This repository has been archived by the owner on Nov 11, 2021. It is now read-only.

Potential security flaw #116

Closed
danarmstrong opened this issue Dec 1, 2014 · 14 comments
Comments

@danarmstrong

I've had my minera system exposed to the internet for a while and over the last week I've noticed that my settings have been altered numerous times to point to a different pool with someone else's worker information. I changed the Minera password each time I noticed it and ran checks on my system security and Minera appears to be the only culprit. For the time being I have pulled it off of the internet and will see if I can find out how the breach is occurring.

@michelem09
Member

Please check that you have changed all the default passwords on your Minera system; there are at least 3 passwords to be changed before exposing it to the Internet:

  • Minera web password: go to web settings page, scroll down and change it
  • minera system user: SSH into it and do sudo passwd minera
  • pi system user: SSH into it and do sudo passwd pi

After doing that you can expose it to the Internet, but as a precaution I'd change the default SSH config to not permit password access, allowing access based only on SSH keys (you can check something like this: http://www.cyberciti.biz/faq/how-to-set-up-ssh-keys-on-linux-unix/).

@danarmstrong
Author

All of these steps had been done prior to web exposure. Unless they scrubbed their tracks very well, only the web account appears to have been compromised.

@michelem09
Member

Hmm, probably the best try is to look at the web server logs and the Minera ones. Could you find something bad? Without info it's really hard for me to understand what happened there.

@danarmstrong
Author

It would probably be better if you didn't store the password in plaintext in the database.

@michelem09
Member

Well, yes, I could try to encrypt it, but understanding what the problem is could be helpful too. It's really strange that they can get the password from the DB; I mean they probably could do that only by accessing the controller over SSH, so probably there is a flaw before that.

@PartTimeLegend
Contributor

Just out of curiosity have you run sudo apt-get -y update && sudo apt-get -y upgrade && sudo apt-get -y dist-upgrade recently? You remember Heartbleed and ShellShock? If you didn't patch, you're still vulnerable.

Minera does not perform package updates. To me this is considered out of scope for a mining controller and comes under the scope of OS maintenance.

@ronakevolution

I have already had the same problem for the second time. I had all 3 passwords changed, all updates done, etc. But it has now happened for the second time that the same person has hacked my system. My Pi is also accessible via the Internet. How was it possible to find it?? It must have been something specific they looked for.

The pool he had selected didn't even work correctly.
He had this address: VqSPcvUXVc2tg9sFSKHS8kKGNNZXYTG5sx.80

I'm not that familiar with Linux. Would it help if I provided the image?

@sassod

sassod commented Dec 4, 2014

As far as I know there are 4 passwords that need to be changed:

Usernames:

  • pi
  • root
  • minera
  • web access: minera

@ronakevolution

The address VqSPcvUXVc2tg9sFSKHS8kKGNNZXYTG5sx is in the database at

http://www.simplemulti.com/stats/VqSPcvUXVc2tg9sFSKHS8kKGNNZXYTG5sx

as a highly fluctuating worker.

That is something that needs to be addressed instantly, I think.

br


@michelem09
Member

@ronakevolution if you can make an image from your hacked SD and tell me where to download it, that could be really helpful!

If you can't, please look at logs and send me something (in PM please to "michele AT befree DOT it"):

/var/logs/syslog
/var/log/minera/log-<date>.php
/var/log/auth
last -a

@danarmstrong
Author

I am currently running penetration tests against Minera to see if anything in the software is allowing this to happen. I won't claim that my box is unbreakable, but the security is significantly greater on it than on the average Ubuntu machine. I have analyzed the system and there are no traces of a user having gained access to it. Also, the user identified above is the same user that changed my rig.

@michelem09
Member

You can stop investigating, I just found the security holes in Minera.
Tomorrow I'll give you the patch, and I should spread it urgently because they are big ones.

@michelem09 michelem09 added the bug label Dec 4, 2014
@michelem09
Member

@danarmstrong I have pushed the fix to the developing branch (0de8c8a).
This is a big hole: I completely forgot to check for the user session in the API controller functions, giving the attacker the possibility to do almost everything (start/stop/save settings/etc).

I think I will release it on master branch within the next major release, I hope to do it next week.

I'm going to warn forum users too.

Thanks for pointing me there.
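As an added illustration (not Minera's own code, which is not shown in this thread), this PHP sketch has the shape of the hole described above, an API action that saves pool settings without ever consulting the session, next to a session guard every action calls first and a login that verifies a stored password hash rather than a plaintext value; the field names, function names and sample values are made up.

```php
<?php
// Added example, not Minera's code. The pool_url/pool_worker fields,
// the logged_in flag and the api_* names are made up for illustration.
// Vulnerable shape: the API action never looks at the session, so any
// request that reaches the URL can repoint the miner to another pool.
function api_save_settings_vulnerable(array $request, array &$settings): string
{
    $settings['pool_url']    = $request['pool_url'];
    $settings['pool_worker'] = $request['pool_worker'];
    return 'saved';
}

// Hardened shape: one guard that every API action calls before doing work.
function require_session(array $session): void
{
    if (($session['logged_in'] ?? false) !== true) {
        throw new RuntimeException('authentication required');
    }
}

function api_save_settings(array $session, array $request, array &$settings): string
{
    require_session($session);
    $settings['pool_url']    = $request['pool_url'];
    $settings['pool_worker'] = $request['pool_worker'];
    return 'saved';
}

// Login that sets the session flag. Only a password hash is stored, so a
// copy of the settings DB no longer gives away the web password.
function login(array &$session, string $supplied, string $storedHash): bool
{
    if (!password_verify($supplied, $storedHash)) {
        return false;
    }
    $session['logged_in'] = true;
    return true;
}

// Constructed demo values.
$settings = ['pool_url' => 'stratum+tcp://pool.example:3333', 'pool_worker' => 'owner.rig1'];
$hostile  = ['pool_url' => 'stratum+tcp://other.example:3333', 'pool_worker' => 'stranger.w1'];
$session  = [];
$hash     = password_hash('example-password-change-me', PASSWORD_DEFAULT);

api_save_settings_vulnerable($hostile, $settings);   // unauthenticated write succeeds
try { api_save_settings($session, $hostile, $settings); } catch (RuntimeException $e) { echo "no session: ", $e->getMessage(), "\n"; }
echo 'wrong password: ', var_export(login($session, 'wrong', $hash), true), "\n";
echo 'correct password: ', var_export(login($session, 'example-password-change-me', $hash), true), "\n";
echo api_save_settings($session, ['pool_url' => $settings['pool_url'], 'pool_worker' => 'owner.rig2'], $settings), "\n";
```

The guard is the whole fix: once every API action starts with require_session(), a request that arrives without a logged-in session is rejected before any setting is touched.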

@danarmstrong
Author

Thank you for fixing this issue. I'm sure many people will rest easy knowing that a fix is coming soon.

@michelem09
Member

This is fixed by 0.4.0.
