Bitcoin Forum

Economy => Scam Accusations => Topic started by: slepp on February 24, 2014, 07:36:20 PM



Title: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 24, 2014, 07:36:20 PM
Hi all,

On February 18th at 20:46 UTC, an attacker used the dynamic scripting function of an ElasticSearch instance to steal 149.34 BTC and 7397 LTC from my computer. I'm looking for any assistance in finding/locating the coins/attacker, and also want to inform the community that if they receive coins from 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjv, they are likely my stolen coins.

All the Bitcoin was sent to 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjv in one lump. Since it was stolen on Tuesday, it hasn't moved anywhere else yet. This makes me slightly hopeful it will be returned to me.

The transaction was bf22138b74c3b3528410126ac41f821f71e065a5b0e3a6d819df30f120fda3c4.

The Litecoin was taken in chunks, but it all went to the Litecoin address Li5k5sYdyWD5gDR9TkaU5vk6tDB63XdQRw under a few transactions. There is one other transaction in that Litecoin account (26.846 LTC) which is unrelated to my coins, but may be useful in tracking down the one who stole mine.

The attacker showed up to ElasticSearch from the following IPs:

178.217.187.39
185.27.115.201
188.124.19.114
192.99.8.96
193.37.152.241
194.132.32.42
37.221.161.234
76.104.78.60
77.247.181.165
88.80.187.215
93.114.45.194
94.242.243.166
95.211.167.171
95.211.60.34
96.44.189.100

It seems the 93.114.45.194 IP was fairly central to the attack, since it was the IP the nmap and other intrusion tests were done from, while the actual attack went via the IPs above (mostly seem to be Tor). This may have been a targeted attack, but I'm still investigating all the evidence left behind. The elasticsearch script was using a variable called "counte", which would be found in the exploit software's methods.

It's also clear this was done manually by a human, and not via an automated bot/botnet to do the actual theft.

Any further assistance with this would be appreciated, and anything that leads to a return of coins will be rewarded. Unfortunately, the stolen coins were being used to pay for the ongoing web services like pastebin.ca, so without the return, the group of sites will likely have to shutdown.

Thanks.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: substratum on February 24, 2014, 08:18:30 PM
I'm a little unclear on what vulnerability was exploited to gain access to your wallet. Please keep us updated with details as you uncover them, you never know what might lead to the perp. The notable IP above appears to be a VPN endpoint for perfect-privacy.org, so it's probably not going to be much help.



Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 24, 2014, 08:34:16 PM
It wasn't an exploit, but theft nonetheless. The attacker used the ElasticSearch API to create a 'dynamic script' inside the search software, which is capable of running any shell commands, etc. the attacker wants. This is in fact a feature of ElasticSearch, though one for which they don't show an example of disabling it in the configurations. So, the software ships with a gaping security hole for anyone to walk into (and one has to search the documentation to find that this feature exists), it looks like.

By using this API, they were able to connect to the Bitcoin and Litecoin daemons and transfer all the coins off the server. Running this dynamic script inside ElasticSearch puts results of the commands into the search index, and the only identifier in there of what the initial request may have been is a field called "counte" (which then has results of the command), and I've looked around to see if this field shows up in any examples, but it doesn't, meaning the code itself is slightly unique (and someone somewhere knows who wrote it and who uses it).

I noticed the Perfect Privacy thing; they also state an AUP limiting illegal activities, so I'm trying to contact them for any assistance.

For where I got the information, it's all first hand. All connection flows to/from the servers are logged, so the IPs and so forth were gathered from those connection logs, associated web server logs, etc.
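As an added example (not from this thread, nor from the ElasticSearch project), the following script shows three defender-side checks that follow from slepp's description: auditing an elasticsearch.yml for dynamic scripting left on or the API bound to every interface, scanning an exported index for documents carrying the "counte" field (or any field outside the application's own schema), and matching access-log client IPs against the list posted above. The setting names `script.disable_dynamic` and `network.host` are real ElasticSearch 1.x settings; the config texts, documents and log lines are constructed samples, and `parse_flat_yaml` is a deliberately minimal stand-in for a real YAML parser.

```python
"""Added example (not from the thread or the ElasticSearch project):
defender-side checks prompted by slepp's account of the theft.
All sample configs, documents and log lines below are constructed."""


# Constructed: a dev box left open, like the one described in the thread.
SAMPLE_CONFIG_UNSAFE = """\
cluster.name: devsearch
network.host: 0.0.0.0
# script.disable_dynamic not set; ES 1.0/1.1 then default it to false
"""

# Constructed: the same config hardened.
SAMPLE_CONFIG_HARDENED = """\
cluster.name: devsearch
network.host: 127.0.0.1
script.disable_dynamic: true
"""


def parse_flat_yaml(text):
    """Minimal parser for the flat `key: value` lines ES configs use.
    Nested YAML is deliberately unsupported; use pyyaml for real files."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip()
    return settings


def audit_es_config(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_flat_yaml(text)
    findings = []
    if s.get("script.disable_dynamic", "false").lower() != "true":
        findings.append("dynamic scripting enabled: set script.disable_dynamic: true")
    host = s.get("network.host", "")
    # Unset is treated as exposed: pre-2.0 ES bound to all interfaces by default.
    if host in ("", "0.0.0.0", "::", "_non_loopback_"):
        findings.append("API reachable on all interfaces: network.host=%s" % (host or "<unset>"))
    return findings


# Constructed export; doc 3 mimics what slepp describes: command output
# stored under a field ("counte") that the application never writes.
SAMPLE_DOCS = [
    {"_id": "1", "_source": {"title": "hello", "body": "ordinary document"}},
    {"_id": "2", "_source": {"title": "world", "body": "another document"}},
    {"_id": "3", "_source": {"counte": "(constructed stand-in for command output)"}},
]
EXPECTED_FIELDS = {"title", "body"}  # the application's own schema


def find_script_artifacts(docs, expected_fields=EXPECTED_FIELDS, marker="counte"):
    """Return the _id of every document that carries the marker field or any
    field outside the application's schema."""
    hits = []
    for doc in docs:
        fields = set(doc.get("_source", {}))
        if marker in fields or not fields <= expected_fields:
            hits.append(doc["_id"])
    return hits


# IPs exactly as listed in the opening post.
THREAD_IPS = {
    "178.217.187.39", "185.27.115.201", "188.124.19.114", "192.99.8.96",
    "193.37.152.241", "194.132.32.42", "37.221.161.234", "76.104.78.60",
    "77.247.181.165", "88.80.187.215", "93.114.45.194", "94.242.243.166",
    "95.211.167.171", "95.211.60.34", "96.44.189.100",
}

# Constructed combined-format lines from a reverse proxy in front of port 9200.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Feb/2014:20:40:12 +0000] "GET /_status HTTP/1.1" 200 812',
    '93.114.45.194 - - [18/Feb/2014:20:46:01 +0000] "POST /_search HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Feb/2014:20:47:30 +0000] "GET /app/_search?q=test HTTP/1.1" 200 3301',
]


def flag_log_lines(lines, bad_ips=THREAD_IPS):
    """Return (ip, line) for each line whose client IP is on the indicator list.
    Assumes the client IP is the first space-separated field (combined log format)."""
    return [(line.split(" ", 1)[0], line) for line in lines
            if line.split(" ", 1)[0] in bad_ips]


if __name__ == "__main__":
    for name, cfg in (("unsafe", SAMPLE_CONFIG_UNSAFE), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print(name, audit_es_config(cfg) or "ok")
    print("artifact docs:", find_script_artifacts(SAMPLE_DOCS))
    for ip, _ in flag_log_lines(SAMPLE_LOG):
        print("indicator hit:", ip)
```

The schema check in `find_script_artifacts` is the more durable of the three: an attacker can rename a variable like "counte", but a script that writes command output back into the index still produces documents whose fields do not match the application's mapping.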


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: hostmaster on February 24, 2014, 08:36:33 PM
Why are you bothering yourself? Keep logs, go to the police; they work with Interpol to detect hackers.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: escrow.ms on February 24, 2014, 08:42:49 PM
Why were you even holding that 100+ BTC and 7000+ BTC on a server/PC?
You can file a police report and ask perfect-privacy to provide the real IP address of that user.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 24, 2014, 08:52:36 PM
Why were you even holding that 100+ BTC and 7000+ BTC on a server/PC?
You can file a police report and ask perfect-privacy to provide the real IP address of that user.

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though; I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: extraKrispy on February 24, 2014, 09:06:01 PM
Were the wallets password protected?


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 24, 2014, 09:08:58 PM
Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: cindy93 on February 24, 2014, 09:16:53 PM
that sucks :(


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: roslinpl on February 24, 2014, 09:24:16 PM
Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

perhaps some malware ...
keylogger

or other stuff like that.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: escrow.ms on February 24, 2014, 09:31:01 PM

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though; I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.

Good luck. Btw, how did that hacker know you have funds on that PC? I mean, it's not like some genie told him "Hack this PC and you will get a lot of money". There must be some kind of leak (relay IP or something?), or someone else knew that you have bitcoins on your PC.

Also, were you running Java on your PC and browser?


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 24, 2014, 09:38:56 PM
Good luck. Btw, how did that hacker know you have funds on that PC? I mean, it's not like some genie told him "Hack this PC and you will get a lot of money". There must be some kind of leak (relay IP or something?), or someone else knew that you have bitcoins on your PC.

I think they found it via some random port scans, perhaps. There are other indications it may have been scanned as part of a list of Bitcoin daemons that were online or relay nodes, yes, but that's harder to determine. Looking at the attack pattern once they found a way to get through, they were browsing around and seem to have possibly taken all the coins as a sudden opportunity, and maybe not the original goal. It appears they did a little more looking around on the filesystem after they transferred the coins. They never actually stole the wallet itself, as far as I can tell, though I'm still reviewing traffic flows.

I'm hoping the person has some sort of conscience in all this and returns them, which would be ideal, but in reality, the traces left behind seem very amateur.

And no, not running Java as a browser plugin or anything. The compromised system isn't used as a desktop.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: DeathAndTaxes on February 24, 2014, 10:23:57 PM
Were the wallets password protected?

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

Wait you had 100 BTC on a server with public access and you didn't even know if the wallet was encrypted or not?


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 24, 2014, 10:30:37 PM
Wait you had 100 BTC on a server with public access and you didn't even know if the wallet was encrypted or not?

It isn't and wasn't a public server, but as part of development of an application, ElasticSearch was open to the Internet for a time. Apparently just long enough. The wallet was encrypted, but it looks like there may have been unencrypted backups used. The bitcoin/litecoin daemons were restarted and the debug logs wiped.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: roslinpl on February 24, 2014, 11:12:46 PM
Wait you had 100 BTC on a server with public access and you didn't even know if the wallet was encrypted or not?

It isn't and wasn't a public server, but as part of development of an application, ElasticSearch was open to the Internet for a time. Apparently just long enough. The wallet was encrypted, but it looks like there may have been unencrypted backups used. The bitcoin/litecoin daemons were restarted and the debug logs wiped.

:) keeping Bitcoin backups without a password is like setting pin number in your credit card to null :P


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: boumalo on February 25, 2014, 12:17:54 AM
This convinces me again that cold storage is really important when dealing with an important stash of BTC.

Good luck to find the thief, try everything you can; do you have any left somewhere else?

Buy back some BTC if you don't


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 25, 2014, 12:36:03 AM
This convinces me again that cold storage is really important when dealing with an important stash of BTC.

Good luck to find the thief, try everything you can; do you have any left somewhere else?

Buy back some BTC if you don't

Cold storage was my plan for those, it just hadn't happened yet. The only coins I have left are elsewhere, but it isn't a very large sum compared to what they took. A total of about $7 worth of BTC and LTC was returned to my wallet as change on the transactions.

The problem with replacing them is the size of them is a bit more than I could ever afford again. I started working with Bitcoin and Litecoin years ago, and a short gap of insecurity cost me them all. Part of what's difficult to deal with is that I can't afford to keep pastebin.ca and filebin.ca and such running without the Bitcoins I had (they used to run on ads, but those haven't paid their way in a long time), so after a decade I'll be shutting those down, I imagine. It's been a bit of a rough week, reworking the future.

Hopefully, the attacker will reconsider their actions and return some or all of them to me.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: micro23 on February 25, 2014, 01:37:27 AM
So let me get this straight... You just had a wallet sitting on a dev server running test code with $100k on it?

There is no possible way you could be that stupid. Why on EARTH would you EVER store your wallet on there? That's just beyond dumb..... You also kept unencrypted backups? I just can't comprehend this. I have very few bitcoin, all stored in offline computers. It just makes no sense.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: trentdk on February 25, 2014, 01:53:11 AM
So let me get this straight... You just had a wallet sitting on a dev server running test code with $100k on it?

There is no possible way you could be that stupid. Why on EARTH would you EVER store your wallet on there? That's just beyond dumb..... You also kept unencrypted backups? I just can't comprehend this. I have very few bitcoin, all stored in offline computers. It just makes no sense.

Maybe he/they were developing an app that used and transacted bitcoins, and that was their hot wallet.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: Sydboy on February 25, 2014, 02:16:03 AM
I'm still confused about the wallet password.
It either had one or it didn't?

It sounds like there is more to this story.

I get the impression bitcoin-qt was open and running without a password on the wallet.

Feel sorry for you for the loss :(


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 25, 2014, 02:28:03 AM
I'm still confused about the wallet password.
It either had one or it didn't?

It sounds like there is more to this story.

I get the impression bitcoin-qt was open and running without a password on the wallet.

Feel sorry for you for the loss :(

For the earlier posts, yes, the development stuff was on the same computer, because it's just a computer at home. It's behind all the appropriate firewalls and rules, but there was another circumstance that ended up leaving the ElasticSearch API open to the Internet, which is where the breach took place.

The bitcoind was running, it was then stopped, a backup wallet was moved into place, bitcoind restarted, and all the coins were stolen. The backup copy didn't have encryption on it, but the backups hadn't been deleted (because, well, they were backups) on another system.

As I pick through the pieces, it's pretty clear what could have been done to prevent any of this, but I'm still trying to track down where the thief originally discovered this specific system and setup (and timing) to take advantage of it.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: Sydboy on February 25, 2014, 03:04:44 AM
Ah ok, so you have some older backups without encryption and the hacker somehow got access to those files??
Is that what you are saying?

I thought originally you meant you had encryption and the hacker made a backup which didn't have encryption, but then I read your post again.

Hope you manage to track down the thief. I was on IRC a few weeks ago and people were talking about using 'getpeerinfo' to see who else is mining (and other methods) and then port scanning them, so I'm sure a lot of people are doing that.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 25, 2014, 03:16:06 AM
Ah ok, so you have some older backups without encryption and the hacker somehow got access to those files??
Is that what you are saying?

I thought originally you meant you had encryption and the hacker made a backup which didn't have encryption, but then I read your post again.

The encrypted wallet on that box was a recent adjustment after some private key consolidation, backups were made shortly before the encryption in case it broke. I just hadn't made it to my next set of steps to verify everything was fine, forgot about it for a little while due to other events in life, and when I went back to finish it off, it had all disappeared hours earlier.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: Sydboy on February 25, 2014, 03:29:53 AM
Ah well, doesn't really matter now they are gone. You could have had it encrypted and someone used a keylogger; either way, same result.
You are just in for a few weeks of sleepless nights, well, depending on your finances.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: slepp on February 28, 2014, 04:54:23 PM
Well, the coins are on the move again. They sat idle for the last 10 days, but were just (some of them, anyway) deposited into BTC-e. I've contacted BTC-e and they seem to be working with me on tracking them down, which is nice.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: cp1 on March 01, 2014, 04:40:45 PM
Sorry to hear that.  Make sure you contact elastic search and ask them to disable this back door.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: FrictionlessCoin on March 13, 2014, 08:17:17 PM
, because it's just a computer at home. It's behind all the appropriate firewalls and rules, but there was another circumstance that ended up leaving the ElasticSearch API open to the Internet, which is where the breach took place.


What was the operating system on the computer?

Anyway,  I got hacked back in July 2013.  Hacker somehow got access to an unencrypted backup of the wallet.  Not sure how he got into my macbook pro.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: ltcnim on July 11, 2014, 11:12:42 AM
Well, this is an old thread, but it looks like the coins never moved after they were transferred:

https://blockchain.info/address/1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjv

I wonder why anyone would perform a live-hack and then forget about the coins?


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: Sydboy on July 11, 2014, 11:32:44 AM
probably just moved it straight into a cold storage acct.
they might have 10000 wallets with same amounts of bitcoins :(
plus the longer you wait less chance of anyone noticing when they finally do move.
so so so many exchanges these days. be hard to trace!


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: WootKung on July 11, 2014, 11:38:28 AM
Well, this is an old thread, but it looks like the coins never moved after they were transferred:

https://blockchain.info/address/1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjv

I wonder why anyone would perform a live-hack and then forget about the coins?

obv hodling lol

even hackers like the get value for their money and wait for the price to go up!


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: Jabbatheslutt on July 12, 2014, 02:39:55 AM
Why are you bothering yourself? Keep logs, go to the police; they work with Interpol to detect hackers.
I doubt interpol would get involved in a relatively small theft.


Title: Re: 149.34 BTC and 7397 LTC stolen, assistance appreciated/rewarded
Post by: Benjig on July 12, 2014, 02:47:48 AM
Hello everyone, after finding a way we have destroyed 60% of the premined as promised. We did it in a simple way, deleted permanently a newly generated wallet and video is uploaded to Youtube.
Program used: Rylstim Screen Recorder.
You can watch it here:
https://www.youtube.com/watch?v=wMFbOhK8JK0&feature=youtu.be

Now we will not keep the 40% left, that is around 50,000 coins. As you have seen, these coins are very difficult to mine; there are currently only around 100k in circulation, so we will bring the opportunity to investors who didn't mine it, or people who can't mine it due to the currently high difficulty.

We will make a mini IPO to deliver those coins to people who want to invest in this project.

The IPO will last 24 hours, and will consist on two phases of maximum 200 shares in total each one, they will represent 25,000 coins each one.

There is no minimum, so if only half of the shares are sold in one batch, the total coins will be divided into those shares sold.
Each share has cost of 0.01 BTC.

First batch of 200 maximum shares have a guaranteed amount of 12,000 coins/btc. This means, each share will deliver a minimum of 120 coins.

Once first batch is sold, Second batch of 200 will have a guaranteed amount of 8,000 coins/btc. Share minimum of 90 coins each one.

BTC Unique Address for first batch

18joTFGDMdGjQDX6UBJyDChk1e7WKWPd24

BTC Unique Address for second batch

1NX3jidJRR3M9ZMy54LztVxYLzRMnHWoyS


Don't use online wallets or exchange wallets to send the funds, with the exception of blockchain, this will be required later to send you the TLC.
After sending the funds, send me a PM with the shares purchased , tx id, and TLC address.

The IPO will last 24 hours from August 30 8:00pm forum time. You can easily see if some batch is fully sold by checking each blockchain address: if it has more than 2 BTC the batch is sold, don't send more funds; funds sent over the 200 shares limit will be returned to the user.

The funds will be used to continue the development of the coin as well as our current project: The last shop.

The Last Shop

This shop will be an online marketplace to buy and sell goods between users in the same style as bitmit.net was.
We started developing it and the ETA is around 1 month; the online shop will only use Bitcoin and TLC.


Best, TLC team