Post
Topic
Board Pools (Altcoins)
Re: [ANN][POOL] Profit switching pool - wafflepool.com
by comeonalready on 26/03/2014, 06:28:57 UTC
My hashing rate just went down by about 14% for a bit, although cgminer rate displayed was basically unchanged, so I did a netstat on my 3 rigs.  All of them had the following connection displayed:

ns236914:3333

It was only for a few minutes, going back up now.
You didn't get an ip for ns236914 ?

zomg!!! netstat -n !!!

Yeah, I did…but the reference for the name was more interesting.  lol

You gonna be ok?

ip 192.99.35.62

Tracert displays:

Tracing route to ns236914.ip-192-99-35.net [192.99.35.62]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  phub.net.cable.rogers.com [192.168.0.1]
  2     *        *        *     Request timed out.
  3    10 ms    11 ms    10 ms  24.156.136.9
  4    15 ms    15 ms    15 ms  gi-0-1-3.gw01.grnsbr.phub.net.cable.rogers.com [24.153.7.1]
  5    13 ms    13 ms    15 ms  69.63.250.97
  6     *        *        *     Request timed out.
  7    51 ms     *       22 ms  mtl-2-6k.qc.ca [178.32.135.71]
  8    23 ms    23 ms    22 ms  bhs-g2-6k.qc.ca [198.27.73.7]
  9    22 ms    21 ms     *     bhs-4a-6k.qc.ca [198.27.73.224]
 10    23 ms    22 ms    21 ms  ns236914.ip-192-99-35.net [192.99.35.62]

Anything look odd in that route?

The results of this specific traceroute may or may not reveal anything regarding the nature of the redirection attack, and to make a determination as to whether it contains any useful information, you must first conclusively determine whether your miner received and processed a client.reconnect command message leading it to that server. Here's why. If your miner received and processed client.reconnect to another server, then you may now be connecting to that rogue server via an uncompromised route, with a transient compromised route only having been used to connect to the first rogue server issuing that client.reconnect command message (i.e. attacker enabling and disabling redirection intermittently in order to make it more difficult to track down). However, if your miner never received and processed a client.reconnect command message (which is within the realm of possibility because you are still mining on the original wafflepool TCP port 3333), then this traceroute result could actually be showing somewhere within it a redirection. So, scour your logs if you have received reconnection requests, and enable verbose logs if you don't!
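The log check described in the post above, as an added example that is not part of the original post: it scans captured stratum traffic (one JSON message per line) for client.reconnect and flags any target outside the configured pool. The EXPECTED endpoint, the function name and the sample lines are assumptions constructed for illustration; a real miner's verbose log wraps these messages in its own line format.

```python
import json

# Assumption: the endpoint(s) the miner was deliberately configured to use.
EXPECTED = {("wafflepool.com", 3333)}

# Constructed sample of raw server-to-miner stratum lines (not real captures).
SAMPLE = [
    '{"id":1,"result":[[["mining.notify","ae68"]],"f8002c90",4],"error":null}',
    '{"id":null,"method":"mining.set_difficulty","params":[512]}',
    '{"id":null,"method":"client.reconnect","params":["ns236914.ip-192-99-35.net",3333,0]}',
    '{"id":null,"method":"client.reconnect","params":[]}',
    'garbage that is not JSON',
    '{"id":null,"method":"client.reconnect","params":["wafflepool.com","3333",5]}',
]

def find_reconnects(lines, expected=EXPECTED, current=("wafflepool.com", 3333)):
    """Return one finding per client.reconnect message seen in `lines`.

    `current` is the endpoint the session was using; stratum treats a
    reconnect with no host/port as "reconnect to the same server".
    """
    findings = []
    for lineno, raw in enumerate(lines, 1):
        try:
            msg = json.loads(raw)
        except ValueError:
            continue  # skip non-JSON log noise
        if not isinstance(msg, dict) or msg.get("method") != "client.reconnect":
            continue
        params = msg.get("params")
        if not isinstance(params, list):
            params = []
        # params layout: [hostname, port, wait_seconds]; all optional.
        host = str(params[0]).lower().rstrip(".") if params and params[0] else current[0]
        try:
            port = int(params[1]) if len(params) > 1 else current[1]
        except (TypeError, ValueError):
            port = None  # malformed port is itself worth flagging
        findings.append({"line": lineno, "host": host, "port": port,
                         "unexpected": (host, port) not in expected})
    return findings

if __name__ == "__main__":
    for f in find_reconnects(SAMPLE):
        tag = "UNEXPECTED" if f["unexpected"] else "ok"
        print(f"line {f['line']}: reconnect -> {f['host']}:{f['port']} [{tag}]")
```

An empty result over a complete verbose capture corresponds to the second case in the post: the miner was never told to reconnect, so any redirection happened below the stratum layer.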