Antminer Hacked

[Rovernelson]

So I woke up to a bitch of a morning today it seems someone has managed to hack into my Antminer S4's and program a 4th unseen pool and make it the priority pool. I've reset the miners but minutes later they are hacked again, any ideas how to stop this?

[notlist3d]

Is this a miner at your house or data center?

To think it happens so quick are you sure you stopped it?

[Rovernelson]

It's at a data center using static network settings on public IP's but it is password protected. I've reset the miners and it'll work for awhile and then one by one it seems (I'm guessing the guy is notified of the problem immediately) and the hacked pool is put back up. Not sure at all how to solve this.

[Bazeman]

Had it also, my S4 was not behind a router or firewall and ssh password was not changed. Get the S4 image from the 2nd post on the S4 forum, open the S4, get out the mSD an put the image on it by computer. mSD card back in S4, restart and it is ready for you again. Change settings.Change WebGUI and SSH password and have your Antminer behind a decent router/firewall.

[Rovernelson]

Thanks for the help guys, I really hate hackers. They are more cowardly than thieves.
I'll get these SD cards re-flashed and change the password and I'll have the data center I'm at put up a firewall for my IP connections.
Any other preventative steps y'all know of?

I re-started my miners earlier and the hacked pool settings disappeared and then two hours later they were back, I almost thought I beat it out of dumb luck for a second ... not so

[Rovernelson]

Well the very second after I had re-flashed the SD card successfully and reconfigured the network settings under a new password, the hacked pool #4 mining at eligius popped back up.
I've figured out (simple because it's eligius) the Eligius profile which is hacking me - http://eligius.st/~wizkid057/newstats/userstats.php/1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M

Every one of his spikes in hashing power is the hacked units of Antminer S4's that are mine,  five of them to be exact.

https://i.imgur.com/ehg13Oh.png
https://i.imgur.com/ehg13Oh.png

[MinerFTW]

close api also

[Rovernelson]

I'm not sure what you mean?

[josef2000]

Are you using a wifi or internet connection without password?

[notlist3d]

It's at a data center using static network settings on public IP's but it is password protected. I've reset the miners and it'll work for awhile and then one by one it seems (I'm guessing the guy is notified of the problem immediately) and the hacked pool is put back up. Not sure at all how to solve this.

That is a scary situation.  Go to the data center and talk to them.  They should watch it and close holes.

[kano]

This is a problem with many miners that I have brought up on many occasions and the idiots who make the miners have ignored it.

Bitmain sets the cgminer api to --api-allow W:0/0

This means ANYONE who has network access to your miner can change anything in the settings.

I guess in this case you'll have to login to it and edit the settings manually for --api-allow
I'd suggest you use the settings that my modified S2 firmware defaults to: --api-allow W:127.0.0.1,R:0/0

Of course you could also read the cgminer README about how the API works
https://github.com/ckolivas/cgminer/blob/master/API-README

... and anyone wondering ... I wrote the cgminer API.

[n3rvi0zz0]

Few months ago i was checking this exactly, with a simple dork to discover the antminers ( i will not write here ) and access to a network with few of them you can open your mine without worries for electricity costs   .

Yes you're not the only one who has told this to Bitmain, this is like the critical updates in the source code of bitcoin, happend after a big hack  


edited: the browser used for the test was shodan.

[crazyearner]

I would be going down to the data centa and looking at their security and also filing claim with them for losses and damages for each time it has happened and the amount of down-time it is causing you. I would even look at using another data location if they do not do anything. Is not good for a place to have their servers compromised. Maybe an inside job who knows end of the day it is not good.

[notlist3d]

Few months ago i was checking this exactly, with a simple dork to discover the antminers ( i will not write here ) and access to a network with few of them you can open your mine without worries for electricity costs   .

Yes you're not the only one who has told this to Bitmain, this is like the critical updates in the source code of bitcoin, happend after a big hack  


edited: the browser used for the test was edit

Why wold you include the browser that you used? No good will come of putting it out there.

I suggest taking it down, pass on findings to Bitmain.  Proper reporting is important.  Going public is not best plan till it is fixed (assuming you found a security issue)

[BTI4LIFE]

Few months ago i was checking this exactly, with a simple dork to discover the antminers ( i will not write here ) and access to a network with few of them you can open your mine without worries for electricity costs   .

Yes you're not the only one who has told this to Bitmain, this is like the critical updates in the source code of bitcoin, happend after a big hack  


edited: the browser used for the test was edit

Why wold you include the browser that you used? No good will come of putting it out there.

I suggest taking it down, pass on findings to Bitmain.  Proper reporting is important.  Going public is not best plan till it is fixed (assuming you found a security issue)

shodan - ninja : now will this help us take down the greedy centralized mining operators? lol ;-)

[notlist3d]

Few months ago i was checking this exactly, with a simple dork to discover the antminers ( i will not write here ) and access to a network with few of them you can open your mine without worries for electricity costs   .

Yes you're not the only one who has told this to Bitmain, this is like the critical updates in the source code of bitcoin, happend after a big hack  


edited: the browser used for the test was edit

Why wold you include the browser that you used? No good will come of putting it out there.

I suggest taking it down, pass on findings to Bitmain.  Proper reporting is important.  Going public is not best plan till it is fixed (assuming you found a security issue)

shodan - ninja : now will this help us take down the greedy centralized mining operators? lol ;-)

I guess hes not going to take it down.  But it is like a google but for security.  It scan's the internet for items and documents them where they are searchable.  I know this as I am actually a security major in my degree.  I got a shiny certificate when I graduated.  It is on my wall and is highest piece of paper Ive ever had .   I am one of the ethical ones.  I have a very clean record (which is needed when looking for jobs in this field in most cases).

But anyone reading this should really lock down your routers.  As the router is between the internet and your devices.  Do not leave router with default password.  I personally turned off a lot of items after the forum was hacked, it spurred me to harden my network.

[n3rvi0zz0]

Few months ago i was checking this exactly, with a simple dork to discover the antminers ( i will not write here ) and access to a network with few of them you can open your mine without worries for electricity costs   .

Yes you're not the only one who has told this to Bitmain, this is like the critical updates in the source code of bitcoin, happend after a big hack  


edited: the browser used for the test was edit

Why wold you include the browser that you used? No good will come of putting it out there.

I suggest taking it down, pass on findings to Bitmain.  Proper reporting is important.  Going public is not best plan till it is fixed (assuming you found a security issue)

shodan - ninja : now will this help us take down the greedy centralized mining operators? lol ;-)

I guess hes not going to take it down.  But it is like a google but for security.  It scan's the internet for items and documents them where they are searchable.  I know this as I am actually a security major in my degree.  I got a shiny certificate when I graduated.  It is on my wall and is highest piece of paper Ive ever had .   I am one of the ethical ones.  I have a very clean record (which is needed when looking for jobs in this field in most cases).

But anyone reading this should really lock down your routers.  As the router is between the internet and your devices.  Do not leave router with default password.  I personally turned off a lot of items after the forum was hacked, it spurred me to harden my network.

are you the owner of bit-x?

I know this as I am actually a security major in my degree.  I got a shiny certificate when I graduated.  It is on my wall and is highest piece of paper Ive ever had .   I am one of the ethical ones.  I have a very clean record (which is needed when looking for jobs in this field in most cases).

youre totally wrong this is one of the task of shodan the other 5 task are the good ones.
Im not have a degree like you but the way you talk im sure you can not compile your own exploit so, lets say you have knowledge about security that it.

the problem will note fisish jus with the api, they must change the headers, i will still know where are the miners cos they SCREAM in a  ANTMINER

[notlist3d]

are you the owner of bit-x?

No I am not, just part of signature campaign. In no way own/work for Bit-X. You will see some account's with them I won't go off topic to much.  But look over in services as far as what they are.

[crazyearner]

I wonder how the OP is getting on with fixing this as not posted back maybe fixed or still in process. Hope OP gets problem resolved and fixed and nice secure again.

[notlist3d]

I wonder how the OP is getting on with fixing this as not posted back maybe fixed or still in process. Hope OP gets problem resolved and fixed and nice secure again.

I'm thinking he did ok.  His last login: Last Active:    May 27, 2015, 11:29:31 PM

With it happening once it is pretty good chance they saved IP.   So I'm thinking once data center hardened it's connection he was fine.   Leaving it open with no firewall is a bad idea for any device.

But hopefully hes back to normal mining.