Error log homeassistant.log someone is trying to do mining ?!

Hi all,

I’ve just seen these error logs in my homeassistant.log:

2024-02-25 00:32:21.331 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"method":"login","params":{"login":"45JymPWP1DeQxxMZNJv9w2bTQ2WJDAmw18wUSryDQa3RPrympJPoUSVcFEDv3bhiMJGWaCD4a3KrFCorJHCMqXJUKApSKDV","pass":"xxoo","agent":"xmr-stak-cpu/1.3.0-1.5.0"},"id":1}\n'
      ^
2024-02-25 00:32:23.359 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"id":1,"method":"mining.subscribe","params":[]}\n'
      ^
2024-02-25 00:32:24.498 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"params": ["miner1", "password"], "id": 2, "method": "mining.authorize"}\n'
      ^
2024-02-25 00:32:25.661 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"blue1","pass":"x","agent":"Windows NT 6.1; Win64; x64"}}\n'
      ^
2024-02-25 00:32:28.769 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"params": ["miner1", "bf", "00000001", "504e86ed", "b2957c02"], "id": 4, "method": "mining.submit"}\n'
      ^
2024-02-25 00:32:32.616 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"x","pass":"null","agent":"XMRig/5.13.1","algo":["cn/1","cn/2","cn/r","cn/fast","cn/half","cn/xao","cn/rto","cn/rwz","cn/zls","cn/double","rx/0","rx/wow","rx/loki","rx/arq","rx/sfx","rx/keva"]}}\n'
      ^
2024-02-25 01:25:33.407 ERROR (MainThread) [aiohttp.server] Error handling request
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/aiohttp/web_protocol.py", line 350, in data_received
    messages, upgraded, tail = self._request_parser.feed_data(data)
                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "aiohttp/_http_parser.pyx", line 557, in aiohttp._http_parser.HttpParser.feed_data
aiohttp.http_exceptions.BadHttpMessage: 400, message:
  Pause on PRI/Upgrade:

    b''
      ^

And I’m seeing these methods called:
mining.subscribe
mining.authorize
mining.submit

Obviously I don’t have any integrations whatsoever on my Home Assistant configuration for mining, or anything for cryptocurrency.

Could it be some integration, addon or HACS addon that wants to do some mining on my minipc? How can I find something about this stuff?

Thanks to all!

Not one to fall for FUD, but it seems you are infected, indeed.

As it’s in the HA log, I’d say it’s not coming from an addon but an integration.
I’d first suspect integrations you would have installed manually. Do you have some and what are they?
Lastly, I’d check whatever you installed from HACS. Once an integration has been “accepted” in HACS, there is no further control on what the developer could push in an upgrade.

To check what custom integration you have installed, look at the /config/custom_components directory.

Thanks for the kind reply!

So you think that I can search for “mining” in all files under /config/custom_components ? These are the directories under that path:

alarmo
alexa_media
browser_mod
custom_templates
hacs
midea_ac_lan
skyq
spotcast
ui_lovelace_minimalist
webrtc

Can I see all the code for this stuff on my HA installation or is it not possible? I think they are quite basic components.

Yes

Yes. In the terminal addon:

cd /config/custom_components
grep -r "mining" * > ../mining.find

and post the resulting /config/mining.find file to, e.g., pastebin for analysis

Be aware that even if you cannot find the mining text in your custom integrations it doesn’t mean that a certain integration could expose a vulnerability that allows an attacker to exploit it.

To help with the search, looking at some of your logs, the attack is using the stratum-protocol.

Are you on Docker or Container?

I remembered seeing this on Reddit a bit back.

https://www.reddit.com/r/homeassistant/comments/160um27/i_found_a_cryptocurrency_miner_in_my/

Sorry which other logs? First time that I have to look at logs so I don’t know other logs other than homeassistant.log

Thanks :wink:

You are fine.

Someone is having a mining application and pointed it at your Home Assistant instance to login. As Home Assistant doesn’t speak the mining protocol, it logs an error and doesn’t process it.

We should make sure the error gets logged with some extra context.

6 Likes
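An added triage example (not part of the original thread, and not Home Assistant code): it reads `[aiohttp.server]` error entries like the ones quoted above, decodes the rejected request bytes, and lists those that carry miner JSON-RPC, which confirms they are inbound requests the HTTP parser refused with a 400. The sample log is constructed with tracebacks omitted and the wallet replaced by a placeholder; the names `triage`, `ENTRY`, `PAYLOAD` and `STRATUM_METHODS` are assumptions of this example.

```python
import ast
import json
import re

# Constructed sample in the shape of the log quoted in this thread.
SAMPLE_LOG = r'''2024-02-25 00:32:21.331 ERROR (MainThread) [aiohttp.server] Error handling request
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"method":"login","params":{"login":"WALLET_PLACEHOLDER","pass":"x","agent":"XMRig/5.13.1"},"id":1}\n'
      ^
2024-02-25 00:32:23.359 ERROR (MainThread) [aiohttp.server] Error handling request
aiohttp.http_exceptions.BadStatusLine: 400, message:
  Invalid method encountered:

    b'{"id":1,"method":"mining.subscribe","params":[]}\n'
      ^
2024-02-25 01:25:33.407 ERROR (MainThread) [aiohttp.server] Error handling request
aiohttp.http_exceptions.BadHttpMessage: 400, message:
  Pause on PRI/Upgrade:

    b''
      ^
'''

# Header of each server-side error entry, and the bytes literal the parser rejected.
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ERROR \(\w+\) \[aiohttp\.server\]", re.M)
PAYLOAD = re.compile(r"Invalid method encountered:\s+(b'.*')")
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit"}

def triage(log_text):
    """Return one finding per rejected inbound request that carried miner JSON-RPC."""
    findings, heads = [], list(ENTRY.finditer(log_text))
    for i, head in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(log_text)
        payload = PAYLOAD.search(log_text, head.end(), end)
        if not payload:
            continue  # a different parser error, e.g. "Pause on PRI/Upgrade"
        try:
            msg = json.loads(ast.literal_eval(payload.group(1)))
        except (ValueError, SyntaxError):
            continue  # rejected bytes were not JSON: some other malformed request
        if not isinstance(msg, dict):
            continue
        params = msg.get("params")
        agent = params.get("agent") if isinstance(params, dict) else None
        if msg.get("method") in STRATUM_METHODS or (msg.get("method") == "login" and agent):
            findings.append({"time": head.group(1), "method": msg["method"], "agent": agent})
    return findings
```

Calling `triage()` on the text of homeassistant.log gives the timestamp, method and client-reported agent of each rejected miner request, which can then be matched against reverse-proxy or router logs to see where the connections came from.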

I have Home Assistant OS.

That’s a bit scarier. Port forwarding enabled?

Ah cool. Not obvious it’s the server side throwing errors, indeed.

@SaintTDI Please mark balloob’s answer as the correct one for anyone stumbling on this thread in the future.

Ah ok! Thank you so much! :wink:

Can I do anything to block it?

It seems that is what is happening already, the call is being blocked/rejected, but it is being logged to make you aware of it :slight_smile:

I was referring to the homeassistant log :slight_smile: