All my fairbrix just went somewhere by thremselves.....WTF!

Come-from-Beyond

legendary

Activity: 2142

Merit: 1009

Newbie

Quote from: caish5 on November 29, 2011, 10:11:38 AM

I've just noticed a transaction I did not initiate appear in my Fairbrix client.
Can anyone elaborate on this?
Could this be some sort of evil malware (on ubuntu)?
here is a screenshot.
http://ubuntuone.com/4TvNQeG81UI5lU1jp9VJ24

Maybe http://blockexplorer.sytes.net/block/413976c9a943c084673af2d80e6da36cedd480b3013a415a50d70fad22ebe877 ?

See a fork in NEXT BLOCK section?

localhost

sr. member

Activity: 392

Merit: 250

Quote from: racerguy on December 04, 2011, 11:19:45 AM

lol I used to solomine litecoins with rpcallowip=*
I too thought that the worst that could happen would be for someone else to mine for me(don't think I forwarded the port on my router though) guess I got lucky.

Same here. There should be some kind of warning in the client when the configuration is clearly too open such as rpcallowip=*. I never thought RPC was for anything else than mining... I think I kept it at rpcallowip=127.0.0.1, though.

makomk

hero member

Activity: 686

Merit: 564

Quote from: coblee on November 29, 2011, 09:03:35 PM

This problem really only affects fairbrix and tenebrix. Lolcust released tenebrix with a default config file that has a default rpcpassword and I didn't change it for fairbrix. There's a reason why bitcoin does not have a default rpc password and forces you to set one the first time you try to use RPC.

Solidcoin has a default rpcpassword too and you have to have one set if you want to mine solo using the built-in miner.

coblee

donator

Activity: 1654

Merit: 1350

Creator of Litecoin. Cryptocurrency enthusiast.

Quote from: racerguy on December 04, 2011, 11:19:45 AM

lol I used to solomine litecoins with rpcallowip=*
I too thought that the worst that could happen would be for someone else to mine for me(don't think I forwarded the port on my router though) guess I got lucky.

With litecoin, there's no default rpc password. So unless you set the password to something like "password", you are not that vulnerable. Of course, it's still not totally safe to do rpcallowip=*.

racerguy

sr. member

Activity: 270

Merit: 250

lol I used to solomine litecoins with rpcallowip=*
I too thought that the worst that could happen would be for someone else to mine for me(don't think I forwarded the port on my router though) guess I got lucky.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: Gavin Andresen on November 29, 2011, 10:37:36 PM

Quote from: DeathAndTaxes on November 29, 2011, 07:32:50 PM

Personally I think an interim step would be a version which has IRC and an option (enabled/disabled) and a "forget all addresses" option to experiment w/ non-IRC node discovery.

You can remove the addr.dat file and run with the -noirc and -nodnsseed options to experiment right now.

I fixed the bootstrap-from-hard-coded seed node code a couple of months ago, so use a recent version of bitcoin to see it working properly.

Thanks I will check it out.

Gavin Andresen

legendary

Activity: 1652

Merit: 2300

Chief Scientist

Quote from: DeathAndTaxes on November 29, 2011, 07:32:50 PM

Personally I think an interim step would be a version which has IRC and an option (enabled/disabled) and a "forget all addresses" option to experiment w/ non-IRC node discovery.

You can remove the addr.dat file and run with the -noirc and -nodnsseed options to experiment right now.

I fixed the bootstrap-from-hard-coded seed node code a couple of months ago, so use a recent version of bitcoin to see it working properly.

doublec

legendary

Activity: 1078

Merit: 1005

All nodes broadcast addresses, it's trivial to collect a list of most connectable nodes on the network. Even with IRC disabled. You can then test each of these for an open JSON-RPC port with the default password. It's possible people are actively doing that.

coblee

donator

Activity: 1654

Merit: 1350

Creator of Litecoin. Cryptocurrency enthusiast.

This problem really only affects fairbrix and tenebrix. Lolcust released tenebrix with a default config file that has a default rpcpassword and I didn't change it for fairbrix. There's a reason why bitcoin does not have a default rpc password and forces you to set one the first time you try to use RPC.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: btc_artist on November 29, 2011, 07:28:28 PM

How will the client make its first connection then?

Two different methods:

It makes a DNS lookup of bitseed.xf2.org bitseed.bitcoin.org.uk dnsseed.bluematt.me
If it finds no connections it sequentially connects to a hard coded list of "last resort" IP addresses.

Once it finds a single active node it asks for all active nodes that node knows. It then connects to each of those nodes and asks for all active nodes it knows. Addresses are saved between sessions so this only applies to the initial boot ("cold boot into network"). It then broadcasts its address to all known nodes ever 24 hours.

IRC is still used but even in the current version is a "downgraded" it considers addresses found via IRC to be lower priority than addresses discovered by other methods.

Personally I think an interim step would be a version which has IRC and an option (enabled/disabled) and a "forget all addresses" option to experiment w/ non-IRC node discovery.

btc_artist

full member

Activity: 154

Merit: 102

Bitcoin!

How will the client make its first connection then?

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: sd on November 29, 2011, 04:26:05 PM

Quote from: Raoul Duke on November 29, 2011, 04:13:08 PM

Quote from: sd on November 29, 2011, 04:09:29 PM

Quote from: caish5 on November 29, 2011, 10:40:09 AM

I do however have rpc open with default password.

My guess is that this was done by someone who already knew your IP and that you had fairbrix.

Maybe someone in the control of one of the other nodes his client was connected to or someone scrapping the IRC channel where almost all nodes bootstrap their initial connection?
I bet that are a lot of malicious nodes only getting connections to later scan the IP's and see if they can get some BTC. If they're doing it for shitbrix you can be certain they're doing it for Bitcoin and all other alt coins.

Totally possible. I've never liked the way BitCoin uses IRC to bootstrap.

Let this be yet another warning to everybody - Use a good quality password.

Good thing is neither do the developers. My understanding is IRC is going to be removed from future version of the client as it is no longer needed.

sd

hero member

Activity: 730

Merit: 500

Quote from: Raoul Duke on November 29, 2011, 04:13:08 PM

Quote from: sd on November 29, 2011, 04:09:29 PM

Quote from: caish5 on November 29, 2011, 10:40:09 AM

I do however have rpc open with default password.

My guess is that this was done by someone who already knew your IP and that you had fairbrix.

Maybe someone in the control of one of the other nodes his client was connected to or someone scrapping the IRC channel where almost all nodes bootstrap their initial connection?
I bet that are a lot of malicious nodes only getting connections to later scan the IP's and see if they can get some BTC. If they're doing it for shitbrix you can be certain they're doing it for Bitcoin and all other alt coins.

Totally possible. I've never liked the way BitCoin uses IRC to bootstrap.

Let this be yet another warning to everybody - Use a good quality password.

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: sd on November 29, 2011, 04:09:29 PM

Quote from: caish5 on November 29, 2011, 10:40:09 AM

I do however have rpc open with default password.

The guy with the Simpsons picture is right, that was a very silly thing to do.

BUT.. Who took these coins? Are crooks actively scanning random IPs for alternative crypto-currency clients and trying default passwords? It's possible but it seems like a lot of effort for a very small gain. Someone could have scripted it but they would have gone after bitcoin or something else with real value.

My guess is that this was done by someone who already knew your IP and that you had fairbrix.

Maybe someone in the control of one of the other nodes his client was connected to or someone scrapping the IRC channel where almost all nodes bootstrap their initial connection?
I bet that are a lot of malicious nodes only getting connections to later scan the IP's and see if they can get some BTC. If they're doing it for shitbrix you can be certain they're doing it for Bitcoin and all other alt coins.

sd

hero member

Activity: 730

Merit: 500

Quote from: caish5 on November 29, 2011, 10:40:09 AM

I do however have rpc open with default password.

The guy with the Simpsons picture is right, that was a very silly thing to do.

BUT.. Who took these coins? Are crooks actively scanning random IPs for alternative crypto-currency clients and trying default passwords? It's possible but it seems like a lot of effort for a very small gain. Someone could have scripted it but they would have gone after bitcoin or something else with real value.

My guess is that this was done by someone who already knew your IP and that you had fairbrix.

DeathAndTaxes

donator

Activity: 1218

Merit: 1079

Gerald Davis

Quote from: caish5 on November 29, 2011, 10:51:10 AM

Well good lesson to learn with FBX i reckon!
I only opened the port so i could have a friend help me mine ages ago

I say you came out ahead. If it prevents you from losing 10,000 BTC someday you should thank that scammer.

If you don't need RPC then turn it off.
If you do need RPC set a custom password and limit it to the localhost.
If you need RPC access from other machines in the localnet then limit it to locahost and the specific machines.
If you need RPC access from the public internet well maybe you should reconsider (or at least be aware of the significant risk).

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: caish5 on November 29, 2011, 10:51:10 AM

Well good lesson to learn with FBX i reckon!
I only opened the port so i could have a friend help me mine ages ago

Yes, praise the Lord it wasn't something more valuable. Tongue

caish5

sr. member

Activity: 324

Merit: 250

Well good lesson to learn with FBX i reckon!
I only opened the port so i could have a friend help me mine ages ago

Raoul Duke

legendary

Activity: 1358

Merit: 1002

Quote from: caish5 on November 29, 2011, 10:46:47 AM

So you can remotely control the whole client over rpc?
Had i known this i woulda used a better password.

Yes, you can control everything the client does.
You could even use the default password, as long as you wouldn't accept connections from nothing else than localhost or a specific IP address(may be dangerous, not sure how easy it is to spoof an IP)

caish5

sr. member

Activity: 324

Merit: 250

So you can remotely control the whole client over rpc?
Had i known this i woulda used a better password.

Topic: All my fairbrix just went somewhere by thremselves.....WTF! (Read 3525 times)