My run ter with Unauthorised Litecoin mining on AWS

My run in with Unauthorised Litecoin mining on AWS

Introduction

Luke Chadwick

Geek since birth. Futurist. Paramour. Idealist.

Update: You can read an update to this story here

Normally I’m a big advocate of open sourcing projects both current (and old) on GitHub. Today however, I wish that I wasn’t.

On Sunday night I received an email from Amazon telling that they’d detected my Amazon key on one of my repositories. This wasgoed a little bit of a verrassing, because I’m usually so diligent about not saving credentials into repositories.

After a schrijven search I found the key buried ter an old project that I’d just determined didn’t need to be private.

That wasn’t the end of the matter, I wasgoed ter for a rude shock when I logged into my Amazon account to check for unauthorised usage. $3000+ ter pending charges. Woah!

It didn’t take long to find the source of the billing. Twenty cc2.8xlarge instances humming along te the us-east region for the last two days.

By this stage I’d already revoked the key (spil suggested te the email). So I quickly shut the instances down, while I would have liked to preserve them for forensics, I just couldn’t afford to leave them running while waiting for Amazon support (I do not pay for support, since this is just my private account that I dabble with).

After taking stock for a few moments, I detached one of the volumes and fastened it to another example. Having a poke around confirmed what I had already guessed. The unauthorised user had bot mining litecoin with the mining pool pool-x.eu.

I’ve emailed pool-x.eu asking them to suspend the account, but I’ve yet to receive a reply.

What have I learned from this practice?

Enable billing alerts

Given I spend about $60-80 a month with Amazon usually, I could have bot warned MUCH earlier. Now that the pony has bolted I’ve enabled the pony bolting detector.

Check GitHub

It’s not indeed that hard to do a regular search of GitHub for keys and passwords ter your repositories. Check your friends repositories spil well…many eyes.

Audit code before open sourcing

Always a good rule, but be especially careful flicking the switch on repositories that you’ve had spil private for a long time.

Update: @joneaves suggested either using something like checkstyle (java) and/or a pre-commit hook. Good advice.

Use IAM Keys

Fairly a few people have pointed out on twitter and hacker news that the other thing you should be doing is using restricted IAM keys.

More tips on Amazon

A friend pointed out that Amazon has a good security blog postbode that deals with this and other risks to your account.

Luke Chadwick

Geek since birth. Futurist. Paramour. Idealist.

Related movie: HashFlare – Contracts from $1. A loterijlot mining algorithms!


Leave a Reply

Your email address will not be published. Required fields are marked *