Topic: I've just been robbed :-( - page 6. (Read 19185 times)

hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 28, 2012, 08:27:08 PM
#36
That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intend to automate.
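One way to act on the advice above is to audit which keys in an `authorized_keys` file are not locked down with `command=`/`restrict`/`from=` options. This is an added example, not code from the thread; the key file contents are constructed and the key blobs are placeholders:

```python
import re

# Constructed authorized_keys contents; key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
ssh-ed25519 AAAAPLACEHOLDERKEY1 laptop-interactive
from="192.168.1.10",command="/usr/local/bin/backup-only",restrict ssh-ed25519 AAAAPLACEHOLDERKEY2 backup-script
no-pty,from="192.168.1.0/24" ssh-rsa AAAAPLACEHOLDERKEY3 cron-sync
# comment lines and blank lines are ignored
"""

# Key-type token marks the end of the (optional) options field.
KEY_RE = re.compile(
    r"(ssh-(?:ed25519|rsa|dss)|ecdsa-sha2-nistp(?:256|384|521))\s+(\S+)(?:\s+(.*))?$"
)

def split_options(opts):
    """Split the options field on commas that sit outside double quotes."""
    out, cur, quoted = [], "", False
    for ch in opts:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out

def audit_authorized_keys(text):
    """Return [(comment, [issues])] for keys that are not limited to one job."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = KEY_RE.search(line)
        if not m:
            continue
        options = split_options(line[:m.start()].strip())
        names = {o.split("=", 1)[0] for o in options}
        comment = m.group(3) or m.group(2)[:16]
        issues = []
        if "command" not in names:
            issues.append("no command= restriction: key grants a full shell")
        if "restrict" not in names:
            issues.append("no restrict: forwarding/pty/agent defaults stay enabled")
        if "from" not in names:
            issues.append("no from= limit: usable from any source address")
        if issues:
            findings.append((comment, issues))
    return findings
```

The `backup-script` entry passes because it can only run one fixed command from one address; the other two keys would be reported.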
hero member
Activity: 546
Merit: 500
September 28, 2012, 07:22:58 PM
#35
That sucks, bro.

If it's any consolation (probably not), I heard a story on this forum once about a guy that formatted a drive with tens of thousands of coins on it. He said the worst part was his wife knowing about it.

If it was just formatted one time, they are probably recoverable.
hero member
Activity: 533
Merit: 500
September 28, 2012, 06:56:03 PM
#34
Wow sorry to hear that.  I've since gone and removed all unencrypted wallets I had backed up just in case.  If there's any possible way of getting things back, I wish you luck.  Was about to say I hope you didn't have much but.. yeah, sorry.

Thank you for being strong and sharing everything you did so that others in the future may be more protected now.  It sucks but your story will help others!
legendary
Activity: 1708
Merit: 1019
September 28, 2012, 06:51:48 PM
#33
could this be someone trying to launder your coins? I will try and dig out when the first peak occurred.

edit:
[namecoin chart with odd peak]

no it was much too early. sorry for the confusion and good luck with getting back your coins. with this large a stash you really should have been more careful.
newbie
Activity: 57
Merit: 0
September 28, 2012, 06:47:53 PM
#32
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.

wait so..was the primary error that you left your backup wallet unencrypted? Or were there others?

I was going to ask the same thing. Could someone please explain (in simple words?) how the coins got stolen?
full member
Activity: 210
Merit: 100
September 28, 2012, 06:46:04 PM
#31
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.

wait so..was the primary error that you left your backup wallet unencrypted? Or were there others?
hero member
Activity: 489
Merit: 504
September 28, 2012, 06:13:22 PM
#30
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.
donator
Activity: 1463
Merit: 1047
I outlived my lifetime membership:)
September 28, 2012, 06:03:40 PM
#29
Good investigating. Someone needs to build a physical device that generates address/key pairs offline so you can take a Polaroid of it and stick it in a safety deposit box.
hero member
Activity: 668
Merit: 501
September 28, 2012, 06:02:20 PM
#28
i do feel 50% more paranoid now - if even security researchers get hacked, who can even say his hot wallet is secure?
legendary
Activity: 2436
Merit: 2119
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
September 28, 2012, 05:55:05 PM
#27
I've started closing down SSH as much as possible. The one time I got hacked, it was via a temporary account with a stupidly simple password and a privilege escalation. Fortunately, as far as I can tell, nothing substantial happened but with the world as it is at the moment, leaving the port open to the world when I only ever occasionally need to access it from the internet and then for only short periods of time seems unwise.
legendary
Activity: 1064
Merit: 1011
760930
September 28, 2012, 05:51:35 PM
#26
This incident also proves, if need be, that using linux rather than windows does not automagically protect you from cybercriminals.

Whatever the OS, it's your security
procedures that make all the difference.
legendary
Activity: 2198
Merit: 1311
September 28, 2012, 05:47:33 PM
#25
Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:

Quote
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker

Same happened a few minutes later on my machine at home (my bash history must have told him where to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised).

I'll write everything down and file a report, we'll see how open to technology the Swiss police are Cheesy

Really sorry.  The best thing I've ever done is create a bunch of paper wallet backups on an un-networked Linux machine with Armory and then do a military grade wipe of the drive.  I suggest everyone holding significant amounts do something similar.  I remember when Gavin started talking about wallet encryption and how he made it a point to say that it couldn't fend off attacks such as the one you've unfortunately fallen victim to.  Real bummer.
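The log quoted above carries two signals a defender can check for automatically: a key-based login from an address outside the networks one normally connects from, and sshd's reverse-DNS mismatch warning on the same session. This is an added example, not code from the thread; the sample lines are constructed from the quoted log plus one benign login, and the trusted LAN range is an assumption:

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample: the three lines quoted in the thread plus one expected LAN login.
SAMPLE_LOG = """\
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker
Sep 28 21:02:11 nb-10391 sshd[19301]: Accepted publickey for cdecker from 192.168.1.20 port 50122 ssh2
"""

# Assumption: key-based logins are only expected from this home LAN.
TRUSTED = [ip_network("192.168.1.0/24")]

ACCEPT_RE = re.compile(r"sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)")
REVDNS_RE = re.compile(r"sshd\[(\d+)\]: reverse mapping checking getaddrinfo .*? \[(\S+)\] failed")

def find_suspicious_logins(log_text, trusted=TRUSTED):
    """Return (pid, user, method, ip, reasons) for accepted logins that look out of place."""
    revdns_failed = set()   # sshd PIDs whose session saw a reverse-DNS mismatch
    findings = []
    for line in log_text.splitlines():
        m = REVDNS_RE.search(line)
        if m:
            revdns_failed.add(m.group(1))
            continue
        m = ACCEPT_RE.search(line)
        if not m:
            continue
        pid, method, user, ip, _port = m.groups()
        reasons = []
        if not any(ip_address(ip) in net for net in trusted):
            reasons.append("source outside trusted networks")
        if pid in revdns_failed:
            reasons.append("reverse DNS mismatch on same session")
        if reasons:
            findings.append((pid, user, method, ip, reasons))
    return findings

if __name__ == "__main__":
    for pid, user, method, ip, reasons in find_suspicious_logins(SAMPLE_LOG):
        print(f"sshd[{pid}] {method} login for {user} from {ip}: {'; '.join(reasons)}")
```

On the sample, only the 178.140.220.181 session is reported, with both reasons; the LAN login is silent.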
hero member
Activity: 784
Merit: 1000
Annuit cœptis humanae libertas
September 28, 2012, 05:46:24 PM
#24
Cdecker, I'm so sorry to hear this, regardless of how it happened. Sad

Russkies cracked into your computer and pilfered your wallet? That's a lesson to all of us.
legendary
Activity: 2940
Merit: 1090
September 28, 2012, 05:43:24 PM
#23
What is "Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2" about? Does that mean he had the private key corresponding to your public key so was able to respond to some kind of asymmetric crypto challenge to auto-login through sshd?

-MarkM-

hero member
Activity: 489
Merit: 504
September 28, 2012, 05:38:35 PM
#22
Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:

Quote
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker

Same happened a few minutes later on my machine at home (my bash history must have told him where to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised).

I'll write everything down and file a report, we'll see how open to technology the Swiss police are Cheesy
legendary
Activity: 2940
Merit: 1090
September 28, 2012, 05:30:44 PM
#21
Ah so likely they logged your keystrokes to get any passwords you typed, or maybe even were able to access decrypted keys in RAM depending on what kind of "secure RAM" system might be used for keys.

Quite likely you are rootkitted too, so that pretty much anything and everything on your system is suspect, unless they weren't keylogging last time you logged in as a user who can write to the executable files areas and do not have a root exploit that can work from whatever user they logged in as.

-MarkM-
hero member
Activity: 489
Merit: 504
September 28, 2012, 05:26:40 PM
#20
Never mind the other thread, as I already explained it's part of my research, I myself am 82.130.102.160, and yes we developed BitThief, so that's not it.

I think showing up on blockchain.info actually put a huge target on my back. I see a few connections to my notebook from Russian domains and the big surprise: they are able to log in...
They must have somehow gotten my password or

[...few minutes later ...]

sorry had to kill the network connection, whoever it was they were still logged in on my machine...
legendary
Activity: 2856
Merit: 1518
Bitcoin Legal Tender Countries: 2 of 206
September 28, 2012, 05:25:36 PM
#19
if you have a copy of your unencrypted wallet.dat somewhere and you encrypt it LATER, all the private keys that you had in the wallet until the encryption task happened are UNSECURED.

Would be great to hear him confirm this was the case that he had all that before encryption

it doesn't matter how many coins you have, ALL the coins you receive with this private key(s) are unsecured, also the coins you might receive in the future!
legendary
Activity: 1806
Merit: 1003
September 28, 2012, 05:21:06 PM
#18
So, you stored your wallet in plaintext somewhere other people may be able to access, and are surprised someone robbed you?
420
hero member
Activity: 756
Merit: 500
September 28, 2012, 05:20:45 PM
#17
if you have a copy of your unencrypted wallet.dat somewhere and you encrypt it LATER, all the private keys that you had in the wallet until the encryption task happened are UNSECURED.

Would be great to hear him confirm this was the case that he had all that before encryption