GCP - shutdown for cryptocurrency mining?

Open jspasiuk opened this issue 4 years ago • 9 comments

Does anyone have this issue? This is the second time that Google shut down the VM created with the script:

We've detected that your Google Cloud Project Simple S (id: XXXX) IP XXXX is violating the Supplemental Terms and Conditions For Google Cloud Startup Program by engaging cryptocurrency mining, resulting in the suspension of all project resources displaying this behavior.

Any idea what is causing this?

jspasiuk avatar Feb 23 '21 17:02 jspasiuk

This is a bit eerie. I hope this repo wasn't the victim of a supply chain attack...

davesdere avatar Feb 28 '21 02:02 davesdere

I encountered this same issue as well with Google—three times in the last 24 hours.

kdavidson007 avatar Mar 26 '21 20:03 kdavidson007

More info about this issue:

This activity took place from IP add_source_ip 35.xxx.xxx.xx which contacted the following IP’s 54.37.7.208 between 2021-02-23 07:49 and 2021-02-23 08:32 (Pacific Time).

And the IP 54.37.7.208 is from https://web.xmrpool.eu/

jspasiuk avatar Mar 29 '21 01:03 jspasiuk

If they're basing mining detection on who your server connects to then any of your VPN clients could be the cause of this issue.

davidemyers avatar Mar 29 '21 20:03 davidemyers

@davidemyers In my case, I'm only using this for personal use—there are no other VPN clients. Any idea what might be causing this? It's happening repeatedly, and I'm no longer able to use GCE without it being shut down.

kdavidson007 avatar Apr 01 '21 11:04 kdavidson007

I think you need to review the software on whatever client you're using to see if you can find an application that's behaving unexpectedly.

If you deployed your AlgoVPN with ad blocking enabled you can try putting the suspect domain name in /etc/dnscrypt-proxy/black.list, then running sudo /usr/local/sbin/adblock.sh.

If you didn't deploy with ad blocking, you can try editing /etc/dnscrypt-proxy/dnscrypt-proxy.toml and using the [blacklist] feature to block the suspect domain.

Or you can give up on GCE and try another provider.

davidemyers avatar Apr 01 '21 12:04 davidemyers
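
Added example, not part of the thread or of the Algo project: one way to tell whether connections to the reported IP were forwarded for a VPN client or made by the server itself, which bears on both the supply-chain concern and the VPN-client explanation raised above. It parses text in the format printed by `conntrack -L` and assumes the server NATs client traffic; the sample lines, every address other than 54.37.7.208, and the ports are constructed.

```python
# Added example: attribute conntrack flows to a reported IP.
# Input format is that of `conntrack -L`; the sample lines are constructed.
import re
from collections import defaultdict

REPORTED_IP = "54.37.7.208"  # destination quoted in the notice in this thread

# Constructed sample; every address except REPORTED_IP is made up.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=10.49.0.2 dst=54.37.7.208 sport=51234 dport=3333 src=54.37.7.208 dst=10.128.0.5 sport=3333 dport=51234 [ASSURED] mark=0 use=1
tcp      6 86 TIME_WAIT src=10.49.0.3 dst=93.184.216.34 sport=40100 dport=443 src=93.184.216.34 dst=10.128.0.5 sport=443 dport=40100 [ASSURED] mark=0 use=1
udp      17 25 src=10.128.0.5 dst=169.254.169.254 sport=38211 dport=53 src=169.254.169.254 dst=10.128.0.5 sport=53 dport=38211 mark=0 use=1
tcp      6 431800 ESTABLISHED src=10.49.0.2 dst=54.37.7.208 sport=51240 dport=3333 src=54.37.7.208 dst=10.128.0.5 sport=3333 dport=51240 [ASSURED] mark=0 use=1
"""

PAIR = re.compile(r"\b(src|dst|sport|dport)=(\S+)")

def parse_flow(line):
    """Return (original, reply) tuples as dicts, or None if incomplete."""
    fields = PAIR.findall(line)
    if len(fields) < 8:
        return None  # ICMP entries and truncated lines carry no ports
    return dict(fields[:4]), dict(fields[4:8])

def attribute(text, reported_ip=REPORTED_IP):
    """Map each source that contacted reported_ip to origin, ports, count."""
    hits = defaultdict(lambda: {"origin": None, "dports": set(), "flows": 0})
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow is None or flow[0]["dst"] != reported_ip:
            continue
        orig, reply = flow
        # A reply addressed to something other than the original source means
        # the server NATed the flow, i.e. it forwarded it for a VPN client.
        entry = hits[orig["src"]]
        entry["origin"] = "vpn-client" if orig["src"] != reply["dst"] else "server"
        entry["dports"].add(int(orig["dport"]))
        entry["flows"] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, info in attribute(SAMPLE).items():
        print(src, info["origin"], sorted(info["dports"]), info["flows"])
```

On a live server the input would be the output of `sudo conntrack -L` (from conntrack-tools) captured while the traffic is occurring. A `server` origin points at the VM itself, while a `vpn-client` origin points at the device holding that tunnel address.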

You might ask Google directly about this. They might help you. Please let us know here. Thanks. I do not have this issue in a Google Cloud or DigitalOcean instance by the way.

Jean-Cote avatar Aug 02 '21 21:08 Jean-Cote

Same here. Google closed my whole project.

magicknight avatar Jul 12 '23 14:07 magicknight