Bitcoin Forum
Topic: Dealing with Bitcoin hackers
#1 seekoin (Sr. Member), January 26, 2018, 06:50:27 PM
Merited by vapourminer (1), achow101 (1), Welsh (1)

Hello mates !

As the owner of a Bitcoin business, I can see a huge rise in intrusion attempts on one of my servers.
Most of those lamers are checking whether I host an online wallet, and trying to download it.

See for instance this evidence I recorded:

2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip

But since I used to be a bad guy too, a long time ago, I had the following ideas:

  • Redirect them to an easy affiliate link, like Chaturbate for example
  • Redirect them to a file which contains a malware, a virus or an insult
  • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
  • Redirect them to the CIA or the NSA.

They are easy to detect as they keep using the same file names, i.e. wallet, backupwallet, etc.

Be careful also, as they are trying to access these critical directories:

/backup/
/bitcoin/
/btc/

I would advise you not to use them anymore or simply reject the incoming traffic.

So to set up my tricky projects, I simply use these statements inside my .htaccess:

RewriteRule ^bitcoinwallet\.(.)+ hxxp://your-honeypot.com/malware.txt [L]
RewriteRule ^btcwallet\.(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^wallet\.(.)+ hxxp://your-honeypot.com/verybad.php [L]
RewriteRule ^backupwallet\.(.)+ hxxps://www.cia.gov/ [L]

RewriteRule ^/?backup/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?bitcoin/(.)+ hxxp://your-honeypot.com/affiliate [L]
RewriteRule ^/?btc/(.)+ hxxp://your-honeypot.com/affiliate [L]

This is working pretty well; even better, you could make some money from those villains :D

Enjoy !
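
As an added example (not code from the post or from its author), the following Python script runs over log lines in the same format as the excerpt above, flags the wallet-probe vocabulary the post lists (wallet*, backupwallet*, bitcoinwallet*, btcwallet*, and the /backup/, /bitcoin/ and /btc/ trees), aggregates the hits per client IP, and generates an Apache 2.4 .htaccess fragment that answers those requests with a plain 403 instead of redirecting them anywhere. The sample log text is constructed for the example (the post's lines plus two benign requests so the filter has something to ignore); the Apache fragment assumes mod_authz_core and mod_rewrite are loaded and that AllowOverride permits those directives in .htaccess.

```python
import re
from collections import defaultdict

# Constructed sample in the post's log format: "timestamp [client ip] status(): path".
# The first fourteen lines reproduce the excerpt; the last two are benign traffic.
SAMPLE_LOG = """\
2018-01-16 21:13:39 [54.36.222.37] 404(): wallet.dat
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.backup
2018-01-16 21:13:41 [54.36.222.37] 404(): wallet.dat.bak
2018-01-16 21:13:42 [54.36.222.37] 404(): wallet.dat.gz
2018-01-16 21:13:43 [54.36.222.37] 404(): wallet.dat.zip
2018-01-16 21:13:44 [51.15.80.148] 404(): wallet.zip
2018-01-16 21:13:46 [163.172.143.186] 404(): wallet.gz
2018-01-16 21:13:47 [185.26.197.212] 404(): wallet.dat.rar
2018-01-16 21:13:49 [185.26.197.212] 404(): wallet.rar
2018-01-16 21:13:51 [185.26.197.212] 404(): backupwallet.dat
2018-01-16 21:13:53 [185.26.197.212] 404(): backupwallet.dat.backup
2018-01-16 21:13:54 [192.42.116.16] 404(): backupwallet.dat.bak
2018-01-16 21:13:58 [93.174.93.133] 404(): backupwallet.dat.gz
2018-01-16 21:14:02 [197.231.221.211] 404(): backupwallet.dat.zip
2018-01-16 21:14:05 [198.51.100.7] 200(): index.html
2018-01-16 21:14:06 [198.51.100.7] 404(): favicon.ico
"""

# One log record: timestamp, bracketed client IP, three-digit status, "()", path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<ip>[^\]]+)\] (?P<status>\d{3})\(\): (?P<path>\S+)$"
)

# Probe vocabulary from the post: (backup|bitcoin|btc)?wallet.<any extension chain>,
# or anything under the /backup/, /bitcoin/ or /btc/ directories.
PROBE_RE = re.compile(
    r"^/?(?:(?:backup|bitcoin|btc)?wallet\.[\w.]+|(?:backup|bitcoin|btc)/)",
    re.IGNORECASE,
)


def parse(line):
    """Return the record's fields as a dict, or None for a line we don't understand."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_wallet_probe(path):
    """True when the requested path matches the wallet-scanner vocabulary."""
    return PROBE_RE.match(path) is not None


def scan(log_text):
    """Map client IP -> list of wallet-probe paths it requested, in log order."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_wallet_probe(rec["path"]):
            hits[rec["ip"]].append(rec["path"])
    return dict(hits)


def blocklist(hits, threshold=1):
    """IPs with at least `threshold` probe requests, sorted for stable output."""
    return sorted(ip for ip, paths in hits.items() if len(paths) >= threshold)


def htaccess_deny(ips):
    """Apache 2.4 fragment: drop the listed IPs, and 403 any wallet-probe path
    from anyone else (the [F] flag returns Forbidden instead of redirecting)."""
    lines = ["<RequireAll>", "    Require all granted"]
    lines += [f"    Require not ip {ip}" for ip in ips]
    lines += [
        "</RequireAll>",
        "RewriteEngine On",
        r'RewriteRule "^/?(backup|bitcoin|btc)?wallet\." - [F,L]',
        r'RewriteRule "^/?(backup|bitcoin|btc)/" - [F,L]',
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for ip in blocklist(hits):
        print(ip, hits[ip])
    print(htaccess_deny(blocklist(hits, threshold=2)))
```

Raising `threshold` to 2 keeps single-request scanners out of the static deny list while the `[F]` rules still refuse every probe path; a 403 also sidesteps the legal hazard of serving a "malware.txt", which achow101 points out later in this thread.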

#2 jackg (Copper Member, Legendary), January 26, 2018, 09:19:16 PM

Quote from: seekoin on January 26, 2018, 06:50:27 PM (post #1, quoted in full)

If you fancy doing something good: secure a connection from your server to them, search for their bitcoin config file and attempt to run their bitcoin daemon app to send all their coins to you, then attempt to return them to the person who sent them.

Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

You could also try to gather evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

#3 seekoin (Sr. Member), January 26, 2018, 09:44:13 PM

Quote from: jackg on January 26, 2018, 09:19:16 PM
> Honestly, I don't know who would ever run a webserver with a bitcoin wallet on it. At most, a master public key can be used but even then someone can fiddle with that.

Obviously several webmasters host their wallets online, considering the number of attacks I observed. I guess they are running a local bitcoind daemon to handle their payments. Having your financial transactions handled by a third party remains very risky for the time being.

Quote from: jackg on January 26, 2018, 09:19:16 PM
> You could also try to make evidence from this and report it to your local crime investigation agency, or publish a list somewhere like here, although I doubt they're using their own IPs to do this. Unless they are actually that stupid...

Waste of time: most of those addresses are already blacklisted or come from zombie hosts.
And living in a rural area, I know for sure our local cops do not even know what Bitcoin is :D

Cheers.

#4 achow101 (Moderator, Legendary), January 29, 2018, 12:39:24 AM

Quote from: seekoin on January 26, 2018, 06:50:27 PM
> • Redirect them to a file which contains a malware, a virus or an insult
> • Redirect them to a file which contains a script that will mess with them (wait forever, hang their PC, etc.)
I would suggest that you not try these as those are things that can get you in trouble with the law. Well, having an insult is fine, but distributing malware is not.
