Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM... - page 7. (Read 62090 times)

legendary
Activity: 1330
Merit: 1000
Bitcoin
Come on, stop spreading FUD. There is NO WAY IN HELL that the guy can cash out so quickly. Think of daily withdrawal limits, ID verification, coin tracing, and so forth.

My guess? Disheartened noobs cashing out because of loss of faith in the system. All the more coins for me!

Yeah, it's more likely market panic.

The price is dropping. Not going to lie, I got a little shaken also... uggh...
legendary
Activity: 980
Merit: 1014
Come on, stop spreading FUD. There is NO WAY IN HELL that the guy can cash out so quickly. Think of daily withdrawal limits, ID verification, coin tracing, and so forth.

My guess? Disheartened noobs cashing out because of loss of faith in the system. All the more coins for me!

Yeah, it's more likely market panic.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
aaaand the selling begins... http://mtgoxlive.com

Come on, stop spreading FUD. There is NO WAY IN HELL that the guy can cash out so quickly. Think of daily withdrawal limits, ID verification, coin tracing, and so forth.

My guess? Disheartened noobs cashing out because of loss of faith in the system. All the more coins for me!
full member
Activity: 146
Merit: 100
I would not trust any shared host (VM or not) that has access to your data for a wallet over $1000. The only way to do this is with encrypted disks that are set up or encrypted by the customer with no host access of any kind. No "control panel" based hosting.

For sure a shared host can be less trusted than a dedicated server, but... if the datacenter manager (or employee) is compromised, the thief can reboot in rescue mode, access the disk, change the root password... and the result will be the same. Cold storage and therefore delayed withdrawals (manually validated once per day by the pool or exchange admin) seem to be the only safe answer to me...


hero member
Activity: 812
Merit: 1000
aaaand the selling begins... http://mtgoxlive.com
sr. member
Activity: 406
Merit: 250

These are all the transactions with outputs of 2500 BTC or more in the time period we're looking at:

Code:
Thu Mar  1 02:16:40 2012 e558957e4108f33775f08cc1277d22fbb51261d232a2d2a14cfd518d333ce5f1 2822.44
Thu Mar  1 06:50:07 2012 7b45c1742ca9f544cccd92d319ef8a5e19b7dcb8742990724c6a9c2f569ae732 20555.0
Thu Mar  1 06:50:07 2012 0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 10000.0
Thu Mar  1 06:50:07 2012 901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3 3000.0
Thu Mar  1 06:50:07 2012 a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68 3000.0
Thu Mar  1 06:50:07 2012 a57132e2cbc580ac262aa3f7bac1e441d6573f9633118bc48009618585a0967e 3000.0
Thu Mar  1 07:59:31 2012 34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb 3094.0 <-- slush
Thu Mar  1 18:39:22 2012 d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333 25000.0

The Bitcoinica 10k is certainly in that 06:50:07 block - it was a busy block indeed!  http://blockexplorer.com/b/169179

https://bitcointalksearch.org/topic/bitcoinica-lost-43554-btc-from-linode-compromise-suspicious-txids-publicized-66979 -- They posted some of their "suspicious" TX IDs.
legendary
Activity: 1764
Merit: 1002
Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.

Now we are getting somewhere. Hacker works for the CIA? Or, more likely, hacker works for a large bank or collection of banks? Stealing from the faucet is terrorism, plain and simple. Call the federales.

The last few replies mention allinvain and CIA - anyone seen allinvain? hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

Couple of ways to look at it. One, Allinvain worked for the CIA and wanted to make it look like there was a "huge bitcoin" loss, or two, the CIA off'd Allinvain, since nobody has heard from him in, what, like a thousand years? Or taken him to the brig off at sea....

No, he's been posting regularly over in the Hardware section, in the Ztex thread I believe.
legendary
Activity: 2940
Merit: 1330

These are all the transactions with outputs of 2500 BTC or more in the time period we're looking at:

Code:
Thu Mar  1 02:16:40 2012 e558957e4108f33775f08cc1277d22fbb51261d232a2d2a14cfd518d333ce5f1 2822.44
Thu Mar  1 06:50:07 2012 7b45c1742ca9f544cccd92d319ef8a5e19b7dcb8742990724c6a9c2f569ae732 20555.0
Thu Mar  1 06:50:07 2012 0268b7285b95444808753969099f7ae43fb4193d442e3e0deebb10e2bb1764d0 10000.0
Thu Mar  1 06:50:07 2012 901dbcef30a541b8b55fae8f7ad9917ef0754bda5b643705f3773e590785c4d3 3000.0
Thu Mar  1 06:50:07 2012 a82ad85286c68f37a2feda1f5e8a4efa9db1e642b4ef53cb9fd86170169e5e68 3000.0
Thu Mar  1 06:50:07 2012 a57132e2cbc580ac262aa3f7bac1e441d6573f9633118bc48009618585a0967e 3000.0
Thu Mar  1 07:59:31 2012 34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb 3094.0 <-- slush
Thu Mar  1 18:39:22 2012 d9804de366aa4c2a01565c3a3c8aa2ea20baafc276dc875f80b9044841205333 25000.0

The Bitcoinica 10k is certainly in that 06:50:07 block - it was a busy block indeed!  http://blockexplorer.com/b/169179
sr. member
Activity: 372
Merit: 250
I can't believe the hacker!

Don't even let off 5 Bitcoins...


If you think about it, that is pretty low - attack the free bitcoin faucet, wtf?

Thieving is the lowest of all sins.  
legendary
Activity: 1330
Merit: 1000
Bitcoin
Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.

Now we are getting somewhere. Hacker works for the CIA? Or, more likely, hacker works for a large bank or collection of banks? Stealing from the faucet is terrorism, plain and simple. Call the federales.

The last few replies mention allinvain and CIA  - anyone seen allinvain?  hmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm

Couple of ways to look at it. One, Allinvain worked for the CIA and wanted to make it look like there was a "huge bitcoin" loss, or two, the CIA off'd Allinvain, since nobody has heard from him in, what, like a thousand years? Or taken him to the brig off at sea....
legendary
Activity: 1428
Merit: 1000
https://www.bitworks.io
I've seen a fair bit of traffic since I got into bitcoin talking about encrypting one's wallet if it's used for backup, etc. The initial article I read indicated that Linode was used only to hold a copy of the wallet, but in reading the posts it sounds like it was the live wallet used to make transactions on the running systems. I guess I'm curious which it was.
rjk
sr. member
Activity: 448
Merit: 250
1ngldh
Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.

Now we are getting somewhere. Hacker works for the CIA? Or, more likely, hacker works for a large bank or collection of banks? Stealing from the faucet is terrorism, plain and simple. Call the federales.
sr. member
Activity: 406
Merit: 251
Getting access to the Linode admin UI doesn't give access to the server itself.  You can view the console, but you just get the login prompt.  You still need the server's password to log in.

To reset the password the server has to be shut down so that /etc/shadow can be modified.  At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.

A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here.  I'm guessing the exploit is in their web-based server management.

This is by far one of the scariest things about the process.  Considering Slush and the Faucet were compromised at roughly the same time, it points to the flaw being in Linode's administrative control panel.  A -very- scary situation, considering Linode is one of the largest VPS providers around.

I'm late to the party. None of my bitcoind Linodes have been compromised...yet. Come and get 'em...all my coins are hot now.

I guess it was mostly the 'highest profile' targets that got hit, which explains Gavin getting chosen (although I always thought the faucet kept a rather low amount of coins in it at any time, due to a roughly equal inflow/outflow of coins, or the fact that it used to run empty often).

Yea, that is a reason to remain 'low profile'. But the faucet...yea, that just doesn't make sense. 5, 20 or 100 coins, grabbing from the faucet will hurt the end game.
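The two posts above describe the same trace: to reset the root password from the hosting side, the guest has to be shut down (or booted into rescue mode) so that /etc/shadow can be edited from outside, then brought back up. Both of those leave marks a defender can check from inside the guest: a boot with no matching clean shutdown, and an /etc/shadow modification time that falls inside a window when the guest was not running. The following Go program is an added example, not code from this thread or from Linode; it parses constructed `last -x`-style boot/shutdown records (a simplified shape that includes the year, which real `last` output omits) and compares them against a constructed /etc/shadow mtime of the kind `os.Stat` would return.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one boot or shutdown record of the kind `last -x` prints from wtmp.
type Event struct {
	Kind string    // "reboot" or "shutdown"
	At   time.Time // when the record was written
}

// SampleLastX is constructed sample output in a simplified `last -x` shape
// (assumed format: kind, "system boot"/"system down", then an ANSIC timestamp).
const SampleLastX = `
reboot   system boot  Thu Mar  1 06:51:12 2012
shutdown system down  Thu Mar  1 06:48:40 2012
reboot   system boot  Tue Feb 14 10:02:31 2012
reboot   system boot  Mon Feb 13 22:15:05 2012
shutdown system down  Mon Feb 13 22:10:00 2012
wtmp begins Mon Feb 13 22:00:00 2012
`

// ParseLastX keeps only reboot/shutdown records and returns them oldest first.
func ParseLastX(output string) ([]Event, error) {
	var events []Event
	for _, line := range strings.Split(strings.TrimSpace(output), "\n") {
		f := strings.Fields(line)
		if len(f) < 8 || (f[0] != "reboot" && f[0] != "shutdown") {
			continue // headers, the "wtmp begins" marker, ordinary user sessions
		}
		at, err := time.Parse(time.ANSIC, strings.Join(f[3:8], " "))
		if err != nil {
			return nil, fmt.Errorf("line %q: %w", line, err)
		}
		events = append(events, Event{Kind: f[0], At: at})
	}
	// `last` prints newest first; the audit wants chronological order.
	sort.Slice(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	return events, nil
}

// Audit reports the two patterns a host-side password reset leaves on the guest:
//   - a boot with no clean shutdown record since the previous boot (hard reset or rescue boot), and
//   - /etc/shadow modified while the guest was down, which no process on the guest could have done.
func Audit(events []Event, shadowMtime time.Time) []string {
	var findings []string
	for i := 1; i < len(events); i++ {
		prev, cur := events[i-1], events[i]
		if cur.Kind != "reboot" {
			continue
		}
		switch {
		case prev.Kind == "reboot":
			findings = append(findings, fmt.Sprintf(
				"unclean restart at %s: no shutdown record since the boot at %s",
				cur.At.Format(time.ANSIC), prev.At.Format(time.ANSIC)))
		case shadowMtime.After(prev.At) && shadowMtime.Before(cur.At):
			findings = append(findings, fmt.Sprintf(
				"/etc/shadow changed at %s, inside the downtime %s .. %s: credentials edited from outside the guest",
				shadowMtime.Format(time.ANSIC), prev.At.Format(time.ANSIC), cur.At.Format(time.ANSIC)))
		}
	}
	return findings
}

func main() {
	events, err := ParseLastX(SampleLastX)
	if err != nil {
		panic(err)
	}
	// Constructed: what os.Stat("/etc/shadow").ModTime() would report on the compromised guest.
	shadowMtime := time.Date(2012, time.March, 1, 6, 49, 55, 0, time.UTC)
	for _, f := range Audit(events, shadowMtime) {
		fmt.Println("FINDING:", f)
	}
}
```

On the constructed sample the audit produces two findings: the Feb 14 boot that follows another boot with no shutdown in between, and the /etc/shadow change at 06:49:55 that sits inside the three-minute downtime on Mar 1. The check is only as trustworthy as the records it reads: once someone has root inside the guest they can rewrite wtmp and touch mtimes, so wtmp and auth logs should be shipped off the host as they are written; what this catches is the offline reset the posts describe, not a guest-level rootkit.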


legendary
Activity: 2940
Merit: 1330
Have a more secure system in place next time.

The attacker went outside his secure system and gained root access.  There's not much you can do about that except for not using a hosting service which allows attackers root access to your files.

How about encrypting the wallet ?

I have root access.  I log in, modify bitcoind to send a copy of the plaintext password in a file somewhere the next time they type it, then reboot their system.  They log back in, type their password, and I get their BTC.  It's very hard to protect against an attacker with root access.  P2SH would help, of course.
legendary
Activity: 826
Merit: 1001
rippleFanatic
I can't believe the hacker!

Don't even let off 5 Bitcoins...


If you think about it, that is pretty low - attack the free bitcoin faucet, wtf?

It was just for confirming he had access to all of Linode.  They said only 8 accounts were accessed (presumably those running bitcoind), so one question is, who were the other 5 and did they have any coins in their wallet?

Also, why 25k BTC?  That's the exact same number allinvain lost.  allinvain had a bit more than 25k in his wallet, but the thief only stole 25k even and let him keep the rest.
legendary
Activity: 1330
Merit: 1000
Bitcoin
I can't believe the hacker!

Don't even let off 5 Bitcoins...


If you think about it, that is pretty low - attack the free bitcoin faucet, wtf?
hero member
Activity: 714
Merit: 500
I can't believe the hacker!

Don't even let off 5 Bitcoins...

legendary
Activity: 1764
Merit: 1002
Do these incidents not bode well for online clients like Electrum or Blockchain.info?

Even with encrypted, user-generated private keys, they can be stolen by the server when opened to sign txs.

Server never "opens" the key.  The signing is done client side.  While you could have funds stolen it would be because of malware on your computer.  There is nothing on the server to steal.

Refer to the section written by piuk himself:  http://bitcoin.stackexchange.com/questions/2240/what-are-the-risks-of-using-strongcoin-com-as-an-online-wallet
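Two points from the thread fit together here: the earlier reply that "it's very hard to protect against an attacker with root access. P2SH would help", and the one just above that the server never opens the key because signing happens client side. The Go program below is an added example, not code from the thread, from Bitcoin, or from any wallet service, and not Bitcoin's actual P2SH/OP_CHECKMULTISIG script: it uses P-256 ECDSA from Go's standard library as a stand-in for secp256k1 and a simple count-of-distinct-signers policy as a stand-in for the script. The server-side Policy holds only public keys, so root on that host (the situation the earlier post describes, where bitcoind is patched to capture the passphrase) yields at most one of the two signatures a 2-of-2 spend needs. Key names and the transaction bytes are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a private key that never leaves the machine it was generated on:
// the user's client, an offline box, or (the one an intruder can reach) the hot server.
type Signer struct{ priv *ecdsa.PrivateKey }

// NewSigner generates a fresh P-256 key (stand-in for secp256k1 in this example).
func NewSigner() (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv}, nil
}

// Public is the only thing the signer ever hands to the server.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.priv.PublicKey }

// Sign signs the SHA-256 digest of a serialized transaction locally.
func (s *Signer) Sign(tx []byte) ([]byte, error) {
	h := sha256.Sum256(tx)
	return ecdsa.SignASN1(rand.Reader, s.priv, h[:])
}

// Policy is everything the server stores: public keys and how many distinct holders
// must sign. It contains no secret, so a copy of the server's disk spends nothing.
type Policy struct {
	Keys     []*ecdsa.PublicKey
	Required int
}

// Authorize accepts a spend only if at least Required distinct policy keys produced
// valid signatures over the transaction. A replayed signature from one key counts once.
func (p Policy) Authorize(tx []byte, sigs [][]byte) bool {
	h := sha256.Sum256(tx)
	used := make([]bool, len(p.Keys))
	distinct := 0
	for _, sig := range sigs {
		for i, key := range p.Keys {
			if !used[i] && ecdsa.VerifyASN1(key, h[:], sig) {
				used[i] = true
				distinct++
				break
			}
		}
	}
	return distinct >= p.Required
}

// Outcome records what a 2-of-2 policy does with different signature sets.
type Outcome struct {
	HotAlone    bool // signature from the hot server key only
	HotReplayed bool // the hot key's signature submitted twice
	Both        bool // hot key plus the offline key
	Tampered    bool // both signatures, but presented with a different transaction
}

// Scenario builds a hot/offline key pair and exercises the policy (constructed inputs).
func Scenario() (Outcome, error) {
	var out Outcome
	hot, err := NewSigner()
	if err != nil {
		return out, err
	}
	offline, err := NewSigner()
	if err != nil {
		return out, err
	}
	policy := Policy{Keys: []*ecdsa.PublicKey{hot.Public(), offline.Public()}, Required: 2}

	tx := []byte("constructed tx: move 10 coins to the cold-storage address")
	altered := []byte("constructed tx: move 10 coins to some other address")

	hotSig, err := hot.Sign(tx)
	if err != nil {
		return out, err
	}
	offSig, err := offline.Sign(tx)
	if err != nil {
		return out, err
	}
	out.HotAlone = policy.Authorize(tx, [][]byte{hotSig})
	out.HotReplayed = policy.Authorize(tx, [][]byte{hotSig, hotSig})
	out.Both = policy.Authorize(tx, [][]byte{hotSig, offSig})
	out.Tampered = policy.Authorize(altered, [][]byte{hotSig, offSig})
	return out, nil
}

func main() {
	out, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Only the run with both signatures over the unaltered transaction authorizes; the hot key alone, the hot key replayed, and the pair over a different transaction are all refused. The design choice worth noting is that the second signer is deliberately a machine the hosting provider never touches, which is what turns a stolen server password from a total loss into a single missing signature.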
sr. member
Activity: 350
Merit: 250
I never hashed for this...
Getting access to the Linode admin UI doesn't give access to the server itself.  You can view the console, but you just get the login prompt.  You still need the server's password to log in.

To reset the password the server has to be shut down so that /etc/shadow can be modified.  At that point they could just go in and grab the data, but they most likely used Linode's password changer to minimize the downtime to a few seconds to help prevent getting caught.

A reboot wouldn't be required if they got access to the Linode hosts, but it doesn't sound like that was the case here.  I'm guessing the exploit is in their web-based server management.

This is by far one of the scariest things about the process.  Considering Slush and the Faucet were compromised at roughly the same time, it points to the flaw being in Linode's administrative control panel.  A -very- scary situation, considering Linode is one of the largest VPS providers around.

I'm late to the party. None of my bitcoind Linodes have been compromised...yet. Come and get 'em...all my coins are hot now.

I guess it was mostly the 'highest profile' targets that got hit, which explains Gavin getting chosen (although I always thought the faucet kept a rather low amount of coins in it at any time, due to a roughly equal inflow/outflow of coins, or the fact that it used to run empty often).
sr. member
Activity: 350
Merit: 250
I never hashed for this...
Also, JeffK, your Ron Paul sig quote irritates me.

Is quoting Paul not allowed here? I thought everyone was pretty libertarian? Or was it that I had a Carl Marks quote next to it.