Topic: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded - page 2. (Read 8489 times)

newbie
Activity: 11
Merit: 0
Good luck. By the way, how did that hacker know you had funds on that PC? I mean, it's not like some genie told him, "Hack this PC and you will get a lot of money." There must have been some kind of leak (relay IP or something?), or someone else knew that you have bitcoins on your PC.

I think they found it via some random port scans, perhaps. There are other indications it may have been scanned as part of a list of Bitcoin daemons that were online or relay nodes, yes, but that's harder to determine. Looking at the attack pattern once they found a way to get through, they were browsing around and seem to have possibly taken all the coins as a sudden opportunity, and maybe not the original goal. It appears they did a little more looking around on the filesystem after they transferred the coins. They never actually stole the wallet itself, as far as I can tell, though I'm still reviewing traffic flows.

I'm hoping the person has some sort of conscience in all this and returns them, which would be ideal, but in reality, the traces left behind seem very amateur.

And no, not running Java as a browser plugin or anything. The compromised system isn't used as a desktop.
legendary
Activity: 1274
Merit: 1004

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though, I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.

Good luck. By the way, how did that hacker know you had funds on that PC? I mean, it's not like some genie told him, "Hack this PC and you will get a lot of money." There must have been some kind of leak (relay IP or something?), or someone else knew that you have bitcoins on your PC.

Also, were you running Java on your PC and in your browser?
legendary
Activity: 2212
Merit: 1199
Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

Perhaps some malware, a keylogger, or other stuff like that.
member
Activity: 67
Merit: 10
I like gambling.
newbie
Activity: 11
Merit: 0
Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.
member
Activity: 73
Merit: 10
Were the wallets password protected?
newbie
Activity: 11
Merit: 0
Why were you even holding that 100+ BTC and 7000+ BTC on a server/PC?
You can file a police report and ask perfect-privacy to provide the real IP address of that user.

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though, I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.
legendary
Activity: 1274
Merit: 1004
Why were you even holding that 100+ BTC and 7000+ BTC on a server/PC?
You can file a police report and ask perfect-privacy to provide the real IP address of that user.
sr. member
Activity: 266
Merit: 250
Why are you bothering yourself? Keep logs and go to the police; they work with Interpol to detect hackers.
newbie
Activity: 11
Merit: 0
It wasn't an exploit, but theft nonetheless. The attacker used the ElasticSearch API to create a 'dynamic script' inside the search software, which is capable of running any shell commands, etc. the attacker wants. This is in fact a feature of ElasticSearch, though one for which they don't show an example of disabling in the configurations. So, it looks like the software ships with a gaping security hole for anyone to walk into (and one has to search the documentation to find that this feature even exists).

By using this API, they were able to connect to the Bitcoin and Litecoin daemons and transfer all the coins off the server. Running this dynamic script inside ElasticSearch puts results of the commands into the search index, and the only identifier in there of what the initial request may have been is a field called "counte" (which then has results of the command), and I've looked around to see if this field shows up in any examples, but it doesn't, meaning the code itself is slightly unique (and someone somewhere knows who wrote it and who uses it).

The Perfect Privacy thing I noticed, where they also do state an AUP limiting illegal activities, so I'm trying to contact them for any assistance.

For where I got the information, it's all first hand. All connection flow to/from the servers are logged, so the IPs and so forth were gathered from those connection logs, associated web server logs, etc.
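As an added example (not code from this thread or from ElasticSearch), here is detection logic a defender could run over connection/request logs and index contents for the pattern this post describes: flag any request body carrying a dynamic script, flag the subset that references JVM process-execution classes, and find indexed documents carrying the "counte" output field the post names. The tab-separated log format, the sample entries and the sample documents are constructed for the example.

```python
"""Detection helpers for the ElasticSearch dynamic-scripting abuse described in the thread.
Added example, not the thread's own code. Log lines and documents are constructed;
the "counte" field name is the indicator the post reports."""
import json
import re

# Class and method names a search script has no business referencing.
SHELL_PATTERNS = re.compile(r"java\.lang\.Runtime|ProcessBuilder|\.exec\(", re.I)

def find_script_keys(node):
    """Recursively yield every string value stored under a key named 'script'."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "script" and isinstance(value, str):
                yield value
            else:
                yield from find_script_keys(value)
    elif isinstance(node, list):
        for item in node:
            yield from find_script_keys(item)

def classify_request(body):
    """Return 'clean', 'dynamic-script' or 'shell-exec' for one JSON request body."""
    try:
        doc = json.loads(body)
    except ValueError:
        return "clean"  # non-JSON bodies carry no script block
    scripts = list(find_script_keys(doc))
    if not scripts:
        return "clean"
    if any(SHELL_PATTERNS.search(s) for s in scripts):
        return "shell-exec"
    return "dynamic-script"

def scan_log(lines):
    """Parse constructed 'IP<TAB>METHOD<TAB>PATH<TAB>BODY' lines; return flagged (ip, path, verdict)."""
    flagged = []
    for line in lines:
        ip, _method, path, body = line.rstrip("\n").split("\t", 3)
        verdict = classify_request(body)
        if verdict != "clean":
            flagged.append((ip, path, verdict))
    return flagged

def has_counte_field(documents):
    """Return _ids of indexed documents carrying the attacker's 'counte' output field."""
    return [d["_id"] for d in documents if "counte" in d.get("_source", {})]

# Constructed sample data (not taken from the thread's logs).
SAMPLE_LOG = [
    "10.0.0.5\tGET\t/_search\t" + json.dumps({"query": {"match_all": {}}}),
    "10.0.0.7\tPOST\t/_search\t" + json.dumps({"script_fields": {"x": {"script": "doc['price'].value * 2"}}}),
    "192.0.2.9\tPOST\t/_search\t" + json.dumps({"script_fields": {"counte": {"script": "java.lang.Runtime"}}}),
]
SAMPLE_DOCS = [
    {"_id": "1", "_source": {"title": "hello"}},
    {"_id": "2", "_source": {"counte": "command output here"}},
]
```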
newbie
Activity: 36
Merit: 0
I'm a little unclear on what vulnerability was exploited to gain access to your wallet. Please keep us updated with details as you uncover them, you never know what might lead to the perp. The notable IP above appears to be a VPN endpoint for perfect-privacy.org, so it's probably not going to be much help.

newbie
Activity: 11
Merit: 0
Hi all,

On February 18th at 20:46 UTC, an attacker used the dynamic scripting function of an ElasticSearch instance to steal 149.34 BTC and 7397 LTC from my computer. I'm looking for any assistance in finding/locating the coins/attacker, and also want to inform the community that if they receive coins from 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjvin, they are likely my stolen coins.

All the Bitcoin was sent to 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjvin in one lump. Since it was stolen on Tuesday, it hasn't moved anywhere else yet. This makes me slightly hopeful it will be returned to me.

The transaction was bf22138b74c3b3528410126ac41f821f71e065a5b0e3a6d819df30f120fda3c4.

The Litecoin was taken in chunks, but it all went to the Litecoin address Li5k5sYdyWD5gDR9TkaU5vk6tDB63XdQRw under a few transactions. There is one other transaction in that Litecoin account (26.846 LTC) which is unrelated to my coins, but may be useful in tracking down the one who stole mine.

The attacker showed up to ElasticSearch from the following IPs:


It seems the 93.114.45.194 IP was fairly central to the attack, since it was the IP the nmap and other intrusion tests were done from, while the actual attack went via the IPs above (mostly seem to be Tor). This may have been a targeted attack, but I'm still investigating all the evidence left behind. The elasticsearch script was using a variable called "counte", which would be found in the exploit software's methods.

It's also clear this was done manually by a human, and not via an automated bot/botnet to do the actual theft.

Any further assistance with this would be appreciated, and anything that leads to a return of coins will be rewarded. Unfortunately, the stolen coins were being used to pay for the ongoing web services like pastebin.ca, so without the return, the group of sites will likely have to shut down.

Thanks.