Bitcoin Forum
November 20, 2018, 04:33:00 PM *
News: Latest Bitcoin Core release: 0.17.0 [Torrent].
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 »  All
  Print  
Author Topic: About the recent server compromise  (Read 14954 times)
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3206
Merit: 3957


View Profile
May 25, 2015, 02:39:49 PM
 #1

On May 22 at 00:56 UTC, an attacker gained root access to the forum's server. He then proceeded to try to acquire a dump of the forum's database before I noticed this at around 1:08 and shut down the server. In the intervening time, it seems that he was able to collect some or all of the "members" table. You should assume that the following information about your account was leaked:
- Email address
- Password hash (see below)
- Last-used IP address and registration IP address
- Secret question and a basic (not brute-force-resistant) hash of your secret answer
- Various settings

As such, you should change your password here and anywhere else you used that same password. You should disable your secret question and assume that the attacker now knows your answer to your secret question. You should prepare to receive phishing emails at your forum email address.

While nothing can ever be ruled out in these sorts of situations, I do not believe that the attacker was able to collect any personal messages or other sensitive data beyond what I listed above.

Passwords are hashed with 7500 rounds of sha256crypt. This is pretty good, but certainly not beyond attack. Note that even though SHA-256 is used here, sha256crypt is different enough from Bitcoin's SHA-256d PoW algorithm that Bitcoin mining ASICs almost certainly cannot be modified to crack forum passwords.

I will now go into detail about how well you can expect your password to fare against a determined attacker. However, regardless of how strong your password is, the only prudent course of action is for you to immediately change your password here and everywhere else you used it or a similar password.

The following table shows how long it will take on average for a rather powerful attacker to recover RANDOM passwords using current technology, depending on the password's alphabet and length. If your password is not completely random (ie. generated with the help of dice or a computer random number generator), then you should assume that your password is already broken.

It is not especially helpful to turn words into leetspeak or put stuff between words. If you have a password like "w0rd71Voc4b", then you should count that as just 2 words to be safe. In reality, your extra stuff will slow an attacker down, but the effect is probably much less than you'd think. Again, the times listed in the table only apply if the words were chosen at random from a word list. If the words are significant in any way, and especially if they form a grammatical sentence or are a quote from a book/webpage/article/etc., then you should consider your password to be broken.

Code:
Estimated time (conservative) for an attacker to break randomly-constructed
bitcointalk.org passwords with current technology

s=second; m=minute; h=hour; d=day; y=year; ky=1000 years; My=1 million years

Password length  a-z  a-zA-Z  a-zA-Z0-9  <all standard>
              8    0      3s        12s              2m
              9    0      2m        13m              3h
             10   8s      2h        13h             13d
             11   3m      5d        34d              1y
             12   1h    261d         3y            260y
             13   1d     37y       366y            22ky
             14  43d   1938y       22ky             1My
             15   1y   100ky        1My           160My
-------------------------------------------------------
         1 word  0
        2 words  0
        3 words  0
        4 words  3m
        5 words  19d
        6 words  405y
        7 words  3My

Each password has its own 12-byte random salt, so it isn't possible to attack more than one password with the same work. If it takes someone 5 days to recover your password, that time will all have to be spent on your password. Therefore, it's likely that only weak passwords will be recovered en masse -- more complicated passwords will be recovered only in targeted attacks against certain people.

If your account is compromised due to this, email acctcomp15@theymos.e4ward.com from the email that was previously associated with your account.

For security reasons, I deleted all drafts. If you need a deleted draft, contact me soon and I can probably give it to you.

A few people might have broken avatars now. Just upload your avatar again to fix it.

Unproxyban fee processing isn't working right now. If you want to register and you can't, get someone to post in Meta for you and you'll be whitelisted.

Searching is temporarily disabled, though it won't be disabled for as long as last time because I improved the reindexing code.

If you changed your password in the short time when the forum was online a little over a day ago, the change didn't stick. You'll have to change it again.

How the compromise happened:

The attacker was able to acquire KVM access credentials for the server. The investigation into how this was possible is still ongoing, so I don't know everything, and I don't yet want to publish everything that I do know, but it seems almost certain that it was a problem on the ISP's end.

After he got KVM access, the attacker convinced the ISP NFOrce that he was me (using his KVM access as part of his evidence) and said that he had locked himself out of the server. So NFOrce reset the server's root password for him, giving him complete access to the server and bypassing most of our carefully-designed security measures. I originally assumed that the attacker gained access entirely via social engineering, but later investigation showed that this was probably only part of the overall attack. As far as I know, NFOrce's overall security practices are no worse than average.

To reduce downtime and avoid temporarily-broken features, I was originally going to stay in NFOrce's data center. However, some things made me suspicious and I moved everything elsewhere. That's where the extra day+ of downtime came from after a short period of uptime. No additional data was leaked.

The forum will pay up to 15 XAU (converted to BTC) for information about the attacker's real-world identity. Exact payment amounts will depend on the quality and usefulness of information as well as what information I've already acquired, but if for example you're the first person to contact me and your info allows me to successfully prosecute this person, then you will get the full 15 XAU. You need to actually convince me that your info is accurate -- just sending me someone's name is useless.

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
1542731581
Hero Member
*
Offline Offline

Posts: 1542731581

View Profile Personal Message (Offline)

Ignore
1542731581
Reply with quote  #2

1542731581
Report to moderator
1542731581
Hero Member
*
Offline Offline

Posts: 1542731581

View Profile Personal Message (Offline)

Ignore
1542731581
Reply with quote  #2

1542731581
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
LondonMP
Sr. Member
****
Offline Offline

Activity: 361
Merit: 250


I/O Digital Where Dreams Become Technology


View Profile
May 25, 2015, 02:41:27 PM
 #2

Thank you Theymos for your hard work

DailyModo
Hero Member
*****
Offline Offline

Activity: 812
Merit: 1000


www.gamebet.gg


View Profile
May 25, 2015, 02:43:57 PM
 #3

Thanks for your hard work to keep this forum safe from hackers
Hats off

Betting on esports with crypto's and steam items has never been easier.
CONTACT
dailymodo@gamebet.gg @GamebetGg
ajareselde
Legendary
*
Offline Offline

Activity: 1708
Merit: 1000

Satoshi is rolling in his grave. #bitcoin


View Profile
May 25, 2015, 02:48:45 PM
 #4

Well i sure hope thats that, and we can just reset our pass, and leave this behind us. Good thing that there's not more damage done.
Nicely done, Theymos

cheers
Check-0
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
May 25, 2015, 02:48:57 PM
 #5

so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?

He иcкyшaй мeня, ибo нeoбyздaн я в жeлaнияx cвoиx...
Xoчeшь я взopвy вce звeзды и Зaвтpa нe нacтyпит никoгдa..?
LFC_Bitcoin
Copper Member
Legendary
*
Offline Offline

Activity: 1526
Merit: 1288


One of the world's leading Bitcoin-powered casinos


View Profile
May 25, 2015, 02:50:58 PM
 #6

Disgraceful that it's happened again imo.
We're having to change passwords & change email addresses.
I've just closed down the email account I first used as it has some sensitive info on.
Not the first time this has happened either.
Heads need to roll over this  Grin
Hope nobody had any coins stolen over this.




Code:
[center][table][tr][td][url=http://bit.ly/WelcomeToBitcasino][size=2pt][tt][color=#FF5111]    ▀   ▄   ▀
▀      ███  ▄   ▀
    ▀   ▄  ███  ▄   ▀
▀      ███     ███  ▄   ▀
    ▀   ▄   ▀   ▄  ███
▀      ███  ▄  ███      ▀
    ▀   ▄  ███  ▄   ▀
▀      ███     ███  ▄   ▀
    ▀   ▄   ▀   ▄  ███
▀      ███  ▄  ███      ▀
    ▀   ▄  ███      ▀
▀      ███      ▀
    ▀       ▀[/size][/td]
[td][color=transparent][size=2pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][color=#444][font=ubuntu,arial][size=18pt]Bitcasino[color=#FF5111].[/color]io[/size][/font][/td][td][/td][td][/td][td][/td]
[td][size=20pt][color=#ccc]│[/size][/td]
[td][color=transparent][size=1pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][size=11pt][font=arial black][glow=#241651,2][size=10pt][color=#241651].....[/color][/size][font=calibri,arial][b][color=#fff]First licensed[font=arial black][size=10pt][color=#241651]......
.....[/size][/font][color=#FF5111]Bitcoin casino[font=arial black][size=10pt][color=#241651]....[size=9pt].[/size][/color][/size][/glow][/font][/td]
[td][color=transparent][size=1pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][size=11pt][font=arial black][glow=#241651,2][size=10pt][color=#241651].....[/color][/size][font=calibri,arial][b][color=#fff]100% bonus[font=arial black][size=10pt][color=#241651].....
.....[/size][/font][color=#FF5111]Up to 1 BTC[font=arial black][size=10pt][color=#241651].....[size=7pt].[/size][/color][/size][/glow][/font][/td]
[td][color=transparent][size=1pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][size=11pt][font=arial black][glow=#241651,2][size=10pt][color=#241651].....[/color][/size][font=calibri,arial][b][color=#fff]24/7 Support[font=arial black]
Amph
Legendary
*
Offline Offline

Activity: 2044
Merit: 1003



View Profile
May 25, 2015, 02:54:40 PM
 #7

it must be someone internal, i can't believe everytime there is someone from the outside, that can hack a forum like this, and like nothing

i still think someone gave to him the info for login
Insert_Bitcoin
Newbie
*
Offline Offline

Activity: 20
Merit: 0


View Profile
May 25, 2015, 02:55:50 PM
 #8

You got a lot done for only a few days of down time. Have you slept yet?
foxkyu
Hero Member
*****
Offline Offline

Activity: 938
Merit: 1000


View Profile
May 25, 2015, 02:56:21 PM
 #9

Thank you Theymos for your hardwork Smiley
hope it's not going down again for the long time. this is the longest downtime ever i know since i register here last year
cmiiw
SpanishSoldier
Sr. Member
****
Offline Offline

Activity: 392
Merit: 250


View Profile
May 25, 2015, 02:58:22 PM
 #10

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

Seems Tor IP. Did he mail you anything ? If yes, may we get to know the content ?
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 1596
Merit: 1210

in 2 min-groin injury, dildo on field, & 6-9 score


View Profile WWW
May 25, 2015, 03:00:04 PM
 #11

so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?
I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cashe of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this

edit: it appears that theymos has changed the HTTPS keys and GPG signed the new keys earlier today.

Quote
gpg: Signature made Mon May 25 10:53:03 2015 EDT using DSA key ID DAB591E7
gpg: Good signature from "Michael Marquardt <michael_m+pgp@mm.st>"
gpg:                 aka "theymos <theymos+pgp@mm.st>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: 5E6B 3F3B A961 193C 5C9B  4435 C655 5693 DAB5 91E7

3PjXm2XYDKLV5mN3oiKzNTyVvSkqP3ujeq <-- tipping address Advertise here
Check-0
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile
May 25, 2015, 03:00:29 PM
 #12

so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?
NO update on Twitter or Reddit.
We assume that you are fake theymos.
Nice done hacking man !

He иcкyшaй мeня, ибo нeoбyздaн я в жeлaнияx cвoиx...
Xoчeшь я взopвy вce звeзды и Зaвтpa нe нacтyпит никoгдa..?
mitzie
Staff
Hero Member
*****
Offline Offline

Activity: 927
Merit: 1001



View Profile
May 25, 2015, 03:02:36 PM
 #13

so where is our update on Twitter about that "all is fine" ?!
Prove that you are real Theymos ?
NO update on Twitter or Reddit.
We assume that you are fake theymos.
Nice done hacking man !
It's ok, don't worry. We have spoken with the "real" one
okae
Legendary
*
Offline Offline

Activity: 1162
Merit: 1001


northern exposure


View Profile WWW
May 25, 2015, 03:04:45 PM
 #14

Thank you Theymos&Staff for your hard work!!

i already change my password, just in case Wink


You got a lot done for only a few days of down time. Have you slept yet?

jaja i hope so, btw before sleep, drink some beer Wink
galbros
Legendary
*
Offline Offline

Activity: 1022
Merit: 1000


View Profile
May 25, 2015, 03:07:18 PM
 #15

First and foremost thanks for the forum, it is unfortunate that it has become such a target.

Second, thanks for laying all this out.  I especially appreciate the table of how long to crack our passwords.  I have to admit, I'm a little shocked at how easy they are to crack.

Good luck to you!
Quickseller
Copper Member
Legendary
*
Offline Offline

Activity: 1596
Merit: 1210

in 2 min-groin injury, dildo on field, & 6-9 score


View Profile WWW
May 25, 2015, 03:07:25 PM
 #16

The attacker used the following IPs/email:
37.48.77.227
66.172.27.160
lopaz291@safe-mail.net

Seems Tor IP. Did he mail you anything ? If yes, may we get to know the content ?
What are you talking about? Neither IP address shows up as a tor exit node.

66.172.27.160 has very little information on it's WHOIS, however the company Cyberverse, Inc. does show up and their website does show both colocation and cloud services offered by them. It appears that only credit card payments are accepted (more importantly bitcoin does not appear to be accepted), so there is a good chance that (assuming that a similar attack was not launched against them) this could be a lead.

edit: it appears that ChunkHost also shows up in the above WHOIS and according to their blog, it appears they accept Bitcoin. Their website is also not less professional then Cyberverse so it is possible they simply are hosted by Cyberverse and the attacker was using ChunkHost :/

3PjXm2XYDKLV5mN3oiKzNTyVvSkqP3ujeq <-- tipping address Advertise here
marcotheminer
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
May 25, 2015, 03:08:49 PM
 #17

Launch the new forum Theymos, come on! We were supposed to see something concrete by the end of February.. It's been 3 months!

Build a better world.
achow101_alt
Sr. Member
****
Offline Offline

Activity: 268
Merit: 250


View Profile
May 25, 2015, 03:08:59 PM
 #18

]I would prefer a GPG signed message over a twitter message for confirmation, however theymos did send out a GPG signed email advising to change your passwords when he last brought the forum online (the signature was good and was signed within minutes of the google timestamp of this thread previously being created). The google cashe of this thread says that theymos had encrypted the DB to prevent a similar attack in the future. Your password should be considered to be compromised regardless.

I would personally avoid doing any kind of business on here until theymos can prove his identity. I would also suggest treating anyone you deal with to be an imposter until you can get either a GPG or bitcoin signed message to confirm their identity.
Thanks theymos for all the time/effort you put into this
What was the message of the email, since I can't find any email from Bitcointalk or Theymos.

Tip Me!: 1AQx99s7q1wVinbgXbA48BaZQVWpHe5gYM | My PGP Key: Fingerprint 0x17565732E08E5E41
LFC_Bitcoin
Copper Member
Legendary
*
Offline Offline

Activity: 1526
Merit: 1288


One of the world's leading Bitcoin-powered casinos


View Profile
May 25, 2015, 03:09:57 PM
 #19

Why can't 1.5 million USD donated in bitcoin protect this forum from attack?
Is there any proof that the entire 1.5 million went into this forum & not into theymos' Carribean Island retirement pot?
Wallet transactions etc?




Code:
[center][table][tr][td][url=http://bit.ly/WelcomeToBitcasino][size=2pt][tt][color=#FF5111]    ▀   ▄   ▀
▀      ███  ▄   ▀
    ▀   ▄  ███  ▄   ▀
▀      ███     ███  ▄   ▀
    ▀   ▄   ▀   ▄  ███
▀      ███  ▄  ███      ▀
    ▀   ▄  ███  ▄   ▀
▀      ███     ███  ▄   ▀
    ▀   ▄   ▀   ▄  ███
▀      ███  ▄  ███      ▀
    ▀   ▄  ███      ▀
▀      ███      ▀
    ▀       ▀[/size][/td]
[td][color=transparent][size=2pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][color=#444][font=ubuntu,arial][size=18pt]Bitcasino[color=#FF5111].[/color]io[/size][/font][/td][td][/td][td][/td][td][/td]
[td][size=20pt][color=#ccc]│[/size][/td]
[td][color=transparent][size=1pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][size=11pt][font=arial black][glow=#241651,2][size=10pt][color=#241651].....[/color][/size][font=calibri,arial][b][color=#fff]First licensed[font=arial black][size=10pt][color=#241651]......
.....[/size][/font][color=#FF5111]Bitcoin casino[font=arial black][size=10pt][color=#241651]....[size=9pt].[/size][/color][/size][/glow][/font][/td]
[td][color=transparent][size=1pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][size=11pt][font=arial black][glow=#241651,2][size=10pt][color=#241651].....[/color][/size][font=calibri,arial][b][color=#fff]100% bonus[font=arial black][size=10pt][color=#241651].....
.....[/size][/font][color=#FF5111]Up to 1 BTC[font=arial black][size=10pt][color=#241651].....[size=7pt].[/size][/color][/size][/glow][/font][/td]
[td][color=transparent][size=1pt].[/size][/color]
[url=http://bit.ly/WelcomeToBitcasino][size=11pt][font=arial black][glow=#241651,2][size=10pt][color=#241651].....[/color][/size][font=calibri,arial][b][color=#fff]24/7 Support[font=arial black]
CanaryInTheMine
Donator
Legendary
*
Offline Offline

Activity: 1904
Merit: 1004


between a rock and a block!


View Profile
May 25, 2015, 03:10:18 PM
 #20

The number of security breaches is unacceptable... It's now a joke theymos...
Pages: [1] 2 3 4 5 6 7 8 9 10 11 12 13 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!