Crypto pool security

Asphyxia

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
I am kind of curious how pools work so I decided to perform an OSINT assessment on rplant.xyz, one that is quite popular with CurveHash.

First, how about a simple WhoIs - https://www.eurodns.com/whois-search/xyz-domain-name :
Code: 
WHOIS rplant.xyz
Domain Name: RPLANT.XYZ
Registry Domain ID: D9617870-CNIC
Registrar WHOIS Server: whois.cloudflare.com
Registrar URL: http://cloudflare.com
Updated Date: 2020-07-27T17:31:52.0Z
Creation Date: 2015-08-21T10:52:29.0Z
Registry Expiry Date: 2021-08-21T23:59:59.0Z
Registrar: Cloudflare, Inc.
Registrar IANA ID: 1910
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Organization: DATA REDACTED
Registrant State/Province: DATA REDACTED
Registrant Country: US
Registrant Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Admin Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Tech Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Name Server: ANASTASIA.NS.CLOUDFLARE.COM
Name Server: HUGH.NS.CLOUDFLARE.COM
DNSSEC: signedDelegation
Billing Email: Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin, or Tech contact of the queried domain name.
Registrar Abuse Contact Email: [email protected]
Registrar Abuse Contact Phone: +1.4153197517
URL of the ICANN Whois Inaccuracy Complaint Form: https://www.icann.org/wicf/

They like Cloudflare and have owned this domain since August of 2015.

Next, how about we find some subdomains:
Code: 
amass enum --passive -d rplant.xyz > out.txt
cat out.txt | nc termbin.com 9999

Now the result we get is a link which contains a text file with some subdomains.

Code: 
xsc-pool.rplant.xyz
stratum-hez.rplant.xyz
exit3.rplant.xyz
stratum-ru.rplant.xyz
aquapool.rplant.xyz
pool.rplant.xyz
stratum-uk.rplant.xyz
stratum-eu.rplant.xyz
exit5.rplant.xyz
stratum-ap.rplant.xyz
stratum-na.rplant.xyz
post.rplant.xyz
exit4.rplant.xyz
www.rplant.xyz
betapool3.rplant.xyz
rplant.xyz
time.rplant.xyz
nginpool.rplant.xyz
betapool.rplant.xyz
pool-de.rplant.xyz
api.poolbeta.rplant.xyz
stratum-ca.rplant.xyz
jadepay-faucet.rplant.xyz
stratum.rplant.xyz
poolbeta.rplant.xyz
api.betapool.rplant.xyz
pool-hez.rplant.xyz
api.pool.rplant.xyz
stratum-reg.rplant.xyz
stratum-de.rplant.xyz
stratum-asia.rplant.xyz
pool-fr.rplant.xyz
xmrpool.rplant.xyz
api.rplant.xyz
stratum2.rplant.xyz
pool2.rplant.xyz
rplant.rplant.xyz

https://opendata.rapid7.com/ could be used also (FDNS).

What if we want to mass resolve these to see they are legit? Just ping them all in a for statement.

Just toss all of 'em into a domains.txt or use the earlier mentioned out.txt with this:
Code: 
for server in `cat domains.txt`
do echo $server "-"
dig $server +short
printf "\n"
done | paste -d " " - - -

Then what I do is grep only the IPs and uniq 'em like this:
Code: 
bash dig.sh | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"

Code: 
104.24.112.133
104.24.113.133
139.99.68.221
146.59.217.34
172.67.147.70
195.91.235.130
51.79.30.143
51.89.173.178
89.108.65.169
89.175.21.60
89.175.21.61

So now the mystery is kind of revealed, rplant is hosted at various hosts including OVH:
Code: 
root@c2-30-waw1:~# whois 51.89.173.178 | grep mnt-by | sort | uniq
mnt-by:         OVH-MNT

I was especially curious of the api.rplant.xyz:
Code: 
Nmap scan report for ip34.ip-146-59-217.eu (146.59.217.34)
Host is up (0.028s latency).
Not shown: 59349 filtered ports, 566 closed ports
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
3032/tcp  open  redwood-chat
3335/tcp  open  directv-soft
3340/tcp  open  anet-m
3341/tcp  open  anet-h
3342/tcp  open  webtie
3350/tcp  open  findviatv
3351/tcp  open  btrieve
3360/tcp  open  kv-server
3361/tcp  open  kv-agent
3382/tcp  open  fujitsu-neat
3383/tcp  open  esp-lm
6335/tcp  open  unknown
6336/tcp  open  unknown
6502/tcp  open  netop-rc
7018/tcp  open  fisa-svc
7022/tcp  open  ctdp
7023/tcp  open  ct2nmcs
7025/tcp  open  vmsvc-2
7029/tcp  open  unknown
7030/tcp  open  op-probe
7040/tcp  open  quest-disc

With -sV
Code: 
Nmap scan report for api.rplant.xyz (146.59.217.34)
Host is up (0.028s latency).
rDNS record for 146.59.217.34: ip34.ip-146-59-217.eu
Not shown: 959 filtered ports, 36 closed ports
PORT     STATE SERVICE     VERSION
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
443/tcp  open  ssl/http    nginx 1.18.0 (Ubuntu)
3351/tcp open  ssl/stratum Stratum bitcoin mining protocol
6502/tcp open  netop-rc?
7025/tcp open  ssl/stratum Stratum bitcoin mining protocol
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

For each IP:

104.24.112.133
Code: 
Host is up (0.028s latency).
Not shown: 996 filtered ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
8080/tcp open  http-proxy
8443/tcp open  https-alt

104.24.113.133

139.99.68.221


146.59.217.34
172.67.147.70
195.91.235.130
51.79.30.143
51.89.173.178

89.108.65.169
Code: 
Nmap scan report for 89-108-65-169.cloudvps.regruhosting.ru (89.108.65.169)
Host is up (0.045s latency).
Not shown: 973 filtered ports
PORT     STATE  SERVICE         VERSION
22/tcp   open   ssh             OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open   tcpwrapped
443/tcp  open   tcpwrapped
3001/tcp closed nessus
3003/tcp closed cgms
3006/tcp closed deslogind
3007/tcp closed lotusmtap
3011/tcp closed trusted-web
3013/tcp closed gilatskysurfer
3030/tcp closed arepa-cas
3052/tcp closed powerchute
3306/tcp closed mysql
3322/tcp closed active-net
3323/tcp closed active-net
3324/tcp closed active-net
3325/tcp closed active-net
3333/tcp closed dec-notes
3351/tcp open   tcpwrapped
3367/tcp closed satvid-datalnk
3371/tcp closed satvid-datalnk
3372/tcp closed msdtc
3389/tcp closed ms-wbt-server
7000/tcp closed afs3-fileserver
7001/tcp closed afs3-callback
7007/tcp closed afs3-bos
7019/tcp closed doceri-ctl
7025/tcp open   tcpwrapped
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

89.175.21.60
89.175.21.61

I asked rplant if he has any tips for starting a mining pool and his response was mildly irritated:
rplant: are you a good Linux admin, do you know c/c++/mysql/javascript? are you familiar with cryptocurrencies? do you know how to read getblocktemplate? if not, forget about the pool. there are such newcomers every month. no sense, better keep your blog
Click to expand...

He also mentioned for his server infrastructure: "internal 12 hosts, external 4" - needless to say he appears somewhat active on GitHub via private repos and some public, but nothing wild: https://github.com/rplant8

1608009992390.png

Some example work he has done is shown above, he also seems to have asked for help in a few areas on GH:
https://github.com/dvandal/cryptonote-nodejs-pool/issues/535 (mirror: http://web.archive.org/web/20201128...com/dvandal/cryptonote-nodejs-pool/issues/535 )

Definitely the guy runs into crashing issues and other problems relatively often:
github.com

Corrupt subexpire entry in RDB skipping · Issue #154 · Snapchat/KeyDB

Keydb started restarting(crashing?) about once a day after using expiremember for hash set. After restart all ttl are lost. When manually restarted, the behavior is the same. Ubuntu 16.04, KeyDB ve...
github.com github.com

So, perhaps working with mining pools is a nightmare but I am leaning toward the idea this guy thinks he is 1337 for running cryptocurrency mining pools and being able to code. Nothing against him, although slightly curious why someone that supports crypto would not be more encouraging and interested in assisting with infrastructure ideas for decentralization. It is almost as if the guy enjoys taking his 1% fees from the mining activity. I cannot hold this against him but the profits he is likely getting would be reason enough for him to likely resist sharing insider intel on building pools.

Considering the fact he leaves traces/trails all over his GitHub to what/where he uses, I am placing my bets on the idea he simply has setup an array of servers for HA (high availability) then smirks at the idea his stuff works well and he makes boat loads of crypto into his wallets for operating rplant.xyz - I am going to open the door to the "trade secret" of how his enterprise works..

I am just going to run down a list of his repos on GitHub since this highly probably gives away how he runs:
github.com

rplant8 - Repositories

rplant8 has 40 repositories available. Follow their code on GitHub.
github.com github.com

 
Asphyxia

Asphyxia

Owner
Administrator
Apr 25, 2015
1,845
2
2,199
327
Now let's run down a list of some past vulnerabilities regarding rplant's setup for the sake of considering security of a pool:
github.com

PacketStorm-Exploits/bitcoinaltcoin-stratum.txt at master · BuddhaLabs/PacketStorm-Exploits

Collection of publicly available exploits from Packetstorm - PacketStorm-Exploits/bitcoinaltcoin-stratum.txt at master · BuddhaLabs/PacketStorm-Exploits
github.com github.com
https://github.com/slush0/stratum-mining-proxy/issues/66 (bad operator error)
https://www.first.org/resources/papers/amsterdam2019/FIRST-TC-pres-v1.1.pdf useful info about Stratum servers

Multiple YiiMP pools hacked, this is what we know so far..

Multiple YiiMP pools hacked, this is what we know so far..
bitcointalk.org

To launch a Curve Yiimp, one would have to make use of https://github.com/curvehashcoin/yiimp-curve
 
You must log in or register to reply here.
Top