Is great to have the forum back again thx theymos.
The attack was weird because at last we don't know how he got access to the KVM...
I will give here some possible scenarios.
*Forum admins join to the forum from an insecure point and the forum was compromised.
*Attacker was on the same modem with admins and make a Man in the middle attack.
*Attacker hack the ISP provider before hack the forum.
*There is a 0 day what only the attacker know.
And maybe all that points are wrong... I think if we don't find the source of the problem, it is not fixed yet.
Topic: About the recent server compromise - page 12. (Read 15325 times)
The tweet for those who didn't follow the link:
Edit: Found the quote:
Quote
@bitcointalk Non-authoritative answer:
Name: http://bitcointalk.org
Address: 186.2.165.183 : this means attackers use DNS Poisoning ...
According to the OP, Theymos changed from his previous host NForce to another host because of suspicious activity. This would explain the IP change.Name: http://bitcointalk.org
Address: 186.2.165.183 : this means attackers use DNS Poisoning ...
Edit: Found the quote:
Quote
To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.
Seems Tor IP. Did he mail you anything ? If yes, may we get to know the content ?
Thanks theymos & bitcointalk stuff for getting the forum back online.
Hope you get the m@therf@ckers and make them pay. In any way.
Hope you get the m@therf@ckers and make them pay. In any way.
Passwords and secret questions can be changed here: https://bitcointalk.org/index.php?action=profile;sa=account.
Also
1) Is there any information on what the additional suspicion was?
2) Was there any content / PM rollbacks?
Also
1) Is there any information on what the additional suspicion was?
2) Was there any content / PM rollbacks?
Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?
We all wish there were.
]I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cashe of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.
I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
What was the message of the email, since I can't find any email from Bitcointalk or Theymos. I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
Quote from: theymos via email
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
- Email address
- Password hash
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your
secret answer
- Various settings
You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".
If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.
Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.
While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.
I apologize for the inconvenience and for any trouble that this may cause.
-----BEGIN PGP SIGNATURE-----
iF4EAREIAAYFAlVhiGIACgkQxlVWk9q1keeUmgEAhGi8pTghxISo1feeXkUMhW3a
uKxLeOOkTQR5Zh7aGKoBAMEvYsGEBGt3hzInIh+k43XJjGYywSiPAal1KI7Arfs0
=bvuI
-----END PGP SIGNATURE-----
Hash: SHA256
You are receiving this message because your email address is associated
with an account on bitcointalk.org. I regret to have to inform you that
some information about your account was obtained by an attacker who
successfully compromised the bitcointalk.org server. The following
information about your account was likely leaked:
- Email address
- Password hash
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your
secret answer
- Various settings
You should immediately change your forum password and delete or change
your secret question. To do this, log into the forum, click "profile",
and then go to "account related settings".
If you used the same password on bitcointalk.org as on other sites, then
you should also immediately change your password on those other sites.
Also, if you had a secret question set, then you should assume that the
attacker now knows the answer to your secret question.
Your password was salted and hashed using sha256crypt with 7500 rounds.
This will slow down anyone trying to recover your password, but it will
not completely prevent it unless your password was extremely strong.
While nothing can ever be ruled out in these sorts of situations, I do
not believe that the attacker was able to collect any forum personal
messages.
I apologize for the inconvenience and for any trouble that this may cause.
-----BEGIN PGP SIGNATURE-----
iF4EAREIAAYFAlVhiGIACgkQxlVWk9q1keeUmgEAhGi8pTghxISo1feeXkUMhW3a
uKxLeOOkTQR5Zh7aGKoBAMEvYsGEBGt3hzInIh+k43XJjGYywSiPAal1KI7Arfs0
=bvuI
-----END PGP SIGNATURE-----
The number of security breaches is unacceptable... It's now a joke theymos...
Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?
]I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cashe of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.
I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
What was the message of the email, since I can't find any email from Bitcointalk or Theymos. I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
Launch the new forum Theymos, come on! We were supposed to see something concrete by the end of February.. It's been 3 months!
Seems Tor IP. Did he mail you anything ? If yes, may we get to know the content ?
66.172.27.160 has very little information on it's WHOIS, however the company Cyberverse, Inc. does show up and their website does show both colocation and cloud services offered by them. It appears that only credit card payments are accepted (more importantly bitcoin does not appear to be accepted), so there is a good chance that (assuming that a similar attack was not launched against them) this could be a lead.
edit: it appears that ChunkHost also shows up in the above WHOIS and according to their blog, it appears they accept Bitcoin. Their website is also not less professional then Cyberverse so it is possible they simply are hosted by Cyberverse and the attacker was using ChunkHost :/
First and foremost thanks for the forum, it is unfortunate that it has become such a target.
Second, thanks for laying all this out. I especially appreciate the table of how long to crack our passwords. I have to admit, I'm a little shocked at how easy they are to crack.
Good luck to you!
Second, thanks for laying all this out. I especially appreciate the table of how long to crack our passwords. I have to admit, I'm a little shocked at how easy they are to crack.
Good luck to you!
Thank you Theymos&Staff for your hard work!!
i already change my password, just in case
jaja i hope so, btw before sleep, drink some beer
i already change my password, just in case
You got a lot done for only a few days of down time. Have you slept yet?
jaja i hope so, btw before sleep, drink some beer
so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?
NO update on Twitter or Reddit.Prove that you are real Theymos ?
We assume that you are fake theymos.
Nice done hacking man !
so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?
NO update on Twitter or Reddit.Prove that you are real Theymos ?
We assume that you are fake theymos.
Nice done hacking man !
so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?
I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cashe of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless. Prove that you are real Theymos ?
I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
edit: it appears that theymos has changed the HTTPS keys and GPG signed the new keys earlier today.
Quote
gpg: Signature made Mon May 25 10:53:03 2015 EDT using DSA key ID DAB591E7
gpg: Good signature from "Michael Marquardt"
gpg: aka "theymos"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5E6B 3F3B A961 193C 5C9B 4435 C655 5693 DAB5 91E7
gpg: Good signature from "Michael Marquardt
gpg: aka "theymos
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5E6B 3F3B A961 193C 5C9B 4435 C655 5693 DAB5 91E7
Seems Tor IP. Did he mail you anything ? If yes, may we get to know the content ?
Thank you Theymos for your hardwork 
hope it's not going down again for the long time. this is the longest downtime ever i know since i register here last year
cmiiw
hope it's not going down again for the long time. this is the longest downtime ever i know since i register here last year
cmiiw
Jump to: