Topic: Openex hacked but coins recovered - page 13. (Read 14287 times)
Well just letting other users know that withdrawing other coins works fine and is quick.
1CxwZYMmprkY6Dx4crFCXVBFBjXRit7oDg
1) Withdrawal: 0.20402197 BTC
Destination: 1PafQJLSQSjV5AYVHzBRyjTFScGCJknoT9
TXID: 6603ea056688752ab9bf9c3b4c7bc2a7f4fd2dc53347ca2630ef93c3bdba3c6c
So I Guess it was my account you were looking into and you found out the issue
1) Withdrawal: 0.20402197 BTC
Destination: 1PafQJLSQSjV5AYVHzBRyjTFScGCJknoT9
TXID: 6603ea056688752ab9bf9c3b4c7bc2a7f4fd2dc53347ca2630ef93c3bdba3c6c
So I Guess it was my account you were looking into and you found out the issue
attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing
i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.
here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing
Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.
r3wt is a trusted man, so, dont blame anything before he repay to all of your lost, so in this time, we must patient
I'm astounded. root login, password ugh!
1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction
OMGOMGOMG Spend the $400.00 on someone to secure your server.
I am sorry for your loss, but holy $h1t dude.
1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction
OMGOMGOMG Spend the $400.00 on someone to secure your server.
I am sorry for your loss, but holy $h1t dude.
let me ask you a question was that the only wallet.dat file you have I backed up mine on three different storage units you should always have one and then another wallet that you could quickly send it to if you suspect something.
yes unfortunately it was. i thought about cold storaging the majority of the coins but alot of people complain about slow withdrawal times. it was an honest mistake, one i will pay dearly for i'm sure.
let me ask you a question was that the only wallet.dat file you have I backed up mine on three different storage units you should always have one and then another wallet that you could quickly send it to if you suspect something.
absolutely degusting degenerate people can't earn shyt for themselves so they have to steal it from the people who can.
What is the address of the wallet?
i don't know. he took the wallet.dat
i can provide what my account address was and the account address of others who mentioned it in support emails, and anyone else who deposited to the exchange can provide theirs if they can find it in transactions of their personal wallet, but other than that i have no idea what the "main" address was.
and yes, i will repay this somehow. i have no other choice but to repay it. i'm sorry
What is the address of the wallet?
Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2
First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2
left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2
First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2
left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)
I think that's justin's ip(http://www.geoiptool.com/en/?IP=66.87.94.161) he has the server pass, i have the server pass. funny thing is justin's supposedly from oklahoma.
he started the crons last night so
the attacker was probably not stupid enough to leave the log unchanged. if you will notice there is no activity for 6 minutes in between the last failed attempt and where i logged in (173.216.136.127)
I think it only hurts the community and *coin in general when large scale theft happens. S'all we need is a bunch of articles telling people to invest in gold instead because of the wild wild west theft that occurs etc. I understand it though. Anything worth anything gets stolen.
The most I hold to my name is 1 Litecoin and almost 4 RonPauls. Not much, but after mining them myself (even though it's not worth much), I would feel devastated. People suck.
The most I hold to my name is 1 Litecoin and almost 4 RonPauls. Not much, but after mining them myself (even though it's not worth much), I would feel devastated. People suck.
Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2
First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2
left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)
exact time of theft would be useful.
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2
First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2
left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)
exact time of theft would be useful.
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).
I think he's hoping the attacker feels guilty. He/she probably doesn't.
worth a shot. its all i have.
I hope you get them back dude, even a partial refund. Mr. Grey Fox may be reading this, with a conscious.
Wait did you use a password for your ssh login? Please use SSH Keys next time, they are the most secure way to do ssh. Also run bitcoind, under it's own user account. Disable root and use sudoers file instead, then you can ban bitcoind commands. Also cold storage should always be used.
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).
I think he's hoping the attacker feels guilty. He/she probably doesn't.
worth a shot. its all i have.
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).
I think he's hoping the attacker feels guilty. He/she probably doesn't.
http://www.fail2ban.org/wiki/index.php/Main_Page
Oops yeah you know that already. @ every server owner: install that.
Oops yeah you know that already. @ every server owner: install that.
nice security...
and why would the attacker return .5 bitcoins when he could keep the 11bitcoins ?
and why would the attacker return .5 bitcoins when he could keep the 11bitcoins ?
i could have swore i installed fail2ban
Quote
We'll find you eventually you little cock sucker. return our shit or ******************
Edit: Good idea removing that part.
Wow that sucks.
Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).
Jump to: