacker in China was connecting via your WiFi.

Make sure your using, at least, WPA2 with a very good and complex key.  Disable uPNP and Bonjour and reboot it.  If your using a Ubiquity router make sure you disable Ubi Discovery.

[MoparMiningLLC]

...

is this the problem you were having? if so, I think they detail how to fix it - https://bitcointalk.org/index.php?topic=5224777.0

[NomadGroup]

So I contacted the the ISP provider and they confirmed me that I was hacked by WiFi although I’m not sure how since the SSID was hidden. 

Hiding an SSID is NOT a security feature.  It just keeps the casual person from seeing your network easily.  Clients still need to know the SSID and that information is passed in the clear over the air.  So anyone sniffing for WiFi can easily see your SSID even though it is hidden.

I seriously doubt that a hacker in China was connecting via your WiFi.

Make sure your using, at least, WPA2 with a very good and complex key.  Disable uPNP and Bonjour and reboot it.  If your using a Ubiquity router make sure you disable Ubi Discovery.

By the time frame that these attacks were done I’m pretty sure that It was done in another time zone.  Is there any other way how they could have hacked my modem, by not actually physically being in the radius of its reach?

Or that is the only way someone could have hacked it?  Because if that’s the case then I even have a local, love to hack people’s wifi suspect around here!

And ok, I will try to find and disable what you have told me.  After the reset so far no intrusions have been made this night and the log is clean.

Also Bitmain have answered to me and send me instructions on how to flash the controllers with their newest firmware by the means of an SD card and then they told me to upload some antivirus which they have send me as well.

I’m praying that this will work for me, will start to work on all of the hacked miners today!

Thanks for the output!

[NomadGroup]

...

is this the problem you were having? if so, I think they detail how to fix it - https://bitcointalk.org/index.php?topic=5224777.0

I’m not sure if it’s the same problem I was having because I could not find the IP address that he mentioned in his post but sounded like a simular problem.

Thanks for the information!

[NomadGroup]

So I contacted the the ISP provider and they confirmed me that I was hacked by WiFi although I’m not sure how since the SSID was hidden. 

Hiding an SSID is NOT a security feature.  It just keeps the casual person from seeing your network easily.  Clients still need to know the SSID and that information is passed in the clear over the air.  So anyone sniffing for WiFi can easily see your SSID even though it is hidden.

I seriously doubt that a hacker in China was connecting via your WiFi.

Make sure your using, at least, WPA2 with a very good and complex key.  Disable uPNP and Bonjour and reboot it.  If your using a Ubiquity router make sure you disable Ubi Discovery.

Os2Sam,  I wanted to ask you.  How can I check my network for the level of security?  What type of software do I need to load up to be able to try to hack my own network even when the SSID is hidden?  I thought that it makes it pretty safe when I hide the SSID

What other modern safety measures people take these days to protect their network?  Thanks!

[os2sam]

So I contacted the the ISP provider and they confirmed me that I was hacked by WiFi although I’m not sure how since the SSID was hidden. 

Hiding an SSID is NOT a security feature.  It just keeps the casual person from seeing your network easily.  Clients still need to know the SSID and that information is passed in the clear over the air.  So anyone sniffing for WiFi can easily see your SSID even though it is hidden.

I seriously doubt that a hacker in China was connecting via your WiFi.

Make sure your using, at least, WPA2 with a very good and complex key.  Disable uPNP and Bonjour and reboot it.  If your using a Ubiquity router make sure you disable Ubi Discovery.

Os2Sam,  I wanted to ask you.  How can I check my network for the level of security?  What type of software do I need to load up to be able to try to hack my own network even when the SSID is hidden?  I thought that it makes it pretty safe when I hide the SSID

What other modern safety measures people take these days to protect their network?  Thanks!

You can download wireshark to scan your network traffic.  WPA/2/3 with, a good, high entropy key is important for wifi.  uPNP and Bonjour allow apps in your network to open ports in your router, whether its wired or wifi, and gives you NO notification that that was done.

Also you can check TCP hardness of your router by using ShieldsUp at grc.com and scanning "All Service Ports" and verifying that all ports are at least closed at best stealthed.

[Biffa]

2020-02-04 09:00:49 [Error][Alarm-Log] AlarmID:303500,AlarmLevel:Error,DoS attack. Type: smurf. Source IP address: 192.168.1.102. Destination IP address: 192.168.1.255. Source MAC address:

These IP addresses are internal to your network. The 102 address is a machine on your network, the 255 address is the broadcast address of your internal network (the address that something scanning your network for vulnerable hosts would use)

What machine on your internal network has the IP address 192.168.1.102

[Artemis3]

The wording is VERY clear:

"Only use firmware provided by the miner manufacturer."

With that cleared out lets move into something else:

Just to confirm, Are native segwit bech32 addresses still invalid on KanoPool?

Never got an answer, but i tried setting up one recently and it apparently works now. Can anybody else confirm using bech32 (bc1q+) addresses with this pool are working correctly and receiving payments?