
Topic: About the recent server compromise - page 12. (Read 15385 times)

legendary
Activity: 3346
Merit: 3130
May 25, 2015, 10:21:46 AM
#28
It's great to have the forum back again, thx theymos.

The attack was weird because in the end we don't know how he got access to the KVM...

I will give here some possible scenarios.

* Forum admins joined the forum from an insecure point and the forum was compromised.
* The attacker was on the same modem as the admins and made a man-in-the-middle attack.
* The attacker hacked the ISP before hacking the forum.
* There is a 0-day that only the attacker knows about.

And maybe all those points are wrong... I think if we don't find the source of the problem, it is not fixed yet.
sr. member
Activity: 268
Merit: 258
May 25, 2015, 10:18:00 AM
#27
The tweet for those who didn't follow the link:
Quote
@bitcointalk Non-authoritative answer:
Name: http://bitcointalk.org
Address: 186.2.165.183 : this means attackers use DNS Poisoning ...
According to the OP, Theymos changed from his previous host NForce to another host because of suspicious activity. This would explain the IP change.

Edit: Found the quote:
Quote
To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.
sr. member
Activity: 268
Merit: 258
May 25, 2015, 10:15:40 AM
#26
The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
[email protected]

Seems like a Tor IP. Did he mail you anything? If yes, may we get to know the content?
What are you talking about? Neither IP address shows up as a tor exit node.
That list is the most recent list of exit nodes, which updates every hour. I would suggest looking here: https://collector.torproject.org/formats.html#exit-lists for archived lists from the past few days to see if one of the IPs was an exit when the attack occurred.
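The archived exit lists linked above are plain text in the TorDNSEL format (ExitNode / Published / LastStatus / ExitAddress lines). The following is an added example, not code from the thread: it parses that format and reports whether an IP was seen as an exit within a window around a given time. The exit list, fingerprints and incident time below are constructed; the two IPs from the post are used only as lookups.

```python
"""Check whether an IP appeared as a Tor exit in an archived TorDNSEL
exit list.  Added example; the list below is constructed, not real data."""
from datetime import datetime, timedelta

# Constructed sample in TorDNSEL exit-list format.  Fingerprints are fake
# and the exit IPs come from the documentation ranges 198.51.100.0/24 and
# 203.0.113.0/24.
SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2015-05-22 01:30:00
LastStatus 2015-05-22 02:00:00
ExitAddress 198.51.100.7 2015-05-22 02:10:00
ExitNode 0000000000000000000000000000000000000002
Published 2015-05-22 01:45:00
LastStatus 2015-05-22 02:00:00
ExitAddress 203.0.113.5 2015-05-22 02:12:00
ExitAddress 203.0.113.6 2015-05-22 02:12:30
"""

FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_list(text):
    """Yield (fingerprint, exit_ip, tested_at) for every ExitAddress line.
    A relay may list several exit addresses, so the current ExitNode
    fingerprint is carried forward until the next ExitNode line."""
    fingerprint = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint:
            tested_at = datetime.strptime(parts[2] + " " + parts[3], FMT)
            yield fingerprint, parts[1], tested_at


def exits_for_ip(text, ip, at, window_hours=2):
    """Return sorted fingerprints of relays seen exiting from `ip` within
    `window_hours` of the time `at` ("YYYY-MM-DD HH:MM:SS").  Lists are
    regenerated hourly, so the slack covers the gap between scans."""
    when = datetime.strptime(at, FMT)
    window = timedelta(hours=window_hours)
    return sorted({fp for fp, exit_ip, tested in parse_exit_list(text)
                   if exit_ip == ip and abs(tested - when) <= window})


if __name__ == "__main__":
    incident = "2015-05-22 03:00:00"  # constructed incident time
    for candidate in ("37.48.77.227", "66.172.27.160", "198.51.100.7"):
        hits = exits_for_ip(SAMPLE_EXIT_LIST, candidate, incident)
        print(candidate, "Tor exit" if hits else "not an exit", hits)
```

Run it against a real archived list covering the attack window; an IP absent from every list in that window is evidence it was not a Tor exit, not proof of the attacker's origin.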
full member
Activity: 238
Merit: 100
legendary
Activity: 910
Merit: 1000
May 25, 2015, 10:14:57 AM
#24
Thanks theymos & bitcointalk staff for getting the forum back online.

Hope you get the m@therf@ckers and make them pay. In any way.
legendary
Activity: 1666
Merit: 1185
dogiecoin.com
May 25, 2015, 10:14:28 AM
#23
Passwords and secret questions can be changed here: https://bitcointalk.org/index.php?action=profile;sa=account.

Also
1) Is there any information on what the additional suspicion was?
2) Was there any content / PM rollbacks?
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
May 25, 2015, 10:12:44 AM
#22
Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Caribbean Island retirement pot?
Wallet transactions etc?

We all wish there were.
copper member
Activity: 2996
Merit: 2374
May 25, 2015, 10:12:39 AM
#21
I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cache of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
What was the message of the email, since I can't find any email from Bitcointalk or Theymos?
Quote from: theymos via email
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
 - Email address
 - Password hash
 - Last-used IP address and registration IP address
 - Secret question and a basic (not brute-force-resistant) hash of your
 secret answer
 - Various settings

You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".

If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.

Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.

While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.

I apologize for the inconvenience and for any trouble that this may cause.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlVhiGIACgkQxlVWk9q1keeUmgEAhGi8pTghxISo1feeXkUMhW3a
uKxLeOOkTQR5Zh7aGKoBAMEvYsGEBGt3hzInIh+k43XJjGYywSiPAal1KI7Arfs0
=bvuI
-----END PGP SIGNATURE-----
donator
Activity: 2352
Merit: 1060
between a rock and a block!
May 25, 2015, 10:10:18 AM
#20
The number of security breaches is unacceptable... It's now a joke, theymos...
legendary
Activity: 3556
Merit: 9709
#1 VIP Crypto Casino
May 25, 2015, 10:09:57 AM
#19
Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Caribbean Island retirement pot?
Wallet transactions etc?
sr. member
Activity: 268
Merit: 258
May 25, 2015, 10:08:59 AM
#18
I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cache of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
What was the message of the email, since I can't find any email from Bitcointalk or Theymos?
legendary
Activity: 2072
Merit: 1049
┴puoʎǝq ʞool┴
May 25, 2015, 10:08:49 AM
#17
Launch the new forum Theymos, come on! We were supposed to see something concrete by the end of February... It's been 3 months!
copper member
Activity: 2996
Merit: 2374
May 25, 2015, 10:07:25 AM
#16
The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
[email protected]

Seems like a Tor IP. Did he mail you anything? If yes, may we get to know the content?
What are you talking about? Neither IP address shows up as a tor exit node.

66.172.27.160 has very little information on its WHOIS, however the company Cyberverse, Inc. does show up and their website does show both colocation and cloud services offered by them. It appears that only credit card payments are accepted (more importantly bitcoin does not appear to be accepted), so there is a good chance that (assuming that a similar attack was not launched against them) this could be a lead.

edit: it appears that ChunkHost also shows up in the above WHOIS and according to their blog, it appears they accept Bitcoin. Their website is also not less professional than Cyberverse so it is possible they simply are hosted by Cyberverse and the attacker was using ChunkHost :/
legendary
Activity: 1022
Merit: 1000
May 25, 2015, 10:07:18 AM
#15
First and foremost thanks for the forum, it is unfortunate that it has become such a target.

Second, thanks for laying all this out. I especially appreciate the table of how long it takes to crack our passwords. I have to admit, I'm a little shocked at how easy they are to crack.

Good luck to you!
legendary
Activity: 1401
Merit: 1008
northern exposure
May 25, 2015, 10:04:45 AM
#14
Thank you Theymos & Staff for your hard work!!

I already changed my password, just in case ;)


You got a lot done for only a few days of down time. Have you slept yet?

jaja, I hope so. btw, before sleep, drink some beer ;)
legendary
Activity: 975
Merit: 1003
May 25, 2015, 10:02:36 AM
#13
so where is our update on Twitter that "all is fine"?!
Prove that you are the real Theymos?
NO update on Twitter or Reddit.
We assume that you are a fake theymos.
Nicely done hacking, man!
It's ok, don't worry. We have spoken with the "real" one.
full member
Activity: 238
Merit: 100
May 25, 2015, 10:00:29 AM
#12
so where is our update on Twitter that "all is fine"?!
Prove that you are the real Theymos?
NO update on Twitter or Reddit.
We assume that you are a fake theymos.
Nicely done hacking, man!
copper member
Activity: 2996
Merit: 2374
May 25, 2015, 10:00:04 AM
#11
so where is our update on Twitter that "all is fine"?!
Prove that you are the real Theymos?
I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cache of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this

edit: it appears that theymos has changed the HTTPS keys and GPG signed the new keys earlier today.

Quote
gpg: Signature made Mon May 25 10:53:03 2015 EDT using DSA key ID DAB591E7
gpg: Good signature from "Michael Marquardt "
gpg:                 aka "theymos "
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5E6B 3F3B A961 193C 5C9B  4435 C655 5693 DAB5 91E7
sr. member
Activity: 728
Merit: 256
May 25, 2015, 09:58:22 AM
#10
The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
[email protected]

Seems like a Tor IP. Did he mail you anything? If yes, may we get to know the content?
hero member
Activity: 938
Merit: 1000
May 25, 2015, 09:56:21 AM
#9
Thank you Theymos for your hard work :)
Hope it's not going down again for a long time. This is the longest downtime I know of since I registered here last year.
cmiiw