Pages:
Author

Topic: I've just been robbed :-( - page 6. (Read 19257 times)

hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
September 28, 2012, 07:27:08 PM
#36
That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that previously you used to connect to your laptop. A public key is not more safe than a password if it's left laying around on various systems.

People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intent to automate.
hero member
Activity: 546
Merit: 500
September 28, 2012, 06:22:58 PM
#35
That sucks, bro.

If it's any consolation (probably not), I heard a story on this forum once about a guy that formatted a drive with tens of thousands of coins on it. He said the worst part was his wife knowing about it.

If it was just formatted one time, they are probably recoverable.
hero member
Activity: 533
Merit: 500
September 28, 2012, 05:56:03 PM
#34
Wow sorry to hear that.  I've since gone and removed all unencrypted wallets I had backed up just in case.  If there's any possible way of getting things back, I wish you luck.  Was about to say I hope you didn't have much but.. yeah, sorry.

Thank you for being strong and sharing everything you did so that others in the future may be more protected now.  It sucks but your story will help others!
legendary
Activity: 1708
Merit: 1020
September 28, 2012, 05:51:48 PM
#33
could this be someone trying to launder your coins? I will try and dig out when the first peak occured.

edit:
[namecoin chart with odd peak]

no it was much too early. sorry for the confusion and good luck with getting back your coins. with this large a stash  you really should have been more careful.
newbie
Activity: 57
Merit: 0
September 28, 2012, 05:47:53 PM
#32
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.

wait so..was the primary error that you left your backup wallet unencrypted? Or were there others?

I was going to ask the same thing. Could someone please explain (in simple words?) how the coins got stolen?
full member
Activity: 210
Merit: 100
September 28, 2012, 05:46:04 PM
#31
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.

wait so..was the primary error that you left your backup wallet unencrypted? Or were there others?
hero member
Activity: 489
Merit: 505
September 28, 2012, 05:13:22 PM
#30
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.
donator
Activity: 1464
Merit: 1047
I outlived my lifetime membership:)
September 28, 2012, 05:03:40 PM
#29
Good investigating. Someone needs to build a physical device that generates address/key pairs offline so you can take a Polaroid of it and stick it in a safety deposit box.
hero member
Activity: 668
Merit: 501
September 28, 2012, 05:02:20 PM
#28
i do feel 50% more paranoid now - if even security researchers get hacked, who can even say his hot wallet is secure?
legendary
Activity: 2576
Merit: 2267
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
September 28, 2012, 04:55:05 PM
#27
I've started closing down SSH as much as possible. The one time I got hacked, it was via a temporary account with a stupidly simple password and a privilege escalation. Fortunately, as far as I can tell, nothing substantial happened but with the world as it is at the moment, leaving the port open to the world when I only ever occasionally need to access it from the internet and then for only short periods of time seems unwise.
legendary
Activity: 1092
Merit: 1016
760930
September 28, 2012, 04:51:35 PM
#26
This incident also proves, if need be, that using linux rather than windows does not automagically protect you from cybercriminals.

Whatever the OS, it's your security
procedures that make all the difference.
legendary
Activity: 2198
Merit: 1311
September 28, 2012, 04:47:33 PM
#25
Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:

Quote
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker

Same happened a few minutes later on my machine at home (my bash history must have told him were to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised).

I'll write everything down and file a report, we'll see how open to technology the swiss police are Cheesy

Really sorry.  The best thing I've ever done is create a bunch of paper wallet backups on a un-networked Linux machine with Armory and then do a military grade wipe of the drive.  I suggest everyone holding significant amounts do something similar.  I remember when Gavin started talking about wallet encryption and how he made it a point to say that it couldn't fend of attacks such as the one you've unfortunately fallen victim to.  Real bummer.
hero member
Activity: 784
Merit: 1000
Annuit cœptis humanae libertas
September 28, 2012, 04:46:24 PM
#24
Cdecker, I'm so sorry to hear this, regardless of how it happened. Sad

Russkies cracked into your computer and pilfered your wallet? That's a lesson to all of us.
legendary
Activity: 2940
Merit: 1090
September 28, 2012, 04:43:24 PM
#23
What is "Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2" about? Does that mean he had the private key corresponding to your public key so was able to respond to some kind of asymmetric crypto challenge to auto-login through sshd?

-MarkM-

hero member
Activity: 489
Merit: 505
September 28, 2012, 04:38:35 PM
#22
Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:

Quote
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker

Same happened a few minutes later on my machine at home (my bash history must have told him were to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised).

I'll write everything down and file a report, we'll see how open to technology the swiss police are Cheesy
legendary
Activity: 2940
Merit: 1090
September 28, 2012, 04:30:44 PM
#21
Ah so likely they logged your keystrokes to get any passwords you typed, or maybe even were able to access decrypted keys in RAM depending on what kind of "secure RAM" system might be used for keys.

Quite likely you are rootkitted too, so that pretty much anything and everything on your system is suspect, unless they weren't keylogging last time you logged in as a user who can write to the executable files areas and do not have a root exploit that can work from whatever user the logged in as.

-MarkM-
hero member
Activity: 489
Merit: 505
September 28, 2012, 04:26:40 PM
#20
Nevermind the other Thread, as I already explained it's part of my research, I myself am 82.130.102.160, and yes we developed BitThief, so that's not it.

I think showing up on blockchain.info actually put a huge target on my back. I see a few connection to my notebook from Russian domains and the big surprise: they are able to log in...
They must have somehow gotten my password or

[...few minutes later ...]

sorry had to kill the network connection, whoever it was they were still logged in on my machine...
legendary
Activity: 2856
Merit: 1520
Bitcoin Legal Tender Countries: 2 of 206
September 28, 2012, 04:25:36 PM
#19
if you have a copy of your unencrypted wallet.dat somewhere and you encrypt it LATER all your private keys are UNSECURED which you had in the wallet until the encryption task happened.

Would be great to hear him confirm this was the case that he had all that before encryption

it doesn't matter how many coins you have, ALL your coins are unsecured which you receive with this private key(s) also the coins you might receive in the future!
legendary
Activity: 1806
Merit: 1003
September 28, 2012, 04:21:06 PM
#18
So, you stored your wallet in plaintext at somewhere other people may be able to access, and surprised someone robbed you?
420
hero member
Activity: 756
Merit: 500
September 28, 2012, 04:20:45 PM
#17
if you have a copy of your unencrypted wallet.dat somewhere and you encrypt it LATER all your private keys are UNSECURED which you had in the wallet until the encryption task happened.

Would be great to hear him confirm this was the case that he had all that before encryption
Pages:
Jump to: