Re: Claymore's Dual Ethereum AMD+NVIDIA GPU Miner v10.1 (Windows/Linux)
Recently, I was hacked using a bruteforce attack.
Somehow, someone found my ddns, my remote management port (it's not the default one) and he was able to bruteforce the password until he succeeded. The hacker was able to upload a epools dpools and custom config.txt file and restart the miner. A couple of minutes after, I noticed the hack and quickly erased those files because I don't use any of them and I've also disabled the remote management feature.
@Claymore, are there any anti-bruteforce measures implemented on your miner? If not, consider adding something like a lockdown after "x" invalid login attempts.
Also, it's possible to flood the miner if you start refreshing the rig stats too often. You can send http requests as many times as you want and that creates an overflow of refreshes on the miner stats. It's basically a DoS attack. It floods the log file, uses CPU time on the miner and some bandwidth. Consider adding an http login feature so that you can't check your miner's stats on your browser without the correct user/password combo.
Thanks
Somehow, someone found my ddns, my remote management port (it's not the default one) and he was able to bruteforce the password until he succeeded. The hacker was able to upload a epools dpools and custom config.txt file and restart the miner. A couple of minutes after, I noticed the hack and quickly erased those files because I don't use any of them and I've also disabled the remote management feature.
@Claymore, are there any anti-bruteforce measures implemented on your miner? If not, consider adding something like a lockdown after "x" invalid login attempts.
Also, it's possible to flood the miner if you start refreshing the rig stats too often. You can send http requests as many times as you want and that creates an overflow of refreshes on the miner stats. It's basically a DoS attack. It floods the log file, uses CPU time on the miner and some bandwidth. Consider adding an http login feature so that you can't check your miner's stats on your browser without the correct user/password combo.
Thanks