I've just been robbed :-( - page 5. | Bitcointalksearch.org

nomnomnom

sr. member

Activity: 313

Merit: 250

Quote from: caffeinewriter on September 28, 2012, 09:13:55 PM

Quote from: Cdecker on September 28, 2012, 07:58:58 PM

Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.

As for the cleaning up I think I'm OK. Just running clamscan over all the files, rkhunter had nothing to complain, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them, any experience about that?

Let me put it this way. There is nothing more annoying than Rootkits. They hide in every dark corner of your system. I'd recommend a specific rootkit detector/remover. Here are some I know of.

1. http://www.gmer.net (Windows)

2. https://www.pcworld.com/product/946306/f-secure-blacklight-rootkit-eliminator.html (Windows)

3. http://www.rootkit.nl/projects/rootkit_hunter.html (Linux)

4. http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx (Windows)

If you still think you might have a rootkit, wipe your system clean. It's really the only surefire way to get rid of a rootkit.

I think after a disaster like this the only secure method is to reinstall all affected computers, make some images
of the harddisk so you can still analyze what happend.

phillipsjk

legendary

Activity: 1008

Merit: 1001

Let the chips fall where they may.

Quote from: Cdecker on September 28, 2012, 07:30:00 PM

I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Does you home machine password have more or less than 60 bits of information (10 character, letters, numbers ,symbols)?

You may want to check the logs for failed login attempts.

I think the lesson here (which I did not know) is that you are going to move to key-based authentication, you should do it everywhere at the same time. Do you log into you home machine from Public computers? is that why you were not using Key based authentication?

Note: until recently, I was using password authentication with about 17 bits of information. Half my security was obscurity (two logins required with different usernames and passwords).

cedivad

legendary

Activity: 1176

Merit: 1001

Please explain us how the hell they got access to your private key.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: ?? on ??

Quote from: GernMiester on September 28, 2012, 10:28:50 PM

BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...

Ban this troll.

By the way, they don't need to physically steal your FIAT to rob you, they simply print more.

Indeed. They may do it slowly but it is surely. At 3%/year it'll take them, what, about 20 years to take half of it but guns in both hands and bars on the doors won't stop them.

So far with Bitcoin, excepting a week when everyone went bananas last summer, you would very likely be much ahead, maybe even very much ahead.

squid

member

Activity: 112

Merit: 10

Separate money into multiple offline backup wallets. Everything in 1 pot is silly =/

Sorry about your loss.

caffeinewriter

hero member

Activity: 532

Merit: 500

Quote from: BkkCoins on September 28, 2012, 11:06:19 PM

Quote from: GernMiester on September 28, 2012, 10:28:50 PM

BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...

Yes, now print a paper wallet (key) and you can say exactly the same thing about Bitcoin.

+1 GernMiester, I respect your opinion and respectfully reject it and maintain my own.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: GernMiester on September 28, 2012, 10:28:50 PM

BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...

Yes, now print a paper wallet (key) and you can say exactly the same thing about Bitcoin.

GernMiester

sr. member

Activity: 285

Merit: 250

BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: Red Emerald on September 28, 2012, 09:21:15 PM

Quote from: BkkCoins on September 28, 2012, 08:37:09 PM

Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control.

ssh-copy-id transfers the public key. That is fine. Your public key can be public. It's the private key that you have to protect and often have encrypted.

You're right - I got turn around. It's someone adding a public key to your authorized_keys file that you would need to be wary of.

Red Emerald

hero member

Activity: 742

Merit: 500

Quote from: BkkCoins on September 28, 2012, 08:37:09 PM

Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control.

ssh-copy-id transfers the public key. That is fine. Your public key can be public. It's the private key that you have to protect and often have encrypted.

Stories like this make me want to change all my passwords and move to new hot wallets. This is why I keep my large stash in an offline Armory wallet.

caffeinewriter

hero member

Activity: 532

Merit: 500

Quote from: Cdecker on September 28, 2012, 07:58:58 PM

Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.

As for the cleaning up I think I'm OK. Just running clamscan over all the files, rkhunter had nothing to complain, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them, any experience about that?

Let me put it this way. There is nothing more annoying than Rootkits. They hide in every dark corner of your system. I'd recommend a specific rootkit detector/remover. Here are some I know of.

1. http://www.gmer.net (Windows)

2. https://www.pcworld.com/product/946306/f-secure-blacklight-rootkit-eliminator.html (Windows)

3. http://www.rootkit.nl/projects/rootkit_hunter.html (Linux)

4. http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx (Windows)

If you still think you might have a rootkit, wipe your system clean. It's really the only surefire way to get rid of a rootkit.

BkkCoins

hero member

Activity: 784

Merit: 1009

firstbits:1MinerQ

Quote from: Cdecker on September 28, 2012, 07:30:00 PM

Quote from: BkkCoins on September 28, 2012, 07:27:08 PM

That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.

I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Any possibility of physical access at home? Roommate, neighbor, wandering gypsy, anyone who has physical access can gain root without password and then access your key - unless you use encrypted home or an encrypted hard disk.

Do you have remote access methods open at home, eg. VNC, or run a web server or other service? These are things that can get compromised. Java based web apps/servers seem to be open like swiss-cheese nowadays going by reading the news anyway.

Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control. That would give your key to their server for later re-access. I wouldn't fully believe this was a Russian user. It could just as easily be your next door neighbor using a proxy.
Check whether an additional key has been added to your laptop's ~/.ssh/authorized_keys file. This could be done by anyone with even a few moments access to your laptop.

Another thing I noticed - your sshd log msg indicates the user used sftp to login since it happened at the same exact same second as the ssh login. Hence, it wasn't a user logging in to the console and then choosing to use sftp. Have there been machines where you used sftp to view files? This uses ssh as a transport layer but you may have thought differently about how you connected since the client would not be console but Nautilus or any number of file browser apps.

kangasbros

hero member

Activity: 812

Merit: 1006

I'm sorry for the accident Sad

Care to share the details of your exact setup? I still didn't pick up what OS you were using etc.

Insu Dra

full member

Activity: 182

Merit: 100

agh sorry to hear ...

Just wanted to repeat my self again,
we need a easy to use Multi Sig implementation asap ...

Funds like these do not belong on a one to one transaction address.
Roll Eyes

BC12345

newbie

Activity: 57

Merit: 0

My humble advice:

- log off, go to bed, try to sleep and get your head clear

- tomorrow, try to figure out what happened.

paulie_w

sr. member

Activity: 420

Merit: 250

wow, 8000+ btc, that must hurt. sorry man!

Cdecker

hero member

Activity: 489

Merit: 505

Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.

As for the cleaning up I think I'm OK. Just running clamscan over all the files, rkhunter had nothing to complain, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them, any experience about that?

caffeinewriter

hero member

Activity: 532

Merit: 500

2 things:

1. I sent an email to the ISP that controls the IP that hacked you. I doubt much will come of it, but I figured "Hey, worth a shot".

2. I can check your computer through Teamviewer if you're comfortable with letting me have access to it. I'd just check the startup processes. However, I won't be of much help on Linux if that's what you use. I'm not comfortable enough with Linux to do much. :/

labestiol

sr. member

Activity: 434

Merit: 251

Quote from: Cdecker on September 28, 2012, 07:30:00 PM

Quote from: BkkCoins on September 28, 2012, 07:27:08 PM

That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.

I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Keylogger somewhere ? Password shared with a compromised website ?
Sorry for you loss, and good luck with your research. And thanks for doing research on bitcoin

Cdecker

hero member

Activity: 489

Merit: 505

Quote from: BkkCoins on September 28, 2012, 07:27:08 PM

That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.

I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Topic: I've just been robbed :-( - page 5. (Read 19257 times)