Pages:
Author

Topic: Openex hacked but coins recovered - page 13. (Read 14317 times)

member
Activity: 98
Merit: 10
January 14, 2014, 01:16:22 AM
#21
Well just letting other users know that withdrawing other coins works fine and is quick.
legendary
Activity: 868
Merit: 1000
January 14, 2014, 01:15:15 AM
#20
1CxwZYMmprkY6Dx4crFCXVBFBjXRit7oDg

1) Withdrawal: 0.20402197 BTC

Destination: 1PafQJLSQSjV5AYVHzBRyjTFScGCJknoT9

TXID: 6603ea056688752ab9bf9c3b4c7bc2a7f4fd2dc53347ca2630ef93c3bdba3c6c


So I Guess it was my account you were looking into and you found out the issue
sr. member
Activity: 266
Merit: 250
January 14, 2014, 01:09:42 AM
#19

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.
use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!
full member
Activity: 196
Merit: 100
January 14, 2014, 01:09:01 AM
#18
r3wt is a trusted man, so, dont blame anything before he repay to all of your lost, so in this time, we must patient
member
Activity: 84
Merit: 10
January 14, 2014, 01:05:22 AM
#17
I'm astounded.  root login, password ugh!

1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction

OMGOMGOMG Spend the $400.00 on someone to secure your server.

I am sorry for your loss, but holy $h1t dude.
hero member
Activity: 686
Merit: 504
always the student, never the master.
January 14, 2014, 12:56:04 AM
#16
let me ask you a question was that the only wallet.dat file you have I backed up mine on three different storage units you should always have one and then another wallet that you could quickly send it to if you suspect something.

yes unfortunately it was. i thought about cold storaging the majority of the coins but alot of people complain about slow withdrawal times. it was an honest mistake, one i will pay dearly for i'm sure.
full member
Activity: 140
Merit: 100
Don't fear Crypto Exchanges go with honest well kn
January 14, 2014, 12:47:13 AM
#15
let me ask you a question was that the only wallet.dat file you have I backed up mine on three different storage units you should always have one and then another wallet that you could quickly send it to if you suspect something.
full member
Activity: 140
Merit: 100
Don't fear Crypto Exchanges go with honest well kn
January 14, 2014, 12:45:59 AM
#14
absolutely degusting degenerate people can't earn shyt for themselves so they have to steal it from the people who can.
hero member
Activity: 686
Merit: 504
always the student, never the master.
January 14, 2014, 12:45:30 AM
#13
What is the address of the wallet?

i don't know. he took the wallet.dat

i can provide what my account address was and the account address of others who mentioned it in support emails, and anyone else who deposited to the exchange can provide theirs if they can find it in transactions of their personal wallet, but other than that i have no idea what the "main" address was.

and yes, i will repay this somehow. i have no other choice but to repay it. i'm sorry
sr. member
Activity: 560
Merit: 250
"Trading Platform of The Future!"
January 14, 2014, 12:41:22 AM
#12
What is the address of the wallet?
hero member
Activity: 686
Merit: 504
always the student, never the master.
January 14, 2014, 12:21:40 AM
#11
Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

I think that's justin's ip(http://www.geoiptool.com/en/?IP=66.87.94.161) he has the server pass, i have the server pass. funny thing is justin's supposedly from oklahoma.


he started the crons last night so i'm pretty sure it wasn't him atleast that is consistent with what i know.

the attacker was probably not stupid enough to leave the log unchanged. if you will notice there is no activity for 6 minutes in between the last failed attempt and where i logged in (173.216.136.127)
full member
Activity: 154
Merit: 100
January 14, 2014, 12:19:54 AM
#10
I think it only hurts the community and *coin in general when large scale theft happens. S'all we need is a bunch of articles telling people to invest in gold instead because of the wild wild west theft that occurs etc. I understand it though. Anything worth anything gets stolen.

The most I hold to my name is 1 Litecoin and almost 4 RonPauls. Not much, but after mining them myself (even though it's not worth much), I would feel devastated. People suck.

sr. member
Activity: 812
Merit: 250
The Fourth Generation of Blockchain in DeFi
January 14, 2014, 12:17:03 AM
#9
Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

exact time of theft would be useful.
legendary
Activity: 1512
Merit: 1124
Invest in your knowledge
January 14, 2014, 12:16:20 AM
#8
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

worth a shot. its all i have.

I hope you get them back dude, even a partial refund. Mr. Grey Fox may be reading this, with a conscious.
legendary
Activity: 1498
Merit: 1000
January 14, 2014, 12:10:11 AM
#7
Wait did you use a password for your ssh login? Please use SSH Keys next time, they are the most secure way to do ssh. Also run bitcoind, under it's own user account. Disable root and use sudoers file instead, then you can ban bitcoind commands. Also cold storage should always be used.
hero member
Activity: 686
Merit: 504
always the student, never the master.
January 14, 2014, 12:11:25 AM
#7
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

worth a shot. its all i have.
full member
Activity: 168
Merit: 100
Captain Jack Fenderson
January 14, 2014, 12:05:32 AM
#6
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.
sr. member
Activity: 812
Merit: 250
The Fourth Generation of Blockchain in DeFi
January 14, 2014, 12:03:05 AM
#5
http://www.fail2ban.org/wiki/index.php/Main_Page
Oops yeah you know that already. @ every server owner: install that.
hero member
Activity: 686
Merit: 504
always the student, never the master.
January 14, 2014, 12:02:33 AM
#4
nice security...
and why would the attacker return .5 bitcoins when he could keep the 11bitcoins ?

i could have swore i installed fail2ban
full member
Activity: 154
Merit: 100
January 14, 2014, 12:02:02 AM
#3
Quote
We'll find you eventually you little cock sucker. return our shit or ******************

Edit: Good idea removing that part.

Wow that sucks.

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).
Pages:
Jump to: