Topic: Possible false alarm: MtGox break in - page 8. (Read 15376 times)

hero member
Activity: 668
Merit: 501
September 12, 2011, 01:18:01 PM
#4
Were you using a YubiKey?
I recently activated mine and I would like to think that my funds are now safe.
sr. member
Activity: 463
Merit: 252
September 12, 2011, 01:14:24 PM
#3
I would like to add some information.  The IP address is 46.250.12.63.  It appears to be an endpoint for a P2P PPTP-based VPN.

So this looks like a reasonably sophisticated attacker.

I would also like to add that I have confidence in Diablo-D3's personal computer security practices (i.e. he is most certainly not sharing passwords between the forums and mtgox).

Code:
# nmap -sS -sV -O -PN -n -p 1-65535 -vvvv -T5 46.250.12.63
Starting Nmap 5.00 ( http://nmap.org ) at 2011-09-12 18:52 BST
NSE: Loaded 3 scripts for scanning.
Initiating SYN Stealth Scan at 18:52
Scanning 46.250.12.63 [65535 ports]
Discovered open port 1723/tcp on 46.250.12.63
Warning: Giving up on port early because retransmission cap hit.
SYN Stealth Scan Timing: About 10.81% done; ETC: 18:57 (0:04:16 remaining)
SYN Stealth Scan Timing: About 51.13% done; ETC: 18:54 (0:00:58 remaining)
Discovered open port 14891/tcp on 46.250.12.63
Completed SYN Stealth Scan at 18:54, 90.67s elapsed (65535 total ports)
Initiating Service scan at 18:54
Scanning 2 services on 46.250.12.63
Service scan Timing: About 50.00% done; ETC: 18:58 (0:01:57 remaining)
Completed Service scan at 18:56, 117.08s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 46.250.12.63
Retrying OS detection (try #2) against 46.250.12.63
NSE: Script scanning 46.250.12.63.
NSE: Starting runlevel 1 scan
Initiating NSE at 18:56
Completed NSE at 18:56, 29.76s elapsed
NSE: Script Scanning completed.
Host 46.250.12.63 is up (0.034s latency).
Scanned at 2011-09-12 18:52:51 BST for 241s
Interesting ports on 46.250.12.63:
Not shown: 65528 closed ports
PORT      STATE    SERVICE      VERSION
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1723/tcp  open     pptp         Microsoft Windows NT (Firmware: 2600)
14891/tcp open     unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port14891-TCP:V=5.00%I=7%D=9/12%Time=4E6E4789%P=x86_64-unknown-linux-gnu%r(SMBProgNeg,F0,"\x1aPm\xc4\xb8\.\xd0\xee1\x93\x82\x9f\xcb\xb8s\x9bB\xf9\
SF:x95\x17{\x13\xecm\]\xad\xc8\xa2\x19\x08w\xee\xed}:2GuJ-\xc8'\xb3\x0e\x8
SF:btH<\xbb%N\0\]\xba\x12q\xfe\xffy1~\xb1\\Lv\x10;T\x12c\xda\xda\x18\x16\x
SF:91j\xa4#g\xa8\x9cv\x8d\*\xe4\x9fq>I~\t\+qB\x11\xad\x9ee#\x13\x08\xe5D\x
SF:1d&\xdd\[\x14\xad\xd9@W\xdaA\xb41t\xbb\x08b\x08\xfe\x82\xc9gs7#\xe6C\xa
SF:6\nW\xfc\xd2\x8a\x9e\xdc}\.\x12\xb8\xbc\xc7\xb9\xcf\x8dj\xf5z\x98\t7Xw\
SF:xb0\xd3\x1f\xfe\x97\xe9eq\x8a~\xec5\^L&\x88I\xce\x95\xd5\xb7\xe6\xec\xa
SF:0C#V=\xde\xe4\xb2\x870U\xe4\x9b\xf6\x0fRp\x0fnU\xe4N\xb6\xca\xc0X\xfc\x
SF:a52/dY\x11{D\xe7M\xeem\x98\xb8\xb0\xe0\x92\xef\x13u\xa7\*\xf2\?\xc7\x80
SF:\xeb\xae\x9b37\xa3\xac{k")%r(FourOhFourRequest,6C,"HTTP/1\.1\x20400\x20
SF:ERROR\r\nConnection:\x20keep-alive\r\nContent-Length:\x2017\r\nContent-
SF:Type:\x20text/html\r\n\r\n\r\ninvalid\x20request")%r(SIPOptions,7C,"!K\
SF:x10\xa0K\|\xf0\xd6\xed8\x05\x9f\x9c\xf8\x9b\x89\xbe\xa7\x96\x9d\xb7_=\^
SF:\xb7\xc5\xa8Q\x13\x0e\]\xdf\xfa\xc6\xb8\x8e\xd9~y\xc2\xe2\x10s\x14\xf2o
SF:\x92\0yH\x16\xeaV\xbam\xa5\xe2\x9c\x1d}A9\x8aVW\x94\x95\xf1\xbe\x88Y\xe
SF:56\xdcp\xd6\xca\xf7\xd3<\xea\x861\xd4\x8c\xeb\x8e\x95\xb9\xf8\x10\x0e\x
SF:d7M&\xbf\xf1\xaaf\xbc\x82NH\xb9p61\xf6\xfc\xcc\n\)\xe1c\xd2j\?\x01o<\x9
SF:cN\t#")%r(WMSRequest,144,"\xd8kk\x17e\xb7\x91\xa8C\x83\xae\xd6\x0ciO\x9
SF:8\xf3cVZE\x05\xe6\.T\xed\xb2<\xb3\xa4\x17\xcb\xd7\xecM\^wl\x1e\x9e\xbd\
SF:x89\xe2\xaf3\x19~i\xea\x92\x1d\x08\+\x95V\xae\x95\)\xd4\xf8\xa3\xab\xae
SF:c\xef\xe0\xaa\xd55\xe5\xb2\xa1\x16\$G\xe33\xb5\xe0\xf9\xdc\xe4\xa7\+sqB
SF:\x8f\xc2\xf2\xe9\xfd\xf2\x0ey\x1f\xbd\xaf}i\x0c\?}\xf5\(\xad\$\xd8\xcar
SF:\xc0\x9b\x17d\xbb3\xae;\xe5WX\x9e\x1b\xac\xb1\xba\xd6f\xe8\x9c\xb2`\xca
SF:\x8dH\xde{\x9e\x14\xf0\)~\xf8\r\xd6L\xecx\x17\xc5\x962\x13\x0cN\xda/\x9
SF:1\(\x1a\x88\xb8fU\xd5\xccf\xbaD\+\xcb\.8\xd3U\(\xd7\x91@\x19\xf7\x894\x
SF:ac`\x08\xb3\x88w\x8e\x7f\x15n\xe4\x8c/\xf3Y\nK=x\x1a\xa0\xd8\"\x20\x94\
SF:x9c\x8a\x82P\xf0h\xfapv\x0f\x15Q\xc0\xc9\xd0\x8c\xde3\x10\x90\x8a\xb9\x
SF:84y\xd4rB\x0f\xff\x7f\*R\xc2k\xd3~z\xa8\x89@\x93\"3\xa1x\xc5\xb7\xb3H\x
SF:d9\xb8\xfd\x9a\x1f\x12\xd2\xae\xd9\xdb\x1e>>#lD\xd6q\x92\xd6\x82\xfd\xb
SF:4F!\x89\xd2#\]%U\x08RSj\x15\x7f\xcb\xe1\x8c\xd8\xbf\xd3\x0f\xed\xfb\x88
SF:=I=\xc2D&\x16\x1c\x02\x88\xcb_\x92\xf5\xff\xc4\xe2\x18\x20H");
Device type: general purpose|PDA|terminal|media device|phone
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003|PocketPC/CE|Me (96%), Fujitsu Siemens Windows PocketPC/CE (91%), HP Windows PocketPC/CE (91%), Microsoft embedded (91%), AT&T Windows PocketPC/CE (89%)
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (95%), Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows Server 2003 SP2 (x64) (93%), Microsoft Windows XP SP3 (93%), Microsoft Windows XP Professional SP2 or Windows Server 2003 (92%), Microsoft Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=5.00%D=9/12%OT=1723%CT=1%CU=38423%PV=N%DS=7%G=N%TM=4E6E47E4%P=x86_64-unknown-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=0)
OPS(O1=M550NW0NNT00NNS%O2=M550NW0NNT00NNS%O3=M550NW0NNT00%O4=M550NW0NNT00NNS%O5=M550NW0NNT00NNS%O6=M550NNT00NNS)
WIN(W1=4510%W2=4510%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=81%W=4510%O=M550NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=81%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=81%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=81%W=402E%S=O%A=S+%F=AS%O=M550NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=81%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=81%CD=Z)

Network Distance: 7 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.35 seconds
           Raw packets sent: 68143 (3.000MB) | Rcvd: 67683 (2.708MB)
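
The "pptp  Microsoft Windows NT (Firmware: 2600)" line above comes from the PPTP control-connection handshake on TCP/1723: the client sends a Start-Control-Connection-Request (SCCRQ) and the server answers with a Start-Control-Connection-Reply (SCCRP) that carries a firmware-revision field, a host name and a vendor string (RFC 2637). Microsoft fills the firmware field with the OS build number, and 2600 is the Windows XP build, which agrees with the OS-detection guesses further down. The following is an added example, not code from the poster or from nmap, that builds the SCCRQ, parses an SCCRP, and pulls out those identifying fields. The sample reply is constructed here to mirror what nmap reported; the host names, vendor strings and capability values in it are assumptions, not captured data, and the `probe_pptp` helper (which does need network access) is not exercised offline.

```python
import socket
import struct

# PPTP control-connection constants from RFC 2637.
PPTP_MAGIC = 0x1A2B3C4D
MSG_CONTROL = 1          # PPTP message type: control message
CTRL_SCCRQ = 1           # Start-Control-Connection-Request
CTRL_SCCRP = 2           # Start-Control-Connection-Reply
PPTP_VERSION = 0x0100
SCC_LEN = 156            # SCCRQ and SCCRP are both fixed-size 156-byte messages

# Field layout shared by SCCRQ and SCCRP (network byte order, no padding).
# The two single bytes after the version are "reserved" in the request and
# "result code" / "error code" in the reply.
_SCC_FMT = "!HHIHHHBBIIHH64s64s"
assert struct.calcsize(_SCC_FMT) == SCC_LEN


def _pad64(s):
    """Fit a host name or vendor string into its 64-byte NUL-padded slot."""
    return s[:64].ljust(64, b"\0")


def build_sccrq(hostname=b"probe", vendor=b"probe"):
    """Build the SCCRQ a client sends first after connecting to TCP/1723."""
    return struct.pack(_SCC_FMT, SCC_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRQ,
                       0, PPTP_VERSION, 0, 0,
                       1, 1,            # framing / bearer capabilities: async, analog
                       0,               # max channels (0 = unspecified)
                       0,               # firmware revision of this client
                       _pad64(hostname), _pad64(vendor))


def build_sccrp(firmware, hostname, vendor, result_code=1, error_code=0):
    """Build an SCCRP the way a server would; used here only to construct sample input."""
    return struct.pack(_SCC_FMT, SCC_LEN, MSG_CONTROL, PPTP_MAGIC, CTRL_SCCRP,
                       0, PPTP_VERSION, result_code, error_code,
                       3, 3,            # framing / bearer: async+sync, analog+digital (assumed)
                       0xFFFF, firmware, _pad64(hostname), _pad64(vendor))


def _cstr(b):
    """Decode a NUL-padded ASCII field."""
    return b.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_sccrp(data):
    """Validate an SCCRP and return the fields that identify the peer.

    Raises ValueError if the bytes are not a well-formed PPTP SCCRP, so a
    caller can tell "speaks PPTP" from "something else listening on 1723".
    """
    if len(data) < SCC_LEN:
        raise ValueError("short read: %d bytes" % len(data))
    (length, msg_type, magic, ctrl_type, _res, version, result, error,
     framing, bearer, max_chan, firmware, host, vendor) = struct.unpack(_SCC_FMT, data[:SCC_LEN])
    if magic != PPTP_MAGIC or msg_type != MSG_CONTROL:
        raise ValueError("not a PPTP control message")
    if ctrl_type != CTRL_SCCRP or length != SCC_LEN:
        raise ValueError("not an SCCRP (control type %d, length %d)" % (ctrl_type, length))
    return {
        "version": "%d.%d" % (version >> 8, version & 0xFF),
        "result_code": result,       # 1 = successful channel establishment
        "error_code": error,
        "framing_caps": framing,
        "bearer_caps": bearer,
        "max_channels": max_chan,
        "firmware_revision": firmware,   # what nmap renders as "Firmware: NNNN"
        "hostname": _cstr(host),
        "vendor": _cstr(vendor),
    }


def is_pptp_reply(data):
    """True if the bytes parse as an SCCRP, False for anything else."""
    try:
        parse_sccrp(data)
        return True
    except ValueError:
        return False


def probe_pptp(host, port=1723, timeout=5.0):
    """Connect, send an SCCRQ and read exactly one SCCRP. Needs network access."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq())
        data = b""
        while len(data) < SCC_LEN:
            chunk = s.recv(SCC_LEN - len(data))
            if not chunk:
                break
            data += chunk
    return parse_sccrp(data)


# Constructed sample reply (not captured from the host in the thread): the
# firmware revision 2600 and vendor string mirror what nmap reported above.
SAMPLE_SCCRP = build_sccrp(2600, b"local", b"Microsoft Windows NT")

if __name__ == "__main__":
    print(parse_sccrp(SAMPLE_SCCRP))
```

Running `probe_pptp("host")` against a real listener returns the same dictionary; a non-PPTP service on the port, such as something answering with an HTTP error like the unknown port 14891 did above, fails the magic-cookie and control-type checks and raises instead of being misreported as a VPN endpoint.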

member
Activity: 98
Merit: 10
September 12, 2011, 01:12:37 PM
#2
Let me guess, you used the same password at mtgox and at bitcointalk.org?
legendary
Activity: 1162
Merit: 1000
DiabloMiner author
September 12, 2011, 01:05:03 PM
#1
It seems Mt Gox has been broken into again. My account was just liquidated and sent to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

Everyone: Clear out your accounts if you have anything in them.