DiabloD3 (OP)
Legendary
DiabloMiner author
September 12, 2011, 06:05:03 PM Last edit: September 13, 2011, 04:49:32 AM by DiabloD3
It seems Mt Gox has been broken into again. My account was just liquidated and sent to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.
Since I use Linux and use unique high-entropy passwords, I am ruling out any nonsense like local trojans.
Everyone: Clear out your accounts if you have anything in them.
1.21gigawatts
Member
September 12, 2011, 06:12:37 PM
let me guess, you used the same password at mtgox and at bitcointalk.org?
phantomcircuit
September 12, 2011, 06:14:24 PM
I would like to add some information. The IP address is 46.250.12.63. It appears to be an endpoint for a p2p PPTP-based VPN. So this looks like a reasonably sophisticated attacker. I would also like to add that I have confidence in Diablo-D3's personal computer security practices (i.e. he is most certainly not sharing passwords between the forums and mtgox).

# nmap -sS -sV -O -PN -n -p 1-65535 -vvvv -T5 46.250.12.63

Starting Nmap 5.00 ( http://nmap.org ) at 2011-09-12 18:52 BST
NSE: Loaded 3 scripts for scanning.
Initiating SYN Stealth Scan at 18:52
Scanning 46.250.12.63 [65535 ports]
Discovered open port 1723/tcp on 46.250.12.63
Warning: Giving up on port early because retransmission cap hit.
SYN Stealth Scan Timing: About 10.81% done; ETC: 18:57 (0:04:16 remaining)
SYN Stealth Scan Timing: About 51.13% done; ETC: 18:54 (0:00:58 remaining)
Discovered open port 14891/tcp on 46.250.12.63
Completed SYN Stealth Scan at 18:54, 90.67s elapsed (65535 total ports)
Initiating Service scan at 18:54
Scanning 2 services on 46.250.12.63
Service scan Timing: About 50.00% done; ETC: 18:58 (0:01:57 remaining)
Completed Service scan at 18:56, 117.08s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 46.250.12.63
Retrying OS detection (try #2) against 46.250.12.63
NSE: Script scanning 46.250.12.63.
NSE: Starting runlevel 1 scan
Initiating NSE at 18:56
Completed NSE at 18:56, 29.76s elapsed
NSE: Script Scanning completed.
Host 46.250.12.63 is up (0.034s latency).
Scanned at 2011-09-12 18:52:51 BST for 241s
Interesting ports on 46.250.12.63:
Not shown: 65528 closed ports
PORT      STATE    SERVICE      VERSION
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1723/tcp  open     pptp         Microsoft Windows NT (Firmware: 2600)
14891/tcp open     unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port14891-TCP:V=5.00%I=7%D=9/12%Time=4E6E4789%P=x86_64-unknown-linux-gnu%r(SMBProgNeg,F0,"\x1aPm\xc4\xb8\.\xd0\xee1\x93\x82\x9f\xcb\xb8s\x9bB\xf9\
SF:x95\x17{\x13\xecm\]\xad\xc8\xa2\x19\x08w\xee\xed}:2GuJ-\xc8'\xb3\x0e\x8
SF:btH<\xbb%N\0\]\xba\x12q\xfe\xffy1~\xb1\\Lv\x10;T\x12c\xda\xda\x18\x16\x
SF:91j\xa4#g\xa8\x9cv\x8d\*\xe4\x9fq>I~\t\+qB\x11\xad\x9ee#\x13\x08\xe5D\x
SF:1d&\xdd\[\x14\xad\xd9@W\xdaA\xb41t\xbb\x08b\x08\xfe\x82\xc9gs7#\xe6C\xa
SF:6\nW\xfc\xd2\x8a\x9e\xdc}\.\x12\xb8\xbc\xc7\xb9\xcf\x8dj\xf5z\x98\t7Xw\
SF:xb0\xd3\x1f\xfe\x97\xe9eq\x8a~\xec5\^L&\x88I\xce\x95\xd5\xb7\xe6\xec\xa
SF:0C#V=\xde\xe4\xb2\x870U\xe4\x9b\xf6\x0fRp\x0fnU\xe4N\xb6\xca\xc0X\xfc\x
SF:a52/dY\x11{D\xe7M\xeem\x98\xb8\xb0\xe0\x92\xef\x13u\xa7\*\xf2\?\xc7\x80
SF:\xeb\xae\x9b37\xa3\xac{k")%r(FourOhFourRequest,6C,"HTTP/1\.1\x20400\x20
SF:ERROR\r\nConnection:\x20keep-alive\r\nContent-Length:\x2017\r\nContent-
SF:Type:\x20text/html\r\n\r\n\r\ninvalid\x20request")%r(SIPOptions,7C,"!K\
SF:x10\xa0K\|\xf0\xd6\xed8\x05\x9f\x9c\xf8\x9b\x89\xbe\xa7\x96\x9d\xb7_=\^
SF:\xb7\xc5\xa8Q\x13\x0e\]\xdf\xfa\xc6\xb8\x8e\xd9~y\xc2\xe2\x10s\x14\xf2o
SF:\x92\0yH\x16\xeaV\xbam\xa5\xe2\x9c\x1d}A9\x8aVW\x94\x95\xf1\xbe\x88Y\xe
SF:56\xdcp\xd6\xca\xf7\xd3<\xea\x861\xd4\x8c\xeb\x8e\x95\xb9\xf8\x10\x0e\x
SF:d7M&\xbf\xf1\xaaf\xbc\x82NH\xb9p61\xf6\xfc\xcc\n\)\xe1c\xd2j\?\x01o<\x9
SF:cN\t#")%r(WMSRequest,144,"\xd8kk\x17e\xb7\x91\xa8C\x83\xae\xd6\x0ciO\x9
SF:8\xf3cVZE\x05\xe6\.T\xed\xb2<\xb3\xa4\x17\xcb\xd7\xecM\^wl\x1e\x9e\xbd\
SF:x89\xe2\xaf3\x19~i\xea\x92\x1d\x08\+\x95V\xae\x95\)\xd4\xf8\xa3\xab\xae
SF:c\xef\xe0\xaa\xd55\xe5\xb2\xa1\x16\$G\xe33\xb5\xe0\xf9\xdc\xe4\xa7\+sqB
SF:\x8f\xc2\xf2\xe9\xfd\xf2\x0ey\x1f\xbd\xaf}i\x0c\?}\xf5\(\xad\$\xd8\xcar
SF:\xc0\x9b\x17d\xbb3\xae;\xe5WX\x9e\x1b\xac\xb1\xba\xd6f\xe8\x9c\xb2`\xca
SF:\x8dH\xde{\x9e\x14\xf0\)~\xf8\r\xd6L\xecx\x17\xc5\x962\x13\x0cN\xda/\x9
SF:1\(\x1a\x88\xb8fU\xd5\xccf\xbaD\+\xcb\.8\xd3U\(\xd7\x91@\x19\xf7\x894\x
SF:ac`\x08\xb3\x88w\x8e\x7f\x15n\xe4\x8c/\xf3Y\nK=x\x1a\xa0\xd8\"\x20\x94\
SF:x9c\x8a\x82P\xf0h\xfapv\x0f\x15Q\xc0\xc9\xd0\x8c\xde3\x10\x90\x8a\xb9\x
SF:84y\xd4rB\x0f\xff\x7f\*R\xc2k\xd3~z\xa8\x89@\x93\"3\xa1x\xc5\xb7\xb3H\x
SF:d9\xb8\xfd\x9a\x1f\x12\xd2\xae\xd9\xdb\x1e>>#lD\xd6q\x92\xd6\x82\xfd\xb
SF:4F!\x89\xd2#\]%U\x08RSj\x15\x7f\xcb\xe1\x8c\xd8\xbf\xd3\x0f\xed\xfb\x88
SF:=I=\xc2D&\x16\x1c\x02\x88\xcb_\x92\xf5\xff\xc4\xe2\x18\x20H");
Device type: general purpose|PDA|terminal|media device|phone
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003|PocketPC/CE|Me (96%), Fujitsu Siemens Windows PocketPC/CE (91%), HP Windows PocketPC/CE (91%), Microsoft embedded (91%), AT&T Windows PocketPC/CE (89%)
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (95%), Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows Server 2003 SP2 (x64) (93%), Microsoft Windows XP SP3 (93%), Microsoft Windows XP Professional SP2 or Windows Server 2003 (92%), Microsoft Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=5.00%D=9/12%OT=1723%CT=1%CU=38423%PV=N%DS=7%G=N%TM=4E6E47E4%P=x86_64-unknown-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=0)
OPS(O1=M550NW0NNT00NNS%O2=M550NW0NNT00NNS%O3=M550NW0NNT00%O4=M550NW0NNT00NNS%O5=M550NW0NNT00NNS%O6=M550NNT00NNS)
WIN(W1=4510%W2=4510%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=81%W=4510%O=M550NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=81%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=81%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=81%W=402E%S=O%A=S+%F=AS%O=M550NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=81%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=81%CD=Z)

Network Distance: 7 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.35 seconds
           Raw packets sent: 68143 (3.000MB) | Rcvd: 67683 (2.708MB)
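The "pptp Microsoft Windows NT (Firmware: 2600)" line in the scan above is nmap reading the PPTP control channel on TCP 1723: a client opens the connection with a Start-Control-Connection-Request and the server answers with a Start-Control-Connection-Reply whose Vendor String and Firmware Revision fields (RFC 2637) are what nmap printed; 2600 is the Windows XP build number, which is why the service banner and the OS guesses agree. The following is an added example, not code from the thread or from nmap, that builds the request and parses the reply so the fingerprint can be reproduced without nmap. The sample reply embedded at the bottom is constructed to look like an XP RAS server's answer, not a capture from 46.250.12.63; the function names are mine, and `probe()` is the only part that touches the network (only use it against hosts you are authorised to scan).

```python
"""PPTP Start-Control-Connection handshake (RFC 2637) for fingerprinting
a VPN endpoint.  Added example; not part of the original thread."""
import socket
import struct

PPTP_PORT = 1723
MAGIC_COOKIE = 0x1A2B3C4D
CTRL_MESSAGE = 1            # PPTP Message Type 1 = control message
SCCRQ, SCCRP = 1, 2         # Control Message Type: Request / Reply
PROTOCOL_VERSION = 0x0100   # PPTP 1.0
FRAMING_ASYNC, FRAMING_SYNC = 1, 2
BEARER_ANALOG, BEARER_DIGITAL = 1, 2
SCC_LENGTH = 156            # both SCCRQ and SCCRP are fixed-size, 156 bytes

# Shared 12-byte header: Length, Message Type, Magic Cookie, Control Type, Reserved0.
_HEADER = "!HHIHH"
# SCCRQ body: Proto Version, Reserved1, Framing Caps, Bearer Caps, Max Channels,
#             Firmware Revision, Host Name (64), Vendor String (64).
_SCCRQ_BODY = "!HHIIHH64s64s"
# SCCRP body: same layout but Reserved1 becomes Result Code (1) + Error Code (1).
_SCCRP_BODY = "!HBBIIHH64s64s"


def build_sccrq(hostname: bytes = b"", vendor: bytes = b"") -> bytes:
    """The request a PPTP client sends first on the control connection."""
    header = struct.pack(_HEADER, SCC_LENGTH, CTRL_MESSAGE, MAGIC_COOKIE, SCCRQ, 0)
    body = struct.pack(
        _SCCRQ_BODY,
        PROTOCOL_VERSION,
        0,                                   # Reserved1
        FRAMING_ASYNC | FRAMING_SYNC,
        BEARER_ANALOG | BEARER_DIGITAL,
        0,                                   # max channels: unspecified
        0,                                   # our own firmware revision
        hostname.ljust(64, b"\x00")[:64],
        vendor.ljust(64, b"\x00")[:64],
    )
    return header + body


def parse_sccrp(data: bytes) -> dict:
    """Decode a Start-Control-Connection-Reply; raise ValueError on anything else."""
    if len(data) < SCC_LENGTH:
        raise ValueError("short PPTP message: %d bytes" % len(data))
    length, msg_type, cookie, ctrl_type, _ = struct.unpack_from(_HEADER, data, 0)
    if cookie != MAGIC_COOKIE:
        raise ValueError("bad magic cookie 0x%08x" % cookie)
    if msg_type != CTRL_MESSAGE or ctrl_type != SCCRP:
        raise ValueError("not an SCCRP (msg %d, ctrl %d)" % (msg_type, ctrl_type))
    if length != SCC_LENGTH:
        raise ValueError("SCCRP length field %d, expected %d" % (length, SCC_LENGTH))
    (ver, result, error, framing, bearer, max_chan,
     firmware, host, vendor) = struct.unpack_from(_SCCRP_BODY, data, 12)
    return {
        "version": "%d.%d" % (ver >> 8, ver & 0xFF),
        "result": result,            # 1 = accepted, 2 = general error, ...
        "error": error,
        "framing": framing,
        "bearer": bearer,
        "max_channels": max_chan,
        "firmware": firmware,        # nmap's "Firmware: NNNN"
        "hostname": host.split(b"\x00", 1)[0].decode("ascii", "replace"),
        "vendor": vendor.split(b"\x00", 1)[0].decode("ascii", "replace"),
    }


def banner(fields: dict) -> str:
    """Render the reply in the form the nmap output above uses."""
    return "%s (Firmware: %d)" % (fields["vendor"], fields["firmware"])


def probe(host: str, port: int = PPTP_PORT, timeout: float = 5.0) -> dict:
    """Live version: send an SCCRQ and parse the server's SCCRP."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sccrq(b"probe", b"example"))
        buf = b""
        while len(buf) < SCC_LENGTH:
            chunk = s.recv(SCC_LENGTH - len(buf))
            if not chunk:
                break
            buf += chunk
    return parse_sccrp(buf)


# Constructed sample reply modelled on a Windows XP RAS server (build 2600,
# vendor string "Microsoft Windows NT").  Not a capture from the thread's host.
SAMPLE_SCCRP = (
    struct.pack(_HEADER, SCC_LENGTH, CTRL_MESSAGE, MAGIC_COOKIE, SCCRP, 0)
    + struct.pack(_SCCRP_BODY, PROTOCOL_VERSION, 1, 0,
                  FRAMING_ASYNC | FRAMING_SYNC, BEARER_ANALOG | BEARER_DIGITAL,
                  0, 2600, b"\x00" * 64, b"Microsoft Windows NT".ljust(64, b"\x00"))
)

if __name__ == "__main__":
    print(banner(parse_sccrp(SAMPLE_SCCRP)))   # Microsoft Windows NT (Firmware: 2600)
```

Against a live host, `probe("198.51.100.7")` (documentation address, stand-in for a real target) returns the same dictionary; the vendor string alone identifies a Microsoft RAS/VPN server, and a firmware revision of 2600 narrows it to XP, which matches the filtered 135-445/tcp pattern of a Windows box behind a personal firewall.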
apetersson
September 12, 2011, 06:18:01 PM
Were you using a Yubikey? I recently activated mine and I would like to think that my funds are now safe.
JeffK
Sr. Member
I never hashed for this...
September 12, 2011, 06:20:16 PM
let me guess, you used the same password at mtgox and at bitcointalk.org?
I use Linux and use unique high entropy passwords,
unique
The two events aren't related
tvbcof
Legendary
September 12, 2011, 06:29:14 PM
It seems Mt Gox has been broken into again. My account was just liquidated and sent to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.
Since I use Linux and use unique high-entropy passwords, I am ruling out any nonsense like local trojans.
Everyone: Clear out your accounts if you have anything in them.
Actually I would find it rather odd that an attacker would target a developer (unless said developer happened to have a boatload of BTC available for appropriation). The ability to do significant development would likely be correlated with both a relatively high ability to understand and investigate the theft, and the ability to solicit a high degree of assistance in doing so. If I were an attacker with a simple goal of enriching myself, I would certainly not be nailing a Bitcoin developer. Or at least not on purpose. Best of luck recovering your BTC, and thanks for the heads-up.
sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
AssemblY
September 12, 2011, 06:30:33 PM
Is this official? Has someone else had the same problem?
hightax
Newbie
September 12, 2011, 06:59:58 PM
Looks like MagicalTux was lying about the wacky trades then. When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones. Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.
- Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forum admins refused to use current versions (SMF 2.x) of their forum software. So far nobody's posting accounts have been compromised or hijacked, apparently.
- Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.
Yeah, those two attacks aren't related. Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.
So... Who said paypal's worse than Bitcoin?
jed
Full Member
Jed McCaleb
September 12, 2011, 07:03:11 PM
My account was just liquidated and sent to a foreign address, the IP of which seems to be in the Ukraine.
Hmm, how can you tell his IP?
fastandfurious
September 12, 2011, 07:04:03 PM
Please answer this important question. Do you have a Yubikey??
BitcoinPorn
September 12, 2011, 07:05:48 PM
Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.
So... Who said paypal's worse than Bitcoin?
Amazingly, I am waiting for MagicalTux to just whip out his penis and insert it in my anus over and over again (yes, in and out, not just full motions, he has to pull it out and stuff it in). Still, Bitcoin wins over Paypal nearly every time. Sadly this is only because when they stuff my ass, it is more consistent and surprisingly more annoying. I wish they would just do it in one swoop. Obviously sorry to read about this DiabloD3, I await more details and am sorry that no doubt this will cause others to 'give up' on this particular digital currency. It is looking like NameCoin might have its heyday as long as they keep things so technologically wound up where only a Linux user would touch it, thus making it the safest and most valueless digital currency next to SolidCoin.
BlockHash
September 12, 2011, 07:08:06 PM
Looks like MagicalTux was lying about the wacky trades then. When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones. Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.
- Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forum admins refused to use current versions (SMF 2.x) of their forum software. So far nobody's posting accounts have been compromised or hijacked, apparently.
- Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.
Yeah, those two attacks aren't related. Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.
So... Who said paypal's worse than Bitcoin?
Agreed. I took all of my BTC out of MTGox and moved them elsewhere. I'm not supporting a potential monopoly or their business practices. The fact that they still support Bruce Wagner is enough for me to sour on them.
wee baby seamus
Newbie
September 12, 2011, 07:10:05 PM
That's all I needed to hear. I just withdrew all my USD. I'll leave 1 BTC for curiosity's sake, but I'm not trusting this.
Frankly, if you have any of your money left in mtgox you're simply asking for it to be stolen.
Get your fucking money out of there now.
c_k
Donator
Full Member
September 12, 2011, 07:23:19 PM
bitdragon
September 12, 2011, 07:27:35 PM
That's all I needed to hear. I just withdrew all my USD. I'll leave 1 BTC for curiosity's sake, but I'm not trusting this.
Frankly, if you have any of your money left in mtgox you're simply asking for it to be stolen.
Get your fucking money out of there now.
Why were you even there in the first place? Why are you even in this forum, telling others to get their money out now? Let them be and learn. You didn't like them from the start, so it's a bit odd that this is all you needed to hear. I guess it is a very well-rounded argument; it finally makes sense. Bravo.
gusti
Legendary
September 12, 2011, 07:30:22 PM
Looks like MagicalTux was lying about the wacky trades then. When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones. Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.
- Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forum admins refused to use current versions (SMF 2.x) of their forum software. So far nobody's posting accounts have been compromised or hijacked, apparently.
- Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.
Yeah, those two attacks aren't related. Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.
So... Who said paypal's worse than Bitcoin?
Repeat with me: mtgox is not bitcoin.
If you don't own the private keys, you don't own the coins.
hightax
Newbie
September 12, 2011, 07:31:22 PM
la la la la I can't hear you, my fingers are in my ears
Is your own self-affirmation so strong that you can't smell the shit piling up in front of you?
Repeat with me: mtgox is not bitcoin.
I didn't say it was. I said MagicalTux is lying to you.
ElectricMucus
Legendary
Marketing manager - GO MP
September 12, 2011, 07:32:44 PM
Damn, I have a little money on the way to gox, so I should assume it's gone... Or is there anything I can do about it? Recalling the wire transfer wouldn't be possible until tomorrow.
JonHind
September 12, 2011, 07:35:34 PM
I took my USD and BTC out of MtGox a week or two ago after they were white-knighting for our beloved convicted fraudster Bruce. It looks as though I made the right decision.
A friend of mine was locked out of his MtGox account last night. I had assumed that his account was one of the 2000 accounts that Marc blocked due to volume trades (my friend was desperately trying to cash out), but it now looks as though his account was hijacked. He just told me that he had a unique secure password too.
gusti
Legendary
September 12, 2011, 07:38:48 PM
la la la la I can't hear you, my fingers are in my ears
Is your own self-affirmation so strong that you can't smell the shit piling up in front of you?
Repeat with me: mtgox is not bitcoin.
I didn't say it was. I said MagicalTux is lying to you.
You miss the question then; the correct one is: Who said paypal's worse than mtgox?
If you don't own the private keys, you don't own the coins.