Pages:
Author

Topic: Looks like my BTC wallet was hacked - page 4. (Read 7207 times)

sr. member
Activity: 364
Merit: 257
February 16, 2014, 11:10:46 PM
#4
The people who work in the hosting company?
sr. member
Activity: 420
Merit: 250
February 16, 2014, 11:03:24 PM
#3
Nope, I'm the only one with access to the server. I've been through the access logs and each entry matches when I've logged in so I'm pretty sure I can rule that out.

I'd like to be able to say it was possible because of xxxxx and now I've closed that hole, but I still don't know how it happened.
newbie
Activity: 19
Merit: 0
February 16, 2014, 10:55:19 PM
#2
Worth ruling out the obvious--did anyone have access to your machine while you were asleep like an ex-gf or ex-roommate.

I too have about 1.5 btc in an online wallet so I'm very interested in my own btcoinage.

Please keep us updated. I've subbed to this thread.

sr. member
Activity: 420
Merit: 250
February 16, 2014, 10:38:33 PM
#1
I logged into my server this morning but it was running slowly, so I thought I'd restart it and see if that helped, which it didn't. Turned out to be some connectivity issues as far as I could see, the server would be available for 40 seconds, then drop out for 20 seconds and be back up again. It wasn't a DDOS as looking at the 24 hours server statistics from my web host there wasn't any spike in network traffic.

These issues eventually subsided so I went to process the daily TomCoin payouts where I transfer BTC from other sources to the one wallet and make payments according to share contributions (its a BTC payout multipool). The pool has a 0.01 BTC minimum payout meaning the wallet has some residual funds that carry over from previous days, checking the incoming BTC transactions for the payouts I noticed the wallet was lower on funds than I'd expect. I checked the transactions and noticed these two:

{
        "address" : "1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt",
        "category" : "send",
        "amount" : -2.00000000,
        "fee" : 0.00000000,
        "confirmations" : 31,
        "blockhash" : "0000000000000000cf924f2bf8543fd4448b741be87c3faaa769dbf92d95d37b",
        "blockindex" : 34,
        "blocktime" : 1392593790,
        "txid" : "23ad0f3424c038b00f8b4113edf8b9d2725a38b20f2b63ba05e84359e5ae7262",
        "time" : 1392592307,
        "timereceived" : 1392592307
    },
    {
        "address" : "1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt",
        "category" : "send",
        "amount" : -0.83000000,
        "fee" : -0.00010000,
        "confirmations" : 31,
        "blockhash" : "0000000000000000cf924f2bf8543fd4448b741be87c3faaa769dbf92d95d37b",
        "blockindex" : 298,
        "blocktime" : 1392593790,
        "txid" : "c673db0fe09107b9ef3239571fbd5718fdc38691ff4badeb1b4d52fbc31a08fb",
        "time" : 1392592452,
        "timereceived" : 1392592452
    }

They occurred perhaps half an hour before I restarted the server, no payout jobs were running at this time and I didn't perform any manual transfers during this time. This address has never mined with my pool.

I've been able to find the txid's in the blockchain explorer, strangely the 2 BTC transaction above doesn't match the blockchain explorer, instead its listed as 2.39021875 BTC.

I've looked through the server logs and the only successful logins are from myself, although yet again I have various failed login attempts from Chinese IP addresses. Unfortunately I can't get anything useful from the BTC wallets debug.log as it starts fresh each time the wallet starts, and seeing as I restarted the server I had to restart the wallet.

I'm guessing that's it for the BTC, I accept there probably isn't any chance of recovering it as the transactions can't be rolled back, but what I haven't figured out yet is how it happened. All I can think of so far is someone cracked a random 45 character wallet password but the probability is so low it shouldn't even be a possibility, and in any case a lot more of us would be in trouble if password that long are being quickly cracked.

Is there a way I can track the funds to see where they're used or find out more about the transactions? I can't see where I should go from here if anywhere, and I'm worried it could happen again. Just another fun part of being a pool operator I guess.
Pages:
Jump to: