Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 15. (Read 62094 times)
If you trace the coins forward, it looks like they are going through some sort of laundering/mixing process as we speak.
It exists now at an informal level, but I expect the "tainted coins" stigma will decrease over time. Right now we have a high percentage of relatively fresh coins, but just like fiat, after they've been in circulation for some time it will be taken for granted that some percentage of it has been involved in some kind of scam.
digital, you're correct, it's my general "donation" address, but I created the new one to track donations to pool funds...
Woops, guess I was a little late on that one...
His full address from the firstbits is:
Edit: nevermind, see above post
I've already sent along what I could spare...
Edit: nevermind, see above post
I've already sent along what I could spare...
just changed my password, thanks for the heads up.
do you have a donation address?
do you have a donation address?
You can donate to 18pmHDP5fx4A9Tpo69V1KEXWUQyK7EvT9C . Thank you for your support!
digital: thank you, too :-)
just changed my password, thanks for the heads up.
do you have a donation address?
do you have a donation address?
The Bitcoin Faucet bitcoind's are both running on a Linode VPS, which was mysteriously restarted 14 hours ago.
Gavin, thank you for info. It's the same time when my linodes were restarted (it was around 7 am UTC). Did you contacted Linode about this issue? Looks like they're still rejecting any problems on their side...
I can't remember, does MtGox block stolen coins from deposit?
Is it positively confirmed that it is a linode issue and not an exploit for bitcoind?
There's no way how to "learn" linode's username and password to login into Linode Manager from machine itself. And attacker obviously used Linode Manager to change root password. So - yes, it isn't bitcoind issue.
The most interesting point of the whole hack is that Linode don't have any log about login to Manager by the attacker, which indicate that they used some vulnerability of Manager itself.
Wow, thats going to be an interesting one to figure out ...
Following the dendrogram on blockchain.info, it looks like the money went
to a pool of bitcoin worth around 25000 ... not the first malfeasance then.
Also, seems like the thief is in the process of laundering the whole thing.
FYI:
The Bitcoin Faucet bitcoind's are both running on a Linode VPS, which was mysteriously restarted 14 hours ago. The ~4 bitcoins in the main-net Faucet's wallet were stolen, also; I'll shutdown the Faucet website, do NOT donate any coins to the Faucet donation address, it is controlled by the thief.
This is extremely disturbing. Wonder who else was stolen from. Sounds like it was well-planned. The Bitcoin Faucet bitcoind's are both running on a Linode VPS, which was mysteriously restarted 14 hours ago. The ~4 bitcoins in the main-net Faucet's wallet were stolen, also; I'll shutdown the Faucet website, do NOT donate any coins to the Faucet donation address, it is controlled by the thief.
FYI:
The Bitcoin Faucet bitcoind's are both running on a Linode VPS, which was mysteriously restarted 14 hours ago. The 5 bitcoins in the main-net Faucet's wallet were stolen, also; I'll shutdown the Faucet website, do NOT donate any coins to the Faucet donation address, it is controlled by the thief.
Transaction ID: 14350f6f2bda8f4220f5b5e11022ab126a4b178e5c4fca38c6e0deb242c40c5f
... if you want to start watching where the coins end up.
The Bitcoin Faucet bitcoind's are both running on a Linode VPS, which was mysteriously restarted 14 hours ago. The 5 bitcoins in the main-net Faucet's wallet were stolen, also; I'll shutdown the Faucet website, do NOT donate any coins to the Faucet donation address, it is controlled by the thief.
Transaction ID: 14350f6f2bda8f4220f5b5e11022ab126a4b178e5c4fca38c6e0deb242c40c5f
... if you want to start watching where the coins end up.
Is it positively confirmed that it is a linode issue and not an exploit for bitcoind?
There's no way how to "learn" linode's username and password to login into Linode Manager from machine itself. And attacker obviously used Linode Manager to change root password. So - yes, it isn't bitcoind issue.
The most interesting point of the whole hack is that Linode don't have any log about login to Manager by the attacker, which indicate that they used some vulnerability of Manager itself.
Is it positively confirmed that it is a linode issue and not an exploit for bitcoind?
Three things for everyone to learn from this:
#1, use cold storage as preemptive damage control. Congratulations on being the first high-profile case to get this right.
#2, don't store high value wallets on a public-facing server. It's much better to keep your wallet on a machine in another secure location, poll for any required sends, sanity check them, and then send them to the network.
#3, Slush just earned 3094 honor points.
#1, use cold storage as preemptive damage control. Congratulations on being the first high-profile case to get this right.
#2, don't store high value wallets on a public-facing server. It's much better to keep your wallet on a machine in another secure location, poll for any required sends, sanity check them, and then send them to the network.
#3, Slush just earned 3094 honor points.
Hopefully Linode comes clean...
Man, that's a huge loss. Thanks again Slush for everything you do, you have a donation coming your way from me. It wont be much, but I'll do what I can at least to help out...
Man, that's a huge loss. Thanks again Slush for everything you do, you have a donation coming your way from me. It wont be much, but I'll do what I can at least to help out...
Wow. I'm sorry to read about this slush.
I applaud you for covering this out of pocket. Another demonstration of why I'm glad to be mining in your pool.
I'm covering all financial loss from my own money, to keep pool users out of this stupid issue.
I applaud you for covering this out of pocket. Another demonstration of why I'm glad to be mining in your pool.
Short story:
Somebody hacked my backup machine with pool data hosted on Linode and steal 3094 BTC ("hot" coins ready for payouts). Cold backup was not affected in any way by this hack.
It looks that also user database has been compromised. Although passwords are stored in SHA1 with salt, I strongly recommend to change your password on the pool immediately.
Robery of Bitcoins has no impact to pool users, I'm covering the loss from my own income (although it means that many months of my work is wasted
).
Long story + evidence:
This morning I received SMS from pool monitoring that BTC balance went under expected amount, so I started investigating what happen. I saw that there was transaction moving 3094 BTC out of the pool wallet (http://blockexplorer.com/tx/34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb) few minutes ago. I watched the logs and it didn't look like server has been compromised in any way.
Then I found that two of my Linode machines has been restarted half a hour ago, too, and root passwords has been changed. I changed passwords to new one and found that there was malicious activity on the machines. Then I discover that passwords were changed over Linode Manager (Linode web management), because there was record about password change in Host Job queue (last activity done over Manager). This also explains why attacker restarted machines, because it's necessary to apply this change from Manager.
I reported accident to Linode staff and asked for log of recent logins to Manager. To my surprise, there were only my own log attempts and last login before the attack was on 08/02/2012! I reported to Linode that something is going wrong, because I has been using strong password for my Linode Manager (because I know it's basically backdoor to my machines) and I didn't use this password on different places.
Full log of support ticket is here.
I'm still waiting what they'll find, but expect they'll try to hide any issue on their side and they will definitely reject to pay 3000 BTC for this attack :-/.
Plus
Few hours ago another guy contacted me that his Linode machine has been attacked and his coins was moved to the same wallet, asking me if I know what happen (because he found that 1Mining2 address is mine). We found that our issues are the same - changed password in Manager, stolen coins & Linode staff is telling they have no security issue on their side. Heh.
It looks like attackers found some vulnerability of Linode Manager and used it to infiltrate Linodes with running bitcoind (we both had bitcoind running on the machine), to gain maximum profit for the less rush (it does not look that so much machines has been hacked, at least I didn't find anything on twitter etc). It looks like attackers were interested only in Bitcoins, because they leave Namecoins untouched, although they have the same chance to steal them.
From the attacker's wallet it looks there were more people affected by this Linode hack, maybe they'll know anything more?
Conclusion
There's no reason to think that pool itself was hacked. I changed all passwords everywhere (mainly to database), moved coins to new wallet and everything is working fine. Backup machine didn't contain keys for accessing pool server, so there's no need to reinstall pool to another machine. I'm covering all financial loss from my own money, to keep pool users out of this stupid issue.
Somebody hacked my backup machine with pool data hosted on Linode and steal 3094 BTC ("hot" coins ready for payouts). Cold backup was not affected in any way by this hack.
It looks that also user database has been compromised. Although passwords are stored in SHA1 with salt, I strongly recommend to change your password on the pool immediately.
Robery of Bitcoins has no impact to pool users, I'm covering the loss from my own income (although it means that many months of my work is wasted
).Long story + evidence:
This morning I received SMS from pool monitoring that BTC balance went under expected amount, so I started investigating what happen. I saw that there was transaction moving 3094 BTC out of the pool wallet (http://blockexplorer.com/tx/34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb) few minutes ago. I watched the logs and it didn't look like server has been compromised in any way.
Then I found that two of my Linode machines has been restarted half a hour ago, too, and root passwords has been changed. I changed passwords to new one and found that there was malicious activity on the machines. Then I discover that passwords were changed over Linode Manager (Linode web management), because there was record about password change in Host Job queue (last activity done over Manager). This also explains why attacker restarted machines, because it's necessary to apply this change from Manager.
I reported accident to Linode staff and asked for log of recent logins to Manager. To my surprise, there were only my own log attempts and last login before the attack was on 08/02/2012! I reported to Linode that something is going wrong, because I has been using strong password for my Linode Manager (because I know it's basically backdoor to my machines) and I didn't use this password on different places.
Full log of support ticket is here.
I'm still waiting what they'll find, but expect they'll try to hide any issue on their side and they will definitely reject to pay 3000 BTC for this attack :-/.
Plus
Few hours ago another guy contacted me that his Linode machine has been attacked and his coins was moved to the same wallet, asking me if I know what happen (because he found that 1Mining2 address is mine). We found that our issues are the same - changed password in Manager, stolen coins & Linode staff is telling they have no security issue on their side. Heh.
It looks like attackers found some vulnerability of Linode Manager and used it to infiltrate Linodes with running bitcoind (we both had bitcoind running on the machine), to gain maximum profit for the less rush (it does not look that so much machines has been hacked, at least I didn't find anything on twitter etc). It looks like attackers were interested only in Bitcoins, because they leave Namecoins untouched, although they have the same chance to steal them.
From the attacker's wallet it looks there were more people affected by this Linode hack, maybe they'll know anything more?
Conclusion
There's no reason to think that pool itself was hacked. I changed all passwords everywhere (mainly to database), moved coins to new wallet and everything is working fine. Backup machine didn't contain keys for accessing pool server, so there's no need to reinstall pool to another machine. I'm covering all financial loss from my own money, to keep pool users out of this stupid issue.
Jump to: