Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: pirate1 on May 11, 2012, 02:38:31 AM



Title: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 02:38:31 AM
I opened up my wallet to update it and catch up.  When I went to check to see if it was done all my bitcoins had been sent out.  It was only 10 but it was all I had.  I've got pretty good anti-spyware, anti-virus, and firewalls on my computer.  I can see the address but I don't figure that is any help at all.  Should I delete everything and redownload and start from scratch or what? Nobody ever gets on my computer but me so it didn't happen from here but somehow through the Internet.  Just how secure are the wallets and how often is this happening?  I was under the impression that they were pretty secure against this kind of thing.  Anyway, it seems like it will be hard to trust the one I have again.  That is why I am thinking of deleting everything and starting over with new downloads.  What does anyone think about that?  Any suggestions?


Title: Re: Wallet just got emptied
Post by: FreeMoney on May 11, 2012, 02:45:01 AM
That sucks, sorry to hear.

What OS? Was your wallet encrypted? Did you ever back it up anywhere? Could a backup have leaked?


Title: Re: Wallet just got emptied
Post by: Rothgar on May 11, 2012, 02:46:56 AM
Do you see all the transactions in and there is a transaction out?

Shot in the dark:  Do you use any other "virtual currency?" 


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 02:54:02 AM
No, I didn't have it encrypted.  I have never had any problems before and never bothered.  You can bet I will next time.  No, I don't use any other alternative currencies.  Yes, I can see the transaction out and the address though I don't see what good that will do me.  How often is this happening?  I think I am going to delete everything and start over.  I've got a couple of Bit Force Singles coming and I don't want this to happen again.  As it is 10 was about a month and a half of mining so that sucks but it's not a real major hit.  I just want to make sure it doesn't happen again.  So if I delete everything and start over and next time I will encrypt my wallet what else should I do to make sure this doesn't happen?  I would like to understand how it happened this time.


Title: Re: Wallet just got emptied
Post by: organofcorti on May 11, 2012, 02:57:13 AM
Install any bitcoin related software lately?

Visit a bitcoin related website you haven't been to before, with javascript turned on in your browser?


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 03:14:02 AM
No to both.  I recently reloaded my guiminer since the last amd update seems to have killed my hashrate.  One of my cards went from about 275 m/hash to 30 and the other went from 275 to about 230.  I've been trying to get that figured out slowly for a week or so but I haven't visited anywhere new.  Just went by my pool, Bitclockers, to check on what I had there, and thought I would update my wallet with the new blocks.  I just ran my SuperAntiSpyware and it found a couple of things and a bunch of tracking cookies.  The two serious ones it found might have been my problem but I don't know for sure.  I am thinking the safest thing to do is to delete all my bitcoin stuff and start over though first I would like to understand exactly how this was done.


Title: Re: Wallet just got emptied
Post by: notme on May 11, 2012, 03:16:06 AM
Common antivirus may not yet detect bitcoin related malware.  If you are infected, redownloading bitcoin may not be enough.  If the malware also has a keylogger, encryption won't help either.  I would make a wallet on an airgapped Linux system if you want to store significant coinage.  Personally, I would never trust a windows box with anything more than a few bitcents.


Title: Re: Wallet just got emptied
Post by: Rothgar on May 11, 2012, 03:17:57 AM
notme beat me to it.  I wrote:

You'll need to do more than reinstall the client.  Your system must have been compromised somehow.  If you install another client, encrypt your wallet and only use addresses after encrypting.  

The fact is that there is a more serious issue.  Somehow a malicious program was run.  If you have a malicious program on the computer then you can't rule out that you have a keylogger which would compromise the encryption.  


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 03:20:18 AM
I think I'll put my next wallet on a flash drive and just plug it in for transfers.  I am doing a pretty serious search now for any kind of spyware.  Yeah, I am worried about some kind of keylogger or something so I am running several malware searches.


Title: Re: Wallet just got emptied
Post by: etotheipi on May 11, 2012, 03:42:34 AM
Or use Armory Offline Wallets (http://bitcoinarmory.com/index.php/get-armory) to keep your Bitcoins off the internet completely.  It's designed to protect against exactly this...

I just made an Armory-plus-all-dependencies bundle (https://github.com/downloads/etotheipi/BitcoinArmory/Armory_Offline_ALL_Ubuntu_10.04-32bit.zip) that will work out of the box on Ubuntu 10.04 without ever touching the internet.  Especially good if you have an old laptop laying around with 256 MB of RAM.  Disable the wifi & bluetooth & ethernet in the BIOS, install Ubuntu 10.04 32-bit with all defaults, and then copy this file on there and run the "Install_All_Armory.sh" script.  Create your wallet, and make a watching-only copy to put on your internet-connected computer.   Of course, you need Armory on the online computer, too, but it's not a problem if it is Windows, even if the offline system is Linux. 

For more information, there's an Offline Wallet Tutorial (http://bitcoinarmory.com/index.php/using-offline-wallets-in-armory) on my website.  
</spam>


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 03:54:19 AM
This looks really interesting.  I will be looking into it.  I see a pretty high level of security in the Armory setup.  I like that nothing can be sent without going to the offline computer and getting it signed.  That would have saved my 10 BC tonight.  I want to make sure I am secure when I start mining with a much higher hash rate.


Title: Re: Wallet just got emptied
Post by: Sukrim on May 11, 2012, 08:35:07 AM
Maybe you also want to disclose the transaction or address where the 10 BTC went to? It might be helpful in finding out if the thief has emptied other wallets too...


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 11, 2012, 09:18:21 AM
Or instead of malware was another case of someone with the RPC port open and accepting RPC commands from any IP in the internet and a weak or non-existent password. Happened before...


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 04:15:05 PM
Here is the address the coins went to; 1PVc7JCJp3L3LqjzjjUw5Mm1NQHGFTj1fP.  I am not sure about the RPC port.  I think I have access turned off to everyone but our home network.  That is just my wife and I.  I know how to go to services and close RPC ports but I don't know which ports to close.  I can pull up a list of all my listening and established ports but am not sure where to go from there.  I'll be looking into it and making sure that everything is closed.  Any help would be appreciated.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 11, 2012, 04:18:13 PM
you just need to check on your bitcoin.conf file if you have rpc user and password set, and port also, if you don't have user and password set, nor IP restriction for rpc access, check if you have port 8333 open(or is it 8332?).

Check the wiki for the correct port.


Title: Re: Wallet just got emptied
Post by: organofcorti on May 11, 2012, 04:34:07 PM
Your money seems to have ended up here:

18yFjBtEsf9CgzAnVJdvSdPJ2i3Fb2AXrY (http://blockexplorer.com/address/18yFjBtEsf9CgzAnVJdvSdPJ2i3Fb2AXrY)

And there seems to be an additional 13 btc in mostly large bitdust from other sources mixed with it. You might not be the only one affected.


Title: Re: Wallet just got emptied
Post by: DeathAndTaxes on May 11, 2012, 04:35:47 PM
Here is the address the coins went to; 1PVc7JCJp3L3LqjzjjUw5Mm1NQHGFTj1fP.  I am not sure about the RPC port.  I think I have access turned off to everyone but our home network.  That is just my wife and I. 

Obviously your wife just robbed you.


Title: Re: Wallet just got emptied
Post by: deus-ex-machina on May 11, 2012, 04:39:25 PM
I have an idea that might prevent this. What about generating a paper wallet? I know a site that can do that and the wallets generated would basically be like paper money once loaded. When unloaded, the paper would be shredded.


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 06:53:34 PM
Here is the transaction id;8dce4c12698bcd7588b82b84e2c325e63c336b3b1a1c30d4b19cda6e09fb05bd.  I am trying to follow it through Block Explorer but have never used it before and it will take me a little bit to understand it.  I am leaning toward just deleting all my bitcoin software including the wallet then redownloading them.  I am also thinking about the Armory offline wallet.  The way that is set up looks pretty good and definitely secure.  No one could send anything out without getting a signature from my offline computer.  Does anyone know anything about Armory?  Can tracking the transaction tell me anything useful?  From what I see it goes to the receive address which has 31 transactions for a total of 24.3 bitcoins all of which were immediately transferred.  My 10.33 is in there.


Title: Re: Wallet just got emptied
Post by: etotheipi on May 11, 2012, 07:07:50 PM
I am leaning toward just deleting all my bitcoin software including the wallet then redownloading them.  I am also thinking about the Armory offline wallet.  The way that is set up looks pretty good and definitely secure.  No one could send anything out without getting a signature from my offline computer.  Does anyone know anything about Armory?  Can tracking the transaction tell me anything useful?  From what I see it goes to the receive address which has 31 transactions for a total of 24.3 bitcoins all of which were immediately transferred.  My 10.33 is in there.

I would advise re-installing your operating system.  Any "respectable" virus has embedded itself in your OS, and there's no way to know if it's truly been purged.  Sure, some A/V can get rid of certain viruses... But in my experience, it's actually easier and much more secure to just wipe your whole hard-drive and reinstall the OS.  But I'm slightly biased ... I have done this so many times (for a variety of reasons, not usually viruses) that I can be back up and running like before the reinstall in one evening.  Either way, there's a lot of peace of mind knowing that no virus can survive an OS reinstallation...

Feel free to PM me if you have any questions about Armory.  I'll be happy to help you get setup with it, or answer any questions you have about security or usage.  (or ask the questions here, if you don't mind derailing your own thread :))

P.S. -- Here's the official forum thread on Armory (https://bitcointalk.org/index.php?topic=56424.0), though I haven't been updating this page much anymore.  I've been trying to use the bitcoinarmory website more for such things...



Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 07:38:21 PM
Hey psy, I checked my bitcoin.conf file and I do have a user id and password set.  The port is set to "*" which I believe is open to all.  However, when I set up my guiminer I did set it to 8332 for BitClockers pool.  Should I change the bitcoin.conf file to just use port 8332 instead of a *?  That seems like it would be a good idea.

Hey etotheipi, I am not sure about reinstalling everything but am thinking seriously about it.  I do like the idea of really being sure that nothing is there.  I am running two OS(Windows 7 Pro 64 and Windows XP Pro 32) and have three 300gb velociraptors.  I hardly ever use the XP anymore and think I would just have to reinstall my Windows 7.  I just have pretty much filled up all three hard drives and don't want to lose any of that.  The problem there is I will be afraid to save that stuff now as I wouldn't want to accidentally save any virus hiding somewhere.  I am sure that most of it will already be on the backup I have but it is a few weeks old and I am not sure what will not be covered.  I know I should do backups more often but I always seem to put them off.  I believe the backups I do have would be clean.  It must be something new as the 10 bitcoins has been in there for a bit.  I have tried to not be selling until the price hits $6 so I was just waiting.  I will decide this weekend what to do.  Until then I've stopped mining and am keeping the guiminer and bitcoin wallet turned off except when I am looking at them to help get this figured out.
I have an old computer sitting in our spare room that might be perfect for the Armory wallet.  I would just need to hook it up to get it all set up and then just turn it on when I need the digital signature.  It looks like the Armory site has pretty good instructions and it looks pretty straightforward.  I will let you know if I have any problems and need help if I decide to go that way.  I am thinking I will but I would like to hear from anyone else using the Armory wallet how it is working out for them.  I don't mind derailing the thread a little as I want it to cover how to stop things like this to prevent them from occurring.  I want to use this as an opportunity to tighten up my security and try to ensure that something like this doesn't happen again.  I think it would be useful to me and others to have this thread cover all that.  I know that whenever I restart everything I will set new passwords on all my accounts.  Thanks to all of you for your help and suggestions on this.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 11, 2012, 07:58:11 PM
no rpcallowip line in there?
Also, is the password strong?
Because even if they just knew your username, brute forcing the password on a system that does nothing to block failed login attempts will be easy if the password is a dictionary word or less than 8 chars.

Does the user ID in the bitcoin.conf match the username you use in mining pools? Mining pools are always getting hacked; it would be easy to get a list of targets with valuable info.
You may well be a victim of a hacker stealing your coins on the RPC interface and not malware. Happened before.


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 09:47:21 PM
The rpcallowip line was set to "*" which I assume is open to all.  I have reset it to 8332.  The user id was two words, 11 letters, a number and a symbol.  The password was just a 5 letter word.  I am changing both.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 11, 2012, 10:09:17 PM
The rpcallowip line was set to "*" which I assume is open to all.  I have reset it to 8332.  The user id was two words, 11 letters, a number and a symbol.  The password was just a 5 letter word.  I am changing both.

rpcallowip sets the IPs allowed to access the RPC interface. 8332 is the port, not the IP. Having it set to * is an invitation to thieves.
Set rpcallowip=127.0.0.1 or to any other local IP you need to access the service.
Do you by any chance use that same username in pools? If you do, with only a 5 letter dictionary word as password, it would be easy to brute force if someone targeted you by taking your username and IP from some pool logs or database.
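As an added example (not code from this thread, the Bitcoin client, or any poster), a small Python audit of the old key=value bitcoin.conf for the weaknesses Raoul Duke lists: a wildcard or non-local rpcallowip, missing or short RPC credentials, a dictionary-like password, an RPC username reused at a mining pool, and the port-instead-of-IP mistake. The two sample configs are constructed to mirror the settings pirate1 describes; the message strings and function names are this example's own.

```python
"""Audit a 2012-era bitcoin.conf for the RPC exposure discussed in the thread."""
import ipaddress
from typing import Dict, Iterable, List

DEFAULT_RPC_PORT = 8332  # JSON-RPC port; 8333 is the P2P port, not RPC

# Constructed sample modelled on the settings described in the thread (not a real file).
WEAK_CONF = """\
# bitcoin.conf (constructed example)
rpcuser=pirate1miner
rpcpassword=hello
rpcallowip=*
rpcport=8332
"""

# Constructed hardened counterpart: loopback-only RPC and a long random secret.
HARDENED_CONF = """\
rpcuser=pirate1miner
rpcpassword=3x!mpl3-L0ng-r4nd0m-s3cr3t
rpcallowip=127.0.0.1
rpcport=8332
"""


def parse_conf(text: str) -> Dict[str, List[str]]:
    """Parse key=value lines; a key may repeat (rpcallowip), so values are kept in lists."""
    conf: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf.setdefault(key.strip().lower(), []).append(value.strip())
    return conf


def allow_entry_is_local(entry: str) -> bool:
    """True if an rpcallowip entry only admits loopback or RFC1918 hosts.

    Old clients accepted '*' wildcards (e.g. 192.168.1.*); a bare '*' admits everyone.
    """
    if entry == "*":
        return False
    if "*" in entry:
        prefix = entry.split("*", 1)[0].rstrip(".")  # fixed octets before the wildcard
        if not prefix:
            return False
        octets = prefix.split(".")
        base = ".".join(octets + ["0"] * (4 - len(octets)))
        try:
            net = ipaddress.ip_network(f"{base}/{8 * len(octets)}", strict=False)
        except ValueError:
            return False
        return net.is_private or net.is_loopback
    try:
        addr = ipaddress.ip_address(entry)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_private


def audit(text: str, pool_usernames: Iterable[str] = ()) -> List[str]:
    """Return a list of findings; an empty list means none of the thread's weaknesses were seen."""
    conf = parse_conf(text)
    findings: List[str] = []
    if "rpcuser" not in conf or "rpcpassword" not in conf:
        findings.append("NO_RPC_CREDENTIALS: rpcuser/rpcpassword not both set")
    else:
        user, pw = conf["rpcuser"][-1], conf["rpcpassword"][-1]
        if len(pw) < 8:
            findings.append(f"SHORT_PASSWORD: rpcpassword is {len(pw)} chars, fewer than 8")
        if pw.isalpha():
            findings.append("DICTIONARY_LIKE_PASSWORD: rpcpassword is letters only")
        if user in set(pool_usernames):
            findings.append(f"USERNAME_REUSED: rpcuser '{user}' is also a pool username")
    for entry in conf.get("rpcallowip", []):
        if entry.isdigit():  # the 'reset it to 8332' mistake: a port is not an allow list
            findings.append(f"NOT_AN_IP: rpcallowip={entry} is a port number, not an address")
        elif not allow_entry_is_local(entry):
            findings.append(f"RPC_EXPOSED: rpcallowip={entry} admits non-local hosts")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf, pool_usernames=("pirate1miner",)) or "no findings")
```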


Title: Re: Wallet just got emptied
Post by: cypherdoc on May 11, 2012, 10:16:51 PM
Or use Armory Offline Wallets (http://bitcoinarmory.com/index.php/get-armory) to keep your Bitcoins off the internet completely.  It's designed to protect against exactly this...

I just made an Armory-plus-all-dependencies bundle (https://github.com/downloads/etotheipi/BitcoinArmory/Armory_Offline_ALL_Ubuntu_10.04-32bit.zip) that will work out of the box on Ubuntu 10.04 without ever touching the internet.  Especially good if you have an old laptop laying around with 256 MB of RAM.  Disable the wifi & bluetooth & ethernet in the BIOS, install Ubuntu 10.04 32-bit with all defaults, and then copy this file on there and run the "Install_All_Armory.sh" script.  Create your wallet, and make a watching-only copy to put on your internet-connected computer.   Of course, you need Armory on the online computer, too, but it's not a problem if it is Windows, even if the offline system is Linux. 

For more information, there's an Offline Wallet Tutorial (http://bitcoinarmory.com/index.php/using-offline-wallets-in-armory) on my website.  
</spam>

i have this exact setup and it works well.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 11, 2012, 10:24:34 PM
I just remembered... If the transaction was initiated from an RPC command shouldn't it be registered on the debug.log? Along with the IP that made the connection and some other useful info?


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 10:42:30 PM
Psy I don't use the same user name but it was a variation with added letters and symbol.  It is different now.  Thanks for letting me know about the ip address.  I have reset the rpcallowip to my home IP address.  I went ahead and started my miner and checked my wallet would still update and they did.  I closed the wallet but for now I am leaving the miner running.
Cypherdoc thanks for the feedback about the Armory wallet.  It sounds like a great setup and I am really thinking I will download and use it this weekend.
Psy, I checked the debug file but I don't know what to look for.  I don't see anything that says sent coins but I don't imagine it would be that obvious.


Title: Re: Wallet just got emptied
Post by: MoonShadow on May 11, 2012, 10:52:35 PM
I have an idea that might prevent this. What about generating a paper wallet? I know a site that can do that and the wallets generated would basically be like paper money once loaded. When unloaded, the paper would be shredded.

The problem being that you can't trust a website to create a private key for you.  One needs to create a single address/private key set completely offline and print it out before destroying the wallet.dat that produced it.  I have exactly one address set up this way, but instead of paper it's on a couple of very well encrypted thumbdrives; one in my gunsafe and one in my safety deposit box.  That private key has never touched a computer that has had any Internet access since creation, neither the thumbdrives nor the offline computer, and the offline computer has had its ethernet card physically removed, and itself resides in my gunsafe.

I figure if you can get into my gunsafe, I'm already past screwed.


Title: Re: Wallet just got emptied
Post by: organofcorti on May 11, 2012, 11:00:57 PM
I am not sure about reinstalling everything but am thinking seriously about it.  I do like the idea of really being sure that nothing is there.  I am running two OS(Windows 7 Pro 64 and Windows XP Pro 32) and have three 300gb velociraptors.  I hardly ever use the XP anymore and think I would just have to reinstall my Windows 7.  I just have pretty much filled up all three hard drives and don't want to lose any of that.  The problem there is I will be afraid to save that stuff now as I wouldn't want to accidently save any virus hiding somewhere.

Use a linux live cd to do antivirus on the velociraptors, and look through recent files for anything suspicious. Delete anything you don't recognise. Then reinstall the base Win7 to a new hard drive - I use a smallish SSD (keep your system files physically separate so you don't need to partition).

This way you'll at least get around the possibility of a remaining file reinfecting your system. At least if the antivirus finds malware, anyway.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 11, 2012, 11:01:17 PM
Usually the debug.log file is huge.
Try to look for the tx ID. It should show it there if it's recent. Hopefully it can tell you something.
Most transactions only appear with the first 20 chars. Only transactions initiated from your client will appear with the full tx ID.


Title: Re: Wallet just got emptied
Post by: pirate1 on May 11, 2012, 11:27:37 PM
I looked and found several with the tx ID.  Some saying "ask for tx" and others saying "getdata: tx.....".  I really can't make much out of it.  I am wanting to delete the whole wallet and my bitcoin client along with my guiminer and then redownload everything.  I am keeping it all for now in the hope that maybe I can discover something useful by looking through the files like these.  Trouble is, I don't really know what to look for or what it means when I see it.


Title: Re: Wallet just got emptied
Post by: MoonShadow on May 11, 2012, 11:48:02 PM
I looked and found several with the tx ID.  Some saying "ask for tx" and others saying "getdata: tx.....".  I really can't make much out of it.  I am wanting to delete the whole wallet and my bitcoin client along with my guiminer and then redownload everything.  I am keeping it all for now in the hope that maybe I can discover something useful by looking through the files like these.  Trouble is, I don't really know what to look for or what it means when I see it.

There is nothing useful to be found that can't also be found at blockexplorer.  If you are certain that the funds have been transferred out of your control, and it sounds like that is the case, then there is nothing that can be done.  That is, nothing within the context of the bitcoin system.  If you're determined enough & willing to teach yourself to be a bitcoin guru, it's possible that you could track this guy down eventually.  In which case, you'd need your existing data for prosecution.  But this requires that 1) you learn to be very good at digital forensics, 2) you have the time to put into it and 3) the thief eventually makes a mistake with the funds in those addresses.  For a value of about $50, it's probably best to take it all in as a fairly cheap lesson in security.  If the same thing were to happen to me, I'd be out thousands of $.  I keep about 10 btc on my cell phone.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 12, 2012, 12:25:46 AM
MoonShadow, I didn't say that he should look at the debug.log to track the guy. It was more in a way to try to find if he got jacked by RPC or malware installed in his computer.
You understand the inner workings of bitcoin a lot more than me, so you may be the right person to help.
Isn't there any way to find in any of the logs how that transaction was initiated? Was it from his computer? Did the thief copy his wallet.dat and sweep the funds? Was it RPC?
It could save the man 48hrs, by not having to format his computer and reinstall, in case he could be certain it was his RPC password that got exploited and not malware.



Title: Re: Wallet just got emptied
Post by: pirate1 on May 12, 2012, 12:38:56 AM
MoonShadow, that makes sense.  I am taking it as a fairly cheap lesson in security.  I am going to go ahead and do the delete and redownload.  I am still considering a full reinstall of my OS.  I am waiting for my first couple of Bit Force Singles so now is the time to get this secure.  I am also leaning toward trying the Armory wallet app.  I am looking into the paper wallet a little more too.  I did find a couple of Trojans in my temp files with my SuperAntiSpyware right after this happened.  After I deleted them nothing else has been detected by any of the anti-virus or anti-spyware apps that I have run and I have run several.  I am thinking that is where the problem was but as I am not sure it worries me.  People have talked about a hacking of the computer through the RPC interface.  I do have RPC turned off for my computer but I don't know if the Bitcoin app goes around that somehow.  It seems like becoming a Bitcoin guru may be a little time consuming.  I want to know as much as I can and definitely enough to be secure but spending the time to learn everything would probably be prohibitive.  I plan on getting an SSD in the next couple of months so I am thinking that will be the time to reinstall my OS and my programs.  I won't have any appreciable amount of bitcoins in my wallet until after that anyway so for now I'll see how it goes with the deletion, new download and maybe the Armory wallet.

Hey Psy, I just saw your new post.  You bring up exactly what I am really wanting to find out.  Just how did it happen?  I am thinking it was malware and one of the Trojans that my anti-spyware found but I really would like to be sure.


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 12, 2012, 12:49:56 AM
Hey Psy, I just saw your new post.  You bring up exactly what I am really wanting to find out.  Just how did it happen?  I am thinking it was malware and one of the Trojans that my anti-spyware found but I really would like to be sure.

Yeah. Only the how is important now, so you can decide on what to do next.
The who, screw that. You're not seeing your bitcoins back, that's for sure ;)


Title: Re: Wallet just got emptied
Post by: etotheipi on May 12, 2012, 01:03:43 AM
I am also leaning toward trying the Armory wallet app.  I am looking into the paper wallet a little more too.  ...  I won't have any appreciable amount of bitcoins in my wallet until after that anyway so for now I'll see how it goes with the deletion, new download and maybe the Armory wallet.

For reference, when you create a new wallet with Armory, you can print a paper-backup with every address ever created by that wallet on one sheet of paper (it's 128 characters from which all private keys are generated).  You technically don't have to print it, you can just copy it down by hand if you can't get the printer working.  You can recover all of your funds at any time in the future if you have those 128 characters.  (although if you import any keys, they have to be backed up separately...)

Further, if you instead wanted to switch to another program, you can copy or print the individual private keys for each address you've used, which can then be imported into another application or service that supports importing addresses.  I'm not sure if that's what people mean when they say "paper wallets".





Title: Re: Wallet just got emptied
Post by: MoonShadow on May 12, 2012, 01:04:17 AM
MoonShadow, I didn't say that he should look at the debug.log to track the guy. It was more in a way to try to find if he got jacked by RPC or malware installed in his computer.
You understand the inner workings of bitcoin a lot more than me, so you may be the right person to help.
Isn't there any way to find in any of the logs how that transaction was initiated? Was it from his computer? Did the thief copy his wallet.dat and sweep the funds? Was it RPC?
It could save the man 48hrs, by not having to format his computer and reinstall, in case he could be certain it was his RPC password that got exploited and not malware.

I'm sorry, but there are just too many ways to discreetly copy and transmit an unencrypted wallet.dat for such efforts to be worthwhile.  I'm of the opinion that Windows isn't secure enough of an operating system to safely handle bitcoin of any significant amount at all, even if there isn't existing evidence of a breach.  There are simply too many ways to infect a windows machine, check to see that a bitcoin instance exists, copy & transmit the wallet.dat file (encrypted or not) and do the same for a keylogger stream.  I may be paranoid, but I wouldn't put much on any machine I don't have administrative rights upon, even if it was a GNU/Linux machine owned by someone that I trust and believe to have the skills.  If windows is all you have, IMHO you'd be much safer putting your spending money onto your android smartphone and using bitcoinspinner.  At least, for now, there are no known wallet.dat stealing viruses for android.  Or perhaps a split-wallet type online storage service, that permits two-factor logins.  If you use windows, you are already trusting the security model of some faceless entity for which you have no real recourse against in a dispute.  IMHO your odds of getting burned at an online wallet service are actually lower than your odds of being pwned with your own bitcoin client on a windows machine.

I don't know if there might be anything in the logs worth keeping on the off chance that this guy gets caught eventually, by him or others, but I'm fairly certain that there is nothing there that is going to tell you how he got pwned.  Not in the bitcoin logs, anyway.  It's very unlikely that the thief targeted him specifically, and sent those coins from his client.  If he had, the client would have displayed the loss immediately, rather than have to catch up to the blockchain first.


Title: Re: Wallet just got emptied
Post by: organofcorti on May 12, 2012, 01:56:01 AM
First thing this morning (Asian time) the money started moving again, to two addresses at a time. Most of it has ended up at the following addresses:

http://blockexplorer.com/address/1K2n1K7WUqsUfEyTr4QPagxffSqsT7f8Sy
http://blockexplorer.com/address/13BeKS3FCguWgYXyJy23ZMe2utAycpsgmg
http://blockexplorer.com/address/1FrtkNXastDoMAaorowys27AKQERxgmZjY
http://blockexplorer.com/address/1J2yiVk7oisnMELibVko4thHhHxRDwwtUV


It also went to other addresses that are well established and look like Tx fees and maybe a purchase of something. At least it's obvious you're not the only one stung. There's 21000 coins in one of those addresses which was started only a couple of weeks ago. Your coins might already be partly laundered.

Edit:

In fact, a portion of your coins went here:

http://blockexplorer.com/address/1kTt7jVHZ614g44LEjS1HtxHYpzE96Lkk

which just receives coin and then sends it on, at least some of which has gone to bitcoinduit:

http://bitcoinduit.com/rounds/155

You might be able to start asking questions there.


Title: Re: Wallet just got emptied
Post by: dooglus on May 12, 2012, 06:56:05 AM
Either way, there's a lot of peace of mind knowing that no virus can survive an OS reinstallation...

I wouldn't be so sure:

http://www.bit-tech.net/news/bits/2009/03/24/researchers-create-bios-malware/1


Title: Re: Wallet just got emptied
Post by: Mike Hearn on May 14, 2012, 05:22:26 AM
pirate1? If that username is supposed to imply what kind of activity you do, I wouldn't be surprised if you had malware. Piracy is very often monetized by malware these days. If you use warez/cracks/keygens you're asking to get screwed.

Reformat your machine from scratch, don't touch warez, use an encrypted wallet and make sure you understand RPC settings!


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 14, 2012, 07:11:13 AM
Reformat your machine from scratch, don't touch warezinstall a linux distro, use an encrypted wallet and make sure you understand RPC settings!

Now should be better.


Title: Re: Wallet just got emptied
Post by: drakahn on May 14, 2012, 07:50:07 AM
Reformat your machine from scratch, don't touch warezinstall a linux distro, use an encrypted wallet and make sure you understand RPC settings!

Now should be better.

wow really, someone that left rpc open would somehow be protected if they used linux?


Title: Re: Wallet just got emptied
Post by: Raoul Duke on May 14, 2012, 08:13:29 AM
Reformat your machine from scratch, don't touch warezinstall a linux distro, use an encrypted wallet and make sure you understand RPC settings!

Now should be better.

wow really, someone that left rpc open would somehow be protected if they used linux?

No. Of course not. But it would for sure treat his warez addiction, if he has one ;) I didn't strike the part where it says he must understand RPC settings, did I?
And his RPC wasn't open per se. It had a username and password, albeit a weak one. Also he didn't say if the RPC port was forwarded in the router, which it might not be.
I suggested that it could be the problem, but there is no evidence. More inclined to think it's malware for the time being. My whole point on asking about RPC was to try and save the dude some time on an OS reinstall that might not be needed if RPC proved to be the problem.


Title: Re: Wallet just got emptied
Post by: pirate1 on May 18, 2012, 02:02:34 AM
I don't use any warez.  The pirate name is just from the fact that I wear an eyepatch.  I am not too well versed in how RPC works but I am finding out.  I tend to think the problem was some of the malware that I found.  I have deleted my guiminer and bitcoin software and have not downloaded any replacements.  I have not had any other problems and everything keeps checking out clean.  I may wait until I get my Bit Force Singles to start up again.  I think I will use the Armory wallet and make sure everything has new and good passwords.  I think that if some kind of keylogger was involved that didn't show up on any of my anti-virus or anti-spyware apps that something would have happened by now to my other accounts instead of just my bitcoin wallet.


Title: Re: Wallet just got emptied
Post by: someguy123 on May 19, 2012, 04:33:03 PM
Here's an important question:
Have you given any other sites your private keys?
I had the same issue with 5BTC once, and I was worried for over an hour 'til I realized I gave mtgox my private key for the address they were received at...
In the end, all my BTC was simply swept into my mtgox account. So yeah, if you can check if you gave any of your private keys to sites like blockchain.info wallet or mtgox, you might find that's where your BTC went.


Title: Re: Wallet just got emptied
Post by: pirate1 on May 20, 2012, 02:07:33 PM
Mt. Gox is the only place I have ever sent any bitcoins.  All they ever got was my sending address.  I used different sending addresses.  I did check there but the coins didn't go there.  Organofcorti has been tracking them and apparently they are part of a larger scheme.  I think I just got some malware and that is what did the damage.  I found a couple of Trojans right after this happened.  Since I deleted them everything is checking out clean.  I use several anti-virus and anti-spyware apps to check my system and it looks like the malware slipped in and did its ripoff in between times when I checked my system.


Title: Re: Wallet just got emptied
Post by: malaimult on May 20, 2012, 02:32:06 PM
i'm using a virtual machine on my pc where i store my wallets and my btc client and i'm very curious about something.
if my pc gets infected will my virtual machine be infected too?


Title: Re: Wallet just got emptied
Post by: DeathAndTaxes on May 20, 2012, 04:16:02 PM
i'm using a virtual machine on my pc where i store my wallets and my btc client and i'm very curious about something.
if my pc gets infected will my virtual machine be infected too?

Possibly.  The more secure route is not to use your host for ANYTHING except hosting virtual machines.  Then have a virtual machine for day to day activities.  If that virtual machine gets infected it can't compromise the host or any other virtual machines (like the one used for Bitcoin & fiat banking).


Title: Re: Wallet just got emptied
Post by: malaimult on May 20, 2012, 07:28:36 PM
yes you are right about that, but will try this more easy way until i find a good trojan to hijack my wallet.dat