Hello mates!
As the owner of a Bitcoin business, I can see a huge rise in intrusion attempts on one of my servers.
Most of those lamers are checking whether I host an online wallet and trying to download it.
See for instance this evidence I recorded:
2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip
But since I used to be a bad guy a long time ago, I had the following ideas:
- Redirect them to an easy affiliate link, like Chaturbate for example
- Redirect them to a file which contains a malware, a virus or an insult
- Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
- Redirect them to the CIA or the NSA.
They are easy to detect as they keep on using the same file names, i.e. wallet, backupwallet, etc.
Be careful also, as they are trying to access these critical directories:
/backup/
/bitcoin/
/btc/
I would advise you not to use them anymore, or simply to reject the incoming traffic.
So to set up my tricky projects, I simply use these statements inside my .htaccess:
# mod_rewrite must be switched on for the rules below to have any effect
RewriteEngine On
# In .htaccess the leading slash of the request path is stripped before matching,
# so "^wallet\." matches a request for /wallet.dat, /wallet.dat.bak, etc.
# The R=302 flag makes the external redirect explicit.
RewriteRule ^bitcoinwallet\..+ hxxp://your-honeypot.com/malware.txt [R=302,L]
RewriteRule ^btcwallet\..+ hxxp://your-honeypot.com/affiliate [R=302,L]
RewriteRule ^wallet\..+ hxxp://your-honeypot.com/verybad.php [R=302,L]
RewriteRule ^backupwallet\..+ hxxps://www.cia.gov/ [R=302,L]
# Anything requested under the probed directories goes to the affiliate link
RewriteRule ^/?backup/.+ hxxp://your-honeypot.com/affiliate [R=302,L]
RewriteRule ^/?bitcoin/.+ hxxp://your-honeypot.com/affiliate [R=302,L]
RewriteRule ^/?btc/.+ hxxp://your-honeypot.com/affiliate [R=302,L]
This is working pretty well; even better, you could make some money off those villains.
Enjoy!
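The post points out that these scanners are easy to spot because they always ask for the same wallet file names and directories. The following is an added example, not code from the post's author, that turns that observation into detection logic: it parses log lines in the exact format shown above, flags every request for a wallet-like file name or for the /backup/, /bitcoin/ and /btc/ directories, and groups the hits by client IP so the result can feed a block list. The log format regex, the pattern list and the 10.0.0.5 line are assumptions of this example; the other sample lines are the ones quoted in the post.

```python
import re
from collections import defaultdict

# Log line format as it appears in the post: "<date> <time> [<ip>] <status>(): <path>"
# (assumed from the quoted lines; adjust if your logger differs)
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\] (?P<status>\d{3})\(\): (?P<path>\S+)$"
)

# File names the scanners probe for: wallet / backupwallet / bitcoinwallet / btcwallet,
# optionally with .dat, optionally with a backup or archive suffix.
WALLET_FILE_RE = re.compile(
    r"^(backup|bitcoin|btc)?wallet(\.dat)?(\.(backup|bak|gz|zip|rar))?$", re.I
)
# Directories the post says are being probed.
SENSITIVE_DIR_RE = re.compile(r"^/?(backup|bitcoin|btc)/", re.I)

# Sample input: the 14 lines quoted in the post plus one constructed benign request.
SAMPLE_LOG = """
2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip
2018-01-16 21:14:05 [10.0.0.5] 200(): index.html
""".strip().splitlines()


def parse_line(line):
    """Return a dict with ts/ip/status/path, or None if the line is not in the log format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_wallet_probe(path):
    """True if the requested path looks like a wallet-file or wallet-directory probe."""
    name = path.lstrip("/")  # scanners may request "wallet.dat" or "/wallet.dat"
    return bool(WALLET_FILE_RE.match(name)) or bool(SENSITIVE_DIR_RE.match(path))


def summarize(lines):
    """Map each client IP to the list of wallet-probe paths it requested, in log order."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_wallet_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def ips_to_block(hits, threshold=1):
    """IPs with at least `threshold` probes, sorted, ready for a firewall deny list."""
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)


if __name__ == "__main__":
    found = summarize(SAMPLE_LOG)
    for ip, paths in found.items():
        print(f"{ip}: {len(paths)} probe(s): {', '.join(paths)}")
    print("block:", ips_to_block(found, threshold=2))
```

Running it on the sample lists seven probing IPs and ignores the benign request; raising the threshold in `ips_to_block` lets you block only the noisiest scanners (54.36.222.37 and 185.26.197.212 in the sample) while the single-hit IPs are merely reported.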