trailofbits / algo

Set up a personal VPN in the cloud
https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
GNU Affero General Public License v3.0
28.55k stars 2.31k forks

GCP - shutdown for cryptocurrency mining ? #14159

Open jspasiuk opened 3 years ago

jspasiuk commented 3 years ago

Does anyone have this issue? This is the second time that Google shut down the VM created with the script:

> We've detected that your Google Cloud Project Simple S (id: XXXX) IP XXXX is violating the Supplemental Terms and Conditions For Google Cloud Startup Program by engaging cryptocurrency mining, resulting in the suspension of all project resources displaying this behavior.

Any idea what is causing this?

davesdere commented 3 years ago

This is a bit eerie. I hope this repo wasn't the victim of a supply chain attack...

kdavidson007 commented 3 years ago

I encountered this same issue as well with Google—three times in the last 24 hours.

jspasiuk commented 3 years ago

More info about this issue:

> This activity took place from IP add_source_ip 35.xxx.xxx.xx which contacted the following IP’s 54.37.7.208 between 2021-02-23 07:49 and 2021-02-23 08:32 (Pacific Time).

And the IP 54.37.7.208 is from https://web.xmrpool.eu/

davidemyers commented 3 years ago

If they're basing mining detection on who your server connects to then any of your VPN clients could be the cause of this issue.

kdavidson007 commented 3 years ago

@davidemyers In my case, I'm only using this for personal use—there are no other VPN clients. Any idea what might be causing this? It's happening repeatedly, and I'm no longer able to use GCE without it being shut down.

> If they're basing mining detection on who your server connects to then any of your VPN clients could be the cause of this issue.

davidemyers commented 3 years ago

I think you need to review the software on whatever client you're using to see if you can find an application that's behaving unexpectedly.

If you deployed your AlgoVPN with ad blocking enabled you can try putting the suspect domain name in /etc/dnscrypt-proxy/black.list, then running sudo /usr/local/sbin/adblock.sh.

If you didn't deploy with ad blocking, you can try editing /etc/dnscrypt-proxy/dnscrypt-proxy.toml and using the [blacklist] feature to block the suspect domain.

Or you can give up on GCE and try another provider.
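
To separate the two explanations raised in this thread (a VPN client reaching the reported address through the tunnel versus the server itself connecting to it), one option is to inspect the server's connection-tracking table. The following is an added example, not code from the thread or from Algo; it parses constructed `conntrack -L` output, and the client subnet 10.49.0.0/16, the server address 10.128.0.2 and the function name `attribute_flows` are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of `conntrack -L` output (not real data). 10.49.0.0/16
# stands in for the VPN client subnet and 10.128.0.2 for the server's own
# address; both are assumptions, substitute your deployment's values.
SAMPLE = """\
tcp 6 431990 ESTABLISHED src=10.49.0.2 dst=54.37.7.208 sport=51514 dport=3333 src=54.37.7.208 dst=10.128.0.2 sport=3333 dport=51514 [ASSURED] mark=0 use=1
tcp 6 431800 ESTABLISHED src=10.49.0.2 dst=54.37.7.208 sport=51520 dport=3333 src=54.37.7.208 dst=10.128.0.2 sport=3333 dport=51520 [ASSURED] mark=0 use=1
tcp 6 86 TIME_WAIT src=10.49.0.3 dst=198.51.100.7 sport=40112 dport=443 src=198.51.100.7 dst=10.128.0.2 sport=443 dport=40112 [ASSURED] mark=0 use=1
udp 17 25 src=10.128.0.2 dst=198.51.100.53 sport=43211 dport=53 src=198.51.100.53 dst=10.128.0.2 sport=53 dport=43211 mark=0 use=1
"""

PAIR = re.compile(r"\b(src|dst)=(\S+)")


def attribute_flows(conntrack_text, suspect_ip, vpn_net):
    """Count flows to suspect_ip, split by who opened them.

    The first src=/dst= pair on a conntrack line is the original (pre-NAT)
    direction, so its src is the real initiator: a VPN client's tunnel
    address, or the server itself. The reply-direction pair is ignored so
    return traffic is not counted twice.
    """
    suspect = ipaddress.ip_address(suspect_ip)
    net = ipaddress.ip_network(vpn_net)
    result = {"vpn_clients": Counter(), "server": Counter()}
    for line in conntrack_text.splitlines():
        orig = dict(PAIR.findall(line)[:2])
        try:
            src = ipaddress.ip_address(orig["src"])
            dst = ipaddress.ip_address(orig["dst"])
        except (KeyError, ValueError):
            continue  # blank, header or malformed line
        if dst != suspect:
            continue
        bucket = "vpn_clients" if src in net else "server"
        result[bucket][str(src)] += 1
    return {k: dict(v) for k, v in result.items()}


if __name__ == "__main__":
    print(attribute_flows(SAMPLE, "54.37.7.208", "10.49.0.0/16"))
```

Flows counted under `vpn_clients` point at a device behind the tunnel; flows counted under `server` mean the VM itself opened the connection and should be investigated as a host compromise.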

Jean-Cote commented 2 years ago

You might ask Google directly about this. They might help you. Please let us know here. Thanks. I do not have this issue in a Google Cloud or DigitalOcean instance by the way.

magicknight commented 1 year ago

Same here. Google closed my whole project.

divakar-dubey-softfix commented 2 weeks ago

I encountered this same issue as well with Google—two times in the last 7 days.