Bitcoin Forum
April 23, 2014, 01:06:53 PM *
Author Topic: Possible false alarm: MtGox break in  (Read 9367 times)
DiabloD3 (DiabloMiner author)
September 12, 2011, 06:05:03 PM
 #1

It seems Mt Gox has been broken into again. My account was just liquidated and sent to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

Everyone: Clear out your accounts if you have anything in them.

1.21gigawatts
September 12, 2011, 06:12:37 PM
 #2

let me guess, you used the same password at mtgox and at bitcointalk.org?
phantomcircuit
September 12, 2011, 06:14:24 PM
 #3

I would like to add some information.  The IP address is 46.250.12.63.  It appears to be an endpoint for a p2p pptp based VPN.

So this looks like a reasonably sophisticated attacker.

I would also like to add that I have confidence in Diablo-D3's personal computer security practices (i.e. he is most certainly not sharing passwords between the forums and mtgox).

Code:
# nmap -sS -sV -O -PN -n -p 1-65535 -vvvv -T5 46.250.12.63
Starting Nmap 5.00 ( http://nmap.org ) at 2011-09-12 18:52 BST
NSE: Loaded 3 scripts for scanning.
Initiating SYN Stealth Scan at 18:52
Scanning 46.250.12.63 [65535 ports]
Discovered open port 1723/tcp on 46.250.12.63
Warning: Giving up on port early because retransmission cap hit.
SYN Stealth Scan Timing: About 10.81% done; ETC: 18:57 (0:04:16 remaining)
SYN Stealth Scan Timing: About 51.13% done; ETC: 18:54 (0:00:58 remaining)
Discovered open port 14891/tcp on 46.250.12.63
Completed SYN Stealth Scan at 18:54, 90.67s elapsed (65535 total ports)
Initiating Service scan at 18:54
Scanning 2 services on 46.250.12.63
Service scan Timing: About 50.00% done; ETC: 18:58 (0:01:57 remaining)
Completed Service scan at 18:56, 117.08s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 46.250.12.63
Retrying OS detection (try #2) against 46.250.12.63
NSE: Script scanning 46.250.12.63.
NSE: Starting runlevel 1 scan
Initiating NSE at 18:56
Completed NSE at 18:56, 29.76s elapsed
NSE: Script Scanning completed.
Host 46.250.12.63 is up (0.034s latency).
Scanned at 2011-09-12 18:52:51 BST for 241s
Interesting ports on 46.250.12.63:
Not shown: 65528 closed ports
PORT      STATE    SERVICE      VERSION
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1723/tcp  open     pptp         Microsoft Windows NT (Firmware: 2600)
14891/tcp open     unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port14891-TCP:V=5.00%I=7%D=9/12%Time=4E6E4789%P=x86_64-unknown-linux-gnu%r(SMBProgNeg,F0,"\x1aPm\xc4\xb8\.\xd0\xee1\x93\x82\x9f\xcb\xb8s\x9bB\xf9\
SF:x95\x17{\x13\xecm\]\xad\xc8\xa2\x19\x08w\xee\xed}:2GuJ-\xc8'\xb3\x0e\x8
SF:btH<\xbb%N\0\]\xba\x12q\xfe\xffy1~\xb1\\Lv\x10;T\x12c\xda\xda\x18\x16\x
SF:91j\xa4#g\xa8\x9cv\x8d\*\xe4\x9fq>I~\t\+qB\x11\xad\x9ee#\x13\x08\xe5D\x
SF:1d&\xdd\[\x14\xad\xd9@W\xdaA\xb41t\xbb\x08b\x08\xfe\x82\xc9gs7#\xe6C\xa
SF:6\nW\xfc\xd2\x8a\x9e\xdc}\.\x12\xb8\xbc\xc7\xb9\xcf\x8dj\xf5z\x98\t7Xw\
SF:xb0\xd3\x1f\xfe\x97\xe9eq\x8a~\xec5\^L&\x88I\xce\x95\xd5\xb7\xe6\xec\xa
SF:0C#V=\xde\xe4\xb2\x870U\xe4\x9b\xf6\x0fRp\x0fnU\xe4N\xb6\xca\xc0X\xfc\x
SF:a52/dY\x11{D\xe7M\xeem\x98\xb8\xb0\xe0\x92\xef\x13u\xa7\*\xf2\?\xc7\x80
SF:\xeb\xae\x9b37\xa3\xac{k")%r(FourOhFourRequest,6C,"HTTP/1\.1\x20400\x20
SF:ERROR\r\nConnection:\x20keep-alive\r\nContent-Length:\x2017\r\nContent-
SF:Type:\x20text/html\r\n\r\n\r\ninvalid\x20request")%r(SIPOptions,7C,"!K\
SF:x10\xa0K\|\xf0\xd6\xed8\x05\x9f\x9c\xf8\x9b\x89\xbe\xa7\x96\x9d\xb7_=\^
SF:\xb7\xc5\xa8Q\x13\x0e\]\xdf\xfa\xc6\xb8\x8e\xd9~y\xc2\xe2\x10s\x14\xf2o
SF:\x92\0yH\x16\xeaV\xbam\xa5\xe2\x9c\x1d}A9\x8aVW\x94\x95\xf1\xbe\x88Y\xe
SF:56\xdcp\xd6\xca\xf7\xd3<\xea\x861\xd4\x8c\xeb\x8e\x95\xb9\xf8\x10\x0e\x
SF:d7M&\xbf\xf1\xaaf\xbc\x82NH\xb9p61\xf6\xfc\xcc\n\)\xe1c\xd2j\?\x01o<\x9
SF:cN\t#")%r(WMSRequest,144,"\xd8kk\x17e\xb7\x91\xa8C\x83\xae\xd6\x0ciO\x9
SF:8\xf3cVZE\x05\xe6\.T\xed\xb2<\xb3\xa4\x17\xcb\xd7\xecM\^wl\x1e\x9e\xbd\
SF:x89\xe2\xaf3\x19~i\xea\x92\x1d\x08\+\x95V\xae\x95\)\xd4\xf8\xa3\xab\xae
SF:c\xef\xe0\xaa\xd55\xe5\xb2\xa1\x16\$G\xe33\xb5\xe0\xf9\xdc\xe4\xa7\+sqB
SF:\x8f\xc2\xf2\xe9\xfd\xf2\x0ey\x1f\xbd\xaf}i\x0c\?}\xf5\(\xad\$\xd8\xcar
SF:\xc0\x9b\x17d\xbb3\xae;\xe5WX\x9e\x1b\xac\xb1\xba\xd6f\xe8\x9c\xb2`\xca
SF:\x8dH\xde{\x9e\x14\xf0\)~\xf8\r\xd6L\xecx\x17\xc5\x962\x13\x0cN\xda/\x9
SF:1\(\x1a\x88\xb8fU\xd5\xccf\xbaD\+\xcb\.8\xd3U\(\xd7\x91@\x19\xf7\x894\x
SF:ac`\x08\xb3\x88w\x8e\x7f\x15n\xe4\x8c/\xf3Y\nK=x\x1a\xa0\xd8\"\x20\x94\
SF:x9c\x8a\x82P\xf0h\xfapv\x0f\x15Q\xc0\xc9\xd0\x8c\xde3\x10\x90\x8a\xb9\x
SF:84y\xd4rB\x0f\xff\x7f\*R\xc2k\xd3~z\xa8\x89@\x93\"3\xa1x\xc5\xb7\xb3H\x
SF:d9\xb8\xfd\x9a\x1f\x12\xd2\xae\xd9\xdb\x1e>>#lD\xd6q\x92\xd6\x82\xfd\xb
SF:4F!\x89\xd2#\]%U\x08RSj\x15\x7f\xcb\xe1\x8c\xd8\xbf\xd3\x0f\xed\xfb\x88
SF:=I=\xc2D&\x16\x1c\x02\x88\xcb_\x92\xf5\xff\xc4\xe2\x18\x20H");
Device type: general purpose|PDA|terminal|media device|phone
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003|PocketPC/CE|Me (96%), Fujitsu Siemens Windows PocketPC/CE (91%), HP Windows PocketPC/CE (91%), Microsoft embedded (91%), AT&T Windows PocketPC/CE (89%)
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (95%), Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows Server 2003 SP2 (x64) (93%), Microsoft Windows XP SP3 (93%), Microsoft Windows XP Professional SP2 or Windows Server 2003 (92%), Microsoft Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=5.00%D=9/12%OT=1723%CT=1%CU=38423%PV=N%DS=7%G=N%TM=4E6E47E4%P=x86_64-unknown-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=0)
OPS(O1=M550NW0NNT00NNS%O2=M550NW0NNT00NNS%O3=M550NW0NNT00%O4=M550NW0NNT00NNS%O5=M550NW0NNT00NNS%O6=M550NNT00NNS)
WIN(W1=4510%W2=4510%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=81%W=4510%O=M550NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=81%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=81%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=81%W=402E%S=O%A=S+%F=AS%O=M550NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=81%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=81%CD=Z)

Network Distance: 7 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.35 seconds
           Raw packets sent: 68143 (3.000MB) | Rcvd: 67683 (2.708MB)
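
The scan above is the whole basis for the "PPTP VPN endpoint" reading: TCP 1723 open with a Windows PPTP banner, the Windows RPC/NetBIOS/SMB ports filtered, one unidentified service, and Windows XP/2003 OS guesses. As an added example that is not part of the thread and not code posted by phantomcircuit, here is a small Python parser for nmap's normal-output port table and OS-guess line, plus a classifier that reproduces that reasoning. The excerpt it runs on is constructed for this example and modelled on the posted scan (the host and port numbers are the ones in the thread); the tag names returned by `classify()` are my own.

```python
"""Parse nmap normal output and flag a likely PPTP VPN endpoint.

Added example for this thread, not code posted by phantomcircuit or part of
nmap. SAMPLE_SCAN below is a CONSTRUCTED excerpt modelled on the posted scan:
the host and port numbers are the ones in the thread, the surrounding lines
follow nmap's normal-output layout. Tag names in classify() are my own.
"""
import re
from dataclasses import dataclass, field

# One row of nmap's port table, e.g. "1723/tcp  open  pptp  Microsoft Windows NT"
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp|sctp)\s+"
    r"(?P<state>open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>\S.*?))?\s*$"
)
# nmap 5.x writes "Interesting ports on X:", newer versions "Nmap scan report for X"
# (single-token host form only; the "name (ip)" form is not handled here)
HOST_LINE = re.compile(r"^(?:Interesting ports on|Nmap scan report for)\s+(?P<host>\S+?):?$")
OS_LINE = re.compile(r"^Aggressive OS guesses:\s*(?P<guesses>.+)$")
# Each guess ends in "(NN%)"; a name may itself contain parentheses such as "(x64)"
GUESS_ITEM = re.compile(r"(?P<name>.+?)\s*\((?P<pct>\d{1,3})%\)")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str = ""


@dataclass
class ScanResult:
    host: str = ""
    ports: list = field(default_factory=list)
    os_guesses: list = field(default_factory=list)   # (name, confidence %) pairs


def parse_nmap(text):
    """Extract host, port table and OS guesses from nmap normal output."""
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            result.host = m.group("host")
            continue
        m = PORT_LINE.match(line)
        if m:
            result.ports.append(Port(
                number=int(m.group("port")),
                proto=m.group("proto"),
                state=m.group("state"),
                service=m.group("service"),
                version=(m.group("version") or "").strip(),
            ))
            continue
        m = OS_LINE.match(line)
        if m:
            for g in GUESS_ITEM.finditer(m.group("guesses")):
                result.os_guesses.append((g.group("name").strip(" ,"), int(g.group("pct"))))
    return result


WINDOWS_RPC_SMB = {135, 137, 138, 139, 445}


def classify(scan):
    """Turn the port table into analyst tags; mirrors the reasoning in the thread."""
    tags = []
    open_tcp = {p.number: p for p in scan.ports if p.state == "open" and p.proto == "tcp"}
    filtered_tcp = {p.number for p in scan.ports if p.state == "filtered" and p.proto == "tcp"}

    pptp = open_tcp.get(1723)
    if pptp is not None and pptp.service.lower() == "pptp":
        tags.append("pptp-vpn-endpoint")          # PPTP control channel answering
        if "windows" in pptp.version.lower():
            tags.append("windows-pptp-server")    # banner names a Windows stack
    # Every Windows RPC/NetBIOS/SMB port filtered while other ports answer or RST
    if WINDOWS_RPC_SMB <= filtered_tcp:
        tags.append("windows-rpc-smb-filtered")
    if any(p.service == "unknown" for p in open_tcp.values()):
        tags.append("unidentified-open-service")
    return tags


def best_os_guess(scan):
    """Highest-confidence OS guess as (name, pct), or None when nmap offered none."""
    if not scan.os_guesses:
        return None
    return max(scan.os_guesses, key=lambda g: g[1])


# CONSTRUCTED excerpt in nmap normal-output layout (not the verbatim posted scan)
SAMPLE_SCAN = """\
Host 46.250.12.63 is up (0.034s latency).
Interesting ports on 46.250.12.63:
Not shown: 65528 closed ports
PORT      STATE    SERVICE      VERSION
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1723/tcp  open     pptp         Microsoft Windows NT (Firmware: 2600)
14891/tcp open     unknown
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (95%), Microsoft Windows Server 2003 SP2 (x64) (93%)
Network Distance: 7 hops
"""

if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    print(scan.host, best_os_guess(scan))
    for p in scan.ports:
        print(f"{p.number}/{p.proto:<4} {p.state:<9} {p.service:<13} {p.version}")
    print("tags:", classify(scan))
```

Caveat for anyone reading the geolocation off this: PPTP runs its control channel on TCP 1723 and carries the tunnelled traffic over GRE (IP protocol 47), which a TCP SYN scan never touches. An open 1723 with a PPTP banner therefore shows that a VPN concentrator sits at this address, not who is behind it, so the country of the IP says where the tunnel exits, not where the attacker is.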

apetersson
September 12, 2011, 06:18:01 PM
 #4

Were you using a Yubikey?
I recently activated mine and I would like to think that my funds are now safe.
JeffK
September 12, 2011, 06:20:16 PM
 #5

Quote
let me guess, you used the same password at mtgox and at bitcointalk.org?

Quote
I use Linux and use unique high entropy passwords,

Quote
unique

The two events aren't related

tvbcof
September 12, 2011, 06:29:14 PM
 #6

Quote
It seems Mt Gox has been broken into again. My account was just liquidated and sent to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

Everyone: Clear out your accounts if you have anything in them.

Actually I would find it rather odd that an attacker would target a developer (unless said developer happened to have a boatload of BTC available for appropriation.)  The ability to do significant development would likely be correlated with both a relatively high ability to understand and investigate the theft, and the ability to solicit a high degree of assistance in doing so.

If I were an attacker with a simple goal of enriching myself, I would certainly not be nailing a Bitcoin developer.  Or at least not on purpose.

Best of luck recovering your BTC, and thanks for the heads-up.

AssemblY
September 12, 2011, 06:30:33 PM
 #7

Is it official? Has someone else had the same problem?

hightax
September 12, 2011, 06:59:58 PM
 #8

Looks like MagicalTux was lying about the wacky trades then.  When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones.  Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.

  • Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forums admins refused to use current-versions (SMF 2.x) of their forums software.  So far nobody's posting accounts have been compromised or hijacked apparently.
  • Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.

Yeah, those two attacks aren't related.

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.  

So... Who said paypal's worse than Bitcoin?  
jed
September 12, 2011, 07:03:11 PM
 #9

Quote
My account was just liquidated and send to a foreign address, the IP of which seems to be in the Ukraine.

Hmm, how can you tell his IP?
fastandfurious
September 12, 2011, 07:04:03 PM
 #10

Please answer this important question. Do you have a Yubikey??
BitcoinPorn
September 12, 2011, 07:05:48 PM
 #11

Quote
Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.

So... Who said paypal's worse than Bitcoin?

Amazingly, I am awaiting for MagicalTux to just whip out his penis and insert it in my anus over and over again (yes, in and out, not just full motions, he has to pull it out and stuff it in).

Still, Bitcoin wins over Paypal nearly every time.      Sadly this is only because when they stuff my ass, it is more consistent and surprisingly more annoying.  I wish they would just do it in one swoop.


Obviously sorry to read about this DiabloD3, I await to see more details and am sorry that no doubt this will cause others to 'give up' on this particular digital currency.   It is looking like NameCoin might have its heyday as long as they keep things so technologically wound up where only a Linux user would touch it, thus making it the safest and most valueless digital currency next to SolidCoin.

BlockHash
September 12, 2011, 07:08:06 PM
 #12

Quote
Looks like MagicalTux was lying about the wacky trades then.  When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones.  Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.

  • Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forums admins refused to use current-versions (SMF 2.x) of their forums software.  So far nobody's posting accounts have been compromised or hijacked apparently.
  • Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.

Yeah, those two attacks aren't related.

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.

So... Who said paypal's worse than Bitcoin?

Agreed. I took all of my BTC out of MTGox and moved them elsewhere. I'm not supporting a potential monopoly or their business practices. The fact that they still support Bruce Wagner is enough for me to sour on them.

wee baby seamus
September 12, 2011, 07:10:05 PM
 #13

That's all I needed to hear. I just withdrew all my USD. I'll leave 1 BTC for curiosity's sake, but I'm not trusting this.

frankly, if you have any of your money left in mtgox you're simply asking for it to be stolen.

get your fucking money out of there now
c_k
September 12, 2011, 07:23:19 PM
 #14

There are plenty of other exchanges to use: https://en.bitcoin.it/wiki/Category:Exchanges

bitdragon
September 12, 2011, 07:27:35 PM
 #15

Quote
That's all I needed to hear. I just withdrew all my USD. I'll leave 1 BTC for curiosity's sake, but I'm not trusting this.

frankly, if you have any of your money left in mtgox you're simply asking for it to be stolen.

get your fucking money out of there now

Why were you even there in the first place? Why are you even in this forum, telling others to get their money out now? Let them be and learn. 
You didn't like them from the start so it's a bit odd that this is all you needed to hear.

I guess it is a very well rounded argument; it finally makes sense. Bravo

gusti
September 12, 2011, 07:30:22 PM
 #16

Quote
Looks like MagicalTux was lying about the wacky trades then.  When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones.  Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.

  • Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forums admins refused to use current-versions (SMF 2.x) of their forums software.  So far nobody's posting accounts have been compromised or hijacked apparently.
  • Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.

Yeah, those two attacks aren't related.

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.

So... Who said paypal's worse than Bitcoin?


repeat with me, mtgox is not bitcoin

hightax
September 12, 2011, 07:31:22 PM
 #17

la la la la I can't hear you my fingers are in my ears

Is your own self affirmation so strong that you can't smell the shit piling up in front of you?

Quote
repeat with me, mtgox is not bitcoin

I didn't say it was.  I said MagicalTux is lying to you.
ElectricMucus
September 12, 2011, 07:32:44 PM
 #18

Damn I have a little money on the way to gox, so I should assume it's gone...

Or is there anything I can do about it? Recalling the wire transfer wouldn't be possible until tomorrow.

JonHind
September 12, 2011, 07:35:34 PM
 #19

I took out my $USD and BTC out of MtGox a week or two ago after they were white-knighting for our beloved convicted fraudster Bruce. It looks as though I made the right decision.

A friend of mine was locked out of his MtGox account last night. I had assumed that his account was one of the 2000 accounts that Marc blocked due to volume trades (my friend was desperately trying to cash out), but it now looks as though his account was hijacked. He just told me that he had a unique secure password too.

gusti
September 12, 2011, 07:38:48 PM
 #20

Quote
la la la la I can't hear you my fingers are in my ears

Is your own self affirmation so strong that you can't smell the shit piling up in front of you?

repeat with me, mtgox is not bitcoin

I didn't say it was.  I said MagicalTux is lying to you.


you miss the question then, correct one is : Who said paypal's worse than mtgox ?
