intel
January 02, 2014, 02:44:27 AM
People, the malware is being hosted on 162.243.246.223. It is Digital Ocean; a lot of people here have a VPS there.
Contact their support asap and notify them that the IP 162.243.246.223 is running a listening backdoor / passlogger.
How does this work? What type of activities are risky now?
It's still risky to use a "patched" NXT Client downloaded from 3rd-party dirty places like dextern's topic, who manipulated the download link to point to a patched (infected) NXT Client.
EvilDave
January 02, 2014, 02:45:18 AM
Er...wtf?
Am I missing something?
I think you turned him into a newt, but he got better.
Hmmm...I'm mostly not that evil. And HappyCoins.nl actually are very good: low fees, fast delivery, and u can pay using the Dutch iDeal system. I spit on PayPal..... Still curious why my name is up in lights all of a sudden.
I think it's a case of mistaken identity, as people are a bit excited and a little angry at the moment. You should go to the Winchester, have a nice cold pint, and wait for all of this to blow over.
Good plan, tho' in my case I'd be better off going to bed. Which is where I'm going.....
Checked my SHA256 hash; luckily I got the good client from the nextcoin thread. Pays to update late sometimes. Quick check for the non-evil client is size: 7.173.063 bytes and u are good.
EvilDave
January 02, 2014, 02:50:47 AM
Er...wtf?
Am I missing something?
I think you turned him into a newt, but he got better.
Hmmm...I'm mostly not that evil. And HappyCoins.nl actually are very good: low fees, fast delivery, and u can pay using the Dutch iDeal system. I spit on PayPal..... Still curious why my name is up in lights all of a sudden.
According to your posts, you also actively "helped" people to understand how they got their funds stolen. I would call you hacktroll! One of your messages: @PaulyC:
Have u scanned yr PC for malware? Trojan/key logger looks like a very good possibility at this moment.
And how is yr off-line security? Anyone else have access to yr PC?
I don't see the problem, seems like a reasonable question. Me not hacktroll, anyway. I call u a silly person and wave my genitals in the face of your aunties....
Anon136
January 02, 2014, 02:57:14 AM
So what is the hash of the whole nxt-client-0.4.8.zip archive supposed to be?
*edit* This is the output from online-convert.com:
hex: ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2
HEX: EC7C30A100717E60D8ABE50EEDB23641952847D91FF90B9B05A74FF98D8A4CF2
h:e:x: ec:7c:30:a1:00:71:7e:60:d8:ab:e5:0e:ed:b2:36:41:95:28:47:d9:1f:f9:0b:9b:05:a7:4f:f9:8d:8a:4c:f2
base64: 7HwwoQBxfmDYq+UO7bI2QZUoR9kf+QubBadP+Y2KTPI=
Rep Thread: https://bitcointalk.org/index.php?topic=381041 If one can not confer upon another a right which he does not himself first possess, by what means does the state derive the right to engage in behaviors from which the public is prohibited?
Zahlen
January 02, 2014, 02:58:11 AM
intel, when PaulyC reported the theft, lots of people besides EvilDave were suggesting possibilities. The most commonly suggested was keylogger. I remember someone posted something like:
1) SHA256 and Elliptic Curve algo broken: 0.0001%
2) Keylogger: 80%
3) Bogus client: 10%
4) Rogue node: 10%
Personally I suggested some nonsense about a possible address collision from different passwords. So I guess that makes me a troll too.
xyzzyx
January 02, 2014, 02:58:25 AM
So what is the hash of the whole nxt-client-0.4.8.zip archive supposed to be?
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2 - anything else is bogus.
"An awful lot of code is being written ... in languages that aren't very good by people who don't know what they're doing." -- Barbara Liskov
Anon136
January 02, 2014, 02:59:52 AM
So what is the hash of the whole nxt-client-0.4.8.zip archive supposed to be?
ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2 - anything else is bogus.
Thank you, sir. It looks like I'm in the clear.
Damelon
January 02, 2014, 03:00:41 AM
Also clear.
Very big PHEW
Edit: blockchain explorer is back up, btw
Passion_ltc
January 02, 2014, 03:01:42 AM (Last edit: January 03, 2014, 01:57:55 AM by Passion_ltc)
I created a new account under 0.4.7e and transferred ALL NXT to the new ID. This should work out. Let's just wait for the Aliases Transfer. :p
Also: Is it just a NXT keylogger or does it log the whole system? :s
Edit: Well, that didn't work THAT well. Lost my NXT also..
opticalcarrier
January 02, 2014, 03:04:41 AM
I created a new account under 0.4.7e and transferred ALL NXT to the new ID. This should work out. Let's just wait for the Aliases Transfer. :p
Also: Is it just a NXT keylogger or does it log the whole system? :s
From the code, just a NXT logger.
newcn
January 02, 2014, 03:05:09 AM (Last edit: January 02, 2014, 03:19:08 AM by newcn)
In summary, what I found from Chrome history:
From the download history, the malware link was: http://162.243.246.223/nxt-client-0.4.8.zip
sha256: 948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06
The creation time and modification time of the zip file on my local disk were:
creation time: 2013.12.31, 20:31:14
modified time: 2013.12.31, 20:35:16
In that time period, I only accessed two pages:
20:29 https://bitcointalk.org/index.php?topic=345619.11740
20:30 https://bitcointalk.org/index.php?topic=345619.0
From the download history, I probably downloaded the malware from the first page, that is: http://info.nxtcrypto.org/nxt-client-0.4.8.zip (I found the new version and checked it on the first page, and it's true, there's an update there, but I don't like the mega site, it's slow from my home, so I downloaded the link from the first page.)
The thief might have changed the link directly, or he might have changed the IP address of info.nxtcrypto.org. The current IP of info.nxtcrypto.org is 46.28.204.121, which is different from 162.243.246.223.
BTC:1NzzfeHCgN8fF6mSG1UeBFCVd2cxKbGyHk NXT:13187911577562526278
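A defender's version of the checks the thread has been doing by hand (xyzzyx's published hash, EvilDave's size check, newcn's bad download), as an added example that is not code from the thread or from the NXT project: it streams a downloaded file through SHA-256, compares the digest in constant time against the published hash and against the digest newcn reported for the trojaned copy, and flags a download URL on the Digital Ocean host from intel's post. The file used in demo() is a constructed placeholder, not the real archive.

```python
import hashlib
import hmac
import os
import tempfile

# Values quoted in this thread for nxt-client-0.4.8.zip.
GOOD_SHA256 = "ec7c30a100717e60d8abe50eedb23641952847d91ff90b9b05a74ff98d8a4cf2"
GOOD_SIZE = 7173063  # "7.173.063 bytes", EvilDave's quick size check
BAD_SHA256 = "948ce760c379f13f4ea9def6babaa36b0d706bf91098f1d64945fdde3eac5f06"  # newcn's download
BAD_HOST = "162.243.246.223"  # host that served the trojaned archive

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so a large archive need not fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def classify_digest(hex_digest):
    """'good' = published hash, 'known-bad' = trojaned archive, else 'unknown'."""
    normalized = hex_digest.strip().lower()  # tools print either case, as the thread shows
    if hmac.compare_digest(normalized, GOOD_SHA256):
        return "good"
    if hmac.compare_digest(normalized, BAD_SHA256):
        return "known-bad"
    return "unknown"

def verify_archive(path, source_url=None):
    """Verdict dict; 'ok' is True only when every check passes."""
    digest = sha256_of_file(path)
    verdict = classify_digest(digest)
    size = os.path.getsize(path)
    reasons = []
    if verdict != "good":
        reasons.append(f"sha256 is {verdict}: {digest}")
    if size != GOOD_SIZE:  # size alone proves nothing; it only catches a crude swap
        reasons.append(f"size {size} != {GOOD_SIZE}")
    if source_url and BAD_HOST in source_url:
        reasons.append(f"downloaded from {BAD_HOST}")
    return {"digest": digest, "size": size, "verdict": verdict, "ok": not reasons, "reasons": reasons}

def demo():
    """Constructed sample: a placeholder file standing in for a downloaded archive."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "nxt-client-0.4.8.zip")
        with open(path, "wb") as handle:
            handle.write(b"constructed placeholder, not the real archive")
        return verify_archive(path, f"http://{BAD_HOST}/nxt-client-0.4.8.zip")
```

Run verify_archive() on the real download path (and the URL from your browser's download history) to get the verdict; demo() only shows the failing case on a placeholder file.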
utopianfuture
January 02, 2014, 03:08:19 AM
Also clear.
Very big PHEW
Edit: blockchain explorer is back up, btw
Great! Love the blockchain explorer and nexern's work.
opticalcarrier
January 02, 2014, 03:09:50 AM
Please edit your post; it looks like you are saying there is bogus software at info.nxtcrypto.org. It looks like you got the bogus software directly from the thief. My guess is that is where PaulyC got his as well. Some folks are claiming that dextern is involved and changed the link on nextcoin - I don't believe that is the case; Graviton removed his moderator access when that mess went down. But as far as I know, dex has still not returned the donation NXT.
rickyjames
January 02, 2014, 03:11:43 AM
By the way, I just checked and Drexme was last online here two hours ago. There is a good chance he will try to cash in tonight if he read this thread, now that we are on to him...
And just how many accounts is he gonna plunder, I wonder? This is gonna get really, really bad... I will be the first to ask the question: "Do we wanna stop the blockchain and roll it back?"
NWO
January 02, 2014, 03:12:37 AM
Open source incoming! Rally has begun! Anything below .0001 is CHEAP 
intel
January 02, 2014, 03:13:30 AM
intel, when PaulyC reported the theft, lots of people besides EvilDave were suggesting possibilities. The most commonly suggested was keylogger. I remember someone posted something like: 1) SHA256 and Elliptic Curve algo broken: 0.0001% 2) Keylogger: 80% 3) Bogus client: 10% 4) Rogue node: 10%. Personally I suggested some nonsense about a possible address collision from different passwords. So I guess that makes me a troll too.
If you still didn't understand, there was a patched NXT Client which logged all passwords to the server of EvilDave!
utopianfuture
January 02, 2014, 03:13:55 AM
By the way, I just checked and Drexme was last online here two hours ago. There is a good chance he will try to cash in tonight if he read this thread, now that we are on to him...
And just how many accounts is he gonna plunder, I wonder? This is gonna get really, really bad... I will be the first to ask the question: "Do we wanna stop the blockchain and roll it back?"
At this point, I don't think there are more than a few cases. The thief will certainly take the funds right when he gets the pass. We have two reported cases so far. It is important to locate the source of the bogus link.
newcn
January 02, 2014, 03:14:42 AM
Please edit your post; it looks like you are saying there is bogus software at info.nxtcrypto.org. It looks like you got the bogus software directly from the thief. My guess is that is where PaulyC got his as well. Some folks are claiming that dextern is involved and changed the link on nextcoin - I don't believe that is the case; Graviton removed his moderator access when that mess went down. But as far as I know, dex has still not returned the donation NXT.
Well, I didn't mean that. I didn't accuse anyone or any site. In fact, the current IP of info.nxtcrypto.org is 46.28.204.121, and it's different from 162.243.246.223, which is where I downloaded the malware.
utopianfuture
January 02, 2014, 03:16:28 AM
intel, when PaulyC reported the theft, lots of people besides EvilDave were suggesting possibilities. The most commonly suggested was keylogger. I remember someone posted something like: 1) SHA256 and Elliptic Curve algo broken: 0.0001% 2) Keylogger: 80% 3) Bogus client: 10% 4) Rogue node: 10%. Personally I suggested some nonsense about a possible address collision from different passwords. So I guess that makes me a troll too.
If you still didn't understand, there was a patched NXT Client which logged all passwords to the server of EvilDave!
Is it the same or a separate issue from PaulyC's hacked account?
Zahlen
January 02, 2014, 03:17:22 AM
I will be the first to ask the question: "Do we wanna stop the blockchain and roll it back?"
Maybe see how much damage was done first? The account that PaulyC's 7808 NXT was sent to contains only ~1150 more NXT. newcn lost ~17k. Probably easier to reimburse lost NXT if it isn't too large. Is it possible to find out how long the fake link was up, and how many people downloaded from it?