
Topic: Looks like my BTC wallet was hacked (Read 7233 times)

legendary
Activity: 4326
Merit: 8950
'The right to privacy matters'
June 14, 2015, 09:31:11 PM
#64
The coins eventually landed up here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL
If you Google for the address, you will get several links. It seems to be an exchange address.

Have you figured out the source of the hack? Was it definitely the forum software?


What use would that be? If he ran the coins through an exchange, it becomes as difficult as trying to guess coins after they've been run through a mixer... it's a headache trying to figure out who owns what anymore.
I would say OP downloaded some dodgy wallet from some altcoin.
 

Yeah, the best way to keep a wallet safe is to dedicate a PC to the blockchain and nothing else.

I use an old mobo/CPU from GPU mining back in 2012. I run my wallet on that and nothing else.
legendary
Activity: 868
Merit: 1006
June 11, 2015, 09:58:24 AM
#63
The coins eventually landed up here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL
If you Google for the address, you will get several links. It seems to be an exchange address.

Have you figured out the source of the hack? Was it definitely the forum software?


What use would that be? If he ran the coins through an exchange, it becomes as difficult as trying to guess coins after they've been run through a mixer... it's a headache trying to figure out who owns what anymore.
I would say OP downloaded some dodgy wallet from some altcoin.
legendary
Activity: 1001
Merit: 1005
June 11, 2015, 02:36:33 AM
#62
The coins eventually landed up here https://blockchain.info/address/1FsVcdeHbpvUVT3gjeuVR2ZSDnpcsJMsLL
If you Google for the address, you will get several links. It seems to be an exchange address.

Have you figured out the source of the hack? Was it definitely the forum software?
sr. member
Activity: 420
Merit: 250
June 04, 2015, 01:22:10 AM
#61
Is anyone good at tracing BTC transactions? It's been a while, but I thought I'd revisit this and I've seen the BTC moved in January:

https://blockchain.info/address/1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt

Wouldn't mind knowing where it went; if it's gone to an exchange there might be something to trace.
full member
Activity: 168
Merit: 100
July 14, 2014, 03:54:40 PM
#60
Looks that way to me.
sr. member
Activity: 420
Merit: 250
July 13, 2014, 07:36:53 PM
#59
Been a while since this happened but does this mean the coins are still sitting in the same address?

https://blockchain.info/address/1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt

Really sucks seeing the coins there in limbo in someone else's account.
full member
Activity: 208
Merit: 100
February 21, 2014, 05:45:31 AM
#58
I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.

Even tho I'm late...

A good file sharing site is:  mega.co.nz

Security suggestion: Implement 2 Factor Auth (now that the backdoor is known and gone) and mod_security to prevent hackers uploading files if they find a new backdoor.

Just my 2c worth...
Any money the hacker is watching this thread and found out about your pool from this forum.

Paranoid much? :)

Sucks to hear you got hacked tommo, good to hear you are persisting and this has been a worthwhile learning experience. At least only 10k or so of coins were stolen so there is no real need for clients to come after you. You don't need legal or financial problems to be added to your grief.
sr. member
Activity: 420
Merit: 250
February 20, 2014, 09:19:11 PM
#57
You really need to remove everything from the www dir and put back only what you know. Or list all files, looking for newer dates, file creation times, files created by www instead of root or the normal user you edit files with, etc. They tend to leave multiple copies of these backdoors for this exact reason. I failed to mention this to you, but I did say start www from scratch or review every file.

Yeah I checked through the files and creation dates, somehow I missed this one.
legendary
Activity: 2072
Merit: 1001
February 20, 2014, 08:15:17 PM
#56
I've uploaded the lib.php file to here:

http://www8.zippyshare.com/v/82893458/file.html

I'd greatly appreciate if someone could take a look at it just to make sure there isn't anything else I should worry about.

Checked my BTC wallet today and found another transaction, luckily it wasn't significant as everything else had been emptied out earlier... little shit ('scuse my French) going back for more. I did a file contents search and found another instance of it in my web dir under a different name. I'd moved all of the other wallets to another server earlier on so access was only available to the one wallet. I've since deleted this last instance of the craplication.

You really need to remove everything from the www dir and put back only what you know. Or list all files, looking for newer dates, file creation times, files created by www instead of root or the normal user you edit files with, etc. They tend to leave multiple copies of these backdoors for this exact reason. I failed to mention this to you, but I did say start www from scratch or review every file.
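The triage fcmatt describes above (newer dates, files the web server wrote rather than root, and the content search tommo used to find the renamed copy) as a script. This is an added example, not anything posted in the thread or part of the pool's code; the pattern list, the 30-day window, and the WEBROOT/DEPLOY_USER/MANIFEST names are assumptions to adjust for your own server.

```shell
#!/bin/sh
# Added example: triage a web root for planted PHP backdoors.
# Four passes: recently changed files, files not owned by the deploying user,
# a content search for the usual webshell tells, and a diff against a manifest
# of the tree you know is clean. Everything here is an assumption for
# illustration, not the pool's own tooling.

DAYS="${DAYS:-30}"

# Files modified, or whose inode changed, in the last $DAYS days. An attacker
# can backdate mtime with `touch -t`, but cannot rewrite ctime the same way,
# so check both and treat a big mtime/ctime gap as a reason to look closer.
recent_files() {
  find "$1" -type f \( -mtime "-$DAYS" -o -ctime "-$DAYS" \) -print
}

# Files not owned by the account you deploy with ($2, e.g. root). A file owned
# by the web server user inside the docroot was written by the web server
# itself, which is exactly how an uploaded backdoor lands.
foreign_owned() {
  find "$1" -type f ! -user "$2" -print
}

# Content search for the tells of an obfuscated PHP shell: eval of a decoded
# or inflated string, request parameters called as functions, dynamic
# function creation, and the old preg_replace /e trick. Expect some false
# positives from legitimate libraries; review hits, do not auto-delete them.
suspicious_content() {
  grep -rlE \
    -e 'eval[[:space:]]*\(' \
    -e 'base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(' \
    -e 'create_function[[:space:]]*\(|preg_replace[[:space:]]*\(.*/e' \
    -e '\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\(' \
    "$1" 2>/dev/null || true
}

# SHA-256 of every file under a directory, one line per file, sorted by path.
tree_manifest() {
  ( cd "$1" && find . -type f -exec sha256sum {} + ) | LC_ALL=C sort -k2
}

# Every line of the live tree's manifest that is not byte-for-byte in the
# clean manifest ($1): new files and changed files. Build the clean manifest
# from a fresh checkout or a pre-incident backup, never from the compromised
# tree itself, otherwise the backdoor is baked into the baseline.
manifest_diff() {
  tree_manifest "$2" | grep -vxFf "$1" || true
}

# Stand-alone run against a real host, e.g.
#   WEBROOT=/var/www DEPLOY_USER=root MANIFEST=clean.sha256 sh find_backdoors.sh
if [ -n "$WEBROOT" ]; then
  echo "== changed in the last $DAYS days"; recent_files "$WEBROOT"
  echo "== not owned by ${DEPLOY_USER:-root}"; foreign_owned "$WEBROOT" "${DEPLOY_USER:-root}"
  echo "== suspicious content"; suspicious_content "$WEBROOT"
  if [ -n "$MANIFEST" ]; then
    echo "== differs from clean manifest"; manifest_diff "$MANIFEST" "$WEBROOT"
  fi
fi
```

The manifest pass is the scripted form of "put back only what you know": anything it lists is either your own change or the attacker's, and a second copy under a different name shows up there even when the owner and timestamps look normal.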
sr. member
Activity: 420
Merit: 250
February 20, 2014, 08:06:56 PM
#55
I've uploaded the lib.php file to here:

http://www8.zippyshare.com/v/82893458/file.html

I'd greatly appreciate if someone could take a look at it just to make sure there isn't anything else I should worry about.

Checked my BTC wallet today and found another transaction, luckily it wasn't significant as everything else had been emptied out earlier... little shit ('scuse my French) going back for more. I did a file contents search and found another instance of it in my web dir under a different name. I'd moved all of the other wallets to another server earlier on so access was only available to the one wallet. I've since deleted this last instance of the craplication.
sr. member
Activity: 490
Merit: 250
February 19, 2014, 11:19:56 AM
#54
Tom Pool is up and running again!!!!

Have happily kept 30GH/s on tompool the entire time. Thankfully I am auto-withdrawing altcoins to cryptsy and not utilizing TomCoin.  Really glad to see the project wasn't closed due to the hack.
newbie
Activity: 8
Merit: 0
February 19, 2014, 11:16:54 AM
#53
Tom Pool is up and running again!!!!!
member
Activity: 87
Merit: 10
February 19, 2014, 11:05:13 AM
#52
Sorry to hear that. I wonder, because hacking is really a big problem: what is the best way to protect against hacks?
sr. member
Activity: 490
Merit: 250
February 19, 2014, 09:08:45 AM
#51
I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.

http://www.zippyshare.com/ would work nicely. They don't have any ads or compulsory registration.
sr. member
Activity: 420
Merit: 250
February 19, 2014, 08:13:57 AM
#50
Thanks guys, I've just brought the individual pools and multipools back online, hopefully some smooth sailing from here!

Don't hesitate to contact me fcmatt, thanks for all your help identifying the point of entry, you were spot on. I'd be glad to return the favour :)
hero member
Activity: 1029
Merit: 712
February 19, 2014, 02:14:55 AM
#49
Good news.  My miner switched back automatically when the pool came back online.
legendary
Activity: 2072
Merit: 1001
February 19, 2014, 12:24:27 AM
#48
Heh many thanks but no need, I'll just get things back up and more secure then hope some miners return :)

I've removed the forum software, changed passwords, reviewed files in the web directories and blocked a heap of ports (about the only ones open now are for the web server, mining (stratum) and SSH access).

TomCoin is now up, should have the other pools and multipools up soon. I'm just taking this as an opportunity to load balance between the servers as running so many wallets on my server with lower disk I/O is hurting its performance.

Tommo, I am glad to see you up and running again.

Perhaps I can message you in the future if I have any curious questions about your experiences running a multicoin pool?
sr. member
Activity: 420
Merit: 250
February 19, 2014, 12:22:51 AM
#47
Heh many thanks but no need, I'll just get things back up and more secure then hope some miners return :)

I've removed the forum software, changed passwords, reviewed files in the web directories and blocked a heap of ports (about the only ones open now are for the web server, mining (stratum) and SSH access).

TomCoin is now up, should have the other pools and multipools up soon. I'm just taking this as an opportunity to load balance between the servers as running so many wallets on my server with lower disk I/O is hurting its performance.
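A way to verify the "only web, stratum and SSH are open" state described above by reading the live socket table instead of trusting the firewall script. This is an added example, not part of the thread or the pool's setup; the stratum port (3333) and the sample `ss` lines are constructed assumptions, and the Bitcoin defaults it mentions (8332 RPC, 8333 P2P) are just the well-known ones.

```shell
#!/bin/sh
# Added example: list exposed TCP listeners that are not on an allowlist.
# Feed it the output of `ss -ltnH` (the same columns as `ss -ltn` without
# the header). Assumed ports and sample data; not the pool's own tooling.

# $1 = allowed TCP ports, space separated
# stdin = one socket per line: State Recv-Q Send-Q Local:Port Peer:Port [Process]
unexpected_listeners() {
  allow=" $1 "
  while read -r _state _rq _sq laddr _peer _rest; do
    [ -n "$laddr" ] || continue
    port="${laddr##*:}"     # text after the last colon
    addr="${laddr%:*}"      # text before it: 0.0.0.0, *, [::], 127.0.0.1, [::1]
    case "$allow" in *" $port "*) continue ;; esac
    # Loopback-only sockets (wallet RPC, databases, caches) are reachable only
    # from the box itself. Anything else on a wildcard or routable address is
    # what the outside world can hit and what the firewall must cover.
    case "$addr" in
      127.*|'[::1]') ;;
      *) echo "$port $addr" ;;
    esac
  done
}

# Constructed sample of what a pool box might show. 0.0.0.0, * and [::] all
# mean "every interface". 8332 is bitcoind's default RPC port and is correctly
# bound to loopback here; 8333 is its default P2P port and 3306 is MySQL, both
# exposed, so both get reported and the operator has to decide on each.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 *:80 *:*
LISTEN 0 128 0.0.0.0:3333 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8332 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8333 0.0.0.0:*
LISTEN 0 80 [::]:3306 [::]:*
LISTEN 0 128 [::1]:11211 [::]:*'

# Number of unexpected exposed listeners in the sample (a quick pass/fail).
sample_unexpected_count() {
  printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 3333" | wc -l | tr -d ' '
}

# Stand-alone on a real host (output is empty when the allowlist holds):
#   ss -ltnH | unexpected_listeners "22 80 443 3333"
printf '%s\n' "$SAMPLE_SS" | unexpected_listeners "22 80 3333"
```

Run it from cron or after every deploy: a wallet daemon that is later restarted with RPC bound to all interfaces, or a new service that ships with a listening port, shows up immediately instead of being discovered by whoever scans you next.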
newbie
Activity: 8
Merit: 0
February 19, 2014, 12:11:00 AM
#46
Sorry for your troubles Tommo - I'd be happy for a zeroed account and a fresh start!
I will be happy to donate my miners on your pool for a day to help you build up your pool again. 38 GH/s for a day. Let's start a donation to Tom pool! Would anyone else like to make a miner donation to Tom pool?
sr. member
Activity: 420
Merit: 250
February 18, 2014, 06:08:44 PM
#45
I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.