
Virus on hive-os_kernel#110

I would definitely like to know what service is provided by 51.159.36.160.
I’m afraid to delete that personal token and run the risk of not being able to access my account.

That is an IP located in France. Haven’t been in France in the last 24h, so not me.

I’ve deleted it a few times, but it kept reappearing, so now I disabled it.

Didn’t have any issues when I deleted it.

Have you tried to contact the people at flex? That address has 8 gh/s, but seems they only scammed $18k. Doesn’t sound that much for a scam operation, unless they have more accounts.

If they are not hunting for things like this (IPs from all over), blocking the wallet will probably only delay these guys a little until they update their code with a new address.

However, do try as Keaton suggested a clean install. Don’t use the media you had before until you had a chance to fully erase it. Change your rig id as well.

Seems that something is hijacking your rig. The doubt is whether it is something local to you or something on hive’s end?

@keaton_hiveon, just found that the Paris IP shows when I use the app on iOS. Why would it create a token from a Paris IP?

I revoke all and it always keeps appearing… My solution was a fresh reinstall of Hive on all my rigs, and eliminating SSH, and all the other bullshit… For now he hasn’t appeared.

Glad you squashed it.

I keep getting the French connection :angry: I suspect the phone app.

@keaton_hiveon any feedback about Paris?

Just for peace of mind I changed my password, and got 5 confirmation emails. Is that correct?

Try searching the root files for an installed malicious script. On each rig, open a Hive Shell, once open, type in the following query (hit enter after “cd /usr/bin” and enter again after “find a.sh” [do not use the full quotes])

cd /usr/bin/
find a.sh

The system should return the following response:

find: ‘a.sh’: No such file or directory

(Note: “a.sh” stands for Administrator Shell) If the system does not return anything but “No such file or directory”, your system is hacked and you should do a full install of HiveOS using the most recent stable version. Always download the most recent version of HiveOS and put an air gap between the file and any system which is online or connected to the internet.

1 Like
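The check from the post above, written as a function that reports the result through its exit status and records the file's hash and metadata before a reinstall wipes it. This is an added example, not part of the original thread; the function name `check_indicator` is hypothetical, and only the directory `/usr/bin` and the file name `a.sh` come from the post.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes a POSIX shell on the rig.
# check_indicator DIR NAME
#   returns 0 if DIR/NAME is absent, 1 if present, 2 if DIR cannot be read.
check_indicator() {
    dir=$1
    name=$2
    path="$dir/$name"

    if [ ! -d "$dir" ] || [ ! -r "$dir" ]; then
        echo "ERROR cannot read directory $dir" >&2
        return 2
    fi

    # -e follows symlinks, so test -L too: a dangling symlink is still a finding.
    if [ -e "$path" ] || [ -L "$path" ]; then
        hash="unavailable"
        if [ -f "$path" ] && [ -r "$path" ] && command -v sha256sum >/dev/null 2>&1; then
            hash=$(sha256sum "$path" | cut -d' ' -f1)
        fi
        # One line for a ticket or log, then owner, mode, size and mtime.
        echo "FOUND $path sha256=$hash"
        ls -ld "$path"
        return 1
    fi

    echo "CLEAN $path not present"
    return 0
}

# Usage on a rig, with the path and name given in the post:
#   check_indicator /usr/bin a.sh
```

An exit status of 2 means the directory could not be inspected, which is not the same as a clean result.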

Pretty scary. Do you know exactly when you were hacked? If it happened after a specific build upgrade (as it seems) the image should be immediately pulled. A lot of users experienced the upgrade issue (impossible to self-update) after a hive-replace; there’s another 3d covering the issue.

I had issues early on when I started mining. I noticed I was mining on Unmineable and found I was submitting shares but Unmineable showed my rigs offline. I ran across a YouTube video where a Linux programmer showed how to search for malicious scripts in Ubuntu. After I purged my systems, I put my rigs behind two firewalls and purchased a Cisco DMVPN network switch (Dedicated Managed VPN). I had one of my network admins at work program the DMVPN switch. After the network upgrades, I do not have issues with someone trying to hack my systems. Well worth the $1500 bucks. Now my entire house is behind two firewalls, a DMVPN and a big sandbox. I monitor my systems with my Mac running intrusion detection programs and I monitor my network with Wireshark. If someone tries to hack my network, I just DDOS their IP address. They stop really quick.

Also use a separate network for IoT/mining from your regular one.

Seems that this has been making the rounds.

Hello!
I too had 51.159.1.221 as token. I removed all sessions, changed password and also redid my 2FA setup, and it did reappear now after an hour or so. DEV team needs to answer in total what we need to do at this point.
Do we have to go out of our way reinstalling every single worker’s HiveOS?
That’s a huge hassle…

Ok so 51.159.1.221 keeps reappearing when I log in via app. Is this an IP not to be worried about or should I be worried??

Yep, same for me, when I log in from app
CFNetwork/897.15 and 51.159.1.221 keeps reappearing…

Hive OS def. needs to get on this ASAP and my best belief is that they are working their hardest on this as we speak!

Something is DEF up since API just went down!

Report status: After a few hours without login from HiveOS from Android app no new sessions or similar things have popped up…

Do you think that the vulnerability is exploited by the Android app?

I’m def. not sure. But Hive has an API in France, you can redirect workers to, I think it’s the Paris API, for example if you have trouble with rigs going offline… That was my initial thought, maybe it correlates to that server/API in some way?

Not certain but could be that I was using NextDNS. I disabled it and haven’t seen the France address since.

You’re correct, when you log in from the mobile app the IP from France appears but I guess it is by design, probably when you use the app a gateway is used to admin the farm. I may be wrong but this is not an attacker.

This topic was automatically closed 416 days after the last reply. New replies are no longer allowed.