Virus - BOT

miner

#21

Hard to say.
Maybe open ports of VNC or ShellInABox,
maybe something else downloaded: repo, autofan, or custom miner.
It started one or two weeks before HiveOS 2.0 for me.


#22

Exactly the same happened for me. I’ve written about my problem above in a separate topic… The sad thing is that I got basically 0% response from the devs and I see a lot of people having problems with this stuff…


#23

I can try to help if you are actually “in problem”. So next time it happens let me know, I can give you some hints. Maybe it will be hard to synchronize (I’m in Canada), but I’ll keep this discussion open.

Steps to do to begin, when you have the problem:
1- Do this command: netstat -na | grep ESTA
2- Take the ports on “strange” connections (the number after the : before the ESTA)
3- Do this command: lsof -i:PORTNUMBER where PORTNUMBER is the port from #2
4- You will see a process name and a PID number, keep a note of them.
5- You can do: ps -ef | grep PID #to see the running process
6- You can do: lsof -p PID #to see all open files, sockets
7- You can do: cat /proc/PID/cmdline #like #5, you can see a bit more sometimes

From there you can have a lot of info, or none (if you have rootkits/obfuscated miners)
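The seven steps above scripted as shell functions, as an added example (not code from the thread or from HiveOS): `suspicious_ports` does steps 1 and 2 on `netstat -na` output, `inspect_port` does steps 3 to 7 for one port, and `triage_live` chains them on the real machine. It assumes the rig only needs to talk to the Hive API on 443 and a pool stratum port of 3333; put your own pool port(s) in `EXPECTED_PORTS`. The `SAMPLE_NETSTAT` text is constructed for offline testing and uses documentation addresses, not real peers.

```shell
#!/bin/sh
# Added example (not from the thread or HiveOS): scripted version of the
# triage steps in post #23. Functions only; nothing touches the live host
# unless you call triage_live yourself.

# Ports the rig is expected to talk to. ASSUMPTION: 443 for the Hive API and
# 3333 for the pool's stratum port; replace with your own pool port(s).
EXPECTED_PORTS="443 3333"

# Constructed sample of `netstat -na` output for offline testing. All
# addresses are documentation ranges, not real peers.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 10.0.0.5:44210          203.0.113.7:443         ESTABLISHED
tcp        0      0 10.0.0.5:51234          198.51.100.20:3333      ESTABLISHED
tcp        0      0 10.0.0.5:39988          192.0.2.10:8080         ESTABLISHED
tcp6       0      0 :::5900                 :::*                    LISTEN'

# Steps 1+2: read netstat output on stdin, keep ESTABLISHED lines and print
# "<remote port> <remote address:port>". The port is the last colon-separated
# field, so IPv6 peers such as ::1:3333 work too.
established_remote_ports() {
  awk '$6 == "ESTABLISHED" { n = split($5, a, ":"); print a[n], $5 }'
}

# Same, but drop peers on expected ports; what is left is the list of
# "strange" connections the post talks about.
suspicious_ports() {
  awk -v ok="$EXPECTED_PORTS" '
    BEGIN { n = split(ok, k, " "); for (i = 1; i <= n; i++) allow[k[i]] = 1 }
    $6 == "ESTABLISHED" {
      n = split($5, a, ":")
      if (!(a[n] in allow)) print a[n], $5
    }'
}

# Steps 3-7 for one port on the live host: map the port to PIDs with lsof,
# then show each process, its open files/sockets and its full command line.
inspect_port() {
  port=$1
  for pid in $(lsof -t -i :"$port" 2>/dev/null); do
    echo "== port $port -> PID $pid"
    ps -o pid,user,etime,cmd -p "$pid"
    lsof -p "$pid" 2>/dev/null | head -n 40
    # /proc/PID/cmdline is NUL-separated; tr makes it readable.
    tr '\0' ' ' < /proc/"$pid"/cmdline; echo
  done
}

# Full run against the real machine (needs net-tools and lsof installed).
triage_live() {
  netstat -na | suspicious_ports | while read -r port peer; do
    echo "## suspicious peer $peer"
    inspect_port "$port"
  done
}

# Offline demonstration on the constructed sample: prints the one peer that
# is not on an expected port.
printf '%s\n' "$SAMPLE_NETSTAT" | suspicious_ports
```

Run it with `sh triage.sh` to see the offline result, then source the file and call `triage_live` on the rig (as root, so lsof can see every process). A rootkit that hides sockets or processes will defeat this, which is the caveat the post already gives.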


#24

Wow Bagster,
great thing you did.
But for me it is a bit hard when I am a rookie in Linux :slight_smile:


#25

As long as you know how to start teleconsole/ShellInABox, you can do it on the console + Notepad on your PC.


#26

If the router firewall is not good enough.


#27

Any update? Still having the problem every day?


#28

Could be an issue with the ISP doing a man-in-the-middle attack. Or the mining pool.
As I’ve been operating pools before, there are many ways this can happen: pool-side, ISP or even pool-host issues.
(My pool is lyra2z.com.) You can try this and see if the problem remains; best would be to test all factors separately so you can rule things out.


#29

If it were MITM, his hashrate would have stayed the same locally, but not on the pool. Locally in the HiveOS interface he sees the hashrate going down, as if a 2nd miner took some processing power.


#30

Latest update:
I have changed the time zone of the rigs; I can now reboot them in the daytime, not at 2:30 at night.
Second, I have installed a fresh copy of HiveOS (new SSD) and now, on the second day, everything is OK.

Looking for strange connections and PROC is too hard work for me :slight_smile:


#31

Humm, so with your new fresh copy, try to harden it a bit. Change passwords, don’t forward unnecessary ports from the router (I hope your Hive IP is not facing the internet directly).


#32

Yes, sure.
I changed all passwords, turned off VNC, disabled ShellInABox, closed all ports :slight_smile: I guess that will be enough.


#33

What time zone did you change your rigs to? (+12 hours so you can do this at lunch?)
I still have my problem, which is close to yours (I’ve posted the link above). I don’t want to go into full details, but basically my rigs go offline every night and the HTTP test fails as curl to the HiveOS servers… Strangely, the cards stay at about 70% and their power draw is not low, but the miner seems not to run. Only a manual restart works; the watchdog doesn’t restart them etc… I tried adding one rig to a proxy today, but after that it fails to connect to the HiveOS servers, and even though it’s mining (everything running fine) it appears offline on the HiveOS page and I cannot control it by any means…


#34

I live in the +3 time zone so I changed to -4; then it happens in the morning at 9:30 a.m.
Why don’t you want to try a new fresh installation, on a new USB or SSD?


#35

I will do it as soon as I get physical access to my rigs, because they are 30 mins away by car. I will reinstall them.


#36

Did you change the password to the terminal? I noticed that root and user have the same password after installation and you should change them both. I once left a rig with unchanged password and it was silently taken over in under 2h.

There are bots out there that are programmed to try and get into your system if you left the default login information, and they’re quick about installing rootkits or just their own miner software, which was the case for me.

I started seeing my hashrate go down and load on the system skyrocketing so I went in and started digging, you may find these particular commands useful:

last - Shows you last successful logins to the system and by whom
lastb - Shows you last attempts to login to your system and user

top - Shows you system utilization, however, I prefer atop but it’s a 3rd party install

I found someone logged in as “user”, as obviously the password wasn’t changed, and they installed Ravencoin Miner under ~/home/user in a dot directory.

If your system’s been compromised and this way for a long time, I would reinstall and make sure you change passwords for “root” and “user” when you login to terminal by doing:

passwd user
passwd root

Hope this helps and good luck. If it always goes down exactly at 2:30am, there may be “cron” or “at” jobs somewhere that trigger their software at that time.
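A small cron audit that follows the last hint above, as an added example (not code from the thread or from HiveOS): `jobs_at MINUTE HOUR` reads crontab text and prints the entries scheduled at that time, and `audit_cron_live` runs it over the usual crontab locations on a Debian-based system such as HiveOS, then lists `at` jobs and systemd timers for review. The `SAMPLE_CRONTAB` text and the `/home/user/.cache/.x/run.sh` path in it are constructed for the offline demonstration.

```shell
#!/bin/sh
# Added example (not from the thread or HiveOS): audit cron/at entries for a
# given wall-clock time, following post #36's hint that a miner that starts
# at exactly 2:30 a.m. every night is probably scheduled. Functions only; the
# live audit runs only when you call audit_cron_live.

# Constructed crontab text for offline testing; the /home/user/.cache/.x path
# is invented for the example.
SAMPLE_CRONTAB='# constructed sample, not from any real rig
PATH=/usr/bin:/bin
0 * * * * /usr/bin/normal-hourly-check
30 2 * * * /home/user/.cache/.x/run.sh
0,30 2 * * * root /usr/local/bin/backup.sh
15 3 * * * /usr/sbin/logrotate /etc/logrotate.conf'

# jobs_at MINUTE HOUR: read crontab lines on stdin and print those whose
# minute and hour fields match. Handles "*" and comma lists (0,30); step and
# range syntax (*/5, 1-5) is not expanded, so review those lines by hand.
# Only fields 1 and 2 are checked, so both user crontabs (5 fields + command)
# and /etc/crontab style lines (with a user field) work.
jobs_at() {
  awk -v want_m="$1" -v want_h="$2" '
    function hit(field, want,   n, i, parts) {
      if (field == "*") return 1
      n = split(field, parts, ",")
      for (i = 1; i <= n; i++) if (parts[i] == want) return 1
      return 0
    }
    NF == 0 { next }                                  # blank lines
    /^[[:space:]]*#/ { next }                         # comments
    /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # VAR=value lines
    hit($1, want_m) && hit($2, want_h) { print }
  '
}

# Where cron persistence normally lives on Debian/Ubuntu based systems; run as
# root so other users' crontabs are readable. Output is prefixed with the
# file name so you know which crontab to clean.
audit_cron_live() {
  m=$1; h=$2
  for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
    [ -f "$f" ] || continue
    jobs_at "$m" "$h" < "$f" | sed "s|^|$f: |"
  done
  # at(1) jobs are one-shot and not in crontab format; list them for review.
  command -v atq >/dev/null 2>&1 && atq
  # systemd timers are a third scheduler worth checking on the same pass.
  command -v systemctl >/dev/null 2>&1 && systemctl list-timers --all --no-pager
}

# Offline demonstration on the constructed sample: the two entries that fire
# at 02:30.
printf '%s\n' "$SAMPLE_CRONTAB" | jobs_at 30 2
```

If the rig was moved to another time zone, as earlier posts describe, pass the local time the crash now happens at (e.g. `audit_cron_live 30 9`), since cron uses the system's local time. Entries under `/etc/cron.hourly` and friends are scripts, not crontab lines, and have to be read directly.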


#37

Same here, same hour, but not always.
Today didn’t.


#39

I think the problem is clear:
someone is scanning ports and via VNC, ShellInABox or others comes inside and adds a second miner somewhere.
To avoid that, I think we must close all ports on the router, disable VNC and ShellInABox and change all passwords.
And if you already have this problem, the best solution is a fresh install of HiveOS.


#40

You said someone is scanning ports. Just at 2:30am (SERVER TIME)? How does “someone” know that it’s 2:30 on the server? We have the same symptoms even when we change timezones or so.
A few systems with exactly the same settings and spec work with no problems for weeks or even months, but some crashed as soon as you set the timezone to get near 2:30am!
99.9% it’s a Hive scripts or packages problem, but as the guys said above, HiveOS developers simply don’t care about their customers who pay money! :frowning:


#41

I suspect that somehow the infection of the system injected some script that at exactly 2:30 a.m. launches another miner which mines to another wallet.