[cfarm-users] Compile Farm acceptable usage

Jacob Bachmeyer jcb62281 at gmail.com
Mon Dec 30 06:55:32 CET 2024


On 12/29/24 19:51, Zach van Rijn via cfarm-users wrote:
> Dear CFarm User,
>
>
> It has come to our attention that Compile Farm resources have
> (in general) been abused in pursuit of cryptocurrency mining.

Was this one incident or multiple incidents?  By the same user or 
multiple accounts?  Long-standing or new accounts?

Can you say which hosts were abused in this way?  A first guess would be 
that they went for the larger x86 nodes, but I would like more details. 
This could be a concerning development or just another day on the Internet.

> [...]
>
> We understand that, occasionally, an account may be compromised
> (which means one's private key is compromised), and that such
> use may not be intentional. We will therefore investigate and
> decide how to proceed, starting with immediate account lockdown.

The only possible excuse would be that the user's private SSH key had 
been stolen. I certainly hope the implicated user(s) are innocent and 
would be willing to come forward.  Figuring out how their keys were 
stolen might help the rest of us protect ourselves better.

(Unless the victim had the worst security practices in the group, there 
are others who could benefit from the same lessons.)

That the keys were stolen *should* be obvious from the sshd logs:  the 
miners would have been started from a different IP block than the 
legitimate user uses ... unless the theft was indirect (malware gaining 
access to an unlocked SSH agent somehow) and the illicit access was 
relayed through the legitimate user's machine.

> As a general reminder, please do not perform any sensitive tasks
> on CFarm machines; these machines are not considered secure. We
> provide (with the generous help of various administrators around
> the world) a service to make machines available for use, with no
> guarantee of privacy or security.

If this was not simply a matter of crooks talking their way into compile 
farm accounts, I am very concerned because this means security 
assessments involving "that machine is not interesting" need to be 
reevaluated if the crooks are now looking to steal any scrap of CPU time 
that they can.

(I have lost count of the number of times I have been told not to worry 
about a machine because it holds nothing of value.)


-- Jacob
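
The sshd-log check described in the message above, sketched as an added example (not part of the original post and not CFarm's own tooling): it reads OpenSSH "Accepted publickey" lines and flags a key that starts logging in from a network outside the ones it normally uses. The /24 and /48 grouping, the three-login baseline, and all log lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in OpenSSH's "Accepted publickey" log format; the users,
# documentation-range addresses and fingerprints are made up.
SAMPLE_LOG = """\
Dec 20 09:14:02 farm1 sshd[2101]: Accepted publickey for alice from 192.0.2.17 port 50122 ssh2: ED25519 SHA256:CONSTRUCTEDalice
Dec 21 10:02:44 farm1 sshd[2290]: Accepted publickey for alice from 192.0.2.40 port 50311 ssh2: ED25519 SHA256:CONSTRUCTEDalice
Dec 22 08:55:10 farm1 sshd[2417]: Accepted publickey for alice from 192.0.2.17 port 50764 ssh2: ED25519 SHA256:CONSTRUCTEDalice
Dec 22 11:30:09 farm1 sshd[2502]: Accepted publickey for bob from 198.51.100.5 port 41000 ssh2: RSA SHA256:CONSTRUCTEDbob
Dec 27 03:12:51 farm1 sshd[3055]: Accepted publickey for alice from 203.0.113.9 port 33810 ssh2: ED25519 SHA256:CONSTRUCTEDalice
Dec 27 03:40:00 farm1 sshd[3061]: Failed password for invalid user admin from 203.0.113.9 port 33999 ssh2
Dec 28 09:01:13 farm1 sshd[3190]: Accepted publickey for alice from 192.0.2.17 port 51002 ssh2: ED25519 SHA256:CONSTRUCTEDalice
Dec 28 23:47:30 farm1 sshd[3342]: Accepted publickey for alice from 203.0.113.77 port 34120 ssh2: ED25519 SHA256:CONSTRUCTEDalice
"""

ACCEPT_RE = re.compile(
    r"Accepted publickey for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2: "
    r"\S+ (?P<fp>SHA256:\S+)")

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to the enclosing network (prefix lengths are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def flag_new_networks(log_text, baseline_logins=3):
    """Flag logins whose key is used from a network absent from its baseline."""
    seen = defaultdict(set)    # (user, fingerprint) -> networks in baseline
    logins = defaultdict(int)  # (user, fingerprint) -> logins so far
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        key, net = (m["user"], m["fp"]), network_of(m["ip"])
        if logins[key] < baseline_logins:
            seen[key].add(net)  # still learning this key's usual networks
        elif net not in seen[key]:
            alerts.append((m["user"], m["ip"], str(net)))
        logins[key] += 1
    return alerts

if __name__ == "__main__":
    for user, ip, net in flag_new_networks(SAMPLE_LOG):
        print(f"{user}: key used from {ip} ({net}), outside baseline")
```

Access relayed through the legitimate user's own machine arrives from a baseline network, so this check stays silent in exactly the indirect-theft case the message describes.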
