Bitcoin Forum
Topic: Wallet hacked - Need some input (Read 1543 times)
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 09:43:04 AM
Last edit: October 22, 2014, 10:31:33 AM by UnhappyDay
#1

Hi All,

Firstly, I am not going to give up the coin's name for the wallet that got hacked, in case it's my own negligence, and I don't want to ruin the coin's reputation if it was totally my fault for not protecting myself more.

Background:

Windows 7 OS, was not running any malware checkers like Malwarebytes.
The coin devs released a new version of the wallet on the Friday which included new features; for the Windows version it came with an install program. After full extraction the wallet is over 100 MB with a whole bunch of DLLs.

When I ran Malwarebytes it picked up Mindspark, which I believe is normal.

I also use the same PC to run other wallets, which have never been hacked.

This is also a PoS/PoW hybrid, and in order to stake I have to leave my wallet unlocked.

What happened:

When I checked on the wallet Sunday morning it displayed an error, "wallet.dat corrupt, salvage failed". I tried opening the wallet again and got the same message.
I then restored from backup and to my horror saw that over 90% of my coins had been transferred out in a single transaction. The transaction ID itself also looks like a self-made one, as it ended with four a's (aaaa).

I know I didn't protect myself as well as I could, but I want to find out from experienced people on btctalk: what does the above look like to you?

Your responses will be greatly appreciated.




yop850
Newbie
Activity: 47
Merit: 0
October 22, 2014, 10:01:31 AM
#2

Have you tried scanning the installer with the online service linked to below?

https://www.virustotal.com/

It scans a file through 50+ virus scanners and lists the results. There are often one or two false positives (especially Trend Micro), but if you get more than 2 or 3 then the file is probably infected.
bee7
Hero Member
Activity: 574
Merit: 523
October 22, 2014, 10:07:10 AM
#3

Check if you have any 'conf' file in the wallet's data directory. If it exists, then open it with Notepad and check if it contains a row starting with 'rpcallowip='.
If such a row exists, then post this row here (if you are comfortable revealing it).
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 10:23:53 AM
#4

Have you tried scanning the installer with the online service linked to below?

https://www.virustotal.com/

It scans a file through 50+ virus scanners and lists the results. There are often one or two false positives (especially Trend Micro), but if you get more than 2 or 3 then the file is probably infected.

0 detected on the URL and the install file itself; thanks for the link though, for future ref.
bee7
Hero Member
Activity: 574
Merit: 523
October 22, 2014, 10:25:23 AM
#5

Have you tried scanning the installer with the online service linked to below?

https://www.virustotal.com/

It scans a file through 50+ virus scanners and lists the results. There are often one or two false positives (especially Trend Micro), but if you get more than 2 or 3 then the file is probably infected.

0 detected on the URL and the install file itself; thanks for the link though, for future ref.

Also scan the wallet executable file itself and any accompanying DLLs.
futurebit640
Hero Member
Activity: 910
Merit: 1000
October 22, 2014, 10:27:41 AM
#6

Was easy to find the coin ...
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 10:48:43 AM
#7

Check if you have any 'conf' file in the wallet's data directory. If it exists, then open it with Notepad and check if it contains a row starting with 'rpcallowip='.
If such a row exists, then post this row here (if you are comfortable revealing it).

No conf file, and I checked for rpcallowip= on the entire PC to see if the entry existed anywhere else; nothing returned.
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 11:01:26 AM
#8

Next time use a VM or a sandbox to handle new PoS coins.

I also recommend you use the encryption inside the wallet + use an external file encrypter.
Antivirus is old tech and works only for some low-tech viruses/trojans. Today you can easily hide them so no one will find anything.

This is why you need a good firewall to detect any strange connection.

If you can't do all of this, just use a second PC/virtual machine.

It was a requirement to encrypt the wallet before we could stake, but I had to unlock it for staking. I will use a VM going forward.

Just curious why I got the corruption error and the wallet.dat file being damaged; if the wallet.dat file was copied I would have just seen the transfer of my funds, but the wallet itself would have been fine. It's almost like something got altered within a DLL or the wallet exe to cause the wallet.dat to corrupt.
LuckyBtc
Legendary
Activity: 1288
Merit: 1011
October 22, 2014, 11:09:11 AM
#9

"wallet.dat corrupt, salvage failed": I think this error shows up when you place some other coin's wallet.dat?? Did you try to repair your wallet?
futurebit640
Hero Member
Activity: 910
Merit: 1000
October 22, 2014, 11:10:06 AM
#10

Check if you have any 'conf' file in the wallet's data directory. If it exists, then open it with Notepad and check if it contains a row starting with 'rpcallowip='.
If such a row exists, then post this row here (if you are comfortable revealing it).

No conf file, and I checked for rpcallowip= on the entire PC to see if the entry existed anywhere else; nothing returned.

You tried this way?
file:///C:/Users/name/AppData/Roaming/name of Coin/
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 11:25:13 AM
#11

Check if you have any 'conf' file in the wallet's data directory. If it exists, then open it with Notepad and check if it contains a row starting with 'rpcallowip='.
If such a row exists, then post this row here (if you are comfortable revealing it).

No conf file, and I checked for rpcallowip= on the entire PC to see if the entry existed anywhere else; nothing returned.

You tried this way?
file:///C:/Users/name/AppData/Roaming/name of Coin/

Yeah, no conf file in the Roaming folder location for the coin; it does not seem to be installed with the install.
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 11:32:08 AM
#12

"wallet.dat corrupt, salvage failed": I think this error shows up when you place some other coin's wallet.dat?? Did you try to repair your wallet?

Unfortunately I did not run the repair. The main thing though is that the wallet was online all night staking, and that error appeared when I checked the next morning. So I replaced the wallet.dat file with the backup, and that's when I saw my coins had been stolen/transferred.

They are still sitting in the address they were sent to and not staking currently.
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 12:56:43 PM
#13

Have you tried scanning the installer with the online service linked to below?

https://www.virustotal.com/

It scans a file through 50+ virus scanners and lists the results. There are often one or two false positives (especially Trend Micro), but if you get more than 2 or 3 then the file is probably infected.

Update:

Alright, using this site on the wallet.exe it picked up the following.

Malware.QVM20.Gen, from the antivirus Qihoo-360, which picked it up.

Malware.QVM20.Gen is a trojan; does this mean the trojan was added to the exe by the developers, or is it possible for it to be embedded by other means after it had been installed?

jasemoney
Legendary
Activity: 1610
Merit: 1008
Forget-about-it
October 22, 2014, 01:30:18 PM
#14

Was your wallet.dat passcode protected before you ran the new wallet? If you have an old wallet.dat backup and you create a passcode on this new wallet, you get a new address pool for change addresses. If this wallet gets corrupted and you bring in the old one, you have lost the keys... If you sent out a transaction after encrypting your wallet last night, the rest may be in a change address. You need that corrupt file to try and repair.
*Edit: this may not be plausible in your case if you did not send any transactions from this new coin-qt.

$MAID & $BTC, other than that some short hodls and some long held garbage.
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 01:36:47 PM
#15

Was your wallet.dat passcode protected before you ran the new wallet? If you have an old wallet.dat backup and you create a passcode on this new wallet, you get a new address pool for change addresses. If this wallet gets corrupted and you bring in the old one, you have lost the keys... If you sent out a transaction after encrypting your wallet last night, the rest may be in a change address. You need that corrupt file to try and repair.
*Edit: this may not be plausible in your case if you did not send any transactions from this new coin-qt.

The backup had the same passcode as the one that got hacked; it also has the same addresses. Every time I add a new address to the wallet I do a backup.

I only sent coins from the exchange to the wallet for staking and also was mining to one of the addresses in the wallet, but had never sent coins out of the wallet before the hack occurred, which was the first out-of-wallet transaction.
jasemoney
Legendary
Activity: 1610
Merit: 1008
Forget-about-it
October 22, 2014, 01:38:02 PM
#16

Was your wallet.dat passcode protected before you ran the new wallet? If you have an old wallet.dat backup and you create a passcode on this new wallet, you get a new address pool for change addresses. If this wallet gets corrupted and you bring in the old one, you have lost the keys... If you sent out a transaction after encrypting your wallet last night, the rest may be in a change address. You need that corrupt file to try and repair.
*Edit: this may not be plausible in your case if you did not send any transactions from this new coin-qt.

He staked, which means the hacker could see the pass because the computer was already compromised.

We need to push people so that devs start to use a secondary pass for staking, which is logical and more secure.

Fair enough, this is just the first time I'm hearing of an event like this here.

*Edit: sorry UnHappyDay, it surely sucks terribly.

$MAID & $BTC, other than that some short hodls and some long held garbage.
UnhappyDay (OP)
Newbie
Activity: 9
Merit: 0
October 22, 2014, 01:55:37 PM
#17

Was your wallet.dat passcode protected before you ran the new wallet? If you have an old wallet.dat backup and you create a passcode on this new wallet, you get a new address pool for change addresses. If this wallet gets corrupted and you bring in the old one, you have lost the keys... If you sent out a transaction after encrypting your wallet last night, the rest may be in a change address. You need that corrupt file to try and repair.
*Edit: this may not be plausible in your case if you did not send any transactions from this new coin-qt.

He staked, which means the hacker could see the pass because the computer was already compromised.

We need to push people so that devs start to use a secondary pass for staking, which is logical and more secure.

Fair enough, this is just the first time I'm hearing of an event like this here.

*Edit: sorry UnHappyDay, it surely sucks terribly.

Thanks for the feedback Stealth and Jase. It is strange that something would happen shortly after I installed the new wallet, and I have never had problems on that system before this.
Yeah, it does suck; I had put a bit too much investment into the coin too early. Expensive lesson learnt!!

marco5109
Newbie
Activity: 27
Merit: 0
October 25, 2014, 01:01:27 PM
#18

Hello guys,
I have a case where my coins are gone and lost, I think, but I would like to know from others.
My problem began when I sent a couple of hundred coins from an exchange to 2 wallets.
All the coins were received at the wallets, but before I was able to back up or encrypt my wallets I had a power failure for a couple of hours.
When the power was up again I noticed to my horror that the hard disk had crashed, and to make things worse, file recovery shows no wallets at all, besides other files that could not be recovered.
The coin explorer shows the coins were sent from the exchange to the wallets.
So for me it's no wallets, no coins anymore. Is there a fix for this, or was I hacked without knowing?
Regards

BitcoinAddicts
Hero Member
Activity: 502
Merit: 500
October 25, 2014, 01:12:48 PM
#19

Hello guys,
I have a case where my coins are gone and lost, I think, but I would like to know from others.
My problem began when I sent a couple of hundred coins from an exchange to 2 wallets.
All the coins were received at the wallets, but before I was able to back up or encrypt my wallets I had a power failure for a couple of hours.
When the power was up again I noticed to my horror that the hard disk had crashed, and to make things worse, file recovery shows no wallets at all, besides other files that could not be recovered.
The coin explorer shows the coins were sent from the exchange to the wallets.
So for me it's no wallets, no coins anymore. Is there a fix for this, or was I hacked without knowing?
Regards

Backing up your wallet before sending the coins is best... but yeah, that was one hell of a bad luck.

EvilDave
Hero Member
Activity: 854
Merit: 1001
October 25, 2014, 05:55:00 PM
#20

@UnHappyday:

Did the devs for the coin provide a SHA256 (or whatever) checksum for the updated wallet installer?
It does look like you got Trojaned in some way; where did you download the installer?

What do this coin's devs/community have to say about the issue?


Hello guys,
I have a case where my coins are gone and lost, I think, but I would like to know from others.
My problem began when I sent a couple of hundred coins from an exchange to 2 wallets.
All the coins were received at the wallets, but before I was able to back up or encrypt my wallets I had a power failure for a couple of hours.
When the power was up again I noticed to my horror that the hard disk had crashed, and to make things worse, file recovery shows no wallets at all, besides other files that could not be recovered.
The coin explorer shows the coins were sent from the exchange to the wallets.
So for me it's no wallets, no coins anymore. Is there a fix for this, or was I hacked without knowing?
Regards

Looks like you fried your HD; a specialised recovery service may be able to get the wallets back for you. Maybe...
Check the block explorer again: if your coins move from the wallets, you've been hacked.
If your coins are still in the wallets, try for recovery, if it's worth the cost.

Nulli Dei, nulli Reges, solum NXT
Love your money: www.nxt.org  www.ardorplatform.org
www.nxter.org  www.nxtfoundation.org
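One way to run the two checks suggested in this thread, bee7's look for an rpcallowip= line in the wallet's conf file and EvilDave's comparison of the installer against a published SHA256, as an added PowerShell example that is not from the thread or the coin's project. The coin name, installer path and published hash are placeholders; the data directory layout (%APPDATA%\<CoinName>) is the usual one for Bitcoin-derived Windows wallets.

```powershell
# Added example, not from the thread. Two defensive checks for a Windows wallet install:
#  1. Does any .conf in the wallet data directory contain an rpcallowip= line?
#  2. Does the downloaded installer's SHA256 match the hash the devs published?
param(
    [string]$CoinName        = 'NameOfCoin',                                  # placeholder
    [string]$InstallerPath   = "$env:USERPROFILE\Downloads\wallet-setup.exe", # placeholder
    [string]$PublishedSha256 = 'PASTE_SHA256_FROM_DEVS_ANNOUNCEMENT'          # placeholder
)

# --- Check 1: rpcallowip= in the wallet conf ----------------------------------
# Bitcoin-derived wallets keep their data in %APPDATA%\<CoinName> on Windows.
$dataDir   = Join-Path $env:APPDATA $CoinName
$confFiles = Get-ChildItem -Path $dataDir -Filter '*.conf' -File -ErrorAction SilentlyContinue
if (-not $confFiles) {
    Write-Output "No .conf file found in $dataDir (RPC stays bound to localhost by default)"
}
foreach ($conf in $confFiles) {
    # Select-String returns each matching line with its line number
    $hits = Select-String -Path $conf.FullName -Pattern '^\s*rpcallowip\s*='
    if (-not $hits) {
        Write-Output "$($conf.Name): no rpcallowip= line"
        continue
    }
    foreach ($h in $hits) {
        $value = ($h.Line -split '=', 2)[1].Trim()
        if ($value -match '^(127\.0\.0\.1|localhost)$') {
            Write-Output "$($conf.Name):$($h.LineNumber) rpcallowip=$value (local only, expected)"
        } else {
            Write-Output "$($conf.Name):$($h.LineNumber) rpcallowip=$value  <-- remote RPC access allowed, review this"
        }
    }
}

# --- Check 2: installer hash vs. the published one ----------------------------
# Only meaningful when the published hash comes from a channel other than the
# download itself (e.g. a signed announcement); a tampered download can ship its own hash.
if (Test-Path -LiteralPath $InstallerPath) {
    $actual = (Get-FileHash -LiteralPath $InstallerPath -Algorithm SHA256).Hash
    Write-Output "SHA256($InstallerPath) = $actual"
    if ($actual -ieq $PublishedSha256) {
        Write-Output 'Installer hash matches the published checksum.'
    } else {
        Write-Output 'Installer hash does NOT match the published checksum; do not run it.'
    }
} else {
    Write-Output "Installer not found at $InstallerPath"
}
```

A hash match only proves the file is the one the devs published, not that the published build is clean; the VirusTotal scan of the exe and DLLs suggested earlier in the thread answers a different question.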