Topic: My EthOS instances, hacked
Board: Mining (Altcoins)
by aar on 24/09/2018, 19:44:40 UTC
Merited by suchmoon (4), not.you (2)
Was running 1.3.1, this morning they're all pointed at a different pool.

Looks like every one of my 4 machines has been rooted, with TeamViewer and a few other things automatically installed (and run).

02:35 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ ps -ef | grep eam
root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f

Can update local.conf, and has been forced to this wallet proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60

Which appears to be mining now on various pools (I was on nanopool) - suspect I am not the only one exploited.

But if you check etherscan, a lot of payments coming from other pools.

And yes, my SSH login was secure.

I suspect this was caused by an exploit in ShellInABox (easy to google it). A very old version comes packaged with ethOS.

02:38 PM ethos@49a38f 192.168.0.118 [miner started] /home/ethos $ /usr/bin/shellinaboxd --version
ShellInABox version 2.10 (revision 239)

I've stopped the hack with sudo mv /opt/miners/claymore /opt/miners/clayno, which leaves my machines useless.

[Killing the miner doesn't work, as it auto reboots; can't change wallet config, as it's mounted read-only; lots of horrible kit things also there.]

Does anybody know where the EthOS devs are?

If you get bored, you can track the money to https://etherscan.io/address/0x003e36550908907c2a2da960fd19a419b9a774b7
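
A triage sketch for the indicators named in the post (a changed proxywallet, a teamviewerd process running as root, the bundled shellinaboxd), added here as an example and not part of the original post or of ethOS. It assumes the config holds one `proxywallet <address>` entry per line; the function names, the sample evidence files and the `EXPECTED_WALLET` placeholder are constructed for illustration.

```shell
#!/bin/sh
# Added example: host triage for the indicators named in the post above.
# Inputs are files, so the checks work on saved evidence as well as live output.

# Print every proxywallet value in the config that is not the expected payout
# address (case-insensitive). Exit status 0 means at least one mismatch.
wallet_mismatches() {  # $1 = config file, $2 = expected wallet
    awk -v want="$2" '
        $1 == "proxywallet" && tolower($2) != tolower(want) { print $2; bad = 1 }
        END { exit !bad }' "$1"
}

# Read `ps -ef` output on stdin and print rows whose command (field 8) is a
# teamviewerd binary, the daemon the poster found running as root.
remote_access_procs() {
    awk '$8 ~ /(^|\/)teamviewerd$/'
}

# Read `shellinaboxd --version` output on stdin and print the version number.
shellinabox_version() {
    sed -n 's/^ShellInABox version \([0-9][0-9.]*\).*/\1/p'
}

# Run all three checks and print one finding per line.
triage() {  # $1 = config, $2 = expected wallet, $3 = ps output, $4 = version output
    wallet_mismatches "$1" "$2" | sed 's/^/unexpected proxywallet: /'
    remote_access_procs < "$3" | sed 's/^/remote-access daemon: /'
    v=$(shellinabox_version < "$4")
    [ -n "$v" ] && echo "shellinaboxd installed, version $v"
    return 0
}

# Constructed sample evidence, built from the lines quoted in the post.
SAMPLE_DIR=$(mktemp -d)
printf 'proxywallet 0x00351843e3e2fbaa8e1e87dd962c90b999acee60\n' > "$SAMPLE_DIR/local.conf"
printf '%s\n' 'root       731     1  0 14:31 ?        00:00:00 /opt/teamviewer/tv_bin/teamviewerd -f' \
              'ethos      900   880  0 14:35 pts/0    00:00:00 grep eam' > "$SAMPLE_DIR/ps.txt"
printf 'ShellInABox version 2.10 (revision 239)\n' > "$SAMPLE_DIR/ver.txt"

EXPECTED_WALLET=0xYOUR_OWN_PAYOUT_ADDRESS   # placeholder, replace with your own
triage "$SAMPLE_DIR/local.conf" "$EXPECTED_WALLET" "$SAMPLE_DIR/ps.txt" "$SAMPLE_DIR/ver.txt"
```

On a live rig the same functions can be fed `ps -ef` and `shellinaboxd --version` output captured to files, ideally from a known-good boot medium, since tools on a rooted host cannot be trusted.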