markm
Legendary
Offline
Activity: 3010
Merit: 1121
September 28, 2012, 09:30:44 PM
Ah so likely they logged your keystrokes to get any passwords you typed, or maybe even were able to access decrypted keys in RAM depending on what kind of "secure RAM" system might be used for keys.
Quite likely you are rootkitted too, so that pretty much anything and everything on your system is suspect, unless they weren't keylogging last time you logged in as a user who can write to the executable files areas and do not have a root exploit that can work from whatever user they logged in as.
-MarkM-
Cdecker (OP)
September 28, 2012, 09:38:35 PM
Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:

Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker

Same happened a few minutes later on my machine at home (my bash history must have told him where to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised). I'll write everything down and file a report, we'll see how open to technology the Swiss police are.
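A detection pass over sshd lines like the ones quoted in the post above, as an added example that is not from the original thread: it flags accepted logins whose source address is outside an allowlist and notes whether the same sshd process first logged a reverse-DNS failure and whether an sftp session for that user followed. The allowlist and the fourth (LAN) log line are constructed for the example.

```python
import ipaddress
import re

# Constructed sample: the three sshd lines quoted in the post above, plus one
# made-up login from the LAN so the allowlist has something to pass.
SAMPLE_LOG = """\
Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker
Sep 28 21:02:10 nb-10391 sshd[19301]: Accepted publickey for cdecker from 192.168.1.20 port 51022 ssh2
"""

ACCEPTED = re.compile(r"sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for "
                      r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)")
REVMAP_FAIL = re.compile(r"sshd\[(?P<pid>\d+)\]: reverse mapping checking .* failed")
SFTP = re.compile(r"sshd\[\d+\]: subsystem request for sftp by user (?P<user>\S+)")


def suspicious_logins(log_text, allowed_cidrs):
    """Return accepted logins whose source address is outside allowed_cidrs.

    Each hit notes whether the same sshd process first logged a reverse-DNS
    failure, and whether an sftp subsystem request for that user followed
    (login, then file transfer, is exactly the sequence in the post).
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    revmap_failed_pids, sftp_users, hits = set(), set(), []
    for line in log_text.splitlines():
        if m := REVMAP_FAIL.search(line):
            revmap_failed_pids.add(m["pid"])
        elif m := SFTP.search(line):
            sftp_users.add(m["user"])
        elif m := ACCEPTED.search(line):
            ip = ipaddress.ip_address(m["ip"])
            if any(ip in net for net in allowed):
                continue  # expected source, nothing to report
            hits.append({"user": m["user"], "ip": m["ip"], "method": m["method"],
                         "pid": m["pid"],
                         "reverse_dns_failed": m["pid"] in revmap_failed_pids})
    for hit in hits:  # sftp requests are logged by a child pid, so match on user
        hit["sftp_followed"] = hit["user"] in sftp_users
    return hits


if __name__ == "__main__":
    for hit in suspicious_logins(SAMPLE_LOG, ["192.168.1.0/24"]):
        print(hit)
```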
markm
Legendary
Offline
Activity: 3010
Merit: 1121
September 28, 2012, 09:43:24 PM
What is "Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2" about? Does that mean he had the private key corresponding to your public key so was able to respond to some kind of asymmetric crypto challenge to auto-login through sshd?
-MarkM-
nobbynobbynoob
September 28, 2012, 09:46:24 PM
Cdecker, I'm so sorry to hear this, regardless of how it happened. Russkies cracked into your computer and pilfered your wallet? That's a lesson to all of us.
proudhon
Legendary
Offline
Activity: 2198
Merit: 1311
September 28, 2012, 09:47:33 PM
> Still reconstructing everything that happened, but it seems that broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] was able to log into my machine:
>
> Sep 28 20:45:36 nb-10391 sshd[19170]: reverse mapping checking getaddrinfo for broadband-178-140-220-181.nationalcablenetworks.ru [178.140.220.181] failed - POSSIBLE BREAK-IN ATTEMPT!
> Sep 28 20:45:37 nb-10391 sshd[19170]: Accepted publickey for cdecker from 178.140.220.181 port 28384 ssh2
> Sep 28 20:45:37 nb-10391 sshd[19173]: subsystem request for sftp by user cdecker
>
> Same happened a few minutes later on my machine at home (my bash history must have told him where to find it), and from there he must have been able to find my wallet backup (which is really old, but was kept unencrypted, so any key that was in there is compromised). I'll write everything down and file a report, we'll see how open to technology the Swiss police are.

Really sorry. The best thing I've ever done is create a bunch of paper wallet backups on an un-networked Linux machine with Armory and then do a military grade wipe of the drive. I suggest everyone holding significant amounts do something similar. I remember when Gavin started talking about wallet encryption and how he made it a point to say that it couldn't fend off attacks such as the one you've unfortunately fallen victim to. Real bummer.
Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
flatfly
Legendary
Offline
Activity: 1092
Merit: 1016
September 28, 2012, 09:51:35 PM
This incident also proves, if need be, that using linux rather than windows does not automagically protect you from cybercriminals.
Whatever the OS, it's your security procedures that make all the difference.
Richy_T
Legendary
Offline
Activity: 2604
Merit: 2321
1RichyTrEwPYjZSeAYxeiFBNnKC9UjC5k
September 28, 2012, 09:55:05 PM
I've started closing down SSH as much as possible. The one time I got hacked, it was via a temporary account with a stupidly simple password and a privilege escalation. Fortunately, as far as I can tell, nothing substantial happened but with the world as it is at the moment, leaving the port open to the world when I only ever occasionally need to access it from the internet and then for only short periods of time seems unwise.
apetersson
September 28, 2012, 10:02:20 PM
I do feel 50% more paranoid now - if even security researchers get hacked, who can even say his hot wallet is secure?
bg002h
Donator
Legendary
Offline
Activity: 1466
Merit: 1048
I outlived my lifetime membership:)
September 28, 2012, 10:03:40 PM
Good investigating. Someone needs to build a physical device that generates address/key pairs offline so you can take a Polaroid of it and stick it in a safety deposit box.
Cdecker (OP)
September 28, 2012, 10:13:22 PM
Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.
alexanderanon
September 28, 2012, 10:46:04 PM
> Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.

wait so..was the primary error that you left your backup wallet unencrypted? Or were there others?
BC12345
Newbie
Offline
Activity: 57
Merit: 0
September 28, 2012, 10:47:53 PM
>> Well I'm not a security researcher, I'm researching Distributed Computing. And yes the errors were stupid.
> wait so..was the primary error that you left your backup wallet unencrypted? Or were there others?

I was going to ask the same thing. Could someone please explain (in simple words?) how the coins got stolen?
phelix
Legendary
Offline
Activity: 1708
Merit: 1020
September 28, 2012, 10:51:48 PM (Last edit: September 28, 2012, 11:08:04 PM by phelix)
Could this be someone trying to launder your coins? I will try and dig out when the first peak occurred.
edit: [namecoin chart with odd peak]
No, it was much too early. Sorry for the confusion, and good luck with getting back your coins. With this large a stash you really should have been more careful.
The-Real-Link
September 28, 2012, 10:56:03 PM
Wow sorry to hear that. I've since gone and removed all unencrypted wallets I had backed up just in case. If there's any possible way of getting things back, I wish you luck. Was about to say I hope you didn't have much but.. yeah, sorry.
Thank you for being strong and sharing everything you did so that others in the future may be more protected now. It sucks but your story will help others!
Oh Loaded, who art up in Mt. Gox, hallowed be thy name! Thy dollars rain, thy will be done, on BTCUSD. Give us this day our daily 10% 30%, and forgive the bears, as we have bought their bitcoins. And lead us into quadruple digits
mobile4ever
September 28, 2012, 11:22:58 PM
That sucks, bro.
If it's any consolation (probably not), I heard a story on this forum once about a guy that formatted a drive with tens of thousands of coins on it. He said the worst part was his wife knowing about it.
If it was just formatted one time, they are probably recoverable.
BkkCoins
September 29, 2012, 12:27:08 AM
That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that you previously used to connect to your laptop. A public key is not safer than a password if it's left lying around on various systems.
People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intend to automate.
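An audit of authorized_keys entries in the spirit of BkkCoins' advice, as an added example that is not from the thread: it parses each entry's option list (honouring quoted values) and reports keys that are not pinned to a source host (from=), a single command (command=) and the restrict option. The sample file and its placeholder key blobs are constructed; an interactive key will legitimately lack command=, so the report is a starting point for review rather than a verdict.

```python
KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")
# Constructed sample authorized_keys; the key blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
# interactive key for the admin's laptop
ssh-ed25519 AAAAC3PLACEHOLDERKEY1 admin@laptop
# backup job: pinned to one source host and one command, no pty/forwarding
restrict,from="10.0.0.5",command="/usr/local/bin/backup-receive" ssh-ed25519 AAAAC3PLACEHOLDERKEY2 backup@nas
# automation key that was copied around freely and can do anything
ssh-rsa AAAAB3PLACEHOLDERKEY3 cron@anywhere
"""

def split_entry(line):
    """Return (options, key_type, key, comment); options end at the first
    whitespace outside double quotes, since command="..." may contain spaces."""
    options, in_quotes = "", False
    if not line.startswith(KEY_TYPES):
        for i, ch in enumerate(line):
            if ch == '"':
                in_quotes = not in_quotes
            elif ch.isspace() and not in_quotes:
                options, line = line[:i], line[i:].lstrip()
                break
    parts = line.split(None, 2)
    return options, parts[0], parts[1], (parts[2] if len(parts) > 2 else "")

def option_names(options):
    """Names of the comma-separated options, honouring double-quoted values."""
    names, buf, in_quotes = [], "", False
    for ch in options + ",":
        if ch == '"':
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            if buf:
                names.append(buf.split("=", 1)[0])
            buf = ""
        else:
            buf += ch
    return names

def audit_authorized_keys(text):
    """List (comment, missing controls) for every key not pinned to a source
    host (from=), a single command (command=) and the restrict option."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        options, _, _, comment = split_entry(line)
        names = option_names(options)
        missing = [o for o in ("restrict", "from", "command") if o not in names]
        if missing:
            findings.append((comment, missing))
    return findings
```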
Cdecker (OP)
September 29, 2012, 12:30:00 AM
> That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that you previously used to connect to your laptop. A public key is not safer than a password if it's left lying around on various systems.
> People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intend to automate.

I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.
labestiol
September 29, 2012, 12:44:26 AM
>> That ssh log message indicates they accessed using your public key. How on earth did they get that? Did you access from some other systems that they may have also got access to? This is pretty common. This means you need to check all other computers that you previously used to connect to your laptop. A public key is not safer than a password if it's left lying around on various systems.
>> People often use a key for automated access (scripts etc). If you do that it should be for a different, limited user that can only do the very limited functions you intend to automate.
> I don't understand it either, apparently they got first into my home machine (with password auth enabled), grabbed the private key for my work machine and logged in there. No idea as to how.

Keylogger somewhere? Password shared with a compromised website? Sorry for your loss, and good luck with your research. And thanks for doing research on bitcoin.
1BestioLC7YBVh8Q5LfH6RYURD6MrpP8y6
caffeinewriter
September 29, 2012, 12:48:49 AM
2 things:
1. I sent an email to the ISP that controls the IP that hacked you. I doubt much will come of it, but I figured "Hey, worth a shot".
2. I can check your computer through Teamviewer if you're comfortable with letting me have access to it. I'd just check the startup processes. However, I won't be of much help on Linux if that's what you use. I'm not comfortable enough with Linux to do much. :/
Cdecker (OP)
September 29, 2012, 12:58:58 AM
Thanks caffeinewriter, any help is appreciated. I will file a report on Monday, and see what they say.
As for the cleaning up I think I'm OK. Just running clamscan over all the files; rkhunter had nothing to complain about, but I don't know whether an eventual rootkit wouldn't be smart enough to fool them. Any experience with that?