Topic: Dealing with Bitcoin hackers

staff
Activity: 3458
Merit: 6793
Just writing some code
January 28, 2018, 07:39:24 PM
#4
  • Redirect them to a file which contain a malware, a virus or an insult
  • Redirect them to a file which contain a script that will mess them (wait forever, hang their PC, etc.)
I would suggest that you not try these as those are things that can get you in trouble with the law. Well, having an insult is fine, but distributing malware is not.
sr. member
Activity: 586
Merit: 317
January 26, 2018, 04:44:13 PM
#3
Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

Obviously several webmasters host their wallets online, considering the number of attacks I observed. I guess they are running a local bitcoind daemon to handle their payments. Having your financial transactions handled by a third party remains very risky for the meantime.

You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

Waste of time: most of those addresses are already blacklisted or come from zombie hosts.
And staying in a rural area, I know for sure our local cops do not even know what Bitcoin is.

Cheers.
copper member
Activity: 2856
Merit: 3071
https://bit.ly/387FXHi lightning theory
January 26, 2018, 04:19:16 PM
#2
If you fancy doing something good, secure a connection from your server to them, search for their bitcoin config file and attempt to run their bitcoin daemon app to send all their coins to you and attempt to return them to the person who sent it.

Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...
sr. member
Activity: 586
Merit: 317
January 26, 2018, 01:50:27 PM
#1
Hello mates !

As an owner of a Bitcoin business, I can see a huge rise in intrusion attempts on one of my servers.
Most of those lamers are trying to check whether I host an online wallet and try to download it.

See for instance this evidence I recorded:

2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip

But since I used to be a bad guy a long time ago, I had the following ideas:

  • Redirect them to an easy affiliate link, like Chaturbate for example
  • Redirect them to a file which contains malware, a virus or an insult
  • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
  • Redirect them to the CIA or the NSA.

They are easy to detect as they keep on using the same file names, i.e. wallet, backupwallet, etc.

Be careful also as they are trying to access those critical directories:

/backup/
/bitcoin/
/btc/

I would advise you not to use them anymore or simply reject the incoming traffic.

So to set up my tricky projects, I simply use those statements inside my .htaccess:

RewriteRule ^bitcoinwallet\.(.)+ hxxp://your-honeypot.com/malware.txt [L]
RewriteRule ^btcwallet\.(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^wallet\.(.)+ hxxp://your-honeypot.com/verybad.php [L]
RewriteRule ^backupwallet\.(.)+ hxxps://www.cia.gov/ [L]

RewriteRule ^/?backup/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?bitcoin/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?btc/(.)+ hxxp://your-honeypot.com/affiliate [L]

This is working pretty well, and even better, you could make some money with those villains.

Enjoy !
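As an added example (not the poster's code): a small Python detector that parses the log format pasted above and counts wallet-file and wallet-directory probes per source IP, so the offenders can be fed to a blocklist or an alert instead of a redirect. The sample log lines are constructed from the ones in the post plus one legitimate request from a test-range IP; the regexes and the threshold are my assumptions.

```python
import re
from collections import defaultdict

# Log format as pasted in the post: "YYYY-MM-DD HH:MM:SS [client-ip] status(): requested-name"
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[0-9a-fA-F:.]+)\] (?P<status>\d{3})\(\): (?P<path>\S+)$"
)

# Names the scanners keep requesting: wallet files, and the "critical
# directories" the post warns about. Matched case-insensitively (assumption).
WALLET_FILE_RE = re.compile(r"^(?:backup)?wallet\.(?:dat|zip|gz|rar|bak|backup)", re.I)
WALLET_DIR_RE = re.compile(r"^/?(?:backup|bitcoin|btc)/", re.I)

# Constructed sample: lines from the post plus one harmless request (203.0.113.7 is
# a documentation/test address) and one malformed line the parser must skip.
SAMPLE_LOG = """\
2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip
2018-01-16 21:14:05 [203.0.113.7] 200(): index.html
2018-01-16 21:14:06 [203.0.113.7] 404(): /btc/wallet.dat
this line is not in the expected format
""".splitlines()


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wallet_probe(path):
    """True when the requested name looks like a wallet-file or wallet-dir probe."""
    name = path.lstrip("/")
    return bool(WALLET_FILE_RE.match(name) or WALLET_DIR_RE.match(path))


def scan(lines, threshold=2):
    """Count wallet probes per source IP; return (ip, count) at/above threshold,
    most active first (ties broken by IP string)."""
    hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and is_wallet_probe(rec["path"]):
            hits[rec["ip"]] += 1
    return sorted(((ip, n) for ip, n in hits.items() if n >= threshold),
                  key=lambda x: (-x[1], x[0]))
```

Running `scan(SAMPLE_LOG)` on the constructed sample flags the two IPs that probed twice; a real deployment would read the web server's access log and push the result to the firewall or a deny list.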