Virus on hive-os_kernel#110

Try searching the root files for an installed malicious script. On each rig, open a Hive Shell and, once open, type in the following commands (hit Enter after “cd /usr/bin” and Enter again after “find a.sh” [do not type the quotes]):

cd /usr/bin/
find a.sh

The system should return the following response:

find: ‘a.sh’: No such file or directory

(Note: “a.sh” stands for Administrator Shell.) If the system does not return anything but “No such file or directory”, your system is hacked and you should do a full install of HiveOS using the most recent stable version. Always download the most recent version of HiveOS and put an air gap between the file and any system which is online or connected to the internet.

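The check in the post above, written up as a small POSIX shell function that can be run on every rig (for example over SSH). This is an added example, not the poster's own commands or anything shipped with HiveOS; only the path /usr/bin and the file name a.sh come from the post. It uses `find DIR -name NAME` rather than `find a.sh` so that a copy placed in a subdirectory is caught as well, and it records the hash of anything it finds so rigs can be compared. The temporary directory tree built by `demo` is constructed sample data, not real rig contents.

```shell
#!/bin/sh
# Added example (not from the original post): search a directory for a file
# by name, report what is found, and return a status a script can act on.

# check_for_script DIR NAME
# Returns 0 when NAME is absent from DIR, 1 when one or more copies exist.
check_for_script() {
    dir=$1
    name=$2
    # -xdev stays on one filesystem, -type f ignores directories of that name.
    hits=$(find "$dir" -xdev -type f -name "$name" 2>/dev/null)
    if [ -z "$hits" ]; then
        echo "clean: no $name under $dir"
        return 0
    fi
    echo "ALERT: $name found under $dir"
    # Hash and list each hit so the result can be compared across rigs.
    echo "$hits" | while IFS= read -r f; do
        sha256sum "$f"
        ls -l "$f"
    done
    return 1
}

# demo: builds a constructed sample tree (one clean rig layout, one with the
# file present) and runs the check against both. Returns 0 if the function
# behaves as expected, 1 otherwise.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/clean/usr/bin" "$tmp/infected/usr/bin"
    printf '#!/bin/sh\necho constructed sample\n' > "$tmp/infected/usr/bin/a.sh"
    if check_for_script "$tmp/clean/usr/bin" a.sh; then clean_rc=0; else clean_rc=1; fi
    if check_for_script "$tmp/infected/usr/bin" a.sh; then bad_rc=0; else bad_rc=1; fi
    rm -rf "$tmp"
    [ "$clean_rc" -eq 0 ] && [ "$bad_rc" -eq 1 ]
}

# Real use on a rig (assumed invocation, mirrors the post's path and name):
#   check_for_script /usr/bin a.sh
```

On a real rig, run `check_for_script /usr/bin a.sh` (or point it at `/` to sweep the whole filesystem) and treat a non-zero exit as the "reinstall from a clean image" signal the post describes.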

Pretty scary. Do you know exactly when you were hacked? If it happened after a specific build upgrade (as it seems), the image should be immediately pulled. A lot of users experienced the upgrade issue (impossible to self-update) after a hive-replace; there’s another thread covering the issue.

I had issues early on when I started mining. I noticed I was mining on Unmineable and found I was submitting shares, but Unmineable showed my rigs offline. I ran across a YouTube video where a Linux programmer showed how to search for malicious scripts in Ubuntu. After I purged my systems, I put my rigs behind two firewalls and purchased a Cisco DMVPN network switch (Dedicated Managed VPN). I had one of my network admins at work program the DMVPN switch. After the network upgrades, I do not have issues with someone trying to hack my systems. Well worth the $1500. Now my entire house is behind two firewalls, a DMVPN and a big sandbox. I monitor my systems with my Mac running intrusion detection programs, and I monitor my network with Wireshark. If someone tries to hack my network, I just DDoS their IP address. They stop really quick.

Also use a separate network for IoT/mining from your regular one.

Seems that this has been making the rounds

Hello!
I too had 51.159.1.221 as a token. I removed all sessions, changed my password and also redid my 2FA setup, and it did reappear after an hour or so. The dev team needs to answer in full what we need to do at this point.
Do we have to go out of our way reinstalling HiveOS on every single worker?
That’s a huge hassle…

OK, so 51.159.1.221 keeps reappearing when I log in via the app. Is this an IP not to be worried about, or should I be worried?

Yep, same for me when I log in from the app.
CFNetwork/897.15 and 51.159.1.221 keep reappearing…

HiveOS definitely needs to get on this ASAP, and my best belief is that they are working their hardest on this as we speak!

Something is definitely up, since the API just went down!

Report status: after a few hours without logging in to HiveOS from the Android app, no new sessions or similar things have popped up…

Do you think that the vulnerability is exploited via the Android app?

I’m definitely not sure. But Hive has an API in France; you can redirect workers to, I think, its Paris API, for example, if you have trouble with rigs going offline… That was my initial thought: maybe it correlates to that server/API in some way?

Not certain, but it could be that I was using NextDNS. I disabled it and haven’t seen the France address since.

You’re correct: when you log in from the mobile app the IP from France appears, but I guess it is by design; probably when you use the app a gateway is used to admin the farm. I may be wrong, but this is not an attacker.
