Topic: Looks like my BTC wallet was hacked - page 3. (Read 7215 times)

show us www logs right around the rpc call was made. do you see any POSTS or strange files being called by the webserver?

give us 100 lines before and after the time the rpc call was made.

and i have to admit the faster you feed us info the better.

Lets say that's it, would there be anything I could check to confirm this happened?

the server would have logs in /var/log/messages saying the server noticed HDs removed.
you cannot yank hard drives without the server knowing. well in most cases i know of. raid controllers are pretty
verbose when it comes to drives just being pulled.

been speaking to tommo on tompool.org and ive thought of one possible way that the coins were taken.

The server has a mirrored raid setup so it would be easy for the hosting provide to take out the second set of HDDs and set them put in a secondary system and make the commands to send the coins. It seems very simple but it could have been done.

Imagine I somehow exploit vanilla forum to upload a php file. This php file allows me to run commands and get output as the www user (whatver it is, nobody, www, apache, etc..)

I then search for any file that contains sensitive info. I find your bitcoin password in a www config file. Or I find it in a /tmp folder, or a user dir with permits that allow read, etc...

I then make a command as www to do a rpc command that runs on the server itself as 127.0.0.1

But before all that I examine your website, have friends in the hacking community, and see this:

http://vanillaforums.org/discussion/25668/dec-2013-security-update-2-0-18-10-and-2-1b2

You are running

""

2.0.18.8 I imagine. word on the street is that you have a problem. the update checker in the forum. i checked. you still have that code in your forum. the new version removes it.

I could spend more time and figure it out.. as in the actual exploit.. but that is my best guess right now without having root on the server for an hour.

Its version 2.0.18.8 of vanilla, I don't have the root login details anywhere on the server. I'll start to work through the www logs, but its very very long and verbose, I'm not really sure what I'm looking for.

What I'm yet to understand is the RPC queries can only be done from local host, but there is not evidence to suggest someone else logged into the server to perform these queries.

I edited post. More questions above.

Most are open but secured with long passwords, I need the ports to be open to communicate with other TomPool servers.

No the uid can't read the bitcoin config file, they're under differen't users.

And not only that you have forum software on the server. Can the uid running the webserver read bitcoins config file? What version of vanilla is that? Do you have a config file in www root that attacker could read to get passwd info? Or anywhere else on the server? Cause i am leaning towards that vector. Check www logs during timestamp of sendfrom.

Tommo, what open ports where to the world on that box?

I'm running on Ubuntu 12.04.3 LTS, latest patches installed. BTC config file example with jumbled user and password:

rpcuser=blahblah
rpcpassword=P9xOA2ewIjgJaoA7RyWK6RJ8D6fnh8A5AEZvAheGLDbO
rpcallowip=localhost
rpcport=9170
port=9171
daemon=1
server=1
listen=1
noirc=0
maxconnections=30

I've copied 1000 lines from the debug log to http://tompool.org:81/btclog.out - the transaction takes place around line 420. This is the transaction from the wallet:

    {
        "account" : "Main",
        "address" : "1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt",
        "category" : "send",
        "amount" : -0.52100000,
        "fee" : -0.00010000,
        "confirmations" : 38,
        "blockhash" : "000000000000000051d2e759c63a26e247f185ecb7926ed7a6624bc31c2a717b",
        "blockindex" : 156,
        "blocktime" : 1392660808,
        "txid" : "b64fc823455f24566a2de3827caf1f1080bf0e5d72ffa49ea19cf5e6dd289927",
        "time" : 1392660930,
        "timereceived" : 1392660930
    }

The pool runs MPOS behind the scenes but the front end is a custom site, however this BTC wallet has no link between MPOS or the website, its basically a holding place for daily BTC payouts from TomCoin. I use sendtoaddress not sendfrom so I know the transaction wasn't done by any of the software I've written for the pool.

The wallets use the same rpcpassword.

Well post your config file first. Remove or scramble your passwd but at least demonstrate how tough it was.

Then hopefully your debug.log has timestamps. Find out what time couns were stolen and paste a good 1000 line chunk of it with the withdraw in the middle that stole your coins.

Did every coin daemon have same passwd?

I assume running up to date linux with patches? What software were u running on pool? Home made?

I'm with Versaweb, its a dedicated server so I'm the only one who accesses it. What sort of logging information should I post?

What hosting provider are you with? Is it a dedicated server only can can get into via password or is their an isp control panel?

Share pieces of the logs and your config please.

Well after locking down the pools wallets to localhost it happened again, this time all of the other wallets were emptied so I guess its pretty much the end of my pool. Well done you bastard whoever you are.

At least this time I have the logs, there wasn't any SSH accessed gained, looks to be RPC to the wallet. Not really sure what debug data could be of use or where I can go from here, its useless continuing as it'll just keep happening until I figure out how its happening.

Yeah I wish the logs were still there, or that logs were appended to after a wallet restart rather than a new file being created.

The servers at one of your standard web hosts, so I guess it'd be as susceptible as any other dedicated server hosted in a DC. I did a brief top to check processes before I restarted, I didn't notice anything out of the ordinary, this would've been before the transfers occurred.

i know this might be tinfoil hat territory but is the server hosted some place where an employee or someone else can sniff packets?

Otherwise how does one explain the high load except by brute forcing? and brute forcing might not use as much bandwidth as you think.. but it would create really high load on the server.

too bad the logs are gone.. that would be the best hint.

I used to allow all but after today I've changed it to localhost, its a pain as I remote to the wallet from a number of different machines, some with dynamic IP's so I guess I'll need to work out another way to go about my business. I would've thought such a long password would be secure, this particular wallets only been in service for a couple of weeks.

If the password was indeed hacked, I guess by brute force, it seems pretty incredible it was done within such a sort period of time given similar passwords I've tried in password calculators estimate over 100 years to break the code. Not to mention I'd surely notice a huge spike in network activity if such an attempt was made.

Do you allow rpc access to bitcoin from all remote ips or just trusted subnets like localhost and your workstation?

Its always a possibility but seems pretty far fetched that someone in the hosting company would do it, word would travel pretty fast if that was the case and they wouldn't be in business for long.