Well, the coins are on the move again. They sat idle for the last 10 days, but were just (some of them, anyway) deposited into BTC-e. I've contacted BTC-e and they seem to be working with me on tracking them down, which is nice.

The encrypted wallet on that box was a recent adjustment after some private key consolidation, backups were made shortly before the encryption in case it broke. I just hadn't made it to my next set of steps to verify everything was fine, forgot about it for a little while due to other events in life, and when I went back to finish it off, it had all disappeared hours earlier.

For the earlier posts, yes, the development stuff was on the same computer, because it's just a computer at home. It's behind all the appropriate firewalls and rules, but there was another circumstance that ended up leaving the ElasticSearch API open to the Internet, which is where the breach took place.

The bitcoind was running, it was then stopped, a backup wallet was moved into place, bitcoind restarted, and all the coins were stolen. The backup copy didn't have encryption on it, but the backups hadn't been deleted (because, well, they were backups) on another system.

As I pick through the pieces, it's pretty clear what could have been done to prevent any of this, but I'm still trying to track down where the thief originally discovered this specific system and setup (and timing) to take advantage of it.

Cold storage was my plan for those, it just hadn't happened yet. The only coins I have left are elsewhere, but it isn't a very large sum compared to what they took. A total of about $7 worth of BTC and LTC was returned to my wallet a change on the transactions.

The problem with replacing them is the size of them is a bit more than I could ever afford again. I started working with Bitcoin and Litecoin years ago, and a short gap of insecurity cost me them all. Part of what's difficult to deal with is that I can't afford to keep pastebin.ca and filebin.ca and such running without the Bitcoins I had (they used to run on ads, but those haven't paid their way in a long time), so after a decade I'll be shutting those down, I imagine. It's been a bit of a rough week, reworking the future.

Hopefully, the attacker will reconsider their actions and return some or all of them to me.

It isn't and wasn't a public server, but as part of development of an application, ElasticSearch was open to the Internet for a time. Apparently just long enough. The wallet was encrypted, but it looks like there may have been unencrypted backups used. The bitcoin/litecoin daemons were restarted and the debug logs wiped.

I think they found it via some random port scans, perhaps. There are other indications it may have been scanned as part of a list of Bitcoin daemons that were online or relay nodes, yes, but that's harder to determine. Looking at the attack pattern once they found a way to get through, they were browsing around and seem to have possibly taken all the coins as a sudden opportunity, and maybe not the original goal. It appears they did a little more looking around on the filesystem after they transferred the coins. They never actually stole the wallet itself, as far as I can tell, though I'm still reviewing traffic flows.

I'm hoping the person has some sort of conscience in all this and returns them, which would be ideal, but in reality, the traces left behind seem very amateur.

And no, not running Java as a browser plugin or anything. The compromised system isn't used as a desktop.

They were supposed to be, but judging by the lack of difficulty the attacker had (total attack time was about two hours from first connections to last), I'd guess not.

That's the question I've been asking myself all week. It was only recently I had consolidated it down into a few addresses, preparing to shuffle it off to some cold storage and exchanges. However, other things happened over the last month and I didn't get the chance to do it all, so it left them sitting there. The method they used to steal them all stunned me, though, I had never suspected ElasticSearch would allow full command line access by default, so a development project using that is at the core of the event.

For the police side of it, I'm collecting the last of what evidence I can find for them.

I wonder if the recent theft of my coins qualifies for this list. The combined value at time of theft of the BTC and LTC was ~333 BTC (149.34 BTC, 7397 LTC). It was stolen via the ElasticSearch API. More details over at https://bitcointalk.org/index.php?topic=485194

It wasn't an exploit, but theft nonetheless. The attacker used the ElasticSearch API to create a 'dynamic script' inside the search software, which is capable of running any shell commands, etc. the attacker wants. This is in fact a feature of ElasticSearch, though one they don't show in the configurations an example of disabling. So, the software ships with a gaping security hole for anyone to walk into (and one has to search for the documentation this feature exists), it looks like.

By using this API, they were able to connect to the Bitcoin and Litecoin daemons and transfer all the coins off the server. Running this dynamic script inside ElasticSearch puts results of the commands into the search index, and the only identifier in there of what the initial request may have been is a field called "counte" (which then has results of the command), and I've looked around to see if this field shows up in any examples, but it doesn't, meaning the code itself is slightly unique (and someone somewhere knows who wrote it and who uses it).

The Perfect Privacy thing I noticed, where they also do state an AUP limiting illegal activities, so I'm trying to contact them for any assistance.

For where I got the information, it's all first hand. All connection flow to/from the servers are logged, so the IPs and so forth were gathered from those connection logs, associated web server logs, etc.

Hi all,

On February 18th at 20:46 UTC, an attacker used the dynamic scripting function of an ElasticSearch instance to steal 149.34 BTC and 7397 LTC from my computer. I'm looking for any assistance in finding/locating the coins/attacker, and also want to inform the community that if they receive coins from 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjvin, they are likely my stolen coins.

All the Bitcoin was sent to 1Jzfd4LXB4i8Txm8F457QaHDmHxZJAJYjvin one lump. Since it was stolen on Tuesday, it hasn't moved anywhere else yet. This makes me slightly hopeful it will be returned to me.

The transaction was bf22138b74c3b3528410126ac41f821f71e065a5b0e3a6d819df30f120fda3c4.

The Litecoin was taken in chunks, but it all went to the Litecoin address Li5k5sYdyWD5gDR9TkaU5vk6tDB63XdQRw under a few transactions. There is one other transaction in that Litecoin account (26.846 LTC) which is unrelated to my coins, but may be useful in tracking down the one who stole mine.

The attacker showed up to ElasticSearch from the following IPs:

178.217.187.39
185.27.115.201
188.124.19.114
192.99.8.96
193.37.152.241
194.132.32.42
37.221.161.234
76.104.78.60
77.247.181.165
88.80.187.215
93.114.45.194
94.242.243.166
95.211.167.171
95.211.60.34
96.44.189.100

It seems the 93.114.45.194 IP was fairly central to the attack, since it was the IP the nmap and other intrusion tests were done from, while the actual attack went via the IPs above (mostly seem to be Tor). This may have been a targeted attack, but I'm still investigating all the evidence left behind. The elasticsearch script was using a variable called "counte", which would be found in the exploit software's methods.

It's also clear this was done manually by a human, and not via an automated bot/botnet to do the actual theft.

Any further assistance with this would be appreciated, and anything that leads to a return of coins will be rewarded. Unfortunately, the stolen coins were being used to pay for the ongoing web services like pastebin.ca, so without the return, the group of sites will likely have to shutdown.

Thanks.