11:30:14 <xmrpow> This guy on nano pool is now having 58 mhs and 45000 workers. Do you think this is a botnet. In my opinion the slope for it is too constant.
12:37:25 <sech1> xmrpow probably attacking servers/VMs or exploiting some cloud compute
14:43:30 <hyc> do we know the nanopool operators? can we ask them for the IP addresses of some of these workers?
15:44:00 <xmrpow> sech1: Could be possible, but personally im sceptical about this theory. Wouldnt data center ops recognize that?
15:44:37 <xmrpow> hyc: i think they wont provide the ips. Wouldnt be good for their business.
15:47:47 <sech1> They're not very cooperating. I tried to report a botnet once there, and the answer was "Can you please, provide IP of infected servers, used for mining with this address? Also, please, provide configurations used for mining"
15:48:09 <sech1> So unless the botnet is running on your server, you can't report it
15:49:43 <xmrpow> sech1 hmm... Could sb fake a nonce pattern?
15:56:45 <sech1> if they use the same nonce iteration algorithm then yes of course
15:58:28 <xmrpow> So how could sb check if randomx has been broken?
15:59:12 <sech1> by checking profitability per kh/s?
16:46:53 <xmrpow> Thought there might exist some other indicator...
16:48:41 <xmrpow> 60mhs... And still growing.
19:34:38 <gethh> it some cloud fraud, I bet, no fluctuations like botnet
19:54:55 <sech1> I wonder how long this guy is going to last
19:55:07 <sech1> this scale is noticeable even for the biggest cloud providers
19:55:19 <sech1> 61 MH/s already
20:14:10 <gethh> unless the cloud provider pretends not to know where it gets those credit card money from :)
21:26:52 <xmrpow> How far do you think this thing is potentially going to scale up?
21:27:51 <hyc> still wondering why it was flat on the weekend, and only increasing on weekdays
21:28:08 <hyc> that's not the pattern of someone using idle office computers
21:30:36 <xmrpow> hyc: We are going to see what is happening this weekend. As long as this guy is still ramping up...
21:39:57 <xmrpow> I rly dont understand why this guy is not using his own daemon....
21:40:24 <xmrpow> Might be intentional.
21:40:28 <hyc> 60MH, yeah he could run his own
21:40:46 <xmrpow> why paying 1% fee
21:40:47 <xmrpow> ?
21:40:59 <hyc> or the guy is just not very sophisticated. script kiddy doing remote installs
21:41:23 <xmrpow> and nobody is recognizing it?
21:41:32 <hyc> yeah that's just weird
21:41:35 <xmrpow> Not very sript kiddy like.
21:42:07 <hyc> then again, the hash rates per worker are low. maybe he's using only 1 thread per machine and no one sees the perf hit
21:42:33 <UkoeHB_> or he found an equally unsophisticated victim
21:42:34 <xmrpow> I think they are not running on aws...
21:43:04 <hyc> AWS cpu time costs too much
21:45:05 <xmrpow> hyc: i thought in datacenters intel has much higher market shares until epyc came. Some of the machine are hitting 7khs. On one thread?
21:45:30 <hyc> ah it mostly looked like 840, 1680Hs when I looked
21:46:50 <xmrpow> i dont have average values but if you sort the workers there are some mining above 2khs
21:49:06 <xmrpow> 3000 thousand workers are above 3khs
21:49:28 <xmrpow> sorry 3000
21:50:04 <kinghat[m]> not sure if already posted? https://cointelegraph.com/news/1000-corporate-systems-infected-with-monero-mining-malware
21:50:22 <hyc> would expect those to have already been cleaned up
21:50:39 <hyc> and again, they don't fit the usage pattern seen here
21:51:53 <hyc> office PCs are probably only powered on 8 hours/day. 24/7 usage has to be servers only.
21:51:56 <kinghat[m]> got ya
21:52:24 <xmrpow> hyc: or some asic ;) But I rly hope it isnt...
21:52:32 <hyc> lol
21:52:42 <xmrpow> Then we would be screwed
21:52:55 <jwinterm> nobody ever turns their computers off at my lab
21:53:08 <jwinterm> we are genuinely encouraged to leave them on for overnight security patches and whatnot
21:53:16 <hyc> interesting
21:53:37 <hyc> but business PCs already have remote management engines, that can turn them on via ethernet commands
21:53:38 <xmrpow> jwinterm: So many of them?
21:54:12 <jwinterm> we probably have 10-15k wired LAN PCs
21:54:27 <jwinterm> plus super computers
21:54:49 <xmrpow> ok. Which one?
21:55:00 <jwinterm> but just generally I doubt office workers turn off their desktops, hashrate might even drop during daytime when they're actually using CPU
21:55:08 <jwinterm> not that excel and chrome uses that much cpu
21:55:29 <hyc> yeah, RAM is the bigger factor probably
21:55:52 <jwinterm> xmrpow, sierra is the big boy now
21:58:09 <xmrpow> jwinterm: Dont you have some load monitoring system?
21:58:12 <xmrpow> for the office pcs?
21:58:32 <jwinterm> probably, I don't work in IT
21:58:39 <jwinterm> maybe not, I don't know
21:58:44 <xmrpow> ok
21:58:50 <jwinterm> I run simulations overnight on desktop sometimes and no one ever yells at me
21:59:11 * kinghat[m] uploaded an image: image.png (38KB) < https://matrix.org/_matrix/media/r0/download/matrix.org/fGECyysdulbxILceuocJMXrr >
21:59:12 <kinghat[m]> interestingly, cpu-world.com has banned me because it thinks im a botnet?
21:59:35 <kinghat[m]> i was visiting the site but i was manually checking for xeons
21:59:51 <kinghat[m]> nothing automated
21:59:57 <kinghat[m]> never seen that before
22:00:32 <kinghat[m]> sorry, bot*, not botnet.
22:02:01 <xmrpow> So we all agree that i has to be some datacenter?
22:02:33 <hyc> fits best, yeah
22:03:30 <xmrpow> Because of the average hashrate of each miner it either has to be some older hardware or not full load like you said
22:25:35 <geonic> https://www.reddit.com/r/MoneroMining/comments/grcht8/1000_corporate_systems_infected_with_monero/fs07v3u/?utm_source=share&utm_medium=ios_app&utm_name=iossmf
22:25:55 <geonic> ^ thoughts on this?
22:32:44 <geonic> Are there any objective criteria for increasing minimum RAM requirements in the future?
22:35:08 <hyc> obviously if we raise them too much, only servers in data centers will be able to participate
22:37:36 <selsta> IMO botnets are just a side effect of decentralization, a bit like ASIC miners who have free access to electricity.
22:38:01 <selsta> If you have a decentralized system where everyone can join and mine then it will be difficult to avoid.
22:38:58 <selsta> best thing you can do is reach out to AV providers to include randomx heuristics
22:40:09 <geonic> I’d appreciate it if we could bump it up to 64gb, which is what I have. That way I’d solo mine a block once a month instead of once a year :)
22:42:01 <geonic> and jwinterm’s nuclear-powered botnet would be cut off... it’s a win-win
22:42:10 <hyc> my laptop has only 32GB. So I will vote no. :P
22:42:19 <geonic> lol
22:43:52 <geonic> Would it be useful if miners signaled the amount of RAM present on a machine?
22:44:20 <hyc> if they know why we want to know, they will start lying and underreporting
22:46:04 <geonic> Could it be built into the daemon in a tamper-proof way? Just thinking out loud
22:47:54 <geonic> might be useful to have data like that to guide future adjustments to the pow like minimum thresholds
22:50:22 <hyc> it's also unfriendly to assume that someone running a miner is happy to have 100% of their RAM get used by the miner
22:51:11 <geonic> that’s for sure
23:18:54 <jwinterm> lol implying my nuclear powered botnet doesn't have infintie ram
23:38:06 <geonic> dammit