I was hacked, management port on Claymore miner open by default. DAMN!!! #96
Side question, but even if the management port was opened in the client, the port would need to be port-forwarded through your network firewall (assuming you have a standard wireless router at home). If the port is not forwarded and you are behind a NAT'd device, then no one would have been able to connect to this port even if the client has it opened. I guess what I am saying here is: if you are not behind some sort of NAT'd / firewalled network device where this machine is located, you have bigger concerns than someone being able to access the port (if it's opened, haven't checked) on this client.
Also, with Claymore, remember a certain percentage of time is mined towards Claymore's wallet as his fee. My guess is this is what is really going on here.
@lmlim I was about to say the same as @computeronix. Claymore (like other miners) binds to localhost address only. This is not normally accessible from outside the router. In order to get exploited, you need to have your router set up to allow port forwarding; then somebody on the outside needs to know your IP address in order to access the admin interface on your rig. Obviously, this can't happen by accident. If you are indeed hacked, it is not the fault of NHM and Claymore, and may happen again. First thing you should do is check your router NAT settings for any unusual settings. Also, if the router supports DMZ, check if by any chance your mining rig is not assigned to the DMZ VLAN (very unlikely but still). P.S. Disabling UPnP is always a great idea.
Yes, but Claymore has a 2% fee AFAIK; that's ~72 seconds of GPU time per hour.
Over the course of a week that could be ~2.5 hrs.
@gpcola Ah, good point :) From the original post it wasn't clear whether these 2.5 hours are a single period of time or accumulated over a longer period.
Thanks everyone for replying. The incident happened from ~1:45 AM to ~4:15 AM July 24th. My mining work was 0 from all of my rigs during that time, but all rigs were running OK (no crash, no freeze, nothing) when I woke up that morning. It seems like my wallet was replaced temporarily for 2.5 hrs and then reverted back. I am not pointing fingers at Claymore/NiceHash. It's not 2.5 hrs of devfee accumulated from a week's work as someone mentioned either. I already checked everything that you guys mentioned regarding routers, DMZ, NAT, etc. They are all in the state they should have been, except UPnP was enabled; I have disabled it since. My question: is there a way to disable the management port from the NH GUI? Adding -mport 0 from extra launch param didn't work for me....
Which Claymore miner were you using? By default they bind to localhost, i.e. 127.0.0.1. With that it would be impossible to "hack" into the remote management port unless they had access to your actual computer. A port bound to localhost cannot be accessed even from computers on your local network (unless you've modified your Windows install to allow remote localhost access), let alone remote PCs (regardless of router settings). Of course I'm not trying to say you didn't get hacked, but with the default behaviour of Claymore/NHML the hacker would have to have a lot more access to your PC than just the port! Locking down the remote management is an option, but currently NHML does this so it can get speed info to display. I believe there is a readonly option for Claymore remote management which I will look into for the next release.
Thanks for replying, Mr Dillon. I am using the latest one, ver 9.7, that comes with NHML 1.8.0.2.
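The check that the two comments above rest on (the management port is bound to 127.0.0.1 rather than to every interface, so nothing outside the rig can reach it) can be verified on the rig itself rather than argued about. Below is an added example, not code from this thread, from NiceHash or from Claymore: a Python script that parses `netstat -an`-style output (the Windows and Linux sample lines in it are constructed for the example) and reports whether the port set with `-mport` (3333, the default the thread mentions) is listening on the loopback address only, on all interfaces, or not at all. The function names, the sample output and the port default are assumptions of this example; in practice you would pipe the real `netstat -an` output of the rig into `audit_management_port`.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import ip_address

# Claymore's default management port as stated in the thread (assumption for this example).
DEFAULT_MGMT_PORT = 3333

# Matches LISTEN rows from `netstat -an` on Windows, e.g.
#   TCP    127.0.0.1:3333         0.0.0.0:0              LISTENING
# and from `netstat -tln` on Linux, e.g.
#   tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN
# Group 1 is the protocol column, group 2 the local address:port column.
LINE_RE = re.compile(
    r"^\s*(tcp6?)\s+(?:\d+\s+\d+\s+)?(\S+)\s+\S+\s+LISTEN(?:ING)?\b",
    re.IGNORECASE,
)


@dataclass
class Listener:
    proto: str
    address: str
    port: int

    @property
    def scope(self) -> str:
        """'loopback', 'wildcard' (all interfaces), 'specific' (one NIC) or 'unknown'."""
        if self.address in ("*", "0.0.0.0", "::"):
            return "wildcard"
        try:
            ip = ip_address(self.address)
        except ValueError:
            return "unknown"
        if ip.is_loopback:
            return "loopback"
        if ip.is_unspecified:
            return "wildcard"
        return "specific"


def parse_listeners(text: str) -> list[Listener]:
    """Extract listening TCP sockets from netstat-style output."""
    listeners: list[Listener] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local = m.group(1).lower(), m.group(2)
        # Split on the last ':' so IPv6 forms like ':::3333' and '[::]:3333' survive.
        addr, sep, port = local.rpartition(":")
        if not sep or not port.isdigit():
            continue
        addr = addr.strip("[]") or "::"
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def audit_management_port(text: str, port: int = DEFAULT_MGMT_PORT) -> dict:
    """Classify how the miner's management port is bound.

    state is 'absent' (nothing listens on the port), 'loopback' (only reachable from
    the rig itself, the situation the thread describes as safe) or 'exposed'
    (reachable from the LAN, and from the internet if a forwarding or UPnP rule exists).
    """
    hits = [l for l in parse_listeners(text) if l.port == port]
    if not hits:
        state = "absent"
    elif all(l.scope == "loopback" for l in hits):
        state = "loopback"
    else:
        state = "exposed"
    return {"state": state, "listeners": hits}


# Constructed sample output (not captured from a real rig).
WINDOWS_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:3333         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49700     104.25.1.1:443         ESTABLISHED
"""

LINUX_SAMPLE = """\
tcp        0      0 0.0.0.0:3333            0.0.0.0:*               LISTEN
tcp6       0      0 :::3333                 :::*                    LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
"""

if __name__ == "__main__":
    for label, sample in (("windows-sample", WINDOWS_SAMPLE), ("linux-sample", LINUX_SAMPLE)):
        result = audit_management_port(sample)
        print(f"{label}: management port {DEFAULT_MGMT_PORT} is {result['state']}")
        for l in result["listeners"]:
            print(f"  {l.proto} {l.address}:{l.port} ({l.scope})")
```

A "loopback" result confirms what the comments say: the only way to the management interface is from the rig itself. An "exposed" result means the port is reachable on the LAN, and whether it is reachable from the internet then depends on the router's forwarding rules and on UPnP, which is exactly why the advice in this thread is to inspect the NAT table and turn UPnP off.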
NHM apps rely on the NiceHash API to get information. As far as hash power sellers are concerned, this API is read-only and allows access to a subset of the information that NiceHash keeps about your mining process. The monitor app does not communicate with your rig and the API cannot be used to switch BTC addresses. The breach is highly unlikely to have come through there.
Hold on there. Are you saying your wallet was replaced, or that it looks as if it's been replaced because its balance did not increase for a period of 2.5 hours? Because now that I read this, it looks as if you are jumping to a conclusion without actual evidence. Did you have to set the old wallet address back with your own hands?
Thanks for the enlightenment re: Android apps.
Yes, I think it looked like my wallet was replaced for 2.5 hrs, because my balance was not increased and mining was still running during that time. My wallet was intact and mining was still running when I saw my computer; I did not change the wallet back, nor do I see some other wallet number. Sorry, I may have jumped to a wrong conclusion, but reading from the profit projection and profitability difference I can also see I lost 2.5 hrs worth of mining that day. I am not sure what else to think about. I have Avira AV but put an exception on the NHM directory. I also have the TeamViewer client running, which I hard-passworded. Anyway, I just want to find what went wrong or what weaknesses there are with my systems/rigs and try to fix it, not to point fingers at anyone. Cheers.
Hi, just a wild and simple guess, but could it be that you had an internet connection loss for 2.5 h?
Perhaps the miner crashed and was subsequently restarted, or, as @ChriscomIT says, you had no internet for those 2.5 hrs?
Highly doubt someone hacked you for 2.5 hours then reverted it. Your computer just messed up. I get it too. Sometimes DNS issues. Could be anything.
Had exactly the same issue... it disappeared when I removed the port forwarding rule from my router. No idea how these guys are getting hold of one's public IP, but somehow they are getting the details from somewhere... I am using ethermine.org and dcr.supernova pools, so somewhere the public IPs are getting published and these guys are trying to get in on the default ports... don't think this should get ignored... protect your rigs properly...
My Claymore AMD gold miner acted strange yesterday. It had made an exit during the night; I had to restart it. Then it started mining to another address. The zwal param in config.txt was changed, no address at all there! It also started mining us.gold instead of eu.gold. I changed config.txt and started fresh. All well now, but what's going on??
The Claymores are all locked down in NHML |
Please put the management port disabled/read-only by default.
I was hacked last week. My wallet was replaced for 2.5 hrs and reverted back. All of my rigs produced 0 BTC during that time....
Temporary solution was to disable UPnP in my router.
How do I disable it? Putting it in extra launch param didn't work for me....