Author

Topic: 【Resolved - Thanks escrow.ms】Possible BTC-e hack! HTML-Injection!?! (Read 1827 times)

member
Activity: 88
Merit: 10
That source came from dogecoin/peercoin price ticker extension and yeah if you have some free time and there's no important stuff, you can do a reinstall. Don't forget to take back of imp documents,downloaded files,desktop data (whatever comes in c drive).
no, of course i wont forget to backup. but i have a 4tb d drive so thats no problem, i have 2tb spare space left.
i'm an engineer myself, i just hate cleaning up desktops :p especially my own. I prefer linux servers to work on, u just need windows for tons of stuff impractical on linux! damn commercial crap.
the installation is straightforward, i have build an unattended install, its just every little piece of software that you need to install after the os is ready.
legendary
Activity: 1274
Merit: 1004
That source came from dogecoin/peercoin price ticker extension and yeah if you have some free time and there's no important stuff, you can do a reinstall. Don't forget to take back of imp documents,downloaded files,desktop data (whatever comes in c drive).
member
Activity: 88
Merit: 10
Quote
you mean "GoogleChromeAutoLaunch_A199C6FC886122F66FF15DDAA4146851"?
Yes, as a precaution .

I can see "1Mega XG1bd6mT EQCdAMjVz GexcYrF5LJKv"  (Added spaces so you can see properly) and If Mbam shows your PC clean, you can just remove chrome and do a reinstall or use firefox till then.


ok, thats the correct address.
i removed it already. so far i see the correct nmc address on btc-e... i'm crossing my fingers.
but as i mentioned before, right after my first post and when i explained my findings to btc-e i was able to see the address correctly, it was like it/he knew i was looking for answers. lol
it could be coincidence but anyway, it was weird.
member
Activity: 88
Merit: 10
Ps: If you have teamviewer let me know TV ID/Pass  I can try to help you directly.
Yes i have tv, version 6 however (licenced).

Thanks for the offer, but if something nasty happens to my computer, i always prefer a reinstall instead of a patched up computer; especially with bitcoin, antivirus providers are not yet into bitcoin so they do not always have the latest patches and detection techniques for bitcoin viruses or malware. i just do a reinstall tomorrow night and in the mean time i wont do any cryptocoin payments :-)

I do want to know myself "what is", "what was" or "what is going to be" wrong with my computer and my coins but in this case, we do not know the source yet; but we both know its malware related as the address was found in that pastebin you've showed, so its the same malware writer, definately. luckily he got only 19$ from me! :-)

do you know from wich extention the source code came? i want to dig deeper into this.

Anyway thanks for the help so far!
legendary
Activity: 1274
Merit: 1004
Quote
you mean "GoogleChromeAutoLaunch_A199C6FC886122F66FF15DDAA4146851"?
Yes, as a precaution .

I can see "1Mega XG1bd6mT EQCdAMjVz GexcYrF5LJKv"  (Added spaces so you can see properly) and If Mbam shows your PC clean, you can just remove chrome and do a reinstall or use firefox till then.
member
Activity: 88
Merit: 10
You should disable and remove that GoogleChromeAutoRun entry and scan your pc btw what happens when you copy paste some address on chrome? it stays same or changes?

it's possible that your pc got infected by some malware version of that extension.
you mean "GoogleChromeAutoLaunch_A199C6FC886122F66FF15DDAA4146851"?
the address stays the same.

i'm also noticing my signature address on btc-e bitcointalk is not always starting with 1MegaX witch is my custom vanity address. what is the one you see in my signature?
i have just noticed this 2 times but on the next page view it was back, i was almost thinking i was getting nuts. next time i notice it i'll make note of it.
is was an address starting with 1Ba...blablabla

anyway, i think i should do a reinstall tomorrow, only thing is i did not have time to do that.
but i guess its necessary!
legendary
Activity: 1274
Merit: 1004
You should disable and remove that GoogleChromeAutoRun entry and scan your pc btw what happens when you copy paste some address on chrome? it stays same or changes?

it's possible that your pc got infected by some malware version of that extension.

Ps: If you have teamviewer let me know TV ID/Pass  I can try to help you directly.
member
Activity: 88
Merit: 10

And whats in chrome's tab?  Tongue
Main reason to use ccleaner is, it shows all extensions even if they are hidden in browser and their folder locations.



not really a lot more than from within chrome itself.
legendary
Activity: 1274
Merit: 1004

And whats in chrome's tab?  Tongue
Main reason to use ccleaner is, it shows all extensions even if they are hidden in browser and their folder locations.
member
Activity: 88
Merit: 10
Umm, no click on "Gereedschap" and then click on "startup" and check startup entries and browser extension entries.
oh, lol, my bad. miss understood you the first time.




the image is not showing completely here...
that is the url: http://i57.tinypic.com/2v3k8hy.png
legendary
Activity: 1274
Merit: 1004
Umm, no click on "Gereedschap" and then click on "startup" and check startup entries and browser extension entries.
member
Activity: 88
Merit: 10
Download CCleaner, install and click on tools -> Startup -> Chrome and check if any extension which you have not installed is added.

Take a screenshot of your windows startup entries too if possible and post image here.

i use ccleaner regularly, it was a while back however.


And this is my startup folder:



After all, my computer could definitely use a cleanup, but i can not seem to find the source of the problem so far.
I have eset smart security, but in the mean time i'm also running a full system scan with an online antivirus,
After that i'm going to run a malwarebites scan in the hope it brings something to the front.
legendary
Activity: 1274
Merit: 1004
Download CCleaner, install and click on tools -> Startup -> Chrome and check if any extension which you have not installed is added.

Take a screenshot of your windows startup entries too if possible and post image here.
member
Activity: 88
Merit: 10

I'm aware of that.
The only one i have installed is this one, which i've wrote myself so i know the code.
So my guess is it has to be something else, but i have no idea a.t.m.

Are you sure? and this address "NKPkRSzrrhQx8ymzT2iNzQ2ktnE3C6QfRt" is in live ticker extension's source.

http://pastebin.com/UuvLSeft

Some weeks ago one guy lost his bitcoins due to same extension.
https://bitcointalksearch.org/topic/m.6354489

indeed, the address is in the pastebin you've send.
a list of the extensions installed:


So, what do you think?
legendary
Activity: 1274
Merit: 1004

I'm aware of that.
The only one i have installed is this one, which i've wrote myself so i know the code.
So my guess is it has to be something else, but i have no idea a.t.m.

Are you sure? and this address "NKPkRSzrrhQx8ymzT2iNzQ2ktnE3C6QfRt" is in live ticker extension's source.

http://pastebin.com/UuvLSeft

Some weeks ago one guy lost his bitcoins due to same extension.
https://bitcointalksearch.org/topic/m.6354489

member
Activity: 88
Merit: 10
There are some malicious ticker extensions for chrome. Perhaps you installed one of those? They replace addresses in web pages with the extension author's ones:

http://www.reddit.com/r/Bitcoin/comments/23sjle/chrome_extension_just_stole_my_btc/


Thanks.
I'm aware of that.
The only one i have installed is this one, which i've wrote myself so i know the code.
So my guess is it has to be something else, but i have no idea a.t.m.
legendary
Activity: 3682
Merit: 1580
There are some malicious ticker extensions for chrome. Perhaps you installed one of those? They replace addresses in web pages with the extension author's ones:

http://www.reddit.com/r/Bitcoin/comments/23sjle/chrome_extension_just_stole_my_btc/

member
Activity: 88
Merit: 10
Hi bitcoiners,

3 days ago i opened a new btc-e account seperated from my main account, just so i could use that account for nmc only.
I registered, verified and went to the funds page to generate a new namecoin address.
I copy pasted the namecoin address straight into my namecoin wallet and send out all my remaining local namecoins to the address i just copied.
After some time i was wondering why it was not visible on my account while confirmed by the network more than 100 times.
So i started to investigate:

On 2014-05-08 18:17:03 UTC i send 9.33907543 NMC to "NKPkRSzrrhQx8ymzT2iNzQ2ktnE3C6QfRt"
http://bitinfocharts.com/namecoin/address/NKPkRSzrrhQx8ymzT2iNzQ2ktnE3C6QfRt

Transaction details from namecoin-qt:
Code:
Status: 281 bevestigingen, uitgezonden naar 31 nodes
Datum: 8/05/2014 20:16
Aan: NMC-Trader BTC-E NKPkRSzrrhQx8ymzT2iNzQ2ktnE3C6QfRt
Debet: -9.33907543 NMC
Transactiekosten: -0.04453515 NMC
Netto bedrag: -9.38361058 NMC
Transactie-ID:: a529d4ccf0b5e7e8323924de0c078ae90c48620ccb403f6426e3222a3e0d0a37

A day later, someone from btc-e support answers me:
Code:
Good day, your account created only one wallet
NMC NGLfCraM75vgK2mdk1R3KckQFaLQWWSAY1 08.05.14 20:15
http://bitinfocharts.com/namecoin/NGLfCraM75vgK2mdk1R3KckQFaLQWWSAY1

So after a couple of mails left and right, they asked me to use chrome. And, well, guess what.... i was using chrome all the time.
So i went further looking and when i opened the html source of the page i saw that the address from the qr code was the one they told me was my address, but the one showed on the page was the one i send out all my remaining namecoins to.



I'm not tripping about the amount of namecoins lost, it wasn't that much.
But the thing is, this could have been with a lot more, for example if the same happend to my bitcoins.
So i want to advise anyone working with copy paste addresses, to double check everything, until now it is still unknown to me what happened and how, and most importantly, where did it happen.

What i do want to know is if anyone is aware of anything that could have hit me somehow or somewhere.

Thanks in advance!

EDIT: After writing this and informing btc-e support of what i found out lastly, i went back to the account page, and guess what the address is shown normal now. How is this possible?? Luckily i've got print screens of what i saw, so i know i'm not crazy. But meanwhile, the namecoins are still on an account out of my control.
Jump to: