
Topic: My wallet was just hacked - page 2. (Read 2380 times)

legendary
Activity: 1274
Merit: 1004
June 18, 2013, 01:44:19 AM
#45
You said you restored wallet from a backup.

Was the backup wallet encrypted?
Was the backup wallet in a safe place?
Can someone else physically access your PC or not?
b!z
legendary
Activity: 1582
Merit: 1010
June 18, 2013, 01:23:17 AM
#44
Ok, Macs don't really get malware, unless specifically targeted for it. Macs are also very secure, and I really doubt you were hacked.

So, question: you locked your wallet, and then when you unlocked it, it crashed? That means two things; one, that your wallet was never unlocked, which is the theory I am going with. I do think once you restored from a backup you should click New Address and see if that address pops up. It also doesn't contain any fee, so did you change your tx fee? I think this is just a freak thing and you have the address sitting in your wallet. Unless you ran any Java applications from the web; that is the only other way.

Also use -rescan; that will help a lot as well.

PFFT - Macs are less secure than everything exactly because of this bad information that has been marketed by Apple. I do virus removals for a living. OSX is ~15% of the market right now (and that's being very kind) but more than 60% of the virus removals I do are on macs. Mac users are generally clueless about computer security because it's 'well known' that 'macs don't get viruses'. They always seem amazed and confused when I find and remove whatever infection they have.

My advice would be: get a real OS (there's nothing wrong with Mac hardware; you can run FreeBSD or other Linux on it just fine). Or, if you don't want to bother learning about computer security, get a nice Android device and keep your wallet on that.

At the very least - get some sort of security software on your mac and/or some help to track down the infection.

Security software seems much easier for the average user than changing their OS.
sr. member
Activity: 420
Merit: 250
June 18, 2013, 01:22:11 AM
#43
Ok, Macs don't really get malware, unless specifically targeted for it. Macs are also very secure, and I really doubt you were hacked.

So, question: you locked your wallet, and then when you unlocked it, it crashed? That means two things; one, that your wallet was never unlocked, which is the theory I am going with. I do think once you restored from a backup you should click New Address and see if that address pops up. It also doesn't contain any fee, so did you change your tx fee? I think this is just a freak thing and you have the address sitting in your wallet. Unless you ran any Java applications from the web; that is the only other way.

Also use -rescan; that will help a lot as well.

PFFT - Macs are less secure than everything exactly because of this bad information that has been marketed by Apple. I do virus removals for a living. OSX is ~15% of the market right now (and that's being very kind) but more than 60% of the virus removals I do are on macs. Mac users are generally clueless about computer security because it's 'well known' that 'macs don't get viruses'. They always seem amazed and confused when I find and remove whatever infection they have.

My advice would be: get a real OS (there's nothing wrong with Mac hardware; you can run FreeBSD or other Linux on it just fine). Or, if you don't want to bother learning about computer security, get a nice Android device and keep your wallet on that.

At the very least - get some sort of security software on your mac and/or some help to track down the infection.
newbie
Activity: 12
Merit: 0
June 18, 2013, 01:09:00 AM
#42
so bad
member
Activity: 60
Merit: 10
June 18, 2013, 12:15:24 AM
#41
The perils of virtual money :-/
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
June 17, 2013, 11:26:49 PM
#40
Would be great if you could do a virus scan and find out the virus signature.

I doubt it is a virus; I have yet to see a wallet-stealing trojan or virus for Mac. It was probably some Java application he got from the web, and it stole his wallet file.
Once they got his wallet.dat they also had to set some kind of trap to get his password.  I believe they got the wallet.dat between 2013-05-28 and 2013-06-03 but were only able to get his password at 2013-06-18 00:35:46.

This is based on the fact they totally cleaned out the previous victim but left 0.01 in this wallet.


Good news of sorts:  only two victims so far

The also left exactly 0.01 for the previous victim here:  

https://blockchain.info/address/1FoNFsB6xgWnY1xFqAdZbteKhvW1HVGA5G

and it is still there.  The previous victim may not even know the BTC are missing yet (?)
newbie
Activity: 7
Merit: 0
June 17, 2013, 11:15:39 PM
#39
Would be great if you could do a virus scan and find out the virus signature.
newbie
Activity: 31
Merit: 0
June 17, 2013, 10:51:45 PM
#38
In firefox I can right click on my downloads and go to the page I downloaded it from -- does Safari (or whatever you used) have something like that? 
I'm using Chrome, but unfortunately, I deleted the download file once I installed the wallet app.

Random8
newbie
Activity: 31
Merit: 0
June 17, 2013, 10:49:38 PM
#37
Please retrace the exact steps you did to find the Mac version of the client you downloaded (searches, sites visited etc.) and let us know if you can find the place you downloaded from again.
I'll try, using my browser history, but it's going to be a long slog.

Random8
cp1
hero member
Activity: 616
Merit: 500
Stop using brainwallets
June 17, 2013, 10:45:15 PM
#36
In firefox I can right click on my downloads and go to the page I downloaded it from -- does Safari (or whatever you used) have something like that? 
newbie
Activity: 31
Merit: 0
June 17, 2013, 10:39:52 PM
#35
I can't think of anything that could have led to a copy of my wallet.dat file getting out. The iMac that I'm using never leaves my desktop, my Wifi is secured with decent security, and the wallet.dat only gets backed up to my Time Capsule.

I really appreciate the comments and suggestions by the more experienced members. I'm not going to be putting any more BTC in this wallet. I'm going to be much more security-conscious when I set up the next wallet.

One of the ways that I believe someone could have hacked it is by connecting to my wallet client via a socket. I ran a little Perl server that listens on port 8333, but nobody connected to it. Unfortunately, that was after I closed down all incoming ports on my router firewall (I had only ssh, http, and minecraft ports open, and they were not directed to my Mac), so that's not conclusive.

Random8
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
June 17, 2013, 10:35:49 PM
#34
Please retrace the exact steps you did to find the Mac version of the client you downloaded (searches, sites visited etc.) and let us know if you can find the place you downloaded from again.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
June 17, 2013, 10:32:36 PM
#33
I have a theory related to your 0.01 remaining.  I assume they got a copy of your balance between 2013-05-28 and 2013-06-03, that would explain why they were off by 0.01 when they issued the transaction.

Perhaps you can think back to what you did between these dates.  Specifically anything that may have led to anyone getting a copy of your encrypted wallet.dat file.  Any downloads?  Any strange behaviour?  Visit a public WiFi?  Visit any suspect sites, etc. between those specific days?  Did you backup your wallet.dat (encrypted) to any suspect sites?
newbie
Activity: 31
Merit: 0
June 17, 2013, 10:31:48 PM
#32
Where did you download the wallet client from?
Yes, which client are you using.  That might help.

Is 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx in your address book? 
Bitcoin-Qt version v0.8.1-beta.

It looks like the address book is stored in the wallet.dat file. Since my current wallet.dat file is one that was restored from before the theft, it doesn't show that address. I saved a copy of the hacked wallet.dat file before I did the restore, but it's corrupted, so the wallet client can't read it. I can't see any addresses in the corrupted file when I use the UNIX 'strings' tool on it, even though I see some of my legitimate addresses when I do 'strings' on the current, good wallet.dat file.

Random8
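The `strings` check in the post above only reports runs of printable bytes: it cannot tell a genuine address from a damaged or truncated one, and on a corrupted Berkeley DB file a hit or a miss proves little either way. The following is an added example, not code from the thread or from the Bitcoin-Qt project: a Python carver that scans a binary blob for base58check-valid mainnet P2PKH addresses and recovers each one's hash160, which is the same 20-byte value Bitcoin-Qt prints after OP_HASH160 in its debug.log. The sample blob, the key hash `bytes(range(20))`, and the bytes imitating a "name" address-book record are constructed for illustration; the 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx address is the one quoted in this thread.

```python
import hashlib
import re
from typing import List, Optional, Tuple

# Base58 alphabet used by Bitcoin addresses (no 0, O, I or l).
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
_INDEX = {c: i for i, c in enumerate(ALPHABET)}
_B58_RUN = re.compile(rb"[1-9A-HJ-NP-Za-km-z]+")


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    """Encode bytes as base58; each leading zero byte becomes a leading '1'."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(s: str) -> bytes:
    """Inverse of b58encode; raises KeyError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * 58 + _INDEX[ch]
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(s) - len(s.lstrip("1"))
    return b"\x00" * pad + body


def p2pkh_address(hash160: bytes) -> str:
    """Mainnet pay-to-pubkey-hash address: version 0x00 + hash160 + 4-byte checksum."""
    payload = b"\x00" + hash160
    return b58encode(payload + sha256d(payload)[:4])


def b58check_payload(addr: str) -> Optional[Tuple[int, bytes]]:
    """Return (version, hash160) if the double-SHA256 checksum verifies, else None."""
    try:
        raw = b58decode(addr)
    except KeyError:
        return None
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    if sha256d(payload)[:4] != checksum:
        return None
    return payload[0], payload[1:]


def hash160_hex(addr: str) -> Optional[str]:
    """The 20-byte key hash; Bitcoin-Qt prints its hex after OP_HASH160 in debug.log."""
    p = b58check_payload(addr)
    return p[1].hex() if p else None


def carve_addresses(blob: bytes) -> List[Tuple[str, str]]:
    """Return (address, hash160 hex) for every checksum-valid version-0 address in blob.

    Unlike `strings`, a run of base58 characters is reported only if its checksum
    verifies, so a damaged or truncated copy of an address is not a hit.
    """
    found, seen, i = [], set(), 0
    while i < len(blob):
        if blob[i] == 0x31:                          # ASCII '1': version-0 prefix
            for length in range(34, 25, -1):         # longest candidate first
                chunk = blob[i:i + length]
                if len(chunk) == length and _B58_RUN.fullmatch(chunk):
                    cand = chunk.decode("ascii")
                    p = b58check_payload(cand)
                    if p and p[0] == 0:
                        if cand not in seen:
                            seen.add(cand)
                            found.append((cand, p[1].hex()))
                        i += length - 1
                        break
        i += 1
    return found


# Constructed inputs. Bitcoin-Qt stores address-book entries as ("name", address)
# records, which is why labelled or previously paid addresses are the ones a
# wallet.dat holds as printable text; the surrounding bytes here only imitate that.
SAMPLE_H160 = bytes(range(20))                       # made-up key hash
SAMPLE_ADDR = p2pkh_address(SAMPLE_H160)
DAMAGED = SAMPLE_ADDR[:-1] + ("2" if SAMPLE_ADDR[-1] != "2" else "3")   # one char flipped
SAMPLE_BLOB = (
    b"\x00\x00\x13\x00\x04name\x22" + SAMPLE_ADDR.encode() + b"\x00\x05label"
    + b"\xff\xfe\xfd" + b"1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx"   # address seen in this thread
    + b"\x00\x04name\x22" + DAMAGED.encode() + b"ZZZ\x00"
)

if __name__ == "__main__":
    for addr, h160 in carve_addresses(SAMPLE_BLOB):
        print(addr, h160)
    # Cross-check a GUI address against the hash the client logs after OP_HASH160.
    h = hash160_hex("1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx")
    print("matches b6892d5dd8bd:", bool(h and h.startswith("b6892d5dd8bd")))
```

Run it against the saved copy of the corrupted wallet.dat (`carve_addresses(open(path, "rb").read())`): a hit on the destination address would show the client wrote it into that file's address book, while a miss on a damaged file is not evidence of anything, since Berkeley DB pages can be overwritten or truncated.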
donator
Activity: 294
Merit: 250
June 17, 2013, 10:31:31 PM
#31
Where did you download the wallet client from?

ahhhh very good question.
newbie
Activity: 31
Merit: 0
June 17, 2013, 10:24:52 PM
#30
Where did you download the wallet client from?
Sorry, I don't remember. I do recall that it wasn't easy to find one for Mac OS X. I did not build it on my machine, but downloaded a binary. It's Bitcoin-Qt version v0.8.1-beta.

What could possibly go wrong when you download a binary from an untrusted source and run it on your computer?

Random8
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
June 17, 2013, 10:23:08 PM
#29
Where did you download the wallet client from?
Yes, which client are you using.  That might help.

Is 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx in your address book? 
cp1
hero member
Activity: 616
Merit: 500
Stop using brainwallets
June 17, 2013, 10:15:49 PM
#28
Where did you download the wallet client from?
newbie
Activity: 10
Merit: 0
June 17, 2013, 10:14:59 PM
#27
Ok, Macs don't really get malware, unless specifically targeted for it. Macs are also very secure, and I really doubt you were hacked.

So, question: you locked your wallet, and then when you unlocked it, it crashed? That means two things; one, that your wallet was never unlocked, which is the theory I am going with. I do think once you restored from a backup you should click New Address and see if that address pops up. It also doesn't contain any fee, so did you change your tx fee? I think this is just a freak thing and you have the address sitting in your wallet. Unless you ran any Java applications from the web; that is the only other way.

Also use -rescan; that will help a lot as well.

The problem is that the 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx address his coins were sent to already had 6.2 BTC from May 23.  The OP said he only had 3 BTC to his name, so unless he forgot about an additional 6 BTC he purchased earlier then it doesn't look good for him.

Is there any virus scanner on mac?
newbie
Activity: 31
Merit: 0
June 17, 2013, 10:14:09 PM
#26
I'm pretty sure that somebody else got my BTC, and that they are not lurking in my wallet.  Here are some suspicious-looking lines from the wallet's debug.log file. Note the 1HeAK... address in the log, also the c60852... transaction address. For reference, here's how the wallet shows the transaction details:
=============================
Date: 6/17/13 19:42
    To: 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx
    Debit: -3.17115309 BTC
    Net amount: -3.17115309 BTC
    Transaction ID: c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2
=============================
debug.log excerpt:
NotifyKeyStoreStatusChanged
SelectCoins() best subset: 1.36 1.04 0.23 0.19 0.19 0.09 0.01017547 0.01000882 0.01 0.01 0.01 0.01 0.01 0.000168 0.0000752 0.0000736 0.00007 0.0000576 0.0000576 0.0000496 0.0000496 0.00004 0.00004 0.00004 0.00004 0.00004 0.0000272 0.0000256 0.0000256 0.0000216 0.00002 0.0000176 0.0000104 0.0000096 0.000006 0.000004 total 3.17115309
CommitTransaction:
CTransaction(hash=c60852ef78, ver=1, vin.size=36, vout.size=1, nLockTime=0)
    CTxIn(COutPoint(b9e681b76b, 552), scriptSig=30450220563e080d95a17264)
    CTxIn(COutPoint(1dd8186b9b, 36), scriptSig=3045022058f6a23cb1df5e93)
... (similar lines omitted)
    CTxIn(COutPoint(327470ddcf, 813), scriptSig=3046022100d8f12b8c7f8f2b)
    CTxOut(nValue=3.17115309, scriptPubKey=OP_DUP OP_HASH160 b6892d5dd8bd)
AddToWallet c60852ef78  new
WalletUpdateSpent found spent coin 0.000004bc b9e681b76b4e0a1f015b9b8e1dee7da504be83bd8214231eb3dc4ad3d769dae3
NotifyTransactionChanged b9e681b76b4e0a1f015b9b8e1dee7da504be83bd8214231eb3dc4ad3d769dae3 status=1
WalletUpdateSpent found spent coin 0.01017547bc c224e8734f10f85a502605eeff4525b6fb0648cfd9cd0b5842a40b3841de6854
NotifyTransactionChanged c224e8734f10f85a502605eeff4525b6fb0648cfd9cd0b5842a40b3841de6854 status=1
... (similar lines omitted)
WalletUpdateSpent found spent coin 0.00004bc 327470ddcf344fc9124fbc2158e4227c4c963d07353e66923eeea6c660c43ed9
NotifyTransactionChanged 327470ddcf344fc9124fbc2158e4227c4c963d07353e66923eeea6c660c43ed9 status=1
NotifyTransactionChanged c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2 status=0
... (similar lines omitted)
AddToWallet c60852ef78 
NotifyTransactionChanged c60852ef789ed44c4d7ff67e0e43c49a16eed18815b4001e3887e273a4b9a0a2 status=1
CTxMemPool::accept() : accepted c60852ef78 (poolsz 760)
Relaying wtx c60852ef78
NotifyAddressBookChanged 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx  isMine=0 status=0
=========================
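As an added example (not from the thread or from Bitcoin-Qt), here is a small Python parser for the kind of debug.log lines quoted above. It pairs each `SelectCoins() best subset ... total` line with the `CTransaction`/`CTxOut` lines that follow, computes the fee as selected inputs minus outputs, attaches the destination from the `NotifyAddressBookChanged ... isMine=0` line the client writes after sending to a new address, and flags a transaction that sends every selected coin to a single non-wallet output with no change and no fee, which is the shape of the theft transaction in the excerpt. The sample log is constructed from the excerpt (most CTxIn lines dropped, as the parser does not need them) plus a made-up ordinary payment with a change output for contrast; treat the flag as a triage signal, since a deliberate consolidation to an external address looks the same.

```python
import re
from dataclasses import dataclass, field
from decimal import Decimal
from typing import List, Optional, Tuple

# Constructed sample: the first transaction is abridged from the excerpt above;
# the second (txid aaaa0000bb, both outputs, both addresses) is made up.
SAMPLE_LOG = """\
NotifyKeyStoreStatusChanged
SelectCoins() best subset: 1.36 1.04 0.23 0.19 0.19 0.09 0.01017547 0.01000882 0.01 0.01 0.01 0.01 0.01 0.000168 0.0000752 0.0000736 0.00007 0.0000576 0.0000576 0.0000496 0.0000496 0.00004 0.00004 0.00004 0.00004 0.00004 0.0000272 0.0000256 0.0000256 0.0000216 0.00002 0.0000176 0.0000104 0.0000096 0.000006 0.000004 total 3.17115309
CommitTransaction:
CTransaction(hash=c60852ef78, ver=1, vin.size=36, vout.size=1, nLockTime=0)
    CTxIn(COutPoint(b9e681b76b, 552), scriptSig=30450220563e080d95a17264)
    CTxIn(COutPoint(327470ddcf, 813), scriptSig=3046022100d8f12b8c7f8f2b)
    CTxOut(nValue=3.17115309, scriptPubKey=OP_DUP OP_HASH160 b6892d5dd8bd)
AddToWallet c60852ef78  new
Relaying wtx c60852ef78
NotifyAddressBookChanged 1HeAK9siHVWYfWGBVBcGz13WUZkYs5aUGx  isMine=0 status=0
SelectCoins() best subset: 0.5 total 0.5
CommitTransaction:
CTransaction(hash=aaaa0000bb, ver=1, vin.size=1, vout.size=2, nLockTime=0)
    CTxIn(COutPoint(bbbb1111cc, 0), scriptSig=3045022100aaaaaaaaaaaaaaaa)
    CTxOut(nValue=0.1, scriptPubKey=OP_DUP OP_HASH160 0123456789ab)
    CTxOut(nValue=0.3999, scriptPubKey=OP_DUP OP_HASH160 fedcba987654)
AddToWallet aaaa0000bb  new
NotifyAddressBookChanged 1ConstructedDestinationAddrXXXXX  isMine=0 status=0
"""

RE_SELECT = re.compile(r"SelectCoins\(\) best subset: (.*?) total (\S+)")
RE_TX = re.compile(r"CTransaction\(hash=(\w+), ver=\d+, vin\.size=(\d+), vout\.size=(\d+)")
RE_OUT = re.compile(r"CTxOut\(nValue=([\d.]+), scriptPubKey=(.*)\)")
RE_ABOOK = re.compile(r"NotifyAddressBookChanged (\S+)\s+isMine=(\d)")


@dataclass
class TxRecord:
    txid: str
    vin_size: int
    vout_size: int
    selected: List[Decimal] = field(default_factory=list)      # coins SelectCoins picked
    selected_total: Decimal = Decimal(0)                        # the 'total' the client printed
    outputs: List[Tuple[Decimal, str]] = field(default_factory=list)  # (value, scriptPubKey)
    dest: Optional[str] = None
    dest_is_mine: Optional[bool] = None

    def selected_sum(self) -> Decimal:
        return sum(self.selected, Decimal(0))

    def total_out(self) -> Decimal:
        return sum((v for v, _ in self.outputs), Decimal(0))

    def fee(self) -> Decimal:
        return self.selected_total - self.total_out()

    def is_sweep(self) -> bool:
        """Heuristic: every selected coin went to one non-wallet output, no change, no fee."""
        return (self.vout_size == 1 and len(self.outputs) == 1
                and self.fee() == 0 and self.dest_is_mine is False)


def parse_debug_log(text: str) -> List[TxRecord]:
    records: List[TxRecord] = []
    pending = None          # last SelectCoins result, consumed by the next CTransaction
    current: Optional[TxRecord] = None
    for line in text.splitlines():
        line = line.strip()
        m = RE_SELECT.match(line)
        if m:
            pending = ([Decimal(a) for a in m.group(1).split()], Decimal(m.group(2)))
            continue
        m = RE_TX.match(line)
        if m:
            current = TxRecord(m.group(1), int(m.group(2)), int(m.group(3)))
            if pending:
                current.selected, current.selected_total = pending
                pending = None
            records.append(current)
            continue
        m = RE_OUT.match(line)
        if m and current:
            current.outputs.append((Decimal(m.group(1)), m.group(2)))
            continue
        m = RE_ABOOK.match(line)
        if m and current and current.dest is None:
            # isMine=0: the wallet holds no key for the address it just paid.
            current.dest, current.dest_is_mine = m.group(1), m.group(2) == "1"
    return records


if __name__ == "__main__":
    for r in parse_debug_log(SAMPLE_LOG):
        print(r.txid, "inputs", len(r.selected), "fee", r.fee(),
              "to", r.dest, "SWEEP" if r.is_sweep() else "ok")
```

For the quoted excerpt this reports a 36-input, one-output, zero-fee transaction to an isMine=0 address, which is the pattern to alert on in a wallet host's logs; a normal payment carries a change output back to the wallet and a fee.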