Important: Delete Excawataor.ps1 and check your systems for viruses #2228
Comments
This new version doesn't have that fix we just did.
Correct. This will be in 3.10 Beta 9
@UselessGuru I don't think releases are tracked: https://github.com/organizations/MultiPoolMiner/settings/audit-log I've changed my password as a precaution.
I cannot access these logs. Error 404. Did you change the permissions on the repo? All collaborators have at least admin rights. ??? BTW: Any input on the changes/enhancements I made to 3.1.0 (beta)?
I've checked the security tab in my profile and don't see any suspicious logins or other activity. And my account uses 2FA. Doesn't appear to have come from my account.
Nothing suspicious in my security profile. And I changed my GitHub password.
I was able to contact GitHub support and get a record of the changes made to that release. @aaronsace it shows you edited the release 21 times between 2019-10-18 and 2018-10-26 - was that actually you, changing some wording or something? If not, I would strongly advise you to check the security page of your profile for any suspicious activity and anything else that they might have done through your account. If you can, I'd also make sure you're using 2FA for GitHub. Contact me on Skype if you want me to forward you the logs GitHub sent me. For anyone that was affected: We don't know what the payload(s) were. The files the virus downloaded from a Russian website are gone now, so I can't analyze them. If you downloaded 3.0.1 any time between October 18 and November 09, I'd strongly recommend you carefully check your systems for viruses, or better yet wipe them completely. If you store your bitcoin wallet on the same computer you mine on, I'd also encourage you to create a new wallet from a computer you know isn't affected, and transfer any bitcoin you have to that new wallet. This is just a precaution - we don't know what the payload did, or what they were after. But since they specifically targeted mining software, there's a good chance they'd try to go after people's wallets. Likewise, changing passwords to miningpoolhub, any exchanges you use, or just all websites in general would be a good precaution.
I've downloaded 7a, 8a, 10 but did not see any of the files except Wrapper.ps1, but it looks like an empty file. But there is a problem with my earnings on Zpool: 0,00095 ±10 % x2 (2 computers), but I earned in the last 24h 0.000395, and the day before 0.000627, and the day before 0.000062. I think removing the x16r algo
Wrapper.ps1 needs to be empty. That is OK.
I asked on Zpool chat, they said x16r was not good to mine, I should remove the algo
Important!!!
The 3.0.1 release zip file got tampered with on Oct. 18th. 2018.
I've created a cleaned release which can be downloaded here:
MultiPoolMiner_3.0.1a_Release.zip
SHA256 Hash 518C520A1B6F99306D58F2011DE96AE1BDC7CA87CEE9B0037480A8D9C0B4FE56
Actions required
Delete the following files immediately (if present):
Reboot & Check your rig for viruses
Wrapper.ps1 needs to be replaced with a file from the cleaned release (see below).
To be safe, delete the whole MPM folder (just keep the config & stat files). Then download and install MPM again.
@aaronsace
Do you have any information (or have transfer logs) to find out who uploaded the manipulated file?
What happened???
On Oct. 26th an unknown source replaced the master release file with a tampered package that contains malicious code.
Two files were tampered with:
Wrapper.ps1 calls Excawator.ps1
Excawator.ps1 is a malicious script that contains encrypted code.
The decrypted code is shown below:
As some users have reported, the malicious code fails to execute and throws errors on some systems.
#2227 (comment)
#2215
We cannot say whether the exploit generally failed.
Edit: Github logs show the release was first tampered with on October 18th, up until November 4th. Changed this post to reflect that -grantemsley
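The "Actions required" list above boils down to three checks: the downloaded archive hashes to the posted SHA256, no Excawator.ps1 is present under the MPM folder, and Wrapper.ps1 is empty. The following PowerShell script is an added example of running those checks; it is not part of MultiPoolMiner and was not posted in this issue. It assumes the caller supplies the MPM folder path and the path of the downloaded MultiPoolMiner_3.0.1a_Release.zip; the expected hash is the one given above.

```powershell
# Added verification helper; not MultiPoolMiner code and not from this issue.
# Assumptions: $MpmFolder and $ReleaseZip are supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $MpmFolder,
    [Parameter(Mandatory)] [string] $ReleaseZip
)

# SHA256 posted in the issue for MultiPoolMiner_3.0.1a_Release.zip.
$ExpectedSha256 = '518C520A1B6F99306D58F2011DE96AE1BDC7CA87CEE9B0037480A8D9C0B4FE56'
# File names the issue identifies as part of the tampered package.
$MaliciousNames = @('Excawator.ps1')

$findings = New-Object System.Collections.Generic.List[string]

# 1. Verify the downloaded archive against the published hash.
if (Test-Path -LiteralPath $ReleaseZip) {
    $actual = (Get-FileHash -LiteralPath $ReleaseZip -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256) {
        $findings.Add("HASH MISMATCH: $ReleaseZip is $actual, expected $ExpectedSha256")
    }
} else {
    $findings.Add("Release archive not found: $ReleaseZip")
}

# 2. Look for the malicious script anywhere under the MPM folder.
foreach ($name in $MaliciousNames) {
    $hits = Get-ChildItem -LiteralPath $MpmFolder -Recurse -File -Filter $name -ErrorAction SilentlyContinue
    foreach ($hit in $hits) {
        $findings.Add("Malicious file present: $($hit.FullName)")
    }
}

# 3. A clean Wrapper.ps1 is empty; any content at all is suspicious.
$wrappers = Get-ChildItem -LiteralPath $MpmFolder -Recurse -File -Filter 'Wrapper.ps1' -ErrorAction SilentlyContinue
foreach ($w in $wrappers) {
    if ($w.Length -gt 0) {
        $findings.Add("Wrapper.ps1 is not empty ($($w.Length) bytes): $($w.FullName)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: hash matches, no Excawator.ps1 found, Wrapper.ps1 is empty.'
    exit 0
} else {
    foreach ($f in $findings) { Write-Warning $f }
    exit 1
}
```

Run it as `.\Check-Mpm.ps1 -MpmFolder C:\MPM -ReleaseZip C:\Downloads\MultiPoolMiner_3.0.1a_Release.zip` (file and paths are placeholders). A non-zero exit means at least one check failed; per the post above, the safe response is to delete the whole MPM folder (keeping only config and stat files) and reinstall from the cleaned release rather than trying to repair files in place.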