Topic: Wallet just got emptied - page 2. (Read 4686 times)

donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 11, 2012, 06:00:57 PM
#29
I am not sure about reinstalling everything but am thinking seriously about it.  I do like the idea of really being sure that nothing is there.  I am running two OSes (Windows 7 Pro 64 and Windows XP Pro 32) and have three 300 GB velociraptors.  I hardly ever use the XP anymore and think I would just have to reinstall my Windows 7.  I just have pretty much filled up all three hard drives and don't want to lose any of that.  The problem there is I will be afraid to save that stuff now as I wouldn't want to accidentally save any virus hiding somewhere.

Use a linux live cd to do antivirus on the velociraptors, and look through recent files for anything suspicious. Delete anything you don't recognise. Then reinstall the base Win7 to a new hard drive - I use a smallish SSD (keep your system files physically separate so you don't need to partition).

This way you'll at least get around the possibility of a remaining file reinfecting your system. At least if the antivirus finds malware, anyway.
legendary
Activity: 1708
Merit: 1010
May 11, 2012, 05:52:35 PM
#28
I have an idea that might prevent this. What about generating a paper wallet? I know a site that can do that and the wallets generated would basically be like paper money once loaded. When unloaded, the paper would be shredded.

The problem being that you can't trust a website to create a private key for you.  One needs to create a single address/private key set completely offline and print it out before destroying the wallet.dat that produced it.  I have exactly one address set up this way, but instead of paper it's on a couple of very well encrypted thumbdrives; one in my gunsafe and one in my safety deposit box.  That private key has never touched a computer that has had any Internet access since creation, neither the thumbdrives nor the offline computer, and the offline computer has had its ethernet card physically removed, and itself resides in my gunsafe.

I figure if you can get into my gunsafe, I'm already past screwed.
member
Activity: 75
Merit: 10
May 11, 2012, 05:42:30 PM
#27
Psy I don't use the same user name but it was a variation with added letters and symbol.  It is different now.  Thanks for letting me know about the ip address.  I have reset the rpcallowip to my home IP address.  I went ahead and started my miner and checked my wallet would still update and they did.  I closed the wallet but for now I am leaving the miner running.
Cypherdoc thanks for the feedback about the Armory wallet.  It sounds like a great setup and I am really thinking I will download and use it this weekend.
Psy, I checked the debug file but I don't know what to look for.  I don't see anything that says sent coins but I don't imagine it would be that obvious.
legendary
Activity: 1358
Merit: 1002
May 11, 2012, 05:24:34 PM
#26
I just remembered... If the transaction was initiated from an RPC command shouldn't it be registered on the debug.log? Along with the IP that made the connection and some other useful info?
legendary
Activity: 1764
Merit: 1002
May 11, 2012, 05:16:51 PM
#25
Or use Armory Offline Wallets to keep your Bitcoins off the internet completely.  It's designed to protect against exactly this...

I just made an Armory-plus-all-dependencies bundle that will work out of the box on Ubuntu 10.04 without ever touching the internet.  Especially good if you have an old laptop lying around with 256 MB of RAM.  Disable the wifi & bluetooth & ethernet in the BIOS, install Ubuntu 10.04 32-bit with all defaults, and then copy this file on there and run the "Install_All_Armory.sh" script.  Create your wallet, and make a watching-only copy to put on your internet-connected computer.   Of course, you need Armory on the online computer, too, but it's not a problem if it is Windows, even if the offline system is Linux.

For more information, there's an Offline Wallet Tutorial on my website.  


i have this exact setup and it works well.
legendary
Activity: 1358
Merit: 1002
May 11, 2012, 05:09:17 PM
#24
The rpcallow line was set to "*" which I assume is open to all.  I have reset it to 8332.  The user id was two words, 11 letters, a number and a symbol.  The password was just a 5 letter word.  I am changing both.

rpcallowip sets the IPs allowed to access the RPC interface. 8332 is the port, not the IP. Having it set to * is an invitation to thieves.
Set rpcallowip=127.0.0.1 or to any other local IP you need to access the service.
Do you by any chance use that same username in pools? If you do, with only a 5 letter dictionary word as password, it would be easy to brute force if someone targeted you by taking your username and IP from some pool logs or database.
member
Activity: 75
Merit: 10
May 11, 2012, 04:47:21 PM
#23
The rpcallow line was set to "*" which I assume is open to all.  I have reset it to 8332.  The user id was two words, 11 letters, a number and a symbol.  The password was just a 5 letter word.  I am changing both.
legendary
Activity: 1358
Merit: 1002
May 11, 2012, 02:58:11 PM
#22
no rpcallowip line in there?
Also, is the password strong?
Because even if they just knew your username, brute forcing the password on a system that does nothing to block failed login attempts will be easy if the password is a dictionary word or less than 8 chars.

Does the user ID in the bitcoin.conf match the username you use in mining pools? Mining pools are always getting hacked; it would be easy to get a list of targets with valuable info.
You may well be a victim of a hacker stealing your coins on the RPC interface and not malware. Happened before.
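The rpcallowip and password advice in posts #24 and #22, as an added example that is not code from the thread or from bitcoind: a small Python audit that parses a bitcoin.conf, flags every rpcallowip entry that is not a loopback or private address (so "*" is flagged) and flags an rpcpassword that is missing, shorter than 8 characters or a dictionary word. The two sample configs and the word list are constructed.

```python
import ipaddress

# Constructed to resemble the settings the original poster described.
WEAK_CONF = """\
rpcuser=mineruser1!
rpcpassword=apple
rpcallowip=*
rpcport=8332
"""

# Corrected form (added here): loopback only, plus a long random password.
FIXED_CONF = """\
rpcuser=mineruser1!
rpcpassword=Vq7m2LwP9zXc4Rb8Hd3Kj6Nt
rpcallowip=127.0.0.1
rpcport=8332
"""

# Deliberately tiny stand-in for a real word list.
COMMON_WORDS = {"apple", "password", "bitcoin", "miner", "secret"}

def parse_conf(text):
    """Map each key to the list of its values (rpcallowip may repeat)."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip().lower(), []).append(value.strip())
    return conf

def audit_conf(text):
    """Return finding strings; an empty list means nothing was flagged."""
    conf = parse_conf(text)
    findings = []
    for entry in conf.get("rpcallowip", []):
        try:
            private = ipaddress.ip_address(entry).is_private
        except ValueError:  # "*" and wildcard patterns do not parse as IPs
            private = False
        if not private:
            findings.append("rpcallowip=%s allows non-local access" % entry)
    pw = conf.get("rpcpassword", [""])[-1]
    if len(pw) < 8 or pw.lower() in COMMON_WORDS:
        findings.append("rpcpassword is missing, short or a dictionary word")
    return findings
```

Without an rpcallowip line at all, old bitcoind only listened to localhost, so the audit does not treat a missing line as a finding.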
member
Activity: 75
Merit: 10
May 11, 2012, 02:38:21 PM
#21
Hey psy, I checked my bitcoin.conf file and I do have a user id and password set.  The port is set to "*" which I believe is open to all.  However, when I set up my guiminer I did set it to 8332 for BitClockers pool.  Should I change the bitcoin.conf file to just use port 8332 instead of a *?  That seems like it would be a good idea.

Hey etotheipi, I am not sure about reinstalling everything but am thinking seriously about it.  I do like the idea of really being sure that nothing is there.  I am running two OSes (Windows 7 Pro 64 and Windows XP Pro 32) and have three 300 GB velociraptors.  I hardly ever use the XP anymore and think I would just have to reinstall my Windows 7.  I just have pretty much filled up all three hard drives and don't want to lose any of that.  The problem there is I will be afraid to save that stuff now as I wouldn't want to accidentally save any virus hiding somewhere.  I am sure that most of it will already be on the backup I have but it is a few weeks old and I am not sure what will not be covered.  I know I should do backups more often but I always seem to put them off.  I believe the backups I do have would be clean.  It must be something new as the 10 bitcoins has been in there for a bit.  I have tried to not be selling until the price hits $6 so I was just waiting.  I will decide this weekend what to do.  Until then I've stopped mining and am keeping the guiminer and bitcoin wallet turned off except when I am looking at them to help get this figured out.
I have an old computer sitting in our spare room that might be perfect for the Armory wallet.  I would just need to hook it up to get it all set up and then just turn it on when I need the digital signature.  It looks like the Armory site has pretty good instructions and it looks pretty straightforward.  I will let you know if I have any problems and need help if I decide to go that way.  I am thinking I will but I would like to hear from anyone else using the Armory wallet how it is working out for them.  I don't mind derailing the thread a little as I want it to cover how to stop things like this to prevent them from occurring.  I want to use this as an opportunity to tighten up my security and try to ensure that something like this doesn't happen again.  I think it would be useful to me and others to have this thread cover all that.  I know that whenever I restart everything I will set new passwords on all my accounts.  Thanks to all of you for your help and suggestions on this.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
May 11, 2012, 02:07:50 PM
#20
I am leaning toward just deleting my all my bitcoin software including the wallet then redownloading them.  I am also thinking about the Armory offline wallet.  The way that is set up looks pretty good and definitely secure.  No one could send anything out without getting a signature from my offline computer.  Does anyone know anything about Armory?  Can tracking the transaction tell me anything useful?  From what I see it goes to the receive address which has 31 transactions for a total of 24.3 bitcoins all of which were immediately transferred.  My 10.33 is in there.

I would advise re-installing your operating system.  Any "respectable" virus has embedded itself in your OS, and there's no way to know if it's truly been purged.  Sure, some A/V can get rid of certain viruses... But in my experience, it's actually easier and much more secure to just wipe your whole hard-drive and reinstall the OS.  But I'm slightly biased ... I have done this so many times (for a variety of reasons, not usually viruses) that I can be back up and running like before the reinstall in one evening.  Either way, there's a lot of peace of mind knowing that no virus can survive an OS reinstallation...

Feel free to PM me if you have any questions about Armory.  I'll be happy to help you get setup with it, or answer any questions you have about security or usage.  (or ask the questions here, if you don't mind derailing your own thread Smiley)

P.S. -- Here's the official forum thread on Armory, though I haven't been updating this page much anymore.  I've been trying to use the bitcoinarmory website more for such things...

member
Activity: 75
Merit: 10
May 11, 2012, 01:53:34 PM
#19
Here is the transaction id: 8dce4c12698bcd7588b82b84e2c325e63c336b3b1a1c30d4b19cda6e09fb05bd.  I am trying to follow it through Block Explorer but have never used it before and it will take me a little bit to understand it.  I am leaning toward just deleting all my bitcoin software including the wallet then redownloading them.  I am also thinking about the Armory offline wallet.  The way that is set up looks pretty good and definitely secure.  No one could send anything out without getting a signature from my offline computer.  Does anyone know anything about Armory?  Can tracking the transaction tell me anything useful?  From what I see it goes to the receive address which has 31 transactions for a total of 24.3 bitcoins all of which were immediately transferred.  My 10.33 is in there.
full member
Activity: 166
Merit: 100
May 11, 2012, 11:39:25 AM
#18
I have an idea that might prevent this. What about generating a paper wallet? I know a site that can do that and the wallets generated would basically be like paper money once loaded. When unloaded, the paper would be shredded.
donator
Activity: 1218
Merit: 1079
Gerald Davis
May 11, 2012, 11:35:47 AM
#17
Here is the address the coins went to: 1PVc7JCJp3L3LqjzjjUw5Mm1NQHGFTj1fP.  I am not sure about the RPC port.  I think I have access turned off to everyone but our home network.  That is just my wife and I.

Obviously your wife just robbed you.
donator
Activity: 2058
Merit: 1007
Poor impulse control.
May 11, 2012, 11:34:07 AM
#16
Your money seems to have ended up here:

18yFjBtEsf9CgzAnVJdvSdPJ2i3Fb2AXrY

And there seems to be an additional 13 btc in mostly large bitdust from other sources mixed with it. You might not be the only one affected.
legendary
Activity: 1358
Merit: 1002
May 11, 2012, 11:18:13 AM
#15
you just need to check on your bitcoin.conf file if you have rpc user and password set, and port also, if you don't have user and password set, nor IP restriction for rpc access, check if you have port 8333 open(or is it 8332?).

Check the wiki for the correct port.
member
Activity: 75
Merit: 10
May 11, 2012, 11:15:05 AM
#14
Here is the address the coins went to: 1PVc7JCJp3L3LqjzjjUw5Mm1NQHGFTj1fP.  I am not sure about the RPC port.  I think I have access turned off to everyone but our home network.  That is just my wife and I.  I know how to go to services and close RPC ports but I don't know which ports to close.  I can pull up a list of all my listening and established ports but am not sure where to go from there.  I'll be looking into it and making sure that everything is closed.  Any help would be appreciated.
legendary
Activity: 1358
Merit: 1002
May 11, 2012, 04:18:21 AM
#13
Or instead of Malware was another case of someone with the RPC port open and accepting rpc commands from any IP in the internet and a weak or non-existent password. Happened before...
legendary
Activity: 2618
Merit: 1007
May 11, 2012, 03:35:07 AM
#12
Maybe you also want to disclose the transaction or address where the 10 BTC went to? It might be helpful in finding out if the thief has emptied other wallets too...
member
Activity: 75
Merit: 10
May 10, 2012, 10:54:19 PM
#11
This looks really interesting.  I will be looking into it.  I see a pretty high level of security in the Armory setup.  I like that nothing can be sent without going to the offline computer and getting it signed.  That would have saved my 10 BC tonight.  I want to make sure I am secure when I start mining with a much higher hash rate.
legendary
Activity: 1428
Merit: 1093
Core Armory Developer
May 10, 2012, 10:42:34 PM
#10
Or use Armory Offline Wallets to keep your Bitcoins off the internet completely.  It's designed to protect against exactly this...

I just made an Armory-plus-all-dependencies bundle that will work out of the box on Ubuntu 10.04 without ever touching the internet.  Especially good if you have an old laptop lying around with 256 MB of RAM.  Disable the wifi & bluetooth & ethernet in the BIOS, install Ubuntu 10.04 32-bit with all defaults, and then copy this file on there and run the "Install_All_Armory.sh" script.  Create your wallet, and make a watching-only copy to put on your internet-connected computer.   Of course, you need Armory on the online computer, too, but it's not a problem if it is Windows, even if the offline system is Linux.

For more information, there's an Offline Wallet Tutorial on my website.  