Bitcoin Forum
Author Topic: Dealing with Bitcoin hackers  (Read 228 times)
seekoin (OP)
Sr. Member
Activity: 586
Merit: 317


January 26, 2018, 06:50:27 PM
Merited by vapourminer (1), achow101 (1), Welsh (1)
 #1

Hello mates!

As an owner of a Bitcoin business, I can see a huge rise in intrusion attempts on one of my servers.
Most of those lamers are trying to check whether I host an online wallet, and try to download it.

See for instance this evidence I recorded:

2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip

But since I used to be a bad guy a long time ago, I had the following ideas:

  • Redirect them to an easy affiliate link, like Chaturbate for example
  • Redirect them to a file which contains malware, a virus or an insult
  • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
  • Redirect them to the CIA or the NSA.

They are easy to detect as they keep on using the same file names, i.e. wallet, backupwallet, etc.

Be careful also, as they are trying to access these critical directories:

/backup/
/bitcoin/
/btc/

I would advise you not to use them anymore or simply reject the incoming traffic.

So to set up my tricky projects, I simply use these statements inside my .htaccess:

RewriteRule ^bitcoinwallet\.(.)+ hxxp://your-honeypot.com/malware.txt [L]
RewriteRule ^btcwallet\.(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^wallet\.(.)+ hxxp://your-honeypot.com/verybad.php [L]
RewriteRule ^backupwallet\.(.)+ hxxps://www.cia.gov/ [L]

RewriteRule ^/?backup/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?bitcoin/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?btc/(.)+ hxxp://your-honeypot.com/affiliate [L]

This is working pretty well; even better, you could make some money off those villains Grin

Enjoy!
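Added here as a defender-side illustration, not code from the original post: a small Python script that parses the "date time [ip] 404(): path" log format quoted above, flags the wallet-file and directory probes the post lists (wallet, backupwallet, btcwallet, bitcoinwallet with .dat/.zip/.gz/.rar and backup suffixes; the /backup/, /bitcoin/ and /btc/ directories), groups the hits per source IP, and renders an Apache 2.4 access-control block that refuses those IPs outright instead of redirecting them anywhere. The log entries for 203.0.113.9 and 198.51.100.7 are constructed (documentation address ranges) to show ordinary 404s and directory probes being handled; the other lines reuse entries from the post. The function names and the SAMPLE_LOG text are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample in the "date time [ip] 404(): path" shape shown in the post.
# The first six lines reuse entries from the post; the 203.0.113.9 and
# 198.51.100.7 lines are made up (documentation ranges) so the script has
# non-probe 404s and directory probes to classify.
SAMPLE_LOG = """\
2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip
2018-01-16 21:14:10 [203.0.113.9] 404(): favicon.ico
2018-01-16 21:14:12 [203.0.113.9] 404(): images/logo.png
2018-01-16 21:14:15 [198.51.100.7] 404(): backup/site.tar.gz
2018-01-16 21:14:16 [198.51.100.7] 404(): btc/wallet.dat
"""

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\] (?P<status>\d{3})\(\): (?P<path>\S+)$"
)

# File names the scanner cycles through (wallet, backupwallet, btcwallet,
# bitcoinwallet) with the archive/backup suffixes seen in the log.
PROBE_FILE_RE = re.compile(
    r"^(?:backup|bitcoin|btc)?wallet\.(?:dat|zip|gz|rar)(?:\.\w+)?$"
)
# Directories the post says are being probed.
PROBE_DIRS = ("backup/", "bitcoin/", "btc/")


def parse_line(line):
    """Return a dict with ts/ip/status/path, or None if the line does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wallet_probe(path):
    """True if the requested path looks like a wallet-file or wallet-directory probe."""
    path = path.lstrip("/").lower()          # normalise leading slash and case
    name = path.rsplit("/", 1)[-1]           # last path segment is the file name
    if PROBE_FILE_RE.match(name):
        return True
    return any(path.startswith(d) for d in PROBE_DIRS)


def summarize(log_text):
    """Map each source IP to the list of probe paths it requested, in log order."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_wallet_probe(rec["path"]):
            per_ip[rec["ip"]].append(rec["path"])
    return dict(per_ip)


def render_apache_block(ips):
    """Render an Apache 2.4 <RequireAll> block that refuses the listed IPs with 403."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in sorted(ips)]
    lines.append("</RequireAll>")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = summarize(SAMPLE_LOG)
    for ip, paths in hits.items():
        print(f"{ip}: {len(paths)} probe(s) -> {', '.join(paths)}")
    print(render_apache_block(hits))
```

The same refusal can be expressed in mod_rewrite without an allow/deny block: a rule such as `RewriteRule ^wallet\. - [F]` answers 403 for the probe instead of sending the client to another host, which keeps the log evidence on your side and avoids serving anything to the scanner.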

jackg
Copper Member
Legendary
Activity: 2856
Merit: 3071


January 26, 2018, 09:19:16 PM
 #2

Quote from: seekoin on January 26, 2018, 06:50:27 PM

If you fancy doing something good, secure a connection from your server to them, search for their bitcoin config file and attempt to run their bitcoin daemon app to send all their coins to you, and attempt to return them to the person who sent them.

Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...
seekoin (OP)
Sr. Member
Activity: 586
Merit: 317


January 26, 2018, 09:44:13 PM
 #3

Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

Obviously several webmasters host their wallets online, considering the number of attacks I observed. I guess they are running a local bitcoind daemon to handle their payments. Having your financial transactions handled by a third party remains very risky for the time being.

You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

Waste of time: most of those addresses are already blacklisted or come from zombie hosts.
And living in a rural area, I know for sure our local cops do not even know what Bitcoin is  Grin

Cheers.

achow101
Moderator
Legendary
Activity: 3388
Merit: 6581


January 29, 2018, 12:39:24 AM
 #4

  • Redirect them to a file which contains malware, a virus or an insult
  • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
I would suggest that you not try these as those are things that can get you in trouble with the law. Well, having an insult is fine, but distributing malware is not.
