[XPM] 7800 STOLEN - Please read / help

[Fernandez]

Sounds great, Im a bit new...what a cold wallet?

Is it one that does stay online and up-to-date with the blockchain?

Exactly the opposite 

[1713903750]

1713903750

[1713903750]

1713903750

[1713903750]

1713903750

[hathmill]

Sorry for your loss. In the future, run Ubuntu from CD, install Qt, disconnect from internet physically, never mind syncing blocks, create new wallet, extract private key and save on paper or somerhing, switch of power to computer. Now when you do mining, send all proceeds to this cold storage and do it at once you get the coins.

[itsAj]

Sorry to hear about your loss. Use multiple wallets and strong passwords next time.

[Entz]

I am sorry for your loss as well.

In an effort to help prevent this from happening to others I have a question:
- You mentioned "those instances were 100% using an encrypted wallet." I thought you couldn't mine with an encrypted wallet?
- On EC2 where you running windows or linux instances? I know with linux instances you can only log in with your keypair (pem) and all ports are blocked unless you open them with a custom security group config. Not sure on windows (I believe you can set a custom administrator password and clone with the same windows login ID and RPD easily to it)

As you mentioned this likely happened earlier though... This is why I do not use shared wallets. Or store my central wallets on windows =/


The problem with cold wallets is, by design, you have no access to it. Which makes it hard to "sell" coins to recoup expenses (and opens it up to being stolen via a compromised system)

[01BTC10]

Perhaps he brute forced the root password and got into SSH/SFTP? If so, Fail2ban could have prevented that and i recommend every server user to install it. Those VPS mining guides, while useful, did not take malicious intent into account.
Sucks man...

Fail2ban is vulnerable to DOS of the entire server via log poisoning.

Deactivate password login and only use key-based authentication, problem solved.

[psybits]

I wonder if these guys can help:

http://bitcoinprbuzz.com/worlds-first-stolen-bitcoin-tracing-service-and-bitcoin-data-recovery-high-profile-digital-forensic-services-company-sytech-embraces-bitcoin/

[Qantaqa]

Thats a lot of XPM, hope my donation helps cover a small piece of the costs. Please keep us updated on your findings. You could make a good guide about securely using your wallet on different machines, which in itself could be worth some nice donations.

Good luck and I hope the XPM will come back to you.

[cryptohunter]

I don't have any coin i guess worth anything like 7k  however would be good to know there is a way to thwart people stealing your coins to some degree. I don't see how it would work ? why was he only trying to draw 10xpm at one time, why did he not extract the coins in one large transaction?

I would guess because the block value is a little over 10 XPM right now.

Really sorry to hear what happened to you, Paul. I had my Bter account hacked a couple of months back, and while my losses pales in comparison to yours, they were quite significant to me and hurt a lot.

Mail the shit out of all the exchanges and tell them not to accept any transactions from that address. Also keep a lookout to see where the coins move.

Indeed 7068 were taken in one hit, then 10 XPM at a time when each block matured.  The blocks were all around 10.5 in value to be on the safe side and account for fees he was sending 10 at a time.  The script was simply...

Code:

#!/bin/bash
while true; do ./primecoind sendtoaddress <myaddress> 10.4; done;

Ah, thanks i understand now. Sorry to hear this.

"Mail the shit out of all the exchanges and tell them not to accept any transactions from that address"   - would that work?  could they just not create another wallet on another machine and clean them through that?
I wonder in the future if the actual coins can be identified and black listed if proven to be stolen. Probably not i guess since that would have been done, and who would decide if they were really stolen or not hmmm

Sadly the sort of person that would hack into your machine and take every single coin is probably not going to give any back.

[paulthetafy]

In an effort to help prevent this from happening to others I have a question:
- You mentioned "those instances were 100% using an encrypted wallet." I thought you couldn't mine with an encrypted wallet?
- On EC2 where you running windows or linux instances? I know with linux instances you can only log in with your keypair (pem) and all ports are blocked unless you open them with a custom security group config. Not sure on windows (I believe you can set a custom administrator password and clone with the same windows login ID and RPD easily to it)

As you mentioned this likely happened earlier though... This is why I do not use shared wallets. Or store my central wallets on windows =/

Yes mining with an encrypted wallet is fine.  You can't use sendtoaddress while encrypted though.
I was using Linux instances with all incoming ports closed except 22 for SSH.

I've learned my lesson with shared wallets.  Even though it is significantly easier to manage across lots of machines, I'll never do it again!

Thats a lot of XPM, hope my donation helps cover a small piece of the costs. Please keep us updated on your findings. You could make a good guide about securely using your wallet on different machines, which in itself could be worth some nice donations.

Good luck and I hope the XPM will come back to you.

Thanks, that's very kind of you

[Boomsling]

Sounds great, Im a bit new...what a cold wallet?

Is it one that does stay online and up-to-date with the blockchain?

Exactly the opposite  

Typo, meant Doesn't

Cheers!

UPDATEAdmin from ypool has responded.


:jh00: I have already contacted paulthetafy. Sadly we have no transaction that involves the thief's XPM address.

Hope some other avenue opens up.

[hendo420]

Sounds great, Im a bit new...what a cold wallet?

Is it one that does stay online and up-to-date with the blockchain?

You keep it in the freezer.  

The cold wallet does not stay synced to the block chain. You just backup your wallet.dat Once you have the address you can send coins to it and all you have to do to use thoes coins is to import the wallet.dat into a wallet/client.

I'm not sure how clear i'm being. lol

[Boomsling]

I think Ive got it.

Im gonna do something else which I hope is just as good.

Create a bootable USB with Ubuntu or similar on it and have a wllaet on there and keep my saving on it.

I just plug it in every now and again to update the wallet with coins Ive sent.

Is there a expiry time for transfere?

e.g.

I send coins to my USB wallet on Saturday and only update on the Friday. Will they always show up?

Sorry to OP for slightly derailing the thread but I'm sure others will find this info useful or at least make them think about their own security.

[hendo420]

I think Ive got it.

Im gonna do something else which I hope is just as good.

Create a bootable USB with Ubuntu or similar on it and have a wllaet on there and keep my saving on it.

I just plug it in every now and again to update the wallet with coins Ive sent.

Is there a expiry time for transfere?

e.g.

I send coins to my USB wallet on Saturday and only update on the Friday. Will they always show up?

Sorry to OP for slightly derailing the thread but I'm sure others will find this info useful or at least make them think about their own security.

Your wallet could be offline for 10 years and still get the transaction when you bring it online.

If you go with the bootable linux. Make sure you make a copy, usb flash drives dont fail often but THEY DO FAIL so be careful.

Another option is to print out a paper wallet and send coins to it. Just don't lose it. 

[r3wt]

are you the guy who accused me of stealing 7000 xpms on mcxnow chat? i'm sorry for your loss man but i kinda take offense to being accused of it out of the blue. i understand you were running j-coin on the same server iirc, hence your suspicions since i made j-coin. if someone could strip j-coin down and look it over for signs of a wallet stealer i'd really appreciate it. I don't need this bad publicity with everone already accusing me of being a scammer over the Gascoin debacle

[paulthetafy]

are you the guy who accused me of stealing 7000 xpms on mcxnow chat? i'm sorry for your loss man but i kinda take offense to being accused of it out of the blue. i understand you were running j-coin on the same server iirc, hence your suspicions since i made j-coin. if someone could strip j-coin down and look it over for signs of a wallet stealer i'd really appreciate it. I don't need this bad publicity with everone already accusing me of being a scammer over the Gascoin debacle

Oh I absolutely didn't accuse - I think there was a misunderstanding there.  Someone asked what else I had installed on that machine and I said that the only thing was the j-coin wallet.  No implication there and I didn't for a minute suggest that you/it were to blame.  I've said all along I thought the wallet was probably copied weeks ago.  Sorry if it came across wrongly. 

[r3wt]

are you the guy who accused me of stealing 7000 xpms on mcxnow chat? i'm sorry for your loss man but i kinda take offense to being accused of it out of the blue. i understand you were running j-coin on the same server iirc, hence your suspicions since i made j-coin. if someone could strip j-coin down and look it over for signs of a wallet stealer i'd really appreciate it. I don't need this bad publicity with everone already accusing me of being a scammer over the Gascoin debacle

Oh I absolutely didn't accuse - I think there was a misunderstanding there.  Someone asked what else I had installed on that machine and I said that the only thing was the j-coin wallet.  No implication there and I didn't for a minute suggest that you/it were to blame.  I've said all along I thought the wallet was probably copied weeks ago.  Sorry if it came across wrongly. 

ah okay, i just wanted to clear that up since i caught the tail end of the conversation. you had already moved on from the conversation and the trolls were all over me giving me the what for. again, i'm sorry for your loss. i hope they catch the guy. all scammers must pay

[CryptoBullion]

for future use of vpn i urge everyone to do this

Code:

apt-get update && apt-get --yes upgrade

useradd -m -G sudo,adm -s /bin/bash yournewusername

passwd root

start a text file one your home pc and start beating up your keyboard , use the shift key and numbers to get special chars.  about 20-50 chars long should do.

it should like like

!W45ygbw4%BN56j8u46m7mki578,o0,5mrn6Uw4b5vy1q34tv13%By2n456@$5y2v#$%t1cf34Tg2v345t24%BY@$YH#%6unh5&U#bv45c@#$!#!#RE$T!#$VQ#$

save your text file!!!! and don't lose it.

make two of these passwords, so you can add a secure password to your new user u added.

Code:

passwd yournewusername

next you should also disable root access

Code:

nano /etc/ssh/sshd_config

change the permit root login option to no , save the file.

Code:

exit

log out as root, and log back in using your new username and password in your text file. Obviously you will just copy / paste the password, right click on your ssh console to paste it in.

This should prevent anyone from getting into your vps.

[Duetschpire]

Incidents like this make me wonder how long it's gonna be before crypto gets a proper organization to avoid and resolve such activities. With so many coins losses from theft, scams and password/wallet loss, even guys like us who have dedicated a lot of their time, effort and money into crypto are going to give up on it one day. A $5,000 loss and a huge Amazon bill would be quite depressing and should it happen again it WILL kill the trust in crypto for both Paul and those close to him.

I'm really sorry this happened to you mate, I don't understand why bad things happen to good people, this universe sucks!

I will be sending few coins across today, and I urge everyone who can to do the same. I know Paul quite well and I know that he'd do the same should this happen to me or anyone in the community.

Hope you'll catch him mate...

[shazbits]

So without rpcallowip=127.0.0.1, could someone bruteforce the rpc password and do a sendtoaddress? But he said he ony had port 22 open.
And how about upnp?

[Lyddite]

I'm very sorry to hear about this.

I guess the time span and amount of instances you have been running, you probably have not kept any or may disk images or logfiles.
It would be interesting to find out how your wallet or hosts have been compromised. My guesses would be via a disk image or via ssh and weak credentials.

Some suggestions to miners about what can you do with ssh to improve security.

• Open up ssh only to what is necessary. 0.0.0.0 is alot of addresses, not to mention IPv6 addresses. If you are using ec2, you can update the firewall from the web interface when your IP when you need to log in from elsewhere. If you are on DHCP (your ip address changes), you can use a subnet (eg, x.x.x.x/24) which will still greatly reduce your exposure to attack
• use ssh keys, not passwords
• keep your ssh private key secure (keep it only on the machines you need use to connect to instances, a backup on USB )
• you can encrypt your key with a passphrase, look into this and also ssh-agent
• If you must use windows, use anti virus software, scan regularly, keep it up to date. MacOS and Linux are not immune either
• If you muse use a password, use a strong one. http://en.wikipedia.org/wiki/Strong_password
• Check the documentation for sshd, and edit your ssh_config file, especially these options
• AllowUsers - use this option in sshd_config to whitelist the usernames you need to access your system
• PermitRootLogin - set this to no or without-password, use sudo to become root if you need to
• Don't run a sshd on the machine you use to connect to your instances if you don't need to. If you must, then secure that too.

ssh ports are being probed for weak passwords all the time. If you run sshd without a firewall, just look at the logs.
By running the primecoind daemon (or any coin for that matter) you publicize your IP number to others (and the fact that you probably have a wallet that might even cointain some coins in it) 

Regarding wallets, I won't go into protecting your wallet or the best way to move your funds around but leaving copies of wallets lying around is not a good idea. Ideally a provider zeroes the disk when a customer stops using it but it may not always be the case, deleting a physical disk takes time.

When you are done using a machine and no longer need it's wallet file should can delete your wallet or even better,  "wipe" (apt-get install wipe,  wipe FILENAME) or write zeroes over it (dd if=/dev/zero of=PATHTOYOURWALLET bs=1024 count=100). WIth SSDs, you can't be sure that everything is ever deleted, but if the file is wiped or zeroed, you can be fairly sure that the file cannot be recovered without special tools and physical access to the disk, or without administrative access to the disk system in a larger provider. When you "rm" a file, usually, it is just the directory entry and list of block a file is using that is deleted. If not wiped or written over, it is possible for a file to be reconstructed.

Treat your wallet backups as you would treat your wallet, if someone finds your backup, it's almost as good as your wallet.dat

Ideally the ssh settings and user accounts are set on your first miner which you then clone.
Wiping the wallet could be made part of the shutdown script, make your you have a safe backup.