Pages:
Author

Topic: Looks like my BTC wallet was hacked - page 3. (Read 7215 times)

legendary
Activity: 2072
Merit: 1001
February 17, 2014, 09:15:55 PM
#24
2.0.18.8 I imagine. word on the street is that you have a problem. the update checker in the forum. i checked. you still have that code in your forum. the new version removes it.

Lets say that's it, would there be anything I could check to confirm this happened?

show us www logs right around the rpc call was made. do you see any POSTS or strange files being called by the webserver?

give us 100 lines before and after the time the rpc call was made.

and i have to admit the faster you feed us info the better.
sr. member
Activity: 420
Merit: 250
February 17, 2014, 09:14:29 PM
#23
2.0.18.8 I imagine. word on the street is that you have a problem. the update checker in the forum. i checked. you still have that code in your forum. the new version removes it.

Lets say that's it, would there be anything I could check to confirm this happened?
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 09:09:00 PM
#22
been speaking to tommo on tompool.org and ive thought of one possible way that the coins were taken.

The server has a mirrored raid setup so it would be easy for the hosting provide to take out the second set of HDDs and set them put in a secondary system and make the commands to send the coins. It seems very simple but it could have been done.

the server would have logs in /var/log/messages saying the server noticed HDs removed.
you cannot yank hard drives without the server knowing. well in most cases i know of. raid controllers are pretty
verbose when it comes to drives just being pulled.
member
Activity: 106
Merit: 10
Your Pool Your Way - Admin
February 17, 2014, 09:00:47 PM
#21
been speaking to tommo on tompool.org and ive thought of one possible way that the coins were taken.

The server has a mirrored raid setup so it would be easy for the hosting provide to take out the second set of HDDs and set them put in a secondary system and make the commands to send the coins. It seems very simple but it could have been done.
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 08:59:20 PM
#20
Its version 2.0.18.8 of vanilla, I don't have the root login details anywhere on the server. I'll start to work through the www logs, but its very very long and verbose, I'm not really sure what I'm looking for.

What I'm yet to understand is the RPC queries can only be done from local host, but there is not evidence to suggest someone else logged into the server to perform these queries.

Imagine I somehow exploit vanilla forum to upload a php file. This php file allows me to run commands and get output as the www user (whatver it is, nobody, www, apache, etc..)

I then search for any file that contains sensitive info. I find your bitcoin password in a www config file. Or I find it in a /tmp folder, or a user dir with permits that allow read, etc...

I then make a command as www to do a rpc command that runs on the server itself as 127.0.0.1

But before all that I examine your website, have friends in the hacking community, and see this:

http://vanillaforums.org/discussion/25668/dec-2013-security-update-2-0-18-10-and-2-1b2

You are running

""

2.0.18.8 I imagine. word on the street is that you have a problem. the update checker in the forum. i checked. you still have that code in your forum. the new version removes it.

I could spend more time and figure it out.. as in the actual exploit.. but that is my best guess right now without having root on the server for an hour.

sr. member
Activity: 420
Merit: 250
February 17, 2014, 08:51:47 PM
#19
Its version 2.0.18.8 of vanilla, I don't have the root login details anywhere on the server. I'll start to work through the www logs, but its very very long and verbose, I'm not really sure what I'm looking for.

What I'm yet to understand is the RPC queries can only be done from local host, but there is not evidence to suggest someone else logged into the server to perform these queries.
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 08:36:33 PM
#18
Most are open but secured with long passwords, I need the ports to be open to communicate with other TomPool servers.

No the uid can't read the bitcoin config file, they're under differen't users.

I edited post. More questions above.
sr. member
Activity: 420
Merit: 250
February 17, 2014, 08:34:50 PM
#17
Most are open but secured with long passwords, I need the ports to be open to communicate with other TomPool servers.

No the uid can't read the bitcoin config file, they're under differen't users.
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 08:31:56 PM
#16
Tommo, what open ports where to the world on that box?

And not only that you have forum software on the server. Can the uid running the webserver read bitcoins config file? What version of vanilla is that? Do you have a config file in www root that attacker could read to get passwd info? Or anywhere else on the server? Cause i am leaning towards that vector. Check www logs during timestamp of sendfrom.
member
Activity: 116
Merit: 10
February 17, 2014, 08:28:44 PM
#15
Tommo, what open ports where to the world on that box?
sr. member
Activity: 420
Merit: 250
February 17, 2014, 07:37:21 PM
#14
I'm running on Ubuntu 12.04.3 LTS, latest patches installed. BTC config file example with jumbled user and password:

rpcuser=blahblah
rpcpassword=P9xOA2ewIjgJaoA7RyWK6RJ8D6fnh8A5AEZvAheGLDbO
rpcallowip=localhost
rpcport=9170
port=9171
daemon=1
server=1
listen=1
noirc=0
maxconnections=30

I've copied 1000 lines from the debug log to http://tompool.org:81/btclog.out - the transaction takes place around line 420. This is the transaction from the wallet:

    {
        "account" : "Main",
        "address" : "1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt",
        "category" : "send",
        "amount" : -0.52100000,
        "fee" : -0.00010000,
        "confirmations" : 38,
        "blockhash" : "000000000000000051d2e759c63a26e247f185ecb7926ed7a6624bc31c2a717b",
        "blockindex" : 156,
        "blocktime" : 1392660808,
        "txid" : "b64fc823455f24566a2de3827caf1f1080bf0e5d72ffa49ea19cf5e6dd289927",
        "time" : 1392660930,
        "timereceived" : 1392660930
    }

The pool runs MPOS behind the scenes but the front end is a custom site, however this BTC wallet has no link between MPOS or the website, its basically a holding place for daily BTC payouts from TomCoin. I use sendtoaddress not sendfrom so I know the transaction wasn't done by any of the software I've written for the pool.

The wallets use the same rpcpassword.
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 07:19:57 PM
#13
I'm with Versaweb, its a dedicated server so I'm the only one who accesses it. What sort of logging information should I post?

Well post your config file first. Remove or scramble your passwd but at least demonstrate how tough it was.

Then hopefully your debug.log has timestamps. Find out what time couns were stolen and paste a good 1000 line chunk of it with the withdraw in the middle that stole your coins.

Did every coin daemon have same passwd?

I assume running up to date linux with patches? What software were u running on pool? Home made?
sr. member
Activity: 420
Merit: 250
February 17, 2014, 07:00:05 PM
#12
I'm with Versaweb, its a dedicated server so I'm the only one who accesses it. What sort of logging information should I post?
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 06:57:02 PM
#11
Well after locking down the pools wallets to localhost it happened again, this time all of the other wallets were emptied so I guess its pretty much the end of my pool. Well done you bastard whoever you are.

At least this time I have the logs, there wasn't any SSH accessed gained, looks to be RPC to the wallet. Not really sure what debug data could be of use or where I can go from here, its useless continuing as it'll just keep happening until I figure out how its happening.

What hosting provider are you with? Is it a dedicated server only can can get into via password or is their an isp control panel?

Share pieces of the logs and your config please.
sr. member
Activity: 420
Merit: 250
February 17, 2014, 06:54:06 PM
#10
Well after locking down the pools wallets to localhost it happened again, this time all of the other wallets were emptied so I guess its pretty much the end of my pool. Well done you bastard whoever you are.

At least this time I have the logs, there wasn't any SSH accessed gained, looks to be RPC to the wallet. Not really sure what debug data could be of use or where I can go from here, its useless continuing as it'll just keep happening until I figure out how its happening.
sr. member
Activity: 420
Merit: 250
February 17, 2014, 12:33:56 AM
#9
Yeah I wish the logs were still there, or that logs were appended to after a wallet restart rather than a new file being created.

The servers at one of your standard web hosts, so I guess it'd be as susceptible as any other dedicated server hosted in a DC. I did a brief top to check processes before I restarted, I didn't notice anything out of the ordinary, this would've been before the transfers occurred.
legendary
Activity: 2072
Merit: 1001
February 17, 2014, 12:09:36 AM
#8
I used to allow all but after today I've changed it to localhost, its a pain as I remote to the wallet from a number of different machines, some with dynamic IP's so I guess I'll need to work out another way to go about my business. I would've thought such a long password would be secure, this particular wallets only been in service for a couple of weeks.

If the password was indeed hacked, I guess by brute force, it seems pretty incredible it was done within such a sort period of time given similar passwords I've tried in password calculators estimate over 100 years to break the code. Not to mention I'd surely notice a huge spike in network activity if such an attempt was made.

i know this might be tinfoil hat territory but is the server hosted some place where an employee or someone else can sniff packets?

Otherwise how does one explain the high load except by brute forcing? and brute forcing might not use as much bandwidth as you think.. but it would create really high load on the server.

too bad the logs are gone.. that would be the best hint.
sr. member
Activity: 420
Merit: 250
February 16, 2014, 11:39:53 PM
#7
I used to allow all but after today I've changed it to localhost, its a pain as I remote to the wallet from a number of different machines, some with dynamic IP's so I guess I'll need to work out another way to go about my business. I would've thought such a long password would be secure, this particular wallets only been in service for a couple of weeks.

If the password was indeed hacked, I guess by brute force, it seems pretty incredible it was done within such a sort period of time given similar passwords I've tried in password calculators estimate over 100 years to break the code. Not to mention I'd surely notice a huge spike in network activity if such an attempt was made.
legendary
Activity: 2072
Merit: 1001
February 16, 2014, 11:19:01 PM
#6
Do you allow rpc access to bitcoin from all remote ips or just trusted subnets like localhost and your workstation?
sr. member
Activity: 420
Merit: 250
February 16, 2014, 11:15:28 PM
#5
Its always a possibility but seems pretty far fetched that someone in the hosting company would do it, word would travel pretty fast if that was the case and they wouldn't be in business for long.
Pages:
Jump to: