Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Pages:
Author

Topic: Looks like my BTC wallet was hacked - page 2. (Read 7215 times)

dddbtc
sr. member
Activity: 490
Merit: 250
Re: Looks like my BTC wallet was hacked
February 18, 2014, 01:14:54 PM
#44
Quote from: Tommo_Aus on February 18, 2014, 12:29:39 AM
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:



   Password:
   
   


It renders as a password input field with a Login button.

I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!
El_Nickio
member
Activity: 95
Merit: 10
Re: Looks like my BTC wallet was hacked
February 18, 2014, 01:05:44 PM
#43
Sorry for your troubles Tommo - I'd be happy for a zeroed account and a fresh start!
Goldshredder
full member
Activity: 249
Merit: 100
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:45:36 PM
#42
Perhaps you could reach an arrangement with somebody like fcmatt, to do some private security consulting for you.  At the very least it would be a second layer, a second set of experienced eyes keeping watch on that side of your site.  I always feared right from the start the possibility of thieves coming against you as you became higher profile.
suprastan
newbie
Activity: 27
Merit: 0
Re: Looks like my BTC wallet was hacked
February 18, 2014, 10:43:17 AM
#41
Mod_Security would most likely have prevented files from being uploaded and executed, which it sounds like happened here.

Sad
eclipso
newbie
Activity: 43
Merit: 0
Re: Looks like my BTC wallet was hacked
February 18, 2014, 08:43:22 AM
#40
I have been mining off and on for a while and really liked the interface and can tell you put a lot of work into it.  Don't let those bastards win.  I for one have faith that you are telling the truth and will defend Tom Pool's honor if anyone posts any negative bullshit on this or any other forum.  Just Zero everyone's account out and start over.  I'm down with sending you some coin as a donation to help you rebuild.  Just let the members know what we can do to help. 
tertius993
hero member
Activity: 1029
Merit: 712
Re: Looks like my BTC wallet was hacked
February 18, 2014, 06:12:16 AM
#39
Just to say I literally just started mining on your pool in the last day or two and I am very sorry to hear what happened.

As far as I can see you are one of the very few pools offering SHA profitability switching and payouts in BTC, so I would love to see the pool back online.

Don't let the bastards win.
freakingcat
full member
Activity: 121
Merit: 100
Re: Looks like my BTC wallet was hacked
February 18, 2014, 06:03:44 AM
#38
Quote from: Tommo_Aus on February 18, 2014, 12:54:52 AM
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

I highly appreciate the work you have done on the pool and I would be eager to see it develop in future. Is there any way to send you some alt coins as donation. I am sure they many would support this idea so maybe if we all pull together we can make up for the loss, you take a few days off to clear your head and start afresh?

We love tompool!
apap100
member
Activity: 105
Merit: 10
Re: Looks like my BTC wallet was hacked
February 18, 2014, 03:30:26 AM
#37
Wow this sucks!  Have only been mining with Tom for a few days and was happy to be working with an Aus local pool. Oh well if you come back Tom I will point my miners back to you pool for sure, it was just so convenient mining and getting paid in btc each day.
Goldshredder
full member
Activity: 249
Merit: 100
Re: Looks like my BTC wallet was hacked
February 18, 2014, 03:03:44 AM
#36
Quote from: Tommo_Aus on February 18, 2014, 12:54:52 AM
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.
Dunno. You were evolving your pool really well though. I was impressed. So sorry to hear about this!
fcmatt
legendary
Activity: 2072
Merit: 1001
Re: Looks like my BTC wallet was hacked
February 18, 2014, 01:00:36 AM
#35
Quote from: Tommo_Aus on February 18, 2014, 12:54:52 AM
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

well they could only write to places where www could write.. and only run commands from the www dirs... so that limits what they could have done. but keep in mind that some are clever. they could have run a script that starts a process that listens on a high port.. then deleted the file.. it would stick around until a reboot.

it is prob in your best interest to move the www dir to a backup place in /blah. then move over file by file of things you trust that were not able to be written to by www.. and rebuild the www back.
Tommo_Aus
sr. member
Activity: 420
Merit: 250
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:54:52 AM
#34
Yep I'm quite convinced the forum was the weakness, I've taken the forum out so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.
fcmatt
legendary
Activity: 2072
Merit: 1001
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:40:45 AM
#33
Quote from: Tommo_Aus on February 18, 2014, 12:29:39 AM
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:



   Password:
   
   


It renders as a password input field with a Login button.

that is probably a base64 encrypted php chunk/file that the attacker used to run commands on your server.
they do a POST to it logging in and then running a command. i have seen them before. quite common.
seeing that is contains that much data means it could be a whole webpage of commands for the script kid to run.

feel free to post the whole thing here. lets convert it to ascii
fcmatt
legendary
Activity: 2072
Merit: 1001
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:38:19 AM
#32
Quote from: Tommo_Aus on February 18, 2014, 12:18:25 AM
There seems to be a common flow of requests, it goes:

77.109.138.42 - - [17/Feb/2014:10:11:20 -0800] "GET /tompoolforum/cache/Smarty/2/index.php HTTP/1.1" 200 3170 "http://tompool.org:81/tompoolforum/cache/Smarty/2/send.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

... then moments later ...

77.109.138.42 - - [17/Feb/2014:10:11:25 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1952 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Problem being these files don't exist anymore so I don't know what's in them.

that is not surprising that the files are gone. also the IP address is a tor exit node. helping people keep their privacy and assisting hackers all day long. essentially the hacker can somehow upload a file to your cache directory which probably has permissions allowing write to the webserver. they they post some info to it to call the rpc command.

i think you found the problem. to learn anymore would probably require i to access your server but i do not think either of us want that. your best bet is to completely remove the forum software and if you want forum software again run it on a totally different server.. a throw away box.
Tommo_Aus
sr. member
Activity: 420
Merit: 250
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:29:39 AM
#31
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:



   Password:
   
   


It renders as a password input field with a Login button.
Tommo_Aus
sr. member
Activity: 420
Merit: 250
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:18:25 AM
#30
There seems to be a common flow of requests, it goes:

77.109.138.42 - - [17/Feb/2014:10:11:20 -0800] "GET /tompoolforum/cache/Smarty/2/index.php HTTP/1.1" 200 3170 "http://tompool.org:81/tompoolforum/cache/Smarty/2/send.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

... then moments later ...

77.109.138.42 - - [17/Feb/2014:10:11:25 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1952 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Problem being these files don't exist anymore so I don't know what's in them.
fcmatt
legendary
Activity: 2072
Merit: 1001
Re: Looks like my BTC wallet was hacked
February 18, 2014, 12:09:47 AM
#29
Quote from: Tommo_Aus on February 17, 2014, 11:58:37 PM
I've been looking at the www logs, this gives me a suspicious feeling unless its a complete coincidence...

BTC stolen at these times (in PST, which is the servers timezone):

Feb 16 2014 15:11:47
Feb 16 2014 15:14:12
Feb 17 2014 10:15:30

Apache logs:

94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Both IP's are located in Switzerland according to a Google search, the Smarty/2/send.php doesn't exist in the folder anymore. Am I onto something?

Yes. Disable forum software. It has too many holes to run on the pool server.

Find out what file they read to get rpc passwd and username. They had to.
Tommo_Aus
sr. member
Activity: 420
Merit: 250
Re: Looks like my BTC wallet was hacked
February 17, 2014, 11:58:37 PM
#28
I've been looking at the www logs, this gives me a suspicious feeling unless its a complete coincidence...

BTC stolen at these times (in PST, which is the servers timezone):

Feb 16 2014 15:11:47
Feb 16 2014 15:14:12
Feb 17 2014 10:15:30

Apache logs:

94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Both IP's are located in Switzerland according to a Google search, the Smarty/2/send.php doesn't exist in the folder anymore. Am I onto something?
fcmatt
legendary
Activity: 2072
Merit: 1001
Re: Looks like my BTC wallet was hacked
February 17, 2014, 09:19:45 PM
#27
Quote from: theonegilly on February 17, 2014, 09:16:33 PM
true.. true.. but the company might be dodgie... setting up things so if they did want to do anything they could.

i admit the idea has merit but i have not encountered a single linux box in my career that did not complain loudly in the logs that disks were removed. raid controller bios has no option to disable that stuff. that would mean a custom linux distro was installed to disable it? doubtful.

but going through message files looking for the disks being removed is pretty simple.. depending on how far back you wish to look. log rotation might only allow several days to look back.

what would concern me more is some automated backup process they offer that is automagically installed on the server for the customer or he is using iscsi from the server to a large storage box. THEN the isp could view the backups of that or even connect to the storage box themselves.
Tommo_Aus
sr. member
Activity: 420
Merit: 250
Re: Looks like my BTC wallet was hacked
February 17, 2014, 09:17:37 PM
#26
Quote from: fcmatt on February 17, 2014, 08:59:20 PM
and i have to admit the faster you feed us info the better.

I'll grab it ASAP, unfortunately some real life bits and pieces have to be attended to before I can grab this info.
theonegilly
member
Activity: 106
Merit: 10
Your Pool Your Way - Admin
Re: Looks like my BTC wallet was hacked
February 17, 2014, 09:16:33 PM
#25
true.. true.. but the company might be dodgie... setting up things so if they did want to do anything they could.
Pages:
Bitcoin Forum>Bitcoin>Bitcoin Technical Support
Jump to: