BkkCoins
February 11, 2012, 11:38:59 PM
Quote from: piuk
Added Dendrogram links on transaction pages. Useful for visualising how bitcoins moved to different addresses after being spent, more specifically for tracking stolen coins.

This looks pretty nifty. I noticed on that BTCServ hack that the small part gets spent twice to merge into a 40 BTC address. It would be useful to know what addresses payments get combined with as that may give clues about wallet (like a "back-link" on an address). I have no idea how it could be fit in a diagram because it would get "hairy" fast.
BkkCoins
February 11, 2012, 11:42:45 PM
The majority of "hacked" coins (419 BTC) got sent to 1E3PdhC1ARtxkDmq8LmYQeXqXNp2pSfQu3 which hasn't been spent. However the small amount sent to 1CrDpobPFbLvNtB2hnBtThu9qHJ2hpbwPz has been spent. The odd thing is both transactions got relayed by the ip 81.169.165.107 - which is BTCServe's ip. So, that means the hacker either is close topologically by default or has added manually BTCServ IP as a peer? If the hacker is manually relaying thru BTCServ that's a bit like rubbing salt in a wound! Or another interpretation is that it's still controlled by BTCServ, though obviously not provably. Funny, when I saw the 1Cr... address it tweaked my memory and I thought it was the current BitLotto address but I was wrong - that's similar but different.
piuk (OP)
February 12, 2012, 03:30:44 PM
Quote from: BkkCoins
This looks pretty nifty. I noticed on that BTCServ hack that the small part gets spent twice to merge into a 40 BTC address. It would be useful to know what addresses payments get combined with as that may give clues about wallet (like a "back-link" on an address). I have no idea how it could be fit in a diagram because it would get "hairy" fast.

My hypothesis is that the coins change hands at the 40 BTC merge as the IP addresses switch from Germany to U.S. Maybe you could hover over a node to show any new inputs. Also the "purity" of the coins (i.e. how much they have been mixed with the other transactions) could be represented by the thickness of the line.

Quote from: BkkCoins
So, that means the hacker either is close topologically by default or has added manually BTCServ IP as a peer? If the hacker is manually relaying thru BTCServ that's a bit like rubbing salt in a wound! Or another interpretation is that it's still controlled by BTCServ, though obviously not provably.

Or maybe the attacker sent some change back to BTCServe for some reason. I guess no matter how good future tools like this get it will still be almost impossible to prove anything.
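The kind of forward trace the two posts above are describing (follow the stolen outputs through each spend, note which untainted inputs they get merged with, and measure how diluted they become) can be done on a small transaction graph. The following is an added example written for this thread, not code from Blockchain.info or from either poster. The ledger is constructed: the transaction ids, addresses and amounts are made up to mirror the shape of the discussion (a large unspent output, a small output merged with other coins, then spent again), and transactions with no inputs stand in for funds whose history we do not care about. Taint is propagated with the simple "haircut" rule: every output of a transaction inherits the fraction of that transaction's input value that was tainted.

```python
"""Follow spent outputs forward from a set of stolen outputs, recording
where the coins merge with other inputs and how diluted they become."""

# Constructed ledger, not real chain data.  Each tx maps to the outpoints
# (txid, vout) it spends and the (address, amount) outputs it creates.
# Transactions with no inputs stand in for coins whose history we ignore.
LEDGER = {
    "funding": {"inputs": [], "outputs": [("victim_hot", 422.0)]},
    "theft":   {"inputs": [("funding", 0)],
                "outputs": [("attacker_cold", 419.0), ("attacker_small", 3.0)]},
    "clean_a": {"inputs": [], "outputs": [("someone_a", 37.0)]},
    "merge":   {"inputs": [("theft", 1), ("clean_a", 0)],
                "outputs": [("merge_addr", 40.0)]},
    "clean_b": {"inputs": [], "outputs": [("someone_b", 10.0)]},
    "cashout": {"inputs": [("merge", 0), ("clean_b", 0)],
                "outputs": [("payee", 30.0), ("change", 20.0)]},
}


def _amount(ledger, outpoint):
    txid, vout = outpoint
    return ledger[txid]["outputs"][vout][1]


def _topo_order(ledger):
    """Parents before children, so every input's taint is known when needed."""
    order, seen = [], set()

    def visit(txid):
        if txid in seen:
            return
        seen.add(txid)
        for parent, _ in ledger[txid]["inputs"]:
            visit(parent)
        order.append(txid)

    for txid in ledger:
        visit(txid)
    return order


def taint_flow(ledger, source_outpoints):
    """Return (taint, merges).

    taint maps each outpoint reachable from the sources to the share of its
    value that traces back to them (haircut mixing: every output of a tx
    inherits the tx's tainted-input fraction).  merges maps each tx that
    combined tainted coins with untainted inputs to those other inputs,
    i.e. the "back-links" that may hint at the spender's wallet.
    """
    taint = {op: 1.0 for op in source_outpoints}
    merges = {}
    for txid in _topo_order(ledger):
        ins = ledger[txid]["inputs"]
        if not ins:
            continue
        total = sum(_amount(ledger, op) for op in ins)
        tainted = sum(_amount(ledger, op) * taint.get(op, 0.0) for op in ins)
        if tainted == 0.0:
            continue
        clean = [op for op in ins if taint.get(op, 0.0) == 0.0]
        if clean:
            merges[txid] = clean
        share = tainted / total          # fee is shared pro rata, same as outputs
        for vout in range(len(ledger[txid]["outputs"])):
            taint[(txid, vout)] = share
    return taint, merges


def resting_places(ledger, taint):
    """Unspent outputs that still carry taint: where the coins sit right now,
    largest tainted value first."""
    spent = {op for tx in ledger.values() for op in tx["inputs"]}
    rows = []
    for (txid, vout), share in taint.items():
        if (txid, vout) in spent or share == 0.0:
            continue
        address, amount = ledger[txid]["outputs"][vout]
        rows.append((address, amount, share))
    return sorted(rows, key=lambda r: -r[1] * r[2])


if __name__ == "__main__":
    taint, merges = taint_flow(LEDGER, [("theft", 0), ("theft", 1)])
    for txid, partners in merges.items():
        print(f"{txid}: tainted coins merged with {partners}")
    for address, amount, share in resting_places(LEDGER, taint):
        print(f"{address}: {amount} BTC, {share:.1%} tainted")
```

The `share` value is the "purity" measure suggested above: at the 40 BTC merge the stolen 3 BTC become 7.5% of the output, and after the next spend only 6% of each output traces back to the theft. The `merges` dict lists the other inputs that joined at each step; on a real chain those are the outpoints you would look up to see what else their owner has spent together, which is the back-link idea. Haircut taint is one convention among several (first-in-first-out and "poison" rules give different numbers), so the percentages are a modelling choice, not a fact about the coins.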
piuk (OP)
February 14, 2012, 09:45:16 AM (last edit: February 14, 2012, 04:33:35 PM by piuk)
Having a few problems with the site this morning. In light of the recent hackings I was changing all passwords and closing any non-essential ports. In doing so I've managed to lock myself out of one of the servers. I'm waiting for someone at the colo to restart it now; it should be back up in an hour or so.
Edit: The engineer has confirmed he is on his way, should be approx. ~20 mins.
Edit 2: The engineer at the datacenter said machine 3 wouldn't boot after being reset. I drove down to pick it up and am having a look at it now. It appears to boot fine, and disk repair says everything is OK. However, when I enable the firewall everything locks up.
realnowhereman
February 14, 2012, 11:47:58 AM
Quote from: piuk
Having a few problems with the Site this morning. In light of the recent hackings I was changing all passwords and closing any none essential ports - In doing so I've managed to lock myself out one of the servers.

Now that's what I call proactive security. ;-)
eleuthria
February 14, 2012, 01:59:27 PM
Quote from: piuk
Having a few problems with the Site this morning. In light of the recent hackings I was changing all passwords and closing any none essential ports - In doing so I've managed to lock myself out one of the servers. I'm waiting for someone at the colo to restart it now, should be back up in an hour or so.
Edit: Engineer has confirmed he is on his way, should be approx ~20 mins.

Ah, the good ole' 'iptables -A INPUT -p tcp --dport 22 -j DROP' going in before allowing your own IP full access ;p
MORA
February 14, 2012, 02:44:03 PM
or iptables -F in order to rebuild the rulelist... without resetting the default DROP policy
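Both lockouts named in the two replies above (a DROP for port 22 appended before the rule that admits your own address, and an `iptables -F` that empties the chain while the default policy is still DROP) share one property: the rule sequence is fine at the end but unsafe at some step in the middle. The following is an added example written for this thread, not code from piuk's servers or from either poster. It dry-runs an ordered list of iptables commands against a tiny model of the INPUT chain and reports the first command after which a fresh SSH connection from the administrator's address would no longer be accepted. The address `203.0.113.5` and the command lists are constructed; the parser only understands `-A`/`-I`/`-P`/`-F`, `-s`, `-p`, `--dport`, `-i` and `-j`, so rules using `-m` match extensions (conntrack, multiport, ...) are an assumption it does not model.

```python
"""Dry-run an ordered list of iptables commands against a minimal model of
the INPUT chain and find the step that would lock the administrator out."""
import ipaddress
import shlex


def _parse(cmd):
    """Split one iptables command into (op, chain, match, target).

    Assumption: only plain rules like the ones in the thread are fed in.
    Options other than -A/-I/-P/-F, -s, -p, --dport, -i and -j are ignored.
    """
    tokens = shlex.split(cmd)
    if tokens and tokens[0] == "iptables":
        tokens = tokens[1:]
    op, chain, match, target = None, "INPUT", {}, None
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("-A", "-I", "-P", "-F"):
            op = tok
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
                i += 1
                chain = tokens[i]
            if op == "-P":              # -P CHAIN TARGET
                i += 1
                target = tokens[i]
        elif tok == "-j":
            i += 1
            target = tokens[i]
        elif tok in ("-s", "-p", "--dport", "-i"):
            i += 1
            match[tok] = tokens[i]
        i += 1
    return op, chain, match, target


def _matches(match, src, proto, dport, iface):
    if "-i" in match and match["-i"] != iface:
        return False
    if "-s" in match and ipaddress.ip_address(src) not in \
            ipaddress.ip_network(match["-s"], strict=False):
        return False
    if "-p" in match and match["-p"] != proto:
        return False
    if "--dport" in match and int(match["--dport"]) != dport:
        return False
    return True


class InputChain:
    """Just enough of the INPUT chain: an ordered rule list and a policy."""

    def __init__(self):
        self.policy = "ACCEPT"
        self.rules = []                 # (match, target) in evaluation order

    def apply(self, cmd):
        op, chain, match, target = _parse(cmd)
        if chain != "INPUT":            # other chains are not modelled
            return
        if op == "-P":
            self.policy = target
        elif op == "-F":
            self.rules = []             # -F drops the rules, never the policy
        elif op == "-A":
            self.rules.append((match, target))
        elif op == "-I":
            self.rules.insert(0, (match, target))

    def verdict(self, src, proto="tcp", dport=22, iface="eth0"):
        for match, target in self.rules:
            if _matches(match, src, proto, dport, iface):
                return target
        return self.policy


def first_lockout(cmds, admin_ip, ssh_port=22):
    """Index of the first command after which a new SSH connection from
    admin_ip is no longer ACCEPTed, or None if the whole sequence is safe."""
    chain = InputChain()
    for idx, cmd in enumerate(cmds):
        chain.apply(cmd)
        if chain.verdict(admin_ip, "tcp", ssh_port) != "ACCEPT":
            return idx
    return None


def final_verdict(cmds, src, proto="tcp", dport=22):
    chain = InputChain()
    for cmd in cmds:
        chain.apply(cmd)
    return chain.verdict(src, proto, dport)


def safe_ruleset(admin_ip, open_ports):
    """An ordering that passes the dry run: admin access first, DROP last."""
    return [
        f"iptables -I INPUT -s {admin_ip} -p tcp --dport 22 -j ACCEPT",
        "iptables -A INPUT -i lo -j ACCEPT",
        *[f"iptables -A INPUT -p tcp --dport {p} -j ACCEPT" for p in open_ports],
        "iptables -P INPUT DROP",
    ]


# Constructed reproductions of the two mistakes discussed in the thread.
ADMIN = "203.0.113.5"
LOCKOUT_BY_ORDER = [
    "iptables -A INPUT -p tcp --dport 22 -j DROP",
    f"iptables -A INPUT -s {ADMIN} -p tcp --dport 22 -j ACCEPT",
]
LOCKOUT_BY_FLUSH = [
    f"iptables -A INPUT -s {ADMIN} -j ACCEPT",
    "iptables -P INPUT DROP",
    "iptables -F",                      # rules gone, policy still DROP
]

if __name__ == "__main__":
    for name, seq in (("order", LOCKOUT_BY_ORDER), ("flush", LOCKOUT_BY_FLUSH),
                      ("safe", safe_ruleset(ADMIN, [80, 443]))):
        step = first_lockout(seq, ADMIN)
        print(name, "locks out at step", step if step is not None else "never")
```

The model deliberately checks a *new* connection at every step rather than the final state, because that is what you lose when a rule goes in out of order; an existing session protected by a conntrack ESTABLISHED rule may survive while every reconnect fails. When applying rules to a remote box for real, the usual belt-and-braces companion to this kind of check is a detached timer (`sleep 300 && iptables -P INPUT ACCEPT && iptables -F` started before the change, killed once you have confirmed you can still log in) so that a mistake the model does not catch undoes itself instead of requiring a trip to the colo.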
finway
February 14, 2012, 04:13:57 PM
Be careful. Be safe.
D.H.
February 14, 2012, 04:37:49 PM
How's it going with the site, piuk?
piuk (OP)
February 14, 2012, 04:44:05 PM (last edit: February 14, 2012, 04:56:40 PM by piuk)
The engineer told me that machine 3 wouldn't boot after being reset, so I drove down to pick it up. I've got it at home now and it boots fine, but there is something not quite right with it. When I enable the firewall it locks up, even though the rules are fine. I am going to reinstall the OS and then take it back down.
Just to be clear, there is no data loss, but this server acts as the "management node" for the MySQL cluster and the site won't start without it.
warweed
February 14, 2012, 05:25:17 PM
That sucks, bro.
Well, godspeed.
piuk (OP)
February 14, 2012, 06:47:32 PM
The server is ready to go again, but unfortunately I'm not going to make it back to the datacenter tonight. I could probably get the site online again with two servers, but then I'd just have to undo the changes in the morning, plus it's Valentine's night and I've got non-optional dinner plans.
9:00 AM GMT tomorrow it will be back up. Really sorry for any My Wallet users who cannot access their account; if you are in dire need to make a transaction and don't have a backup, let me know your wallet identifier and I'll send you a backup and instructions on how to get your keys into bitcoind.
piuk (OP)
February 15, 2012, 11:37:40 AM
OK, we're back. It started as what I thought was a bad firewall rule, but was actually a more serious failure of one machine. Everything is back online now and there has been absolutely no data loss.
Again, apologies for the downtime. Pool stats will be screwed up for a while.
Google Authenticator support coming later today.
Technomage
February 15, 2012, 12:00:32 PM
Quote from: piuk
Ok were back. It started as what I thought was a bad firewall rule, but was actually a more serious failure of one machine. But everything is back online now and there has been absolutely no dataloss.
Again apologies for the downtime. Pool stats will be screwed up for a while.
Google authenticator support coming later today.

+1, Google Auth support sounds really good! I use it with my LastPass and I love it.
ThePok
February 15, 2012, 12:25:35 PM
Transactions per day is going high, and that's fine, but do you count all the payouts from p2pool blocks to the users as one transaction per receiver?
piuk (OP)
February 15, 2012, 12:45:51 PM
Quote from: ThePok
Transactions per Day is going high - thats fine - or do you count all that payouts from p2pool-blocks to the users as one Transaction pro Reciver?

P2Pool payouts are counted as one transaction. I'm pleased to see it increasing a lot lately; if it carries on at this rate we will soon be back at June levels. Good indicator imo.
realnowhereman
February 15, 2012, 06:25:20 PM
Looks good.. except...

Quote:
No problem, simply contact us with wallet identifier, secret phrase and any other information you can provide and we will disable two factor authentication.

It seems to me that this makes two factor authentication pointless. Let's remember that it is there to prevent someone who has your password gaining access. But if they have the password you'll disable two factor anyway.
D.H.
February 15, 2012, 06:53:27 PM
Quote from: realnowhereman
Let's remember that it is there to prevent someone who has your password gaining access. But if they have the password you'll disable two factor anyway.

The secret phrase is not the same thing as the password. It is a separate phrase that you can optionally set under Account Details.