Title: Dealing with Bitcoin hackers
Post by: seekoin on January 26, 2018, 06:50:27 PM

Hello mates !

As an owner of a Bitcoin business, I can see a huge rise in intrusion attempts on one of my servers. Most of those lamers are trying to check whether I host an online wallet, and try to download it. See for instance this evidence I recorded:

2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip

But since I used to be a bad guy a long time ago, I had the following ideas:

They are easy to detect as they keep on using the same file names, i.e. wallet, backupwallet, etc. Be careful also, as they are trying to access these critical directories:

/backup/
/bitcoin/
/btc/

I would advise you not to use them anymore, or simply reject the incoming traffic. So to set up my tricky projects, I simply use these statements inside my .htaccess:

# mod_rewrite must be enabled for the rules below to apply
RewriteEngine On
# "hxxp"/"hxxps" are defanged placeholders: put a real http(s):// URL there so
# mod_rewrite issues an external redirect instead of treating the target as a local path
RewriteRule ^bitcoinwallet\.(.)+ hxxp://your-honeypot.com/malware.txt [L]
RewriteRule ^btcwallet\.(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^wallet\.(.)+ hxxp://your-honeypot.com/verybad.php [L]
RewriteRule ^backupwallet\.(.)+ hxxps://www.cia.gov/ [L]
# leading slash is optional because per-directory (.htaccess) rules see the path without it
RewriteRule ^/?backup/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?bitcoin/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?btc/(.)+ hxxp://your-honeypot.com/affiliate [L]

This is working pretty well; even better, you could make some money from those villains ;D

Enjoy !

Title: Re: Dealing with Bitcoin hackers
Post by: jackg on January 26, 2018, 09:19:16 PM

> [jackg quotes seekoin's opening post above in full]

If you fancy doing something good: secure a connection from your server to them, search for their bitcoin config file and attempt to run their bitcoin daemon app to send all their coins to you, and attempt to return them to the person who sent them.

Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used, but even then someone can fiddle with that.

You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

Title: Re: Dealing with Bitcoin hackers
Post by: seekoin on January 26, 2018, 09:44:13 PM

> Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used, but even then someone can fiddle with that.

Obviously several webmasters host their wallets online, considering the number of attacks I observed. I guess they are running a local bitcoind daemon to handle their payments. Having your financial transactions handled by a third party remains very risky for the time being.

> You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

Waste of time: most of those addresses are already blacklisted or come from zombie hosts. And living in a rural area, I know for sure our local cops do not even know what Bitcoin is ;D

Cheers.

Title: Re: Dealing with Bitcoin hackers
Post by: achow101 on January 29, 2018, 12:39:24 AM
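Added example (editor's addition, not a post from this thread): a small detector for the wallet-probing pattern seekoin describes, run over log lines in the same "date time [ip] status(): path" layout as the opening post. The file names and directories it matches are the ones listed in the post; the sample log lines and their IP addresses are constructed.

```python
import re
from collections import defaultdict

# Log layout as shown in the opening post: "<date> <time> [<ip>] <status>(): <path>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<ip>[^\]]+)\] "
    r"(?P<status>\d{3})\(\): (?P<path>\S+)$"
)

# File names and directories the post identifies as scanner targets
# (wallet.*, bitcoinwallet.*, btcwallet.*, backupwallet.*, /backup/, /bitcoin/, /btc/).
PROBE_RE = re.compile(
    r"^/?(?:(?:bitcoin|btc|backup)?wallet\.|(?:backup|bitcoin|btc)/)", re.IGNORECASE
)

def parse_line(line):
    """Return (timestamp, ip, status, path), or None if the line is not in the expected layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("ip"), int(m.group("status")), m.group("path")

def is_wallet_probe(path):
    """True when the requested path is one of the wallet file/directory names probed by scanners."""
    return bool(PROBE_RE.match(path))

def find_scanners(lines, threshold=2):
    """Group wallet probes by source IP and return those with at least `threshold` probes."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines rather than failing on them
        ts, ip, _status, path = parsed
        if is_wallet_probe(path):
            hits[ip].append((ts, path))
    return {ip: probes for ip, probes in hits.items() if len(probes) >= threshold}

# Constructed sample log (RFC 5737 documentation addresses), not taken from the post.
SAMPLE_LOG = """\
2018-01-16 21:13:39 [192.0.2.10] 404(): wallet.dat
2018-01-16 21:13:41 [192.0.2.10] 404(): wallet.dat.bak
2018-01-16 21:13:44 [192.0.2.10] 404(): /backup/wallet.zip
2018-01-16 21:13:46 [198.51.100.7] 404(): backupwallet.dat
2018-01-16 21:13:50 [198.51.100.7] 404(): favicon.ico
2018-01-16 21:13:52 [203.0.113.5] 200(): index.html
""".splitlines()

if __name__ == "__main__":
    for ip, probes in find_scanners(SAMPLE_LOG).items():
        print(ip, len(probes), [path for _, path in probes])
```

The flagged IPs are what you would feed into a block list or alert, and the threshold keeps a single stray 404 (like the favicon request above) from being treated as a scan.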