r3wt (OP)
January 14, 2014, 04:57:46 AM Last edit: January 14, 2014, 01:48:13 PM by r3wt

Attacker used ssh to gain access and steal the btc wallet. I discovered this while troubleshooting a customer who had not received his deposit even though it showed pending. Then I discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing.
Update: the coins were recovered a short time later. We are paying out withdrawals and asking for all coins to be withdrawn from the exchange so that we can start from scratch.

My negative trust rating is reflective of a personal vendetta by someone on default trust.

wontonforevuh
Member
Offline
Activity: 266
Merit: 10
January 14, 2014, 05:00:55 AM

Nice security... and why would the attacker return 0.5 bitcoins when he could keep the 11 bitcoins?

Crackmacs
January 14, 2014, 05:02:02 AM

We'll find you eventually you little cock sucker. return our shit or ******************
Edit: Good idea removing that part. Wow, that sucks. Out of curiosity, why would the thief return them for significantly less money? (Just trying to play devil's advocate; I hope you do get them back.)

r3wt (OP)
January 14, 2014, 05:02:33 AM

Nice security... and why would the attacker return 0.5 bitcoins when he could keep the 11 bitcoins?
I could have sworn I installed fail2ban.

The_Catman
Full Member
Offline
Activity: 168
Merit: 100
Captain Jack Fenderson
January 14, 2014, 05:05:32 AM

Out of curiosity, why would the thief return them for significantly less money? (Just trying to play devil's advocate; I hope you do get them back.)
I think he's hoping the attacker feels guilty. He/she probably doesn't.

r3wt (OP)
January 14, 2014, 05:11:25 AM

Out of curiosity, why would the thief return them for significantly less money? (Just trying to play devil's advocate; I hope you do get them back.)
I think he's hoping the attacker feels guilty. He/she probably doesn't.
Worth a shot. It's all I have.

tk808
Legendary
Offline
Activity: 1512
Merit: 1124
Invest in your knowledge
January 14, 2014, 05:16:20 AM

Out of curiosity, why would the thief return them for significantly less money? (Just trying to play devil's advocate; I hope you do get them back.)
I think he's hoping the attacker feels guilty. He/she probably doesn't.
Worth a shot. It's all I have.
I hope you get them back dude, even a partial refund. Mr. Grey Fox may be reading this, with a conscience.

peterlustig
Sr. Member
Offline
Activity: 812
Merit: 250
The Fourth Generation of Blockchain in DeFi
January 14, 2014, 05:17:03 AM

Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurrence of a similar IP in the log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

Left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

The exact time of the theft would be useful.

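As an added example (not from the thread or any of its posters), a small Python parser for sshd auth-log lines in the format quoted above: it extracts accepted logins and invalid-user probes, lists root logins made with a password, and reports the first time each address block shows up, which is the "first occurrence of a similar IP" check peterlustig did by hand. The sample lines are constructed on documentation IP ranges rather than taken from the real log, and the year is assumed because syslog timestamps carry none.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample lines in the sshd/syslog format seen in the thread; the IPs are
# documentation ranges, not the addresses from the real log.
SAMPLE_LOG = """\
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 203.0.113.21 port 33172 ssh2
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777 from 203.0.113.161
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 203.0.113.161 port 47277 ssh2
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 203.0.113.20 port 33982 ssh2
Jan 14 00:57:10 server sshd[213000]: Accepted publickey for admin from 198.51.100.7 port 50000 ssh2
"""

STAMP = r"^(\w{3} +\d+ [\d:]+) \S+ sshd\[\d+\]: "
ACCEPTED = re.compile(STAMP + r"Accepted (\w+) for (\S+) from (\S+) port \d+")
INVALID = re.compile(STAMP + r"Invalid user (\S+) from (\S+)")


def _ts(stamp, year):
    # syslog timestamps have no year, so the caller supplies one (assumed 2014 here)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def parse_auth_log(text, year=2014):
    """Turn sshd lines into event dicts; lines that are neither kind are ignored."""
    events = []
    for line in text.splitlines():
        if m := ACCEPTED.match(line):
            ts, method, user, ip = m.groups()
            events.append({"ts": _ts(ts, year), "kind": "accepted", "method": method, "user": user, "ip": ip})
        elif m := INVALID.match(line):
            ts, user, ip = m.groups()
            events.append({"ts": _ts(ts, year), "kind": "invalid_user", "method": None, "user": user, "ip": ip})
    return events


def root_password_logins(events):
    """Interactive root logins that used a password: the weakest combination, and what the thread found."""
    return [e for e in events if e["kind"] == "accepted" and e["user"] == "root" and e["method"] == "password"]


def first_seen_by_prefix(events, prefix_len=24):
    """Earliest event per address block, i.e. 'first occurrence of a similar IP'.
    The thread's addresses sat in 66.87.92-95.x, which a prefix_len of 22 would group together."""
    first = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        net = str(ipaddress.ip_network(f"{e['ip']}/{prefix_len}", strict=False))
        first.setdefault(net, e)
    return first
```

Run it over a real /var/log/auth.log by passing the file contents to parse_auth_log; any entry returned by root_password_logins is worth a look on its own, regardless of whether the address is known.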
Crackmacs
January 14, 2014, 05:19:54 AM

I think it only hurts the community and *coin in general when large scale theft happens. S'all we need is a bunch of articles telling people to invest in gold instead because of the wild wild west theft that occurs etc. I understand it though. Anything worth anything gets stolen.
The most I hold to my name is 1 Litecoin and almost 4 RonPauls. Not much, but after mining them myself (even though it's not worth much), I would feel devastated. People suck.

r3wt (OP)
January 14, 2014, 05:21:40 AM

Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurrence of a similar IP in the log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

Left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

I think that's Justin's IP (http://www.geoiptool.com/en/?IP=66.87.94.161). He has the server pass, I have the server pass. Funny thing is, Justin's supposedly from Oklahoma. He started the crons last night, so I'm pretty sure it wasn't him; at least, that is consistent with what I know. The attacker was probably not stupid enough to leave the log unchanged. If you will notice, there is no activity for 6 minutes in between the last failed attempt and where I logged in (173.216.136.127).

surfer43
Sr. Member
Offline
Activity: 560
Merit: 250
"Trading Platform of The Future!"
January 14, 2014, 05:41:22 AM

What is the address of the wallet?

r3wt (OP)
January 14, 2014, 05:45:30 AM

What is the address of the wallet?
I don't know. He took the wallet.dat. I can provide what my account address was and the account addresses of others who mentioned it in support emails, and anyone else who deposited to the exchange can provide theirs if they can find it in the transactions of their personal wallet, but other than that I have no idea what the "main" address was. And yes, I will repay this somehow. I have no other choice but to repay it. I'm sorry.

phazon307
Full Member
Offline
Activity: 140
Merit: 100
Don't fear Crypto Exchanges go with honest well kn
January 14, 2014, 05:45:59 AM

Absolutely disgusting. Degenerate people can't earn shyt for themselves, so they have to steal it from the people who can.

Win up $200.00 usd in bitcoins every hour.

phazon307
Full Member
Offline
Activity: 140
Merit: 100
Don't fear Crypto Exchanges go with honest well kn
January 14, 2014, 05:47:13 AM

Let me ask you a question: was that the only wallet.dat file you had? I backed up mine on three different storage units. You should always have one, and then another wallet that you could quickly send it to if you suspect something.

r3wt (OP)
January 14, 2014, 05:56:04 AM

Let me ask you a question: was that the only wallet.dat file you had? I backed up mine on three different storage units. You should always have one, and then another wallet that you could quickly send it to if you suspect something.
Yes, unfortunately it was. I thought about cold storaging the majority of the coins, but a lot of people complain about slow withdrawal times. It was an honest mistake, one I will pay dearly for, I'm sure.

Millicent
Member
Offline
Activity: 84
Merit: 10
January 14, 2014, 06:05:22 AM

I'm astounded. Root login, password... ugh!
1) non-standard port
2) no root login
3) ssh key entry only
4) iptables IP restriction
OMGOMGOMG. Spend the $400.00 on someone to secure your server.
I am sorry for your loss, but holy $h1t dude.

BTC ~ 1CX9TMGCv73XLcvckz5RsnHgsHA5fJrL2q

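As an added example (not from Millicent or anyone in the thread), a Python audit of an sshd_config against points 2 and 3 above plus an account allow-list, with the keyboard-interactive gotcha that keeps password prompts alive after PasswordAuthentication is turned off. Both config fragments are constructed, and the defaults assumed for absent keywords are those of OpenSSH in the thread's era (root login and passwords allowed); point 4, the iptables restriction, lives outside sshd_config and is not checked.

```python
# Constructed sshd_config fragments, not from the thread: the posture it describes, then a hardened one.
WEAK_CONFIG = """\
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED_CONFIG = """\
Port 2222
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
AllowUsers deploy
"""
DEFAULTS = {"port": "22", "permitrootlogin": "yes", "passwordauthentication": "yes",
            "pubkeyauthentication": "yes", "challengeresponseauthentication": "yes"}  # assumed 2014-era defaults

def parse_sshd_config(text):
    """sshd keeps the first value given for a keyword, so later duplicates are ignored here too.
    Parsing stops at the first Match block, whose settings are conditional rather than global."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        cfg.setdefault(key, parts[1].strip() if len(parts) > 1 else "")
    return cfg

def audit_sshd_config(text):
    """Return a list of findings; an empty list means the fragment passes every check."""
    cfg = parse_sshd_config(text)
    def setting(key):
        return cfg.get(key, DEFAULTS.get(key, "")).lower()
    findings = []
    if setting("permitrootlogin") != "no":
        findings.append("PermitRootLogin is not 'no': log in as an unprivileged user and escalate")
    if setting("pubkeyauthentication") != "yes":
        findings.append("PubkeyAuthentication is off: enable keys before disabling passwords")
    if setting("passwordauthentication") != "no":
        findings.append("PasswordAuthentication is on: a guessed or shared password is enough")
    if setting("challengeresponseauthentication") != "no":
        findings.append("ChallengeResponseAuthentication is on: PAM can still prompt for a password")
    if setting("port") == "22":
        findings.append("Port is 22: moving it only trims scanner noise, so treat it as cosmetic")
    if not any(k in cfg for k in ("allowusers", "allowgroups")):
        findings.append("No AllowUsers/AllowGroups: every local account may attempt ssh")
    return findings
```

Feed it the contents of /etc/ssh/sshd_config; a clean run means the file says the right things, not that sshd was restarted or that PAM honours them, so confirm with a key-less login attempt from a second host before trusting it.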
stevenlam
January 14, 2014, 06:09:01 AM

r3wt is a trusted man, so don't blame him for anything before he repays all of your losses; in the meantime, we must be patient.

hostmaster
January 14, 2014, 06:09:42 AM Last edit: January 14, 2014, 06:20:59 AM by hostmaster

Attacker used ssh to gain access and steal the btc wallet. I discovered this while troubleshooting a customer who had not received his deposit even though it showed pending. Then I discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing. I am offering 400 bucks for the attacker to return the money to me privately via PM, or for anyone who can catch the attacker and bring him to justice. Here is the log: https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing
Edit: If you lost bitcoins, I am sorry. Kindly post the amount as well as your address below and I will repay them ASAP. I obviously don't have the money, but I have every intention to pay for it when I do. Again, I'm sorry.
Use ssh keys or completely shut down the ssh server. Unless you use ssh keys, anyone with a little knowledge can log in. 75% of the world's servers are hackable. You can make mistakes, but it's time to learn the lessons!

Zombie123
Legendary
Offline
Activity: 868
Merit: 1000
January 14, 2014, 06:15:15 AM

1CxwZYMmprkY6Dx4crFCXVBFBjXRit7oDg
1) Withdrawal: 0.20402197 BTC
Destination: 1PafQJLSQSjV5AYVHzBRyjTFScGCJknoT9
TXID: 6603ea056688752ab9bf9c3b4c7bc2a7f4fd2dc53347ca2630ef93c3bdba3c6c
So I guess it was my account you were looking into, and you found out the issue.