Topic: Wallet just got emptied (Read 4686 times)

yes you are right about that, but will try this more easy way until i find a good trojan to hijack my wallet.dat

 

Possibly.  The more secure route is not to use your host for ANYTHING except hosting virtual machines.  Then have a virtual machine for day to day activities.  If that virtual machine gets infected it can't compromise the host or any other virtual machines (like the one used for Bitcoin & fiat banking).

i'm using a virtual machine on my pc where i store my wallets and my btc client and i'm very curious about something.
if my pc get's infected will my virtual machine be infected too?

Mt. Gox is the only place I have ever sent any bitcoins.  All they ever got was my sending address.  I used different sending addresses.  I did check there but the coins didn't go there.  Organofcorti has been tracking them and apparantly they are part of a larger scheme.  I think I just got some malware and that is what did the damage.  I found a couple of Trojans right after this happened.  Since I deleted them everything is checking out clean.  I use several anti-virus and anti-spyware apps to check my system and it looks like the malware slipped in and did its ripoff in between times when I checked my system.

Here's an important question:
Have you gave any other sites your private keys?
I had the same issue with 5BTC once, and I was worried for over an hour til I realized I gave mtgox my privatekey for the address they were received at...
In the end, all my BTC was simply sweeped into my mtgox account. So yeah, if you can check if you gave any of your private keys to sites like blockchain.info wallet or mtgox, you might find that's where your BTC went.

I don't use any warez.  The pirate name is just from the fact that I wear an eyepatch.  I am not too well versed in how RPC works but I am finding out.  I tend to think the problem was some of the malware that I found.  I have deleted my guiminer and bitcoin software and have not downloaded any replacements.  I have not had any other problems and everything keeps checking out clean.  I may wait until I get my Bit Force Singles to start up again.  I think I will use the Armory wallet and make sure everything has new and good passwords.  I think that if some kind of keylogger was involved that didn't show up on any of my anti-virus or anti-spyware apps that something would have happened by now to my other accounts instead of just my bitcoin wallet.

No. Of course not. But it would for sure treat his warez addiction, if he has one I didn't strike the part where it says he must understand RPC settings, did I?
And his RPC wansn't open per se. It had a username and password, alebeit a weak one. Also he didn't say if the RPC port was forwarded in the router, which it might not be.
I suggested that it could be the problem, but there is no evidence. More inclined to think it's malware for the time being. My whole point on asking about RPC was to try and save the dude some time on a OS reinstall that might not be needed if RPC proved to be the problem.

wow really, someone that left rpc open would somehow be protected if they used linux?

Now should be better.

pirate1? If that username is supposed to imply what kind of activity you do, I wouldn't be surprised if you had malware. Piracy is very often monetized by malware these days. If you use warez/cracks/keygens you're asking to get screwed.

Reformat your machine from scratch, don't touch warez, use an encrypted wallet and make sure you understand RPC settings!

I wouldn't be so sure:

http://www.bit-tech.net/news/bits/2009/03/24/researchers-create-bios-malware/1

First thing this morning (Asian time) The money started moving again, to two addresses at a time. Most of it has ended up at the following addresses:

http://blockexplorer.com/address/1K2n1K7WUqsUfEyTr4QPagxffSqsT7f8Sy
http://blockexplorer.com/address/13BeKS3FCguWgYXyJy23ZMe2utAycpsgmg
http://blockexplorer.com/address/1FrtkNXastDoMAaorowys27AKQERxgmZjY
http://blockexplorer.com/address/1J2yiVk7oisnMELibVko4thHhHxRDwwtUV


It also went to other addresses that are well established and look like Tx fees and maybe a purchase of something. At least it's obvious you're not the only one stung. There's 21000 coins in one of those addresses which was started only a couple of weeks ago. Your coins might already be partly laundered.

Edit:

In fact, a portion of your coins went here:

http://blockexplorer.com/address/1kTt7jVHZ614g44LEjS1HtxHYpzE96Lkk

which just receives coin and then send it on, at least some of which has gone to bitcoinduit:

http://bitcoinduit.com/rounds/155

You might be able to start asking questions there.

I'm sorry, but there is just too many ways to discretely copy and transmit an unencrypted wallet.dat for such efforts to be worthwhile.  I'm of the opinion that Windows isn't secure enough of an operating system to safely handle bitcoin of any significant amount at all, even if there isn't existing evidence of a breech.  There are simply too many ways to infect a windows machine, check to see that a bitcoin instance exists, copy & transmit the wallet.dat file (encrypted or not) and do the same for a keylogger stream.  I may be paranoid, but I wouldn't put much on any machine I don't have administrative rights upon, even if it was a GNU/Linux machine owned by someone that I trust and believe to have the skills.  If windows is all you have, IMHO you'd be much safer putting your spending money onto your android smartphone and using bitcoinspinner.  At least, for now, there are no know wallet.dat stealing viruses for android.  Or perhaps a split-wallet type online storage service, that permits two-factor logins.  If you use windows, you are already trusting the security model of some faceless entity for which you have no real recourse against in a dispute.  IMHO your odds of getting burned at an online wallet service are actually lower than your odds of being pwned with your own bitcoin client on a windows machine.

I don't know if there might be anything in the logs worth keeping on the off chance that this guy gets caught eventually, by him or others, but I'm fairly certain that there is nothing there that is going to tell you how he got pwned.  Not in the bitcoin logs, anway.  It's very unlikely that the thief targeted him specificly, and sent those coinds from his client.  If he had, the client would have displayed the loss immediately, rather than have to catch up to the blockchain first.

For reference, when you create a new wallet with Armory, you can print a paper-backup with every address ever created by that wallet on one sheet of paper (it's 128 characters from which all private keys are generated).  You technically don't have to print it, you can just copy it down by hand if you can't get the printer working.  You can recover all of your funds at any time in the future if you have those 128 characters.  (although if you import any keys, they have to be backed up separately...)

Further, if you instead wanted to switch to another program, you can copy or print the individual private keys for each address you've used, which can then be imported into another application or service that supports importing addresses.  I'm not sure if that's what people mean when they say "paper wallets".

Yeah. Only the how is important now, so you can decide on what to do next.
The who, screw that. You're not seeing your bitcoins back, that's for sure

MoonShadow, that makes sense.  I am taking it as a fairly cheap lesson in security.  I am going to go ahead and do the delete and redownload.  I am still considering a full reinstall of my OS.  I am waiting for my first couple of Bit Force Singles so now is the time to get this secure.  I am also leaning toward trying the Armory wallet app.  I am looking into the paper wallet a little more too.  I did find a couple of Trojans in my temp files with my SuperAntiSpyware right after this happened.  After I deleted them nothing else has been detected by any of the anti-virus or anti-spyware apps that I have run and I have ran several.  I am thinking that is where the problem was but as I am not sure it worries me.  People have talked about a hacking of the computer through the RPC interface.  I do have RPC turned off for my computer but I don't know if the Bitcoin app goes around that somehow.  It seems like becoming a Bitcoin guru may be a little time consuming.  I want to know as much as I can and definitely enough to be secure but spending the time to learn everything would probably be prohibitive.  I plan on getting an SSD in the next couple of months so I am thinking that will be the time to reinstall my OS and my programs.  I won't have any appreciable amount of bitcoins in my wallet until after that anyway so for now I'll see how it goes with the deletion, new download and maybe the Armory wallet.

Hey Psy, I just saw your new post.  You bring up exactly what I am really wanting to find out.  Just how did it happen?  I am thinking it was malware and one of the Trojans that my anti-spyware found but I really would like to be sure.

MoonShadow, I didn't siad that he should look at the debug.log to track the guy. It was more in a way to try to find if he got jacked by RPC or malware installed in his computer.
You understand the inner workings of bitcoin a lot more than me, so you may be the right person to help.
Isn't there any way to find in any of the logs how that transaction was initiated? Was it from his computer? Did the thieve copied his wallet.dat and swept the funds? Was it RPC?
It could save the man 48hrs, by not having to format his computer and reinstall, in case he could be certain it was his RPC password that got exploited and not malware.

There is nothing useful to be found that can't also be found at blockexplorer.  If you are certain that the funds have been transfered out of your control, and it sounds like that is the case, then there is nothing that can be done.  That is, nothing within the context of the bitcoin system.  If you're determined enough & willing to teach yourself to be a bitcoin guru, it's possible that you could track this guy down eventually.  In which case, you'd need your existing data for prosecution.  But this requires that 1) you learn to be very good at digital forensics, 2) you have the time to put into it and 3) the thief eventually makes a mistake with the funds in those addresses.  For a value of about $50, it's probably best to take it all in as a fairly cheap lesson in security.  If the same thing were to happen to me, I'd be out thousands of $.  I keep about 10 btc on my cell phone.

I looked and found several with the tx ID.  Some saying "ask for tx" and others saying "getdata: tx.....".  I really can't make much out of it.  I am wanting to delete the whole wallet and my bitcoin client along with my guiminer and then redownload everything.  I am keeping it all for now in the hope that maybe I can discover something useful by looking through the files like these.  Trouble is, I don't really know what to look for or what it means when I see it.

Usually the debug.log file is huge.
Try to look for the tx ID. It should show it there if it's recent. Hopefully it can tell you something.
Most transactions only appear with the first 20chars. Only transactions initiated from your client will appear with the full tx ID.