Pages:
Author

Topic: I've just been robbed :-( - page 5. (Read 19273 times)

sr. member
Activity: 313
Merit: 250
September 29, 2012, 03:08:15 AM
#56
Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.

As for the cleaning up I think I'm OK. Just running clamscan over all the files, rkhunter had nothing to complain, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them, any experience about that?

Let me put it this way. There is nothing more annoying than Rootkits. They hide in every dark corner of your system. I'd recommend a specific rootkit detector/remover. Here are some I know of.

1. http://www.gmer.net (Windows)

2. https://www.pcworld.com/product/946306/f-secure-blacklight-rootkit-eliminator.html (Windows)

3. http://www.rootkit.nl/projects/rootkit_hunter.html (Linux)

4. http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx (Windows)

If you still think you might have a rootkit, wipe your system clean. It's really the only surefire way to get rid of a rootkit.

I think after a disaster like this the only secure method is to reinstall all affected computers, make some images
of the harddisk so you can still analyze what happend.
legendary
Activity: 1008
Merit: 1001
Let the chips fall where they may.
September 29, 2012, 12:53:22 AM
#55
I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Does you home machine password have more or less than 60 bits of information (10 character, letters, numbers ,symbols)?

You may want to check the logs for failed login attempts.

I think the lesson here (which I did not know) is that you are going to move to key-based authentication, you should do it everywhere at the same time. Do you log into you home machine from Public computers? is that why you were not using Key based authentication?

Note: until recently, I was using password authentication with about 17 bits of information. Half my security was obscurity (two logins required with different usernames and passwords).
legendary
Activity: 1176
Merit: 1001
September 29, 2012, 12:23:26 AM
#54
Please explain us how the hell they got access to your private key.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 29, 2012, 12:02:46 AM
#53
BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...


Ban this troll.

By the way, they don't need to physically steal your FIAT to rob you, they simply print more.
Indeed. They may do it slowly but it is surely. At 3%/year it'll take them, what, about 20 years to take half of it but guns in both hands and bars on the doors won't stop them.

So far with Bitcoin, excepting a week when everyone went bananas last summer, you would very likely be much ahead, maybe even very much ahead.
member
Activity: 112
Merit: 10
September 28, 2012, 11:30:43 PM
#52
Separate money into multiple offline backup wallets. Everything in 1 pot is silly =/

Sorry about your loss.
hero member
Activity: 532
Merit: 500
September 28, 2012, 11:15:27 PM
#51
BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...

Yes, now print a paper wallet (key) and you can say exactly the same thing about Bitcoin.

+1 GernMiester, I respect your opinion and respectfully reject it and maintain my own.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 28, 2012, 11:06:19 PM
#50
BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...

Yes, now print a paper wallet (key) and you can say exactly the same thing about Bitcoin.
sr. member
Activity: 285
Merit: 250
September 28, 2012, 10:28:50 PM
#49
BTC is the most pathetic way to store money I have ever seen. PERIOD!!!!!
It gets taken and you get told go to hell and I get yet another laugh...
If you try and get my FIAT that is not in the bank, well, my gun(s) will change your mind or take your life. Simple as that...
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 28, 2012, 09:33:52 PM
#48
Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control.
ssh-copy-id transfers the public key.  That is fine.  Your public key can be public.  It's the private key that you have to protect and often have encrypted.
You're right - I got turn around. It's someone adding a public key to your authorized_keys file that you would need to be wary of.
hero member
Activity: 742
Merit: 500
September 28, 2012, 09:21:15 PM
#47
Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control.
ssh-copy-id transfers the public key.  That is fine.  Your public key can be public.  It's the private key that you have to protect and often have encrypted.

Stories like this make me want to change all my passwords and move to new hot wallets.  This is why I keep my large stash in an offline Armory wallet.
hero member
Activity: 532
Merit: 500
September 28, 2012, 09:13:55 PM
#46
Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.

As for the cleaning up I think I'm OK. Just running clamscan over all the files, rkhunter had nothing to complain, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them, any experience about that?

Let me put it this way. There is nothing more annoying than Rootkits. They hide in every dark corner of your system. I'd recommend a specific rootkit detector/remover. Here are some I know of.

1. http://www.gmer.net (Windows)

2. https://www.pcworld.com/product/946306/f-secure-blacklight-rootkit-eliminator.html (Windows)

3. http://www.rootkit.nl/projects/rootkit_hunter.html (Linux)

4. http://www.sophos.com/en-us/products/free-tools/sophos-anti-rootkit.aspx (Windows)

If you still think you might have a rootkit, wipe your system clean. It's really the only surefire way to get rid of a rootkit.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 28, 2012, 08:37:09 PM
#45
That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.
I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.
Any possibility of physical access at home? Roommate, neighbor, wandering gypsy, anyone who has physical access can gain root without password and then access your key - unless you use encrypted home or an encrypted hard disk.

Do you have remote access methods open at home, eg. VNC, or run a web server or other service? These are things that can get compromised. Java based web apps/servers seem to be open like swiss-cheese nowadays going by reading the news anyway.

Even someone with brief access to your laptop could simply run ssh-copy-id to some remote server they control. That would give your key to their server for later re-access. I wouldn't fully believe this was a Russian user. It could just as easily be your next door neighbor using a proxy.
Check whether an additional key has been added to your laptop's ~/.ssh/authorized_keys file. This could be done by anyone with even a few moments access to your laptop.

Another thing I noticed - your sshd log msg indicates the user used sftp to login since it happened at the same exact same second as the ssh login. Hence, it wasn't a user logging in to the console and then choosing to use sftp. Have there been machines where you used sftp to view files? This uses ssh as a transport layer but you may have thought differently about how you connected since the client would not be console but Nautilus or any number of file browser apps.
hero member
Activity: 812
Merit: 1006
September 28, 2012, 08:36:07 PM
#44
I'm sorry for the accident Sad

Care to share the details of your exact setup? I still didn't pick up what OS you were using etc.
full member
Activity: 182
Merit: 100
September 28, 2012, 08:30:48 PM
#43
agh sorry to hear ...

Just wanted to repeat my self again,
we need a easy to use Multi Sig implementation asap ...

Funds like these do not belong on a one to one transaction address.
 Roll Eyes
newbie
Activity: 57
Merit: 0
September 28, 2012, 08:13:41 PM
#42
My humble advice:

- log off, go to bed, try to sleep and get your head clear

- tomorrow, try to figure out what happened.
sr. member
Activity: 420
Merit: 250
September 28, 2012, 08:13:16 PM
#41
wow, 8000+ btc, that must hurt. sorry man!
hero member
Activity: 489
Merit: 505
September 28, 2012, 07:58:58 PM
#40
Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.

As for the cleaning up I think I'm OK. Just running clamscan over all the files, rkhunter had nothing to complain, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them, any experience about that?
hero member
Activity: 532
Merit: 500
September 28, 2012, 07:48:49 PM
#39
2 things:

1. I sent an email to the ISP that controls the IP that hacked you. I doubt much will come of it, but I figured "Hey, worth a shot".

2. I can check your computer through Teamviewer if you're comfortable with letting me have access to it. I'd just check the startup processes. However, I won't be of much help on Linux if that's what you use. I'm not comfortable enough with Linux to do much. :/
sr. member
Activity: 434
Merit: 251
September 28, 2012, 07:44:26 PM
#38
That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.
I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Keylogger somewhere ? Password shared with a compromised website ?
Sorry for you loss, and good luck with your research. And thanks for doing research on bitcoin
hero member
Activity: 489
Merit: 505
September 28, 2012, 07:30:00 PM
#37
That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.
I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.
Pages:
Jump to: