
My run-in with unauthorised Litecoin mining on AWS - vertis
http://vertis.io/2013/12/16/unauthorised-litecoin-mining.html
======
acangiano
CPU mining of scrypt-based cryptocurrency is highly inefficient. Let's do some
math.

A cc2.8xlarge is reported to mine at 85 kh/s, so 20 of them would give you
1700 kh/s. That's roughly equivalent to a couple of high-end AMD GPUs (say a
couple of overclocked 290x). This hashing power gives you a little over 0.5
LTC per day. It mined for two days, so it gained a little over 1 LTC. Let's
call it $40.

That's right, the idiot behind this cost the OP $3000+ for $40 profit. A
smarter criminal would have spawned GPU instances on EC2.

~~~
gigq
Makes you wonder why the criminal didn't launch g2.2xlarge instances which
would get 185 kH/s per instance. In fact for a while there litecoin mining was
profitable at spot prices.

[http://www.completefusion.com/profitable-litecoin-mining-on-ec2/](http://www.completefusion.com/profitable-litecoin-mining-on-ec2/)

~~~
acangiano
My guess would be ignorance. I don't think the criminal behind this knows what
he is doing.

A smarter criminal would have opted for g2.2xlarge instances as well as mining
a currently more profitable coin. Granted, he'd need to be careful not to
leave a trail, but he could essentially trade these coins for LTC and still
obtain more litecoins.

~~~
gigq
An even smarter criminal would have "mined" the Ripple give away using EC2,
there are still people paying for those instances as we speak so surely they
would be more profitable than litecoin mining (assuming you sell them right
away).

[https://www.computingforgood.org/](https://www.computingforgood.org/)

[https://ripple.com/forum/viewtopic.php?f=18&t=4382](https://ripple.com/forum/viewtopic.php?f=18&t=4382)

~~~
jnbiche
Uh, nope. I "mined" Ripple through that little project for a couple of days
(using the g2 instances) and got a couple of dollars' worth of Ripple back for
an over $100 EC2 bill (460 hours of WCG runtime).

I'll BOINC on my desktop for science and goodwill but will not waste any more
time on Ripple's program or indeed on Ripple itself, as brilliant as the idea
is. Ripple's founders are hanging on to their 60%+ outstanding Ripples so
tightly that I suspect the project will never truly get off the ground.

As much as people criticize it, I think some variation of Bitcoin's seigniorage
mining is the only realistic way to bootstrap a successful virtual currency,
at least at this point.

~~~
SectioAurea
Premined strategies like Ripple chose certainly aren't the road to success.

------
davidjgraph
This is rough luck, but getting specific servers hacked is more commonplace.
In the AWS billing console [0] there is an "alert" option. It walks you
through setting up the various types of alarms.

If you're hacked the most likely problem you'll get is a spike in data
transfer costs. You can up the alarms to, for example, email you if the
bandwidth usage goes above x (cost) over y time period.

I had a Perl DoS bot get into a server; it took about 2 hours to trigger the
alarm. Shame I was fast asleep at the time, but the idea was there...

[0]
[https://console.aws.amazon.com/billing/home](https://console.aws.amazon.com/billing/home)

------
earless1
I think smarter usage of IAM roles would have also helped here. Keys created
strictly for S3 access should not have the ability to launch new instances and
so on. Limiting keys to their specific purpose is a good security practice
even for dev environments.

~~~
miles932
AWS IAM supports the ability to permit or prevent specific types of instances
from being started by a given key; if folks are worried about a key being used
to start G2 or CG1 or any other specific instance, take a look at the
instructions here:
[http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-policies-for-amazon-ec2.html)
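
The two comments above describe the two controls that would have contained this: a key scoped to S3 that simply has no ec2:RunInstances grant, and, for a key that does launch instances, a Deny on expensive instance types via the ec2:InstanceType condition key from the linked EC2 docs. The following is an editor-added example, not code from the post or from AWS. The policy JSON uses real IAM actions and the real ec2:InstanceType condition key; the evaluator implements only the slice of IAM logic the example needs (explicit Deny wins, then Allow, default Deny; wildcards in Action and Resource; StringEquals and StringNotEquals). The bucket name, account ID and the choice of "small" instance types are assumptions.

```python
import fnmatch
import json

# Policy 1: a key meant only for pushing assets to one bucket (bucket name is
# made up).  Nothing grants ec2:RunInstances, so IAM's default Deny stops an
# attacker holding this key from launching instances at all.
S3_ONLY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-assets", "arn:aws:s3:::example-assets/*"]
  }]
}""")

# Policy 2: a key that legitimately launches instances, restricted to two small
# types (assumed list).  A Deny with StringNotEquals on ec2:InstanceType blocks
# every other type, including g2/cg1/cc2, even though ec2:* is allowed above it.
SMALL_EC2_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Deny",
     "Action": "ec2:RunInstances",
     "Resource": "arn:aws:ec2:*:*:instance/*",
     "Condition": {"StringNotEquals": {"ec2:InstanceType": ["t1.micro", "m1.small"]}}}
  ]
}""")


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _condition_matches(cond, context):
    """Only StringEquals / StringNotEquals are modelled; any other operator is
    treated as not matching, which is the conservative choice for a Deny."""
    for op, pairs in cond.items():
        if op not in ("StringEquals", "StringNotEquals"):
            return False
        for key, allowed in pairs.items():
            hit = context.get(key) in _as_list(allowed)
            if (op == "StringEquals") != hit:
                return False
    return True


def is_allowed(policies, action, resource, context=None):
    """True if `action` on `resource` is permitted by the combined policies:
    any matching explicit Deny wins; otherwise at least one Allow must match."""
    context = context or {}
    allowed = False
    for policy in policies:
        for stmt in policy["Statement"]:
            if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
                continue
            if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
                continue
            if not _condition_matches(stmt.get("Condition", {}), context):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def demo():
    """Replay the scenarios from the thread against the two policies."""
    inst = "arn:aws:ec2:us-east-1:123456789012:instance/*"  # account ID is made up
    s3 = "arn:aws:s3:::example-assets/site.css"
    return {
        "s3_key_put": is_allowed([S3_ONLY_POLICY], "s3:PutObject", s3),
        "s3_key_run_instances": is_allowed([S3_ONLY_POLICY], "ec2:RunInstances", inst),
        "ec2_key_t1_micro": is_allowed([SMALL_EC2_POLICY], "ec2:RunInstances", inst,
                                       {"ec2:InstanceType": "t1.micro"}),
        "ec2_key_g2": is_allowed([SMALL_EC2_POLICY], "ec2:RunInstances", inst,
                                 {"ec2:InstanceType": "g2.2xlarge"}),
        "ec2_key_cc2": is_allowed([SMALL_EC2_POLICY], "ec2:RunInstances", inst,
                                  {"ec2:InstanceType": "cc2.8xlarge"}),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'}")
```

The evaluator is there to make the interaction visible: the S3-only key is denied RunInstances without any Deny statement at all, and the EC2 key is allowed a t1.micro but denied a g2.2xlarge or cc2.8xlarge because the Deny's condition matches any type outside the list. Real IAM evaluation has more operators and policy types than this; the point is the shape of the two policies.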

------
debaserab2
I wonder if the author is going to be on the hook for the bill for this.

If he originally received this note from Amazon, it makes me also wonder if
Amazon knew about the fraud while it was happening. I sense that they probably
monitor the launch of many of the XXL servers more closely than others.

~~~
snowpalmer
I had the _exact_ same thing happen to me. 2 days of 20 instances running and
then Amazon called me. I shut it down and revoked permissions immediately.

They did refund the money.

~~~
icpmacdo
I just checked my EC2 page and have found $45 worth of charges from instances
that I shut down weeks ago. Would it have automatically reordered some if the
bidding price dropped below a threshold? When I looked at my management
console there were no EC2 instances running. This has turned out to be a very
expensive experiment in LTC mining.

------
meritt
Ugh, that sucks. Too late to help you now (but perhaps others) on your billing
alerts points: check out [http://cloudability.com](http://cloudability.com)
-- alerts, analytics, prediction, suggestions, etc. Free for the most useful
stuff.

------
lambda
Another good habit to be in is never checking any kind of credentials into
source control; even if it's some private personal project, just don't be
tempted to check in your credentials to source control, because at some point
you may find some portion of that that's useful that you import into a public
project, accidentally preserving full history.

Sorry to the OP, hope that Amazon reverses those charges once you tell them
what happened.

~~~
yeukhon
We know we shouldn't be committing passwords or personal keys. But shit happens
and it does happen very frequently; even top-notch people do it.

What we need is not to say "don't do it", because no shit we shouldn't be doing
that. Instead we need defense mechanisms. It would be helpful and interesting
if git or hg had a plugin that detects when some credential is leaking
through and warns users "hey you better check this shit out" before doing a
real commit.

The other thing is "don't commit keys into a private repository". Don't Chef
and Puppet users usually do that? How are people backing up their keys?

~~~
dwaltrip
For rails, the Figaro gem is really helpful for managing environment
variables, which is a good place to store credentials (the config file for
Figaro is then added to .gitignore)

~~~
yeukhon
But how do you back up this set of environment variables? Yes, in practice I
also use an ignore file to prevent sensitive things leaking into the repository,
and I usually generate passwords dynamically on the fly or through some script.

------
colbyaley
I suggest the OP check out Cloudability[1], which provides real-time cost
management for AWS and other cloud providers. We help over 10,000 customers
make sure this doesn't happen to them. (disclosure: I work there)

[1]: [https://cloudability.com/](https://cloudability.com/)

------
trapexit
You can (and should) set up an AWS CloudWatch alert on your account that will
send you an email or SMS notification when your monthly bill exceeds a set
threshold.

~~~
zwass
I was surprised how incredibly difficult that is to set up. Eventually I dead-
ended following the instructions when CloudWatch told me there were 0 metrics
to choose from for monitoring...

~~~
sharpy
Hi,

There are a couple of things that are easy to overlook when using billing
metrics.

1. All billing metrics are stored in us-east-1 even for usages in other
regions.

2. If you are using consolidated billing, billing metrics will be published
under the linked account, and will only be visible to that account.

Hope that helps.

~~~
chimeracoder
> 1. All billing metrics are stored in us-east-1 even for usages in other
> regions.

...what? Is this true? If so, can someone explain the logic behind this?

~~~
ceejayoz
It's true, and probably means a set of instances in us-east-1 are the ones
computing and storing billing costs for users.

------
awhitty
Shoot, as someone who made the same mistake of leaving my AWS keys in an open
source project, I think I narrowly dodged a bullet. I didn't realize this risk
was so high. Thanks for this post!

------
dhughes
Now I'm curious, how many litecoins would it have generated in two days?

~~~
gigq
One cc2.8xlarge instance will give you 85 kH/s so 20 instances would give 1700
kH/s which only nets about $18 at current market prices / difficulty. So over
2 days he would have made off with a whopping $36.

~~~
rkuykendall-com
Writing a script that generated $38 every time somebody accidentally commits an
AWS key sounds like an amazing source of extra cash, depending on your current
income.

~~~
nisa
If he had used an altcoin that is limited by CPU like Primecoin he
could have earned around $8000 in 2 days. Not sure if my calculation is legit
though. It's based on the chains/day from the list at
[http://anty.info/primecoin-calculator/](http://anty.info/primecoin-calculator/)

Scary. I'm sure a lot of universities and servers will see an influx of hacks
for coin-mining.

------
umairsiddique
Exactly the same thing happened to me. 20 x xlarge instances racking up a total
bill of $1800. I've opened a support case with them.

~~~
TwoBit
I'm confused about this. Somebody got the OP's account number and password
because it was written down in a file he put on git?

~~~
vertis
It wasn't my password it was my access token and secret key. But it has almost
the same effect.

------
sheetjs
> Audit code before open sourcing

It's important to remember that open-sourcing is generally one-way: once it's
out there, it's impossible to completely eliminate all traces. Always audit
code, and if there's even a remote possibility that you'll regret it you
should check again.

~~~
lancefisher
I'd recommend blowing away your repository's history before open sourcing as
well.

~~~
DanWaterworth
If you decide to do this, using git replace so that you and other trusted
people can see the history, but others can't is a particularly good idea.

------
sillysaurus2
Is this illegal? Could he somehow go to some authority?

EDIT: Why is it unlikely the FBI will successfully investigate?

~~~
patio11
Ask a simple question, get a simple answer: it is obviously and unambiguously
illegal. You can certainly refer this to the FBI computer crimes folks and
your local law enforcement. It is unlikely they will successfully investigate.

~~~
rplnt
What specifically is illegal about that? Someone gave you credentials to an
online service. Now you use those credentials. What law did you break? You
probably broke the ToS/EULA/whatever, but that by itself is not illegal.

(I'm not saying otherwise, I'm asking)

~~~
freehunter
Just because you have the means to do something does not mean you have the
permission. If I drop my car key on the ground and you take it, it's still
stealing. I gave you the means (accidentally), not the permission. Especially
when using the ill-gotten item will cost me (gas, time, money).

Reminds me of the old phrase: What's the difference between hacking and
penetration testing? Permission.

~~~
rplnt
Yes, I see that difference. I also know there are laws protecting computer
systems and such. But was wondering if it could be applied to an online
service.

------
delinka
or "...with unauthorized account usage on AWS." I get that the unauthorized
use was mining, but the mining operation itself isn't unauthorized by Amazon
nor by the creator of the currency.

~~~
vertis
Sure, guess that could have been clearer. Unauthorized account usage used for
mining litecoins.

------
devonbleak
FYI all AWS keys start with AKIA - makes it easy to search for 'em.

------
judah
The author suggested enabling billing alerts. For those running on Azure,
billing alerts are currently in preview mode, and can be enabled via
[https://account.windowsazure.com/PreviewFeatures](https://account.windowsazure.com/PreviewFeatures)

------
tomphoolery
I know there are a few code-quality bots on Github, but is there any service
that you can install as a webhook which automatically checks for things like
Amazon key pairs (which, IIRC, _always_ start with "AKIA", at least the API
keys anyway)?

~~~
tlrobinson
I'm also curious if there's some utility or at least a list of regular
expressions that can be used to scan for a number of credentials, not just
AWS.
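
The question tomphoolery and tlrobinson raise here, and yeukhon's wish further up for a git plugin that warns before a real commit, come down to the same thing: a scanner over the staged diff. The following is an editor-added example, not a tool from the post or from any of the commenters. The pattern facts are real: long-term access key IDs are "AKIA" plus 16 upper-case alphanumerics (temporary STS key IDs use "ASIA"), and secret access keys are 40 characters of base64-style text. The two credentials in the constructed sample diff are the placeholders from AWS's own documentation, not live keys; the hook path, the "--staged" flag and the "secret" context heuristic are assumptions.

```python
import re
import subprocess
import sys

# Access key ID: prefix + 16 upper-case alphanumerics, not embedded in a longer
# token.  AKIA = long-term IAM/root key (the kind leaked here), ASIA = temporary.
ACCESS_KEY_RE = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret key: exactly 40 base64-style characters.  Hashes and blobs look similar,
# so (heuristic, an assumption) only lines mentioning 'secret' are checked.
SECRET_RE = re.compile(r"(?<![A-Za-z0-9/+=])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+=])")
SECRET_CONTEXT_RE = re.compile(r"secret", re.IGNORECASE)

# Constructed sample of `git diff --cached` output; keys are AWS doc placeholders.
SAMPLE_DIFF = """\
diff --git a/config/aws.yml b/config/aws.yml
new file mode 100644
--- /dev/null
+++ b/config/aws.yml
@@ -0,0 +1,4 @@
+production:
+  access_key_id: AKIAIOSFODNN7EXAMPLE
+  secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
+  bucket: example-assets
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1,2 +1,3 @@
 # demo
-Old line with AKIAIOSFODNN7EXAMPLE being removed
+Checksum: 2fd4e1c67a2d28fced849ee1bb76e7391b93eb12deadbeef
 done
"""

HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def scan_diff(diff_text):
    """Return (path, new_line_number, kind, match) for every credential on an
    added line of a unified diff.  Removed lines never reach the commit and are
    skipped, so deleting a key does not trip the scanner."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
            continue
        if raw.startswith("--- ") or raw.startswith("\\"):
            continue  # old-file header / "No newline at end of file" marker
        m = HUNK_RE.match(raw)
        if m:
            lineno = int(m.group(1))  # new-file line number of the next +/context line
            continue
        if raw.startswith("-"):
            continue
        if raw.startswith("+"):
            text = raw[1:]
            for km in ACCESS_KEY_RE.finditer(text):
                findings.append((path, lineno, "aws_access_key_id", km.group()))
            if SECRET_CONTEXT_RE.search(text):
                for sm in SECRET_RE.finditer(text):
                    findings.append((path, lineno, "aws_secret_access_key", sm.group()))
        lineno += 1  # added and context lines both advance the new file
    return findings


def staged_diff():
    """Text of what is about to be committed (what a pre-commit hook should scan)."""
    return subprocess.run(["git", "diff", "--cached", "--no-color"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # Wire as .git/hooks/pre-commit (assumed path):  exec python scan_keys.py --staged
    text = staged_diff() if "--staged" in sys.argv else SAMPLE_DIFF
    hits = scan_diff(text)
    for p, line, kind, match in hits:
        print(f"{p}:{line}: possible {kind} ({match[:4]}...); refusing to commit")
    sys.exit(1 if hits else 0)
```

Run without arguments it scans the embedded sample and reports the two placeholders in config/aws.yml (lines 2 and 3) and nothing in README.md: the removed AKIA line is ignored, and the 48-character checksum is neither 40 characters nor on a "secret" line. Extending it to other providers' credentials, as tlrobinson asks, is a matter of adding (regex, kind) pairs; the unified-diff walking stays the same. A hook like this is a guard against the accidental case only; a 40-character regex will not catch a key split across lines or base64-wrapped, and since the key is still valid the moment it leaks, rotating it is the fix, not rewriting history.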

------
billjive
How did Amazon detect your key in the wild? Or did they notice based on usage
patterns/activity in your instances?

~~~
earless1
All AWS keys I've seen start with 'AKIA'. I am assuming that they have bots
that search Github and other search engines for access keys. At that point it
is easy for them to tie them back to an account and notify the user.

~~~
vertis
They must only have started doing that recently. This project has been out in
the wild for at least a year.

~~~
enko
Well, kudos to them for doing that, at least. Of course it's awful that you
could be out ~$3k, but imagine how bad it could have been if they hadn't been
so proactive.

~~~
vertis
Yeah, it would have been another day at least before I checked Amazon again.

~~~
werner
Luke, drop me a note at werner [at] amazon with a link to the support ticket
you created, and we'll see what we can do.

~~~
sashagim
Wow, talk about customer service!

~~~
jayzalowitz
hooray AWS!

------
mnml_
Amazon will refund you if you explain your situation.

------
omarchowdhury
So are you liable?

------
smiro2000
sorry dude :(

------
badmadrad
"Having a poke around confirmed what I had already guessed. The unauthorised
user had been mining litecoin with the mining pool pool-x.eu."

Hmmm... you already guessed someone hacked your account to mine litecoin?
Astroturfing much? That's the last thing I would have guessed. I would have
thought someone was using it as some crazy web server or mail server to
generate spam or phony websites for bogus ad clicks.

~~~
vertis
_shrug_ maybe I was wrong to make that kind of assumption.

It was probably the type and quantity of instance that tipped me off a little,
having read about people trying to mine with EC2 again.

