It seems that attackers have begun to target bitcoin-related services in earnest: the latest organisation to fall prey is the very popular Slush's bitcoin mining pool, which normally resides at https://mining.bitcoin.cz/ .
Slush's pool is the oldest mining pool. It began with a forum post on November 28, 2010, in which the pool operator (Slush) literally invented pool mining when he suggested: "Join poor CPU miners to one cluster and increase their chance to find a block!". While the suggestion was fairly controversial at the time, Slush wrote the very first mining pool software (called a "cooperative miner" at the time) and the rest is history.
According to Slush, he first noticed something was up when someone reset the password to his OVH Manager account at his hosting provider, OVH.CO.UK Web Hosting Solutions.
What ensued was a brief battle between the perpetrator and Slush, each resetting passwords in attempts to gain control of the pool. While Slush does not have any evidence yet, he says: "So far it looks like yet another inside job, like Linode two years ago. Or attackers found some shortcut how to gain access to Manager without confirming the request from the email." Slush later goes on to say: "For now I fully blame OVH for this issue."
Slush says he has now successfully managed to isolate and move the Stratum servers (stratum.bitcoin.cz, stratum2.bitcoin.cz and stratum3.bitcoin.cz) to Amazon EC2 instances so as not to waste any hash power, but as there is no safe database server the shares are not presently being recorded. Slush says: "Because database isn't running and shares are not stored, I'll spread blocks mined during database outage to miners who'll continue mining on the pool once the database will be up again."
Slush also says that the mining pool will be back to normal operation soon after he fully migrates from OVH to Amazon EC2.
The first post on BitcoinTalk is available here, or quoted below.
The pool has been hacked. Fortunately I noticed it quickly enough, so I made a database snapshot seconds before the attackers took over the database machine. I lost some amount of bitcoins, but I'll be able to recover it from my pocket. For now I'm evaluating what to do next, because all machines in OVH have been compromised and they cannot be trusted anymore.
Today at 3pm UTC I noticed that somebody successfully reset the password to OVH Manager, the place where servers can be managed, restarted to rescue mode etc. I promptly reset the password at OVH to something different and I also changed the password on my email account and checked that there were no other active connections to my mailbox. I have to say that my mailbox is secured by OTP passwords and I take physical security very seriously, so nobody else had access to my mailbox. I knew that the password-reset feature is a fairly popular attack vector, so I did everything possible to prevent it from happening.
By changing the password at OVH, all other sessions using the old credentials are automatically kicked from the Manager. I also cross-checked that nothing wrong happened to the servers at this time. Unfortunately I didn't find a way how the attackers got access to Manager, so I asked OVH support to provide some extra information and restrict Manager access to my IP range.
It's no surprise that OVH didn't react to this ticket for hours, but at 11pm UTC I realized that there was another successful password reset at OVH. This is a complete mystery to me, because I'm absolutely sure that nobody else had access to my mailbox and the email with the reset link has been untouched (unread, not deleted). I'd say that an attacker wouldn't bother changing the status of the email to "unread", but would delete the email instead.
This time I realized that the attacker restarted the machine with the wallet into rescue mode, which means that I lost control of this machine. I was still successful in logging into the database, and I took a snapshot of the database and transferred it to a safe location. A few seconds after the migration finished, the attackers restarted all remaining machines to rescue mode.
So far it looks like yet another inside job, like Linode two years ago. Or attackers found some shortcut how to gain access to Manager without confirming the request from the email. I don't know which option is worse. I'll investigate this issue in detail later and I hope OVH won't close their eyes to this.
I can recover the pool to the normal operation tomorrow.
Edit 01:38 UTC: Stratum servers are running on safe servers at Amazon. Mining works for now. I'll set up a fresh database and webserver on trusted machines in a few hours, so the pool will be back in full operation. Slush – BitcoinTalk
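As an added illustration (not code from the original article, from OVH, or from Slush's pool), the three controls the post touches on, modelled in a hypothetical `Manager` account class: a password reset only completes with the single-use token that was mailed out, a completed reset kicks every existing session, and Manager logins are refused from outside an allowed IP range.

```python
import hashlib
import hmac
import ipaddress
import secrets
import time


class Manager:
    """Hypothetical hosting control-panel account (not OVH's real implementation)."""

    def __init__(self, password, allowed_cidrs=()):
        self.pw_hash = self._hash(password)
        self.sessions = {}       # session token -> creation time
        self.reset_tokens = {}   # sha256(reset token) -> expiry; only the hash is stored
        self.allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]

    @staticmethod
    def _hash(value):
        # Demo only: a real deployment would use a slow password KDF for passwords.
        return hashlib.sha256(value.encode()).hexdigest()

    def login(self, password, src_ip):
        """Return a session token, or None if the source IP or password is rejected."""
        if self.allowed and not any(ipaddress.ip_address(src_ip) in n for n in self.allowed):
            return None
        if not hmac.compare_digest(self.pw_hash, self._hash(password)):
            return None
        token = secrets.token_urlsafe(16)
        self.sessions[token] = time.time()
        return token

    def request_reset(self, ttl=900):
        """Mint the token that would be sent by email; the server keeps only its hash."""
        token = secrets.token_urlsafe(24)
        self.reset_tokens[self._hash(token)] = time.time() + ttl
        return token

    def complete_reset(self, token, new_password):
        """A reset succeeds only with a live, unused token from the email, never without it."""
        expiry = self.reset_tokens.pop(self._hash(token), None)  # pop makes it single-use
        if expiry is None or expiry < time.time():
            return False
        self.pw_hash = self._hash(new_password)
        self.sessions.clear()  # every session on the old credentials is kicked
        return True

    def is_valid_session(self, token):
        return token in self.sessions
```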