Looks like my BTC wallet was hacked | Bitcointalksearch.org

philipma1957

legendary

Activity: 4256

Merit: 8551

'The right to privacy matters'

Quote from: manselr on June 11, 2015, 09:58:24 AM

Quote from: Amitabh S on June 11, 2015, 02:36:33 AM

The coins eventually landed up here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL
If you Google for the address, you will get several links. It seems to be an exchange address.

Have you figured out the source of the hack? Was is definitely the forum software?

How what use that would be? If he ran the coins through a exchange, it becomes as difficult as trying to guess coins after being ran by a mixer.. it's an headache trying to figure out who owns what anymore.
I would say OP downloaded some dodgy wallet from some altcoin.

yeah best way to keep a wallet safe is dedicate a pc to the blockchain and nothing else.

I use an old mobo/cpu from gpu mining back in 2012 . I run my wallet on that and nothing else.

manselr

legendary

Activity: 868

Merit: 1006

Quote from: Amitabh S on June 11, 2015, 02:36:33 AM

The coins eventually landed up here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL
If you Google for the address, you will get several links. It seems to be an exchange address.

Have you figured out the source of the hack? Was is definitely the forum software?

How what use that would be? If he ran the coins through a exchange, it becomes as difficult as trying to guess coins after being ran by a mixer.. it's an headache trying to figure out who owns what anymore.
I would say OP downloaded some dodgy wallet from some altcoin.

Amitabh S

legendary

Activity: 1001

Merit: 1005

The coins eventually landed up here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL
If you Google for the address, you will get several links. It seems to be an exchange address.

Have you figured out the source of the hack? Was is definitely the forum software?

Tommo_Aus

sr. member

Activity: 420

Merit: 250

Is anyone good at tracing BTC transactions? Its been a while but I thought I'd revisit this and I've seen the BTC moved in January:

https://blockchain.info/address/1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt

Wouldn't mind knowing where it went, if its gone to an exchange there might be something to trace.

AliceWonder

full member

Activity: 168

Merit: 100

Looks that way to me.

Tommo_Aus

sr. member

Activity: 420

Merit: 250

Been a while since this happened but does this mean the coins are still sitting in the same address?

https://blockchain.info/address/1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt

Really sucks seeing the coins there in limbo in someone else's account.

pengoau

full member

Activity: 208

Merit: 100

Quote from: Tommo_Aus on February 18, 2014, 06:08:44 PM

Quote from: dddbtc on February 18, 2014, 01:14:54 PM

I am a user of your pool. This is very unfortunate. I have also been following the hack of the TomCoin portion for the past few days. Please copy all of suspicious PHP source and make a pastebin. I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.

Even tho I'm late...

A good file sharing site is: mega.co.nz

Security suggestion: Implement 2 Factor Auth (now that the backdoor is known and gone) and mod_security to prevent hackers uploading files if they find a new backdoor.

Just my 2c worth...
Any money the hacker is watching this thread and found out about your pool from this forum.

Paranoid much?

Sucks to hear you got hacked tommo, good to hear you are persisting and this has been a worthwhile learning experience. At least only 10k or so of coins were stolen so there is no real need for clients to come after you. You don't need legal or financial problems to be added to your grief.

Tommo_Aus

sr. member

Activity: 420

Merit: 250

Quote from: fcmatt on February 20, 2014, 08:15:17 PM

You really need to remove everything from www dir and put back only what you know. Or list all files looking for newer dates, file creation times, files created by www instead of root or your normal user you edit files with,etc They tend to leave multiples of these backdoors for this exact reason. i failed to mention this to you but i did say start www from scratch or review every file.

Yeah I checked through the files and creation dates, somehow I missed this one.

fcmatt

legendary

Activity: 2072

Merit: 1001

Quote from: Tommo_Aus on February 20, 2014, 08:06:56 PM

I've uploaded the lib.php file to here:

http://www8.zippyshare.com/v/82893458/file.html

I'd greatly appreciate if someone could take a look at it just to make sure there isn't anything else I should worry about.

Checked my BTC wallet today and found another transaction, luckily it wasn't significant as everything else had been emptied out earlier... little shit ('scuse my French) going back for more. I did a file contents search and found another instance of it in my web dir under a different name. I'd moved all of the other wallets to another server earlier on so access was only available to the one wallet. I've since deleted this last instance of the craplication.

You really need to remove everything from www dir and put back only what you know. Or list all files looking for newer dates, file creation times, files created by www instead of root or your normal user you edit files with,etc They tend to leave multiples of these backdoors for this exact reason. i failed to mention this to you but i did say start www from scratch or review every file.

Tommo_Aus

sr. member

Activity: 420

Merit: 250

I've uploaded the lib.php file to here:

http://www8.zippyshare.com/v/82893458/file.html

I'd greatly appreciate if someone could take a look at it just to make sure there isn't anything else I should worry about.

Checked my BTC wallet today and found another transaction, luckily it wasn't significant as everything else had been emptied out earlier... little shit ('scuse my French) going back for more. I did a file contents search and found another instance of it in my web dir under a different name. I'd moved all of the other wallets to another server earlier on so access was only available to the one wallet. I've since deleted this last instance of the craplication.

dddbtc

sr. member

Activity: 490

Merit: 250

Quote from: Hushpupy on February 19, 2014, 11:16:54 AM

Tom Pool is up and running again!!!!

Have happily kept 30GH/s on tompool the entire time. Thankfully I am auto-withdrawing altcoins to cryptsy and not utilizing TomCoin. Really glad to see the project wasn't closed due to the hack.

Hushpupy

newbie

Activity: 8

Merit: 0

Tom Pool is up and running again!!!!!

creepywheepy

member

Activity: 87

Merit: 10

Sorry to hear that. I wonder cause hacking is really a big problem - what is the best way to protect from hacks?

dddbtc

sr. member

Activity: 490

Merit: 250

Quote from: Tommo_Aus on February 18, 2014, 06:08:44 PM

Quote from: dddbtc on February 18, 2014, 01:14:54 PM

I am a user of your pool. This is very unfortunate. I have also been following the hack of the TomCoin portion for the past few days. Please copy all of suspicious PHP source and make a pastebin. I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.

http://www.zippyshare.com/ would work nicely. They don't have any ads or compulsory registration.

Tommo_Aus

sr. member

Activity: 420

Merit: 250

Thanks guys, I've just brought the individual pools and multipools back online, hopefully some smooth sailing from here!

Don't hesitate to contact me fcmatt, thanks for all your help identifying the point of entry you were spot on, I'd be glad to return the favour

tertius993

hero member

Activity: 1029

Merit: 712

Good news. My miner switched back automatically when the pool came back online.

fcmatt

legendary

Activity: 2072

Merit: 1001

Quote from: Tommo_Aus on February 19, 2014, 12:22:51 AM

Heh many thanks but no need, I'll just get things back up and more secure then hope some miners return

I've removed the forum software, changed passwords, reviewed files in the web directories and blocked a heap of ports (about the only ones open now are for the web server, mining (stratum) and SSH access).

TomCoin is now up, should have the other pools and multipools up soon. I'm just taking this as an opportunity to load balance between the servers as running so many wallets on my server with lower disk I/O is hurting its performance.

tommo, i am glad to see you up and running again.

perhaps i can message you in the future if i have any curious questions about your experiences running a multicoin pool?

Tommo_Aus

sr. member

Activity: 420

Merit: 250

Heh many thanks but no need, I'll just get things back up and more secure then hope some miners return

I've removed the forum software, changed passwords, reviewed files in the web directories and blocked a heap of ports (about the only ones open now are for the web server, mining (stratum) and SSH access).

TomCoin is now up, should have the other pools and multipools up soon. I'm just taking this as an opportunity to load balance between the servers as running so many wallets on my server with lower disk I/O is hurting its performance.

Hushpupy

newbie

Activity: 8

Merit: 0

Quote from: El_Nickio on February 18, 2014, 01:05:44 PM

Sorry for your troubles Tommo - I'd be happy for a zeroed account and a fresh start!

I will be happy to donate my miners on your pool for a day to help you build up your pool again. 38gh for a day. Let start a donation to Tom pool! Any else would like to make a miner donation to Tom pool?

Tommo_Aus

sr. member

Activity: 420

Merit: 250

Quote from: dddbtc on February 18, 2014, 01:14:54 PM

I am a user of your pool. This is very unfortunate. I have also been following the hack of the TomCoin portion for the past few days. Please copy all of suspicious PHP source and make a pastebin. I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.

Topic: Looks like my BTC wallet was hacked (Read 7215 times)