On Friday night GMT I had a little over 7000 XPM stolen from a wallet that was encrypted. My entire holding of XPM. Just to add salt to the wound, I had been mining heavily for the 2 days prior and had over 1800 coins maturing. Over the weekend the thief continued to steal those remaining coins as they matured. I'm now trying to piece together how this has happened.
Firstly I shut down all of my VPS's and personal machines. Since maturing coins were still being stolen it meant that they must have had a copy of my wallet.dat rather than using my RPC. I turned on a single miner and set it running a script to sendtoaddress 10 XPM and ran it as fast as I could in an effort to beat the thief. Many thanks to spekk and a few others @ mcxnow for their help and quick thinking with this solution on Friday night. The thief was obviously doing the same with a script attempting to sendtoaddress 10, as we "battled" all weekend to beat each other to send the matured amount. I increased the number of miners running the script and with this method I managed to salvage 1100 coins over the weekend whilst the thief got 800. So all up I have lost a little over 7800 coins.
Here is an example of one of the many transactions the thief made:
Status: 724 confirmations
Date: 19/08/2013 07:18
To: Aca1dndvLHK1BLWEGsJE2Ci35Wg4azZy2F
Debit: -10.00 XPM
Transaction fee: -0.01 XPM
Net amount: -10.01 XPM
Transaction ID: c0bcfde4fa1ac44d96edeb448bd5d7fa3ecf73f525e69058d69a01cf695c0400
The thief sent all coins to this address Aca1dndvLHK1BLWEGsJE2Ci35Wg4azZy2F.
Pool owners, please could you check to see whether this key is in one of your wallets and PM me if it is. If not, is there any way to check the transaction history/debug.log for incoming transactions from this address? It's a long shot, but I'm determined to go down every avenue to track down this person. The only pool owner I know is RealSolid@mcxNow. Please could people forward this to other owners so they can also check?
The wallet was encrypted, but I had been using it since the early days of XPM so there is a slight possibility that there was an unencrypted version on a VPS drive somewhere (that I'm no longer using). I should state though that I have NOT been mining for several weeks until the 2 days last week when I tried out something new with Amazon ec2's - those instances were 100% using an encrypted wallet. This can only indicate the wallet was stolen earlier.
I have only ever copied the wallet using scp so it does not exist on public dropbox or anything like that.
I have checked for a keylogger / trojan and don't think I have one, but who can be sure without a reinstall these days?
I have used VPS's from Digital Ocean, Amazon, Azure, and GoGrid. Other than the new ec2's last week, all other VPS's were shut down several weeks ago.
I'm at a loss as to how this could have happened but I welcome any suggestions so that I can ensure it doesn't happen again. As you can imagine I am absolutely devastated. I am not a rich person and don't hold a lot of coins. XPM was the first time that I had gotten in early and figured out how to scale cloud mining successfully and I managed to mine around 10k before I felt it was no longer profitable. I sold some a few weeks ago to buy some mcxNow fee shares, 3k last week to pay off my early VPS fees, and the remaining 7k was my long term investment. So other than the fee shares I had taken no profit at all out of what I had mined. I'm now left with a very large bill for the ec2's I used last week and only the 1100 XPM I salvaged to pay it with.
To the thief:- you probably think that stealing crypto is easy and inconsequential. It might have been easy, but it is certainly not without consequence. You're not the one who has to explain to their wife where this money has gone or why we have a large Amazon bill to pay. You're not the one feeling sick at the thought of having such significant amounts of money stolen. You're not the one who has lost confidence in crypto. But there is a very small chance you have a conscience - if you do, please return my money to me at AKmhQzmDAPK8DCT97aVps87pN565kHzS1v and this will be forgotten about.
To everyone else, I urge you to make sure your wallets are encrypted and you are taking every precaution possible to secure your setups.
Thanks, a very gutted
paulthetafy aka paulscreen