Bitcoin Forum
November 16, 2018, 12:17:37 AM *
Author Topic: Dealing with Bitcoin hackers  (Read 97 times)
seekoin (Sr. Member, Activity: 447, Merit: 260)
January 26, 2018, 06:50:27 PM
Merited by vapourminer (1), achow101 (1), Welsh (1)
#1

Hello mates !

As the owner of a Bitcoin business, I can see a huge rise in intrusion attempts on one of my servers.
Most of those lamers are trying to check whether I host an online wallet, and try to download it.

See for instance this evidence I recorded:

2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip

But since I used to be a bad guy too, a long time ago, I had the following ideas:

  • Redirect them to an easy affiliate link, like Chaturbate for example
  • Redirect them to a file which contains malware, a virus or an insult
  • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
  • Redirect them to the CIA or the NSA.

They are easy to detect as they keep on using the same file names, i.e. wallet, backupwallet, etc.

Be careful also, as they are trying to access these critical directories:

/backup/
/bitcoin/
/btc/

I would advise you not to use them anymore or simply reject the incoming traffic.

So to set up my tricky projects, I simply use these statements inside my .htaccess:

RewriteRule ^bitcoinwallet\.(.)+ hxxp://your-honeypot.com/malware.txt [L]
RewriteRule ^btcwallet\.(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^wallet\.(.)+ hxxp://your-honeypot.com/verybad.php [L]
RewriteRule ^backupwallet\.(.)+ hxxps://www.cia.gov/ [L]

RewriteRule ^/?backup/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?bitcoin/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?btc/(.)+ hxxp://your-honeypot.com/affiliate [L]

This is working pretty well; even better, you could make some money with those villains Grin

Enjoy !
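The detection the post describes (same file names and directories every time) can be scripted instead of hand-read from the log. The following is an added example, not code from the post: it parses lines in the format quoted above (the format is inferred from those lines and is an assumption), flags the wallet-file and directory probes, counts hits per source IP, and renders an Apache 2.4 deny block so the scanner gets a plain 403 rather than a redirect to content you would have to answer for. The sample log lines are constructed for the example; the threshold, the pattern lists and all function names are the example's own choices.

```python
"""Flag wallet-file probes in a 404 log and emit an Apache 2.4 deny list.

Added example, not part of the original post. The log line format
"<date> <time> [<ip>] <status>(): <path>" is an assumption modelled on
the lines quoted in the post; the probe patterns mirror the file names
and directories the post lists; the sample log is constructed.
"""
import re
from collections import defaultdict

# One record per line: timestamp, client IP, HTTP status, requested path.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[0-9a-fA-F.:]+)\] (?P<status>\d{3})\(\): (?P<path>\S+)$"
)

# Basenames the scanners hammer: wallet.*, backupwallet.*, btcwallet.*,
# bitcoinwallet.* with any extension chain (dat, dat.bak, zip, rar, ...).
WALLET_FILE_RE = re.compile(r"(?:^|/)(?:bitcoin|btc|backup)?wallet\.[\w.]+$", re.I)
# Directories the post says are probed as well.
WALLET_DIR_RE = re.compile(r"^/?(?:backup|bitcoin|btc)/", re.I)


def classify(path):
    """Return 'file', 'dir' or None depending on which probe pattern hits."""
    if WALLET_FILE_RE.search(path):
        return "file"
    if WALLET_DIR_RE.search(path):
        return "dir"
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it is not in the expected format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_probes(lines):
    """Map ip -> list of (timestamp, path) for every line that looks like a wallet probe."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # foreign format or garbage: skip rather than guess
        if classify(rec["path"]):
            hits[rec["ip"]].append((rec["ts"], rec["path"]))
    return dict(hits)


def offenders(lines, threshold=1):
    """IPs with at least `threshold` probe hits, sorted for stable output."""
    return sorted(ip for ip, h in find_probes(lines).items() if len(h) >= threshold)


def apache_deny_block(ips):
    """Render an Apache 2.4 <RequireAll> block denying the given IPs (HTTP 403).

    A flat deny is the safe counterpart of the post's redirect rules: the
    scanner receives nothing you could later be blamed for serving.
    """
    body = "\n".join(f"    Require not ip {ip}" for ip in ips)
    return "<RequireAll>\n    Require all granted\n" + body + "\n</RequireAll>\n"


# Constructed sample modelled on the post's lines; not real captured traffic.
SAMPLE_LOG = """\
2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:55 [192.0.2.10] 404(): btc/wallet.dat
2018-01-16 21:13:56 [192.0.2.10] 404(): backup/db.sql
2018-01-16 21:14:00 [198.51.100.7] 404(): favicon.ico
2018-01-16 21:14:01 [198.51.100.7] 200(): index.html
this line is not in the expected format
"""

if __name__ == "__main__":
    bad = offenders(SAMPLE_LOG.splitlines(), threshold=2)
    print(apache_deny_block(bad))
```

The threshold exists because a single 404 on wallet.dat is not proof of anything; two or more distinct probe names from one address in a short window is the signature. Bear in mind that most of these sources are compromised hosts, so an IP deny list is a short-lived measure; not hosting a wallet file under the web root at all is what actually removes the risk.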

jackg (Copper Member, Legendary, Activity: 1190, Merit: 1126)
January 26, 2018, 09:19:16 PM
#2

Quote from: seekoin on January 26, 2018, 06:50:27 PM (post #1 quoted in full)

If you fancy doing something good. Secure a connection from your server to them, search for their bitcoin config file and attempt to run their bitcoin daemon app to send all their coins to you and attempt to return them to the person who sent it.

Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

seekoin (Sr. Member, Activity: 447, Merit: 260)
January 26, 2018, 09:44:13 PM
#3

Quote from: jackg on January 26, 2018, 09:19:16 PM
Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

Obviously several webmasters host their wallets online, considering the number of attacks I observed. I guess they are running a local bitcoind daemon to handle their payments. Having your financial transactions handled by a third party remains very risky for the time being.

Quote from: jackg on January 26, 2018, 09:19:16 PM
You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

Waste of time: most of those addresses are already blacklisted or come from zombie hosts.
And living in a rural area, I know for sure our local cops do not even know what Bitcoin is Grin

Cheers.

achow101 (Moderator, Legendary, Activity: 1582, Merit: 1739)
bc1qshxkrpe4arppq89fpzm6c0tpdvx5cfkve2c8kl
January 29, 2018, 12:39:24 AM
#4

Quote from: seekoin on January 26, 2018, 06:50:27 PM
  • Redirect them to a file which contains malware, a virus or an insult
  • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
I would suggest that you not try these as those are things that can get you in trouble with the law. Well, having an insult is fine, but distributing malware is not.
