Bitcoin Forum
Author Topic: Openex hacked but coins recovered  (Read 14317 times)
r3wt (OP), Hero Member, Activity: 686, Merit: 504
January 14, 2014, 04:57:46 AM (Last edit: January 14, 2014, 01:48:13 PM by r3wt) #1

attacker used ssh to gain access and steal btc wallet. i discovered this while troubleshooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing

Update
the coins were recovered a short time later. we are paying out withdrawals and asking that all coins be withdrawn from the exchange so that we can start from scratch.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
wontonforevuh, Member, Activity: 266, Merit: 10
January 14, 2014, 05:00:55 AM #2

nice security...
and why would the attacker return .5 bitcoins when he could keep the 11 bitcoins?

Crackmacs, Full Member, Activity: 154, Merit: 100
January 14, 2014, 05:02:02 AM #3

Quote
We'll find you eventually you little cock sucker. return our shit or ******************

Edit: Good idea removing that part.

Wow that sucks.

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devil's advocate, I hope you do get them back).
r3wt (OP), Hero Member, Activity: 686, Merit: 504
January 14, 2014, 05:02:33 AM #4

nice security...
and why would the attacker return .5 bitcoins when he could keep the 11 bitcoins?

i could have sworn i installed fail2ban

peterlustig, Sr. Member, Activity: 812, Merit: 250
January 14, 2014, 05:03:05 AM #5

http://www.fail2ban.org/wiki/index.php/Main_Page
Oops yeah you know that already. @ every server owner: install that.




The_Catman, Full Member, Activity: 168, Merit: 100
January 14, 2014, 05:05:32 AM #6

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devil's advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

r3wt (OP), Hero Member, Activity: 686, Merit: 504
January 14, 2014, 05:11:25 AM #7

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devil's advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

worth a shot. its all i have.

tk808, Legendary, Activity: 1512, Merit: 1124
January 14, 2014, 05:16:20 AM #8

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devil's advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

worth a shot. its all i have.

I hope you get them back dude, even a partial refund. Mr. Grey Fox may be reading this, with a conscience.
peterlustig, Sr. Member, Activity: 812, Merit: 250
January 14, 2014, 05:17:03 AM #9

Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurrence of similar IP in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

exact time of theft would be useful.
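A small triage script for sshd logs of the shape quoted above, added here as an example and not part of the thread. It runs over constructed sample lines (documentation-range addresses, year assumed to be 2014) and pulls out the two things peterlustig looked for: every accepted password login as root, and an "Invalid user" probe followed within a minute by a successful login from the same address.

```python
import re
from datetime import datetime

# Constructed sample in sshd/syslog format (192.0.2.0/24 is a documentation
# range); it mirrors the shape of the thread's log, not its real addresses.
SAMPLE_LOG = """\
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 192.0.2.21 port 33172 ssh2
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^probe from 192.0.2.161
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 192.0.2.161 port 47277 ssh2
Jan 13 13:10:02 server sshd[104900]: Accepted publickey for deploy from 198.51.100.7 port 50122 ssh2
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 192.0.2.20 port 33982 ssh2
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<msg>.*)$")
ACCEPT_RE = re.compile(r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
INVALID_RE = re.compile(r"Invalid user (?P<user>.+?) from (?P<ip>[\d.]+)$")

def parse_events(text, year=2014):
    # syslog timestamps carry no year; 2014 is assumed from the thread's date
    events = []  # (time, kind, user, method, ip)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        a = ACCEPT_RE.match(m["msg"])
        i = INVALID_RE.match(m["msg"])
        if a:
            events.append((ts, "accepted", a["user"], a["method"], a["ip"]))
        elif i:
            events.append((ts, "invalid_user", i["user"], None, i["ip"]))
    return events

def root_password_logins(events):
    # Every successful password login as root: each one is a full compromise.
    return [(ts, ip) for ts, kind, user, method, ip in events
            if kind == "accepted" and user == "root" and method == "password"]

def probe_then_login(events, window_s=60):
    # An "Invalid user" probe followed by an accepted login from the same
    # address within window_s: a failed guess, or a note left for the operator.
    hits, last_probe = [], {}
    for ts, kind, user, _, ip in events:
        if kind == "invalid_user":
            last_probe[ip] = (ts, user)
        elif kind == "accepted" and ip in last_probe:
            t0, probe = last_probe[ip]
            if (ts - t0).total_seconds() <= window_s:
                hits.append((ip, probe, user))
    return hits
```

Point it at /var/log/auth.log (or the journal export) and the first function alone answers the question the thread spends several posts on.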




Crackmacs, Full Member, Activity: 154, Merit: 100
January 14, 2014, 05:19:54 AM #10

I think it only hurts the community and *coin in general when large scale theft happens. S'all we need is a bunch of articles telling people to invest in gold instead because of the wild wild west theft that occurs etc. I understand it though. Anything worth anything gets stolen.

The most I hold to my name is 1 Litecoin and almost 4 RonPauls. Not much, but after mining them myself (even though it's not worth much), I would feel devastated. People suck.

r3wt (OP), Hero Member, Activity: 686, Merit: 504
January 14, 2014, 05:21:40 AM #11

Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurrence of similar IP in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

I think that's Justin's IP (http://www.geoiptool.com/en/?IP=66.87.94.161). he has the server pass, i have the server pass. funny thing is Justin's supposedly from Oklahoma.


he started the crons last night so i'm pretty sure it wasn't him; at least that is consistent with what i know.

the attacker was probably not stupid enough to leave the log unchanged. if you will notice, there is no activity for 6 minutes between the last failed attempt and where i logged in (173.216.136.127)

surfer43, Sr. Member, Activity: 560, Merit: 250
January 14, 2014, 05:41:22 AM #12

What is the address of the wallet?
r3wt (OP), Hero Member, Activity: 686, Merit: 504
January 14, 2014, 05:45:30 AM #13

What is the address of the wallet?

i don't know. he took the wallet.dat

i can provide what my account address was and the account address of others who mentioned it in support emails, and anyone else who deposited to the exchange can provide theirs if they can find it in transactions of their personal wallet, but other than that i have no idea what the "main" address was.

and yes, i will repay this somehow. i have no other choice but to repay it. i'm sorry

phazon307, Full Member, Activity: 140, Merit: 100
January 14, 2014, 05:45:59 AM #14

absolutely disgusting degenerate people can't earn shyt for themselves so they have to steal it from the people who can.

phazon307, Full Member, Activity: 140, Merit: 100
January 14, 2014, 05:47:13 AM #15

let me ask you a question: was that the only wallet.dat file you had? I backed up mine on three different storage units. you should always have one, and then another wallet that you could quickly send it to if you suspect something.

r3wt (OP), Hero Member, Activity: 686, Merit: 504
January 14, 2014, 05:56:04 AM #16

let me ask you a question: was that the only wallet.dat file you had? I backed up mine on three different storage units. you should always have one, and then another wallet that you could quickly send it to if you suspect something.

yes unfortunately it was. i thought about cold storaging the majority of the coins but a lot of people complain about slow withdrawal times. it was an honest mistake, one i will pay dearly for i'm sure.

Millicent, Member, Activity: 84, Merit: 10
January 14, 2014, 06:05:22 AM #17

I'm astounded. root login, password, ugh!

1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction

OMGOMGOMG Spend the $400.00 on someone to secure your server.

I am sorry for your loss, but holy $h1t dude.

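An added example, not from the thread, that checks an sshd_config against Millicent's four points. It assumes OpenSSH keyword semantics (case-insensitive keywords, first occurrence wins, anything under a Match line is conditional) and uses two constructed configs, a weak one resembling what the quoted log implies and a hardened one; the iptables restriction in point 4 lives outside sshd_config, so the audit can only report whether sshd itself restricts users and sources.

```python
# Constructed configs, not from the thread: WEAK matches what the log implies,
# HARDENED applies Millicent's four points (the firewall rule lives elsewhere).
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
AllowUsers deploy@203.0.113.0/24
Match Address 203.0.113.5
    PasswordAuthentication yes
"""

def parse_sshd_config(text):
    # OpenSSH semantics: keywords are case-insensitive, the first occurrence
    # wins, and everything after a Match line is conditional, so stop there.
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        opts.setdefault(key, parts[1].strip().lower() if len(parts) > 1 else "")
    return opts

def audit(text):
    # (code, message) findings; unset options take the OpenSSH 6.x defaults
    # assumed here: Port 22, PermitRootLogin yes, PasswordAuthentication yes.
    o, findings = parse_sshd_config(text), []
    if o.get("port", "22") == "22":
        findings.append(("port", "1) default port 22, the one every scanner tries"))
    if o.get("permitrootlogin", "yes") != "no":
        findings.append(("root", "2) root may log in directly; only 'no' passes"))
    if o.get("passwordauthentication", "yes") != "no":
        findings.append(("password", "3) password logins accepted, brute force viable"))
    if o.get("challengeresponseauthentication", "yes") != "no":
        findings.append(("kbdint", "3) keyboard-interactive can still prompt for a password via PAM"))
    if not any(k in o for k in ("allowusers", "allowgroups", "listenaddress")):
        findings.append(("allow", "4) no user/source restriction in sshd; check the firewall too"))
    return findings
```

Run audit() on the contents of /etc/ssh/sshd_config; an empty list means the four points are met as far as sshd itself is concerned.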
stevenlam, Full Member, Activity: 196, Merit: 100
January 14, 2014, 06:09:01 AM #18

r3wt is a trusted man, so don't blame anything before he repays all of your losses; in this time, we must be patient

hostmaster, Sr. Member, Activity: 266, Merit: 250
January 14, 2014, 06:09:42 AM (Last edit: January 14, 2014, 06:20:59 AM by hostmaster) #19


attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don't have the money but i have every intention to pay for it when i do. again, i'm sorry.
use ssh keys or completely shut down the ssh server. unless you use ssh keys, anyone with a little knowledge can log in. 75% of the world's servers are hackable. You can make mistakes, but it's time to learn the lessons!
Zombie123, Legendary, Activity: 868, Merit: 1000
January 14, 2014, 06:15:15 AM #20

1CxwZYMmprkY6Dx4crFCXVBFBjXRit7oDg

1) Withdrawal: 0.20402197 BTC

Destination: 1PafQJLSQSjV5AYVHzBRyjTFScGCJknoT9

TXID: 6603ea056688752ab9bf9c3b4c7bc2a7f4fd2dc53347ca2630ef93c3bdba3c6c


So I guess it was my account you were looking into and you found out the issue.