Im started to work in company that deals with information security and in Friday we got a task: in one bank one of sysadmins think that someone is mining litecoin in worktime.
We have several IDS at this bank (systems that catch all of network traffic) and we can only use analysis of this traffic.
We ran the litecoin miner with pool (coinotron.com) and catch some traffic it generated. Thats some screenshots from Wireshark:
Its looks like very chaotic traffic with pool of ip’s, some of them is a Tor nodes.
Can someone help me and explain whats traffic generated by litecoin miner?
yes…someone it looks like someone could be mining litecoin… and maybe even using every ip on the server…not that sure about that though…you could just be seeing either the peers connected to a personal wallet someone has that is using the internet connection…
…port 9333 (by default) is the getwork/stratum port for litecoins blockchain (however other programs can use this port as well, bitcoin uses 8333 by default) but it also uses that port to connect to peers for updated chain information… so that is where the requests for block information go to and they are sent from the closest server back to the address who requested the work…
however there are no responses for accepted or rejected packets so it looks to me like someone syncing a wallet or just downloading the blockchain (also syncing a wallet) (which is why you see “pooled address” and “tor” address)…hope this helps…tell them to buy their own equipment to rent a server like everyone else if you do catch someone breaking the rules
Well, i found solution)) while mining, the cpuminer takes a JSON over the TCP (see on pic).
So only one filter for this JSON (special for method: mining_notify) can detect this.