Bitcoin Forum
October 20, 2017, 05:47:21 AM *
Topic: [XPM] 7800 STOLEN - Please read / help (Read 3116 times)

Lyddite
Member
August 19, 2013, 10:55:11 PM
#41

I'm very sorry to hear about this.

I guess, given the time span and the number of instances you have been running, you probably have not kept any or many disk images or logfiles.
It would be interesting to find out how your wallet or hosts have been compromised. My guesses would be via a disk image or via ssh and weak credentials.

Some suggestions to miners about what you can do with ssh to improve security.

  • Open up ssh only to what is necessary. 0.0.0.0 is a lot of addresses, not to mention IPv6 addresses. If you are using ec2, you can update the firewall from the web interface with your IP when you need to log in from elsewhere. If you are on DHCP (your ip address changes), you can use a subnet (e.g., x.x.x.x/24) which will still greatly reduce your exposure to attack
  • use ssh keys, not passwords
  • keep your ssh private key secure (keep it only on the machines you need to use to connect to instances, plus a backup on USB)
  • you can encrypt your key with a passphrase, look into this and also ssh-agent
  • If you must use windows, use antivirus software, scan regularly, keep it up to date. MacOS and Linux are not immune either
  • If you must use a password, use a strong one. http://en.wikipedia.org/wiki/Strong_password
  • Check the documentation for sshd, and edit your ssh_config file, especially these options:
      • AllowUsers - use this option in sshd_config to whitelist the usernames you need to access your system
      • PermitRootLogin - set this to no or without-password, use sudo to become root if you need to
  • Don't run a sshd on the machine you use to connect to your instances if you don't need to. If you must, then secure that too.

ssh ports are being probed for weak passwords all the time. If you run sshd without a firewall, just look at the logs.
By running the primecoind daemon (or any coin for that matter) you publicize your IP number to others (and the fact that you probably have a wallet that might even contain some coins in it).

Regarding wallets, I won't go into protecting your wallet or the best way to move your funds around but leaving copies of wallets lying around is not a good idea. Ideally a provider zeroes the disk when a customer stops using it but it may not always be the case, deleting a physical disk takes time.

When you are done using a machine and no longer need its wallet file, you can delete your wallet or, even better, "wipe" it (apt-get install wipe, wipe FILENAME) or write zeroes over it (dd if=/dev/zero of=PATHTOYOURWALLET bs=1024 count=100). With SSDs, you can't be sure that everything is ever deleted, but if the file is wiped or zeroed, you can be fairly sure that the file cannot be recovered without special tools and physical access to the disk, or without administrative access to the disk system in a larger provider. When you "rm" a file, usually, it is just the directory entry and list of blocks a file is using that is deleted. If not wiped or written over, it is possible for a file to be reconstructed.

Treat your wallet backups as you would treat your wallet, if someone finds your backup, it's almost as good as your wallet.dat

Ideally the ssh settings and user accounts are set on your first miner which you then clone.
Wiping the wallet could be made part of the shutdown script; make sure you have a safe backup.

- Lyddite -
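One way to check a miner image against the sshd_config items in the list above, as an added example (not code from the thread): it runs over a constructed sample config and mirrors sshd's rule that the first value read for a keyword wins, so a hardened line appended below a weak one changes nothing.

```python
import re

# Constructed sample, not from any real host: the hardened PermitRootLogin
# line comes after a weak one, and sshd keeps only the first value it reads.
SAMPLE_WEAK = """\
# /etc/ssh/sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

SAMPLE_HARDENED = """\
Port 22
PermitRootLogin without-password
PasswordAuthentication no
PubkeyAuthentication yes
AllowUsers minerops
"""

def parse_sshd_config(text):
    """Map keyword -> first value in the global section, as sshd resolves it.
    Parsing stops at the first Match block; its overrides are out of scope."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # sshd comments are whole lines
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key = parts[0].lower()
        if key == "match":
            break
        settings.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return settings

def audit(settings):
    """Return findings for the options in the list above; [] means all pass."""
    findings = []
    root = settings.get("permitrootlogin")
    if root is None:
        findings.append("PermitRootLogin is not set; set it explicitly to no or without-password")
    elif root.lower() not in ("no", "without-password", "prohibit-password"):
        findings.append("PermitRootLogin %s: set it to no or without-password" % root)
    if settings.get("passwordauthentication", "yes").lower() != "no":
        findings.append("PasswordAuthentication is on (sshd default): use keys, not passwords")
    if "allowusers" not in settings:
        findings.append("AllowUsers is missing: whitelist the accounts that need ssh")
    return findings
```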
amosmc
Newbie
August 19, 2013, 11:17:15 PM
#42

Just my 2 cents, but most VPS providers will keep a log of IP addresses for incoming connections. If you could get this list it would help narrow it down; you could then do a traceroute/whois and backtrace to the general area and ISP, and from there you could contact the ISP with the info and go from there. I have to do this from time to time on people who jump bail when I can make contact with them online. It might be a longshot but worth a try. I'm recently new to mining so I'm afraid I can't donate coins, but I have years of experience in tracking people and things down so will donate my time. I've never tracked down a wallet addy before but there's a first time for everything :)

amosmc
Newbie
August 19, 2013, 11:27:59 PM
#43

For someone who knows more about it than me, here's the transaction details.

Array
(
    [hex] => 0100000001bf21d2bf33ad48cb59ef160ae204dda5d7bbf5e6be9d8f75d5fb95d620098edd000000004a4930460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c7d022100fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01ffffffff0240aeeb02000000001976a914c9bd871c1b681e43aec2bba71ec46ac9dc82713788ac00ca9a3b000000001976a914e41c51584730272c896b6ddd15af7f6a14dcea2c88ac00000000
    [txid] => c0bcfde4fa1ac44d96edeb448bd5d7fa3ecf73f525e69058d69a01cf695c0400
    [version] => 1
    [locktime] => 0
    [vin] => Array
        (
            [0] => Array
                (
                    [txid] => dd8e0920d695fbd5758f9dbee6f5bbd7a5dd04e20a16ef59cb48ad33bfd221bf
                    [vout] => 0
                    [scriptSig] => Array
                        (
                            [asm] => 30460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c7d022100fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01
                            [hex] => 4930460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c7d022100fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01
                        )

                    [sequence] => 4294967295
                )

        )

    [vout] => Array
        (
            [0] => Array
                (
                    [value] => 0.49
                    [n] => 0
                    [scriptPubKey] => Array
                        (
                            [asm] => OP_DUP OP_HASH160 c9bd871c1b681e43aec2bba71ec46ac9dc827137 OP_EQUALVERIFY OP_CHECKSIG
                            [hex] => 76a914c9bd871c1b681e43aec2bba71ec46ac9dc82713788ac
                            [reqSigs] => 1
                            [type] => pubkeyhash
                            [addresses] => Array
                                (
                                    [0] => AaAaWgCpqebejux1wyw1H8yQvuPCizy6yy
                                )

                        )

                )

            [1] => Array
                (
                    [value] => 10
                    [n] => 1
                    [scriptPubKey] => Array
                        (
                            [asm] => OP_DUP OP_HASH160 e41c51584730272c896b6ddd15af7f6a14dcea2c OP_EQUALVERIFY OP_CHECKSIG
                            [hex] => 76a914e41c51584730272c896b6ddd15af7f6a14dcea2c88ac
                            [reqSigs] => 1
                            [type] => pubkeyhash
                            [addresses] => Array
                                (
                                    [0] => Aca1dndvLHK1BLWEGsJE2Ci35Wg4azZy2F
                                )

                        )

                )

        )

    [blockhash] => 7db340b42e39e14554b4ac7ee831a646df1dbbcb547cd4ebba2aa413a0de3858
    [confirmations] => 1830
    [time] => 1376860711
    [blocktime] => 1376860711
)
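As an added example (not part of amosmc's post), a small parser that decodes the raw [hex] field above on its own, without trusting the decoded Array, and checks that the listed [txid] is the double-SHA256 of those bytes. It assumes Primecoin kept Bitcoin's transaction serialization and hashing, and strips the forum's line-wrap spaces first.

```python
import hashlib

# Raw [hex] from the post with the forum's line-wrap spaces removed, and its [txid].
RAW_TX_HEX = (
    "0100000001bf21d2bf33ad48cb59ef160ae204dda5d7bbf5e6be9d8f75d5fb95d620098edd00000"
    "0004a4930460221008e1c6aa6c28c10456a608fbc1c77e6fd8816a3499a942cb71135669fdd9a5c"
    "7d022100fc7ef05f56270f91a59da7ec421c28eb1966bb050daf275491ffc235bc4d569f01fffff"
    "fff0240aeeb02000000001976a914c9bd871c1b681e43aec2bba71ec46ac9dc82713788ac00ca9a"
    "3b000000001976a914e41c51584730272c896b6ddd15af7f6a14dcea2c88ac00000000"
)
POSTED_TXID = "c0bcfde4fa1ac44d96edeb448bd5d7fa3ecf73f525e69058d69a01cf695c0400"

class Reader:  # cursor over the serialized bytes; raises instead of reading past the end
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated transaction")
        self.pos += n
        return chunk
    def uint(self, n):
        return int.from_bytes(self.take(n), "little")
    def varint(self):  # CompactSize: one byte, or fd/fe/ff followed by 2/4/8 bytes
        first = self.take(1)[0]
        return first if first < 0xfd else self.uint({0xfd: 2, 0xfe: 4, 0xff: 8}[first])

def parse_tx(hex_str):
    r = Reader(bytes.fromhex(hex_str.replace(" ", "")))
    tx = {"version": r.uint(4), "vin": [], "vout": []}
    for _ in range(r.varint()):
        tx["vin"].append({"txid": r.take(32)[::-1].hex(),  # txids are shown byte-reversed
                          "vout": r.uint(4), "scriptSig": r.take(r.varint()).hex(),
                          "sequence": r.uint(4)})
    for n in range(r.varint()):
        value, script = r.uint(8), r.take(r.varint())
        out = {"n": n, "value": value / 1e8, "scriptPubKey": script.hex()}
        # pay-to-pubkey-hash: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG
        if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[23:] == b"\x88\xac":
            out["hash160"] = script[3:23].hex()
        tx["vout"].append(out)
    tx["locktime"] = r.uint(4)
    if r.pos != len(r.data):
        raise ValueError("trailing bytes after locktime")
    return tx

def txid_of(hex_str):
    """txid = SHA-256(SHA-256(serialized tx)), displayed byte-reversed."""
    raw = bytes.fromhex(hex_str.replace(" ", ""))
    return hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex()
```

The parsed inputs, output values and hash160 fields should line up with the decoded Array above, and txid_of(RAW_TX_HEX) should equal POSTED_TXID.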
   
paulthetafy
Hero Member
August 20, 2013, 02:00:45 PM
#44

Thanks everyone for all your help and suggestions.  I still haven't gotten to the bottom of this but, thanks to the posts here, I do realise how easily I could have been compromised.  All of the VPS images I had used have been deleted already so I'm not able to check those for signs of malicious access.  But my best guess is that one of the early ones I used was compromised, before I started using an encrypted version of the wallet. 

Once I find some time I will try to collate all of the security-improving suggestions and post them into a new thread for everyone to benefit from.

Thanks
Paul

