Pages:
Author

Topic: Looks like my BTC wallet was hacked - page 2. (Read 7235 times)

sr. member
Activity: 490
Merit: 250
February 18, 2014, 01:14:54 PM
#44
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:



   Password:
   
   


It renders as a password input field with a Login button.

I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!
member
Activity: 95
Merit: 10
February 18, 2014, 01:05:44 PM
#43
Sorry for your troubles Tommo - I'd be happy for a zeroed account and a fresh start!
full member
Activity: 249
Merit: 100
February 18, 2014, 12:45:36 PM
#42
Perhaps you could reach an arrangement with somebody like fcmatt, to do some private security consulting for you.  At the very least it would be a second layer, a second set of experienced eyes keeping watch on that side of your site.  I always feared right from the start the possibility of thieves coming against you as you became higher profile.
newbie
Activity: 27
Merit: 0
February 18, 2014, 10:43:17 AM
#41
Mod_Security would most likely have prevented files from being uploaded and executed, which it sounds like happened here.

Sad
newbie
Activity: 43
Merit: 0
February 18, 2014, 08:43:22 AM
#40
I have been mining off and on for a while and really liked the interface and can tell you put a lot of work into it.  Don't let those bastards win.  I for one have faith that you are telling the truth and will defend Tom Pool's honor if anyone posts any negative bullshit on this or any other forum.  Just Zero everyone's account out and start over.  I'm down with sending you some coin as a donation to help you rebuild.  Just let the members know what we can do to help. 
hero member
Activity: 1029
Merit: 712
February 18, 2014, 06:12:16 AM
#39
Just to say I literally just started mining on your pool in the last day or two and I am very sorry to hear what happened.

As far as I can see you are one of the very few pools offering SHA profitability switching and payouts in BTC, so I would love to see the pool back online.

Don't let the bastards win.
full member
Activity: 121
Merit: 100
February 18, 2014, 06:03:44 AM
#38
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

I highly appreciate the work you have done on the pool and I would be eager to see it develop in future. Is there any way to send you some alt coins as donation. I am sure they many would support this idea so maybe if we all pull together we can make up for the loss, you take a few days off to clear your head and start afresh?

We love tompool!
member
Activity: 105
Merit: 10
February 18, 2014, 03:30:26 AM
#37
Wow this sucks!  Have only been mining with Tom for a few days and was happy to be working with an Aus local pool. Oh well if you come back Tom I will point my miners back to you pool for sure, it was just so convenient mining and getting paid in btc each day.
full member
Activity: 249
Merit: 100
February 18, 2014, 03:03:44 AM
#36
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.
Dunno. You were evolving your pool really well though. I was impressed. So sorry to hear about this!
legendary
Activity: 2072
Merit: 1001
February 18, 2014, 01:00:36 AM
#35
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

well they could only write to places where www could write.. and only run commands from the www dirs... so that limits what they could have done. but keep in mind that some are clever. they could have run a script that starts a process that listens on a high port.. then deleted the file.. it would stick around until a reboot.

it is prob in your best interest to move the www dir to a backup place in /blah. then move over file by file of things you trust that were not able to be written to by www.. and rebuild the www back.
sr. member
Activity: 420
Merit: 250
February 18, 2014, 12:54:52 AM
#34
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.
legendary
Activity: 2072
Merit: 1001
February 18, 2014, 12:40:45 AM
#33
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:



   Password:
   
   


It renders as a password input field with a Login button.

that is probably a base64 encrypted php chunk/file that the attacker used to run commands on your server.
they do a POST to it logging in and then running a command. i have seen them before. quite common.
seeing that is contains that much data means it could be a whole webpage of commands for the script kid to run.

feel free to post the whole thing here. lets convert it to ascii
legendary
Activity: 2072
Merit: 1001
February 18, 2014, 12:38:19 AM
#32
There seems to be a common flow of requests, it goes:

77.109.138.42 - - [17/Feb/2014:10:11:20 -0800] "GET /tompoolforum/cache/Smarty/2/index.php HTTP/1.1" 200 3170 "http://tompool.org:81/tompoolforum/cache/Smarty/2/send.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

... then moments later ...

77.109.138.42 - - [17/Feb/2014:10:11:25 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1952 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Problem being these files don't exist anymore so I don't know what's in them.

that is not surprising that the files are gone. also the IP address is a tor exit node. helping people keep their privacy and assisting hackers all day long. essentially the hacker can somehow upload a file to your cache directory which probably has permissions allowing write to the webserver. they they post some info to it to call the rpc command.

i think you found the problem. to learn anymore would probably require i to access your server but i do not think either of us want that. your best bet is to completely remove the forum software and if you want forum software again run it on a totally different server.. a throw away box.
sr. member
Activity: 420
Merit: 250
February 18, 2014, 12:29:39 AM
#31
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:



   Password:
   
   


It renders as a password input field with a Login button.
sr. member
Activity: 420
Merit: 250
February 18, 2014, 12:18:25 AM
#30
There seems to be a common flow of requests, it goes:

77.109.138.42 - - [17/Feb/2014:10:11:20 -0800] "GET /tompoolforum/cache/Smarty/2/index.php HTTP/1.1" 200 3170 "http://tompool.org:81/tompoolforum/cache/Smarty/2/send.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

... then moments later ...

77.109.138.42 - - [17/Feb/2014:10:11:25 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1952 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Problem being these files don't exist anymore so I don't know what's in them.
legendary
Activity: 2072
Merit: 1001
February 18, 2014, 12:09:47 AM
#29
I've been looking at the www logs, this gives me a suspicious feeling unless its a complete coincidence...

BTC stolen at these times (in PST, which is the servers timezone):

Feb 16 2014 15:11:47
Feb 16 2014 15:14:12
Feb 17 2014 10:15:30

Apache logs:

94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Both IP's are located in Switzerland according to a Google search, the Smarty/2/send.php doesn't exist in the folder anymore. Am I onto something?

Yes. Disable forum software. It has too many holes to run on the pool server.

Find out what file they read to get rpc passwd and username. They had to.
sr. member
Activity: 420
Merit: 250
February 17, 2014, 11:58:37 PM
#28
I've been looking at the www logs, this gives me a suspicious feeling unless its a complete coincidence...

BTC stolen at these times (in PST, which is the servers timezone):

Feb 16 2014 15:11:47
Feb 16 2014 15:14:12
Feb 17 2014 10:15:30

Apache logs:

94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Both IP's are located in Switzerland according to a Google search, the Smarty/2/send.php doesn't exist in the folder anymore. Am I onto something?
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 09:19:45 PM
#27
true.. true.. but the company might be dodgie... setting up things so if they did want to do anything they could.

i admit the idea has merit but i have not encountered a single linux box in my career that did not complain loudly in the logs that disks were removed. raid controller bios has no option to disable that stuff. that would mean a custom linux distro was installed to disable it? doubtful.

but going through message files looking for the disks being removed is pretty simple.. depending on how far back you wish to look. log rotation might only allow several days to look back.

what would concern me more is some automated backup process they offer that is automagically installed on the server for the customer or he is using iscsi from the server to a large storage box. THEN the isp could view the backups of that or even connect to the storage box themselves.
sr. member
Activity: 420
Merit: 250
February 17, 2014, 09:17:37 PM
#26
and i have to admit the faster you feed us info the better.

I'll grab it ASAP, unfortunately some real life bits and pieces have to be attended to before I can grab this info.
member
Activity: 106
Merit: 10
Your Pool Your Way - Admin
February 17, 2014, 09:16:33 PM
#25
true.. true.. but the company might be dodgie... setting up things so if they did want to do anything they could.
Pages:
Jump to: