Bitcoin Forum
December 27, 2024, 02:54:32 AM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 3 4 5 6 7 8 »  All
  Print  
Author Topic: Possible false alarm: MtGox break in  (Read 15391 times)
DiabloD3 (OP)
Legendary
*
Offline Offline

Activity: 1162
Merit: 1000


DiabloMiner author


View Profile WWW
September 12, 2011, 06:05:03 PM
Last edit: September 13, 2011, 04:49:32 AM by DiabloD3
 #1

It seems Mt Gox has been broken into again. My account was just liquidated and send to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

Everyone: Clear out your accounts if you have anything in them.

1.21gigawatts
Member
**
Offline Offline

Activity: 98
Merit: 10


View Profile
September 12, 2011, 06:12:37 PM
 #2

let me guess, you used the same password at mtgox and at bitcointalk.org?
phantomcircuit
Sr. Member
****
Offline Offline

Activity: 463
Merit: 252


View Profile
September 12, 2011, 06:14:24 PM
 #3

I would like to add some information.  The IP address is 46.250.12.63.  It appears to be an endpoint for a p2p pptp based VPN.

So this looks like a reasonably sophisticated attacker.

I would also like to add that I have confidence in Diablo-D3's personal computer security practices. (ie he is most certainly not sharing passwords between the forums and mtgox).

Code:
# nmap -sS -sV -O -PN -n -p 1-65535 -vvvv -T5 46.250.12.63
Starting Nmap 5.00 ( http://nmap.org ) at 2011-09-12 18:52 BST
NSE: Loaded 3 scripts for scanning.
Initiating SYN Stealth Scan at 18:52
Scanning 46.250.12.63 [65535 ports]
Discovered open port 1723/tcp on 46.250.12.63
Warning: Giving up on port early because retransmission cap hit.
SYN Stealth Scan Timing: About 10.81% done; ETC: 18:57 (0:04:16 remaining)
SYN Stealth Scan Timing: About 51.13% done; ETC: 18:54 (0:00:58 remaining)
Discovered open port 14891/tcp on 46.250.12.63
Completed SYN Stealth Scan at 18:54, 90.67s elapsed (65535 total ports)
Initiating Service scan at 18:54
Scanning 2 services on 46.250.12.63
Service scan Timing: About 50.00% done; ETC: 18:58 (0:01:57 remaining)
Completed Service scan at 18:56, 117.08s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 46.250.12.63
Retrying OS detection (try #2) against 46.250.12.63
NSE: Script scanning 46.250.12.63.
NSE: Starting runlevel 1 scan
Initiating NSE at 18:56
Completed NSE at 18:56, 29.76s elapsed
NSE: Script Scanning completed.
Host 46.250.12.63 is up (0.034s latency).
Scanned at 2011-09-12 18:52:51 BST for 241s
Interesting ports on 46.250.12.63:
Not shown: 65528 closed ports
PORT      STATE    SERVICE      VERSION
135/tcp   filtered msrpc
137/tcp   filtered netbios-ns
138/tcp   filtered netbios-dgm
139/tcp   filtered netbios-ssn
445/tcp   filtered microsoft-ds
1723/tcp  open     pptp         Microsoft Windows NT (Firmware: 2600)
14891/tcp open     unknown
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port14891-TCP:V=5.00%I=7%D=9/12%Time=4E6E4789%P=x86_64-unknown-linux-gnu%r(SMBProgNeg,F0,"\x1aPm\xc4\xb8\.\xd0\xee1\x93\x82\x9f\xcb\xb8s\x9bB\xf9\
SF:x95\x17{\x13\xecm\]\xad\xc8\xa2\x19\x08w\xee\xed}:2GuJ-\xc8'\xb3\x0e\x8
SF:btH<\xbb%N\0\]\xba\x12q\xfe\xffy1~\xb1\\Lv\x10;T\x12c\xda\xda\x18\x16\x
SF:91j\xa4#g\xa8\x9cv\x8d\*\xe4\x9fq>I~\t\+qB\x11\xad\x9ee#\x13\x08\xe5D\x
SF:1d&\xdd\[\x14\xad\xd9@W\xdaA\xb41t\xbb\x08b\x08\xfe\x82\xc9gs7#\xe6C\xa
SF:6\nW\xfc\xd2\x8a\x9e\xdc}\.\x12\xb8\xbc\xc7\xb9\xcf\x8dj\xf5z\x98\t7Xw\
SF:xb0\xd3\x1f\xfe\x97\xe9eq\x8a~\xec5\^L&\x88I\xce\x95\xd5\xb7\xe6\xec\xa
SF:0C#V=\xde\xe4\xb2\x870U\xe4\x9b\xf6\x0fRp\x0fnU\xe4N\xb6\xca\xc0X\xfc\x
SF:a52/dY\x11{D\xe7M\xeem\x98\xb8\xb0\xe0\x92\xef\x13u\xa7\*\xf2\?\xc7\x80
SF:\xeb\xae\x9b37\xa3\xac{k")%r(FourOhFourRequest,6C,"HTTP/1\.1\x20400\x20
SF:ERROR\r\nConnection:\x20keep-alive\r\nContent-Length:\x2017\r\nContent-
SF:Type:\x20text/html\r\n\r\n\r\ninvalid\x20request")%r(SIPOptions,7C,"!K\
SF:x10\xa0K\|\xf0\xd6\xed8\x05\x9f\x9c\xf8\x9b\x89\xbe\xa7\x96\x9d\xb7_=\^
SF:\xb7\xc5\xa8Q\x13\x0e\]\xdf\xfa\xc6\xb8\x8e\xd9~y\xc2\xe2\x10s\x14\xf2o
SF:\x92\0yH\x16\xeaV\xbam\xa5\xe2\x9c\x1d}A9\x8aVW\x94\x95\xf1\xbe\x88Y\xe
SF:56\xdcp\xd6\xca\xf7\xd3<\xea\x861\xd4\x8c\xeb\x8e\x95\xb9\xf8\x10\x0e\x
SF:d7M&\xbf\xf1\xaaf\xbc\x82NH\xb9p61\xf6\xfc\xcc\n\)\xe1c\xd2j\?\x01o<\x9
SF:cN\t#")%r(WMSRequest,144,"\xd8kk\x17e\xb7\x91\xa8C\x83\xae\xd6\x0ciO\x9
SF:8\xf3cVZE\x05\xe6\.T\xed\xb2<\xb3\xa4\x17\xcb\xd7\xecM\^wl\x1e\x9e\xbd\
SF:x89\xe2\xaf3\x19~i\xea\x92\x1d\x08\+\x95V\xae\x95\)\xd4\xf8\xa3\xab\xae
SF:c\xef\xe0\xaa\xd55\xe5\xb2\xa1\x16\$G\xe33\xb5\xe0\xf9\xdc\xe4\xa7\+sqB
SF:\x8f\xc2\xf2\xe9\xfd\xf2\x0ey\x1f\xbd\xaf}i\x0c\?}\xf5\(\xad\$\xd8\xcar
SF:\xc0\x9b\x17d\xbb3\xae;\xe5WX\x9e\x1b\xac\xb1\xba\xd6f\xe8\x9c\xb2`\xca
SF:\x8dH\xde{\x9e\x14\xf0\)~\xf8\r\xd6L\xecx\x17\xc5\x962\x13\x0cN\xda/\x9
SF:1\(\x1a\x88\xb8fU\xd5\xccf\xbaD\+\xcb\.8\xd3U\(\xd7\x91@\x19\xf7\x894\x
SF:ac`\x08\xb3\x88w\x8e\x7f\x15n\xe4\x8c/\xf3Y\nK=x\x1a\xa0\xd8\"\x20\x94\
SF:x9c\x8a\x82P\xf0h\xfapv\x0f\x15Q\xc0\xc9\xd0\x8c\xde3\x10\x90\x8a\xb9\x
SF:84y\xd4rB\x0f\xff\x7f\*R\xc2k\xd3~z\xa8\x89@\x93\"3\xa1x\xc5\xb7\xb3H\x
SF:d9\xb8\xfd\x9a\x1f\x12\xd2\xae\xd9\xdb\x1e>>#lD\xd6q\x92\xd6\x82\xfd\xb
SF:4F!\x89\xd2#\]%U\x08RSj\x15\x7f\xcb\xe1\x8c\xd8\xbf\xd3\x0f\xed\xfb\x88
SF:=I=\xc2D&\x16\x1c\x02\x88\xcb_\x92\xf5\xff\xc4\xe2\x18\x20H");
Device type: general purpose|PDA|terminal|media device|phone
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003|PocketPC/CE|Me (96%), Fujitsu Siemens Windows PocketPC/CE (91%), HP Windows PocketPC/CE (91%), Microsoft embedded (91%), AT&T Windows PocketPC/CE (89%)
OS fingerprint not ideal because: Timing level 5 (Insane) used
Aggressive OS guesses: Microsoft Windows XP Professional SP2 (96%), Microsoft Windows XP SP2 (95%), Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2 (94%), Microsoft Windows 2000 SP4 or Windows XP SP2 (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows Server 2003 SP2 (x64) (93%), Microsoft Windows XP SP3 (93%), Microsoft Windows XP Professional SP2 or Windows Server 2003 (92%), Microsoft Windows XP SP2 or SP3 (92%), Microsoft Windows XP SP2 or SP3, or Windows Server 2003 (92%)
No exact OS matches for host (test conditions non-ideal).
TCP/IP fingerprint:
SCAN(V=5.00%D=9/12%OT=1723%CT=1%CU=38423%PV=N%DS=7%G=N%TM=4E6E47E4%P=x86_64-unknown-linux-gnu)
SEQ(SP=102%GCD=1%ISR=10E%TI=I%CI=I%II=I%SS=S%TS=0)
OPS(O1=M550NW0NNT00NNS%O2=M550NW0NNT00NNS%O3=M550NW0NNT00%O4=M550NW0NNT00NNS%O5=M550NW0NNT00NNS%O6=M550NNT00NNS)
WIN(W1=4510%W2=4510%W3=4100%W4=40E8%W5=40E8%W6=402E)
ECN(R=Y%DF=Y%T=81%W=4510%O=M550NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=81%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=81%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=81%W=402E%S=O%A=S+%F=AS%O=M550NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=81%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T7(R=Y%DF=N%T=81%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(R=Y%DF=N%T=81%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)
IE(R=Y%DFI=S%T=81%CD=Z)

Network Distance: 7 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 241.35 seconds
           Raw packets sent: 68143 (3.000MB) | Rcvd: 67683 (2.708MB)

apetersson
Hero Member
*****
Offline Offline

Activity: 668
Merit: 501



View Profile
September 12, 2011, 06:18:01 PM
 #4

were you using a yubikey?
i recently activated mine and i would like to think that my funds are now safe..
JeffK
Sr. Member
****
Offline Offline

Activity: 350
Merit: 250

I never hashed for this...


View Profile
September 12, 2011, 06:20:16 PM
 #5

let me guess, you used the same password at mtgox and at bitcointalk.org?

Quote
I use Linux and use unique high entropy passwords,

Quote
unique

The two events aren't related
tvbcof
Legendary
*
Offline Offline

Activity: 4788
Merit: 1283


View Profile
September 12, 2011, 06:29:14 PM
 #6

It seems Mt Gox has been broken into again. My account was just liquidated and send to a foreign address, the IP of which seems to be in the Ukraine. I assume I was targeted because I'm a Bitcoin developer.

Since I use Linux and use unique high entropy passwords, I am ruling out any nonsense like local trojans.

Everyone: Clear out your accounts if you have anything in them.

Actually I would find it rather odd that an attacker would target a developer (unless said happened to have a boatload of BTC available for appropriation.)  The ability to do significant development would likely be correlated with both a relatively high ability to understand and investigate the theft, and the ability to solicit a high degree of assistance in doing so.

If I were an attacker with a simple goal of enriching myself, I would certainly not be nailing a Bitcoin developer.  Or at least not on purpose.

Best of luck recovering your BTC, and thanks for the heads-up.

sig spam anywhere and self-moderated threads on the pol&soc board are for losers.
AssemblY
Full Member
***
Offline Offline

Activity: 392
Merit: 100



View Profile
September 12, 2011, 06:30:33 PM
 #7

Is official? Someone else had the same problem?  Embarrassed
hightax
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
September 12, 2011, 06:59:58 PM
 #8

Looks like MagicalTux was lying about the wacky trades then.  When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones.  Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.

  • Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forums admins refused to use current-versions (SMF 2.x) of their forums software.  So far nobody's posting accounts have been compromised or hijacked apparently.
  • Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.

Yeah, those two attacks aren't related.

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.  

So... Who said paypal's worse than Bitcoin?  
jed
Full Member
***
Offline Offline

Activity: 182
Merit: 107

Jed McCaleb


View Profile WWW
September 12, 2011, 07:03:11 PM
 #9

Quote
My account was just liquidated and send to a foreign address, the IP of which seems to be in the Ukraine.

Hmm how can you tell his IP?

stellar.org   |    twitter
fastandfurious
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
September 12, 2011, 07:04:03 PM
 #10

Please answer this important question. Do you have a Yubikey??
BitcoinPorn
Hero Member
*****
Offline Offline

Activity: 630
Merit: 500


Posts: 69


View Profile WWW
September 12, 2011, 07:05:48 PM
 #11

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.  

So... Who said paypal's worse than Bitcoin?  

Amazingly, I am awaiting for MagicalTux to just whip out his penis and insert it in my anus over and over again (yes, in and out, not just full motions, he has to pull it out and stuff it in).

Still, Bitcoin wins over Paypal nearly every time.      Sadly this is only because when they stuff my ass, it is more consistent and surprisingly more annoying.  I wish they would just do it in one swoop.


Obviously sorry to read about this DiabloD3, I await to see more details and am sorry that no doubt this will cause others to 'give up' on this particular digital currency.   It is looking like NameCoin might have it's hey day as long as they keep things so technologically wound up where only a Linux user would touch it, thus making it the safest and most valueless digital currency next to SolidCoin.

BlockHash
Full Member
***
Offline Offline

Activity: 406
Merit: 100



View Profile
September 12, 2011, 07:08:06 PM
 #12

Looks like MagicalTux was lying about the wacky trades then.  When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones.  Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.

  • Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forums admins refused to use current-versions (SMF 2.x) of their forums software.  So far nobody's posting accounts have been compromised or hijacked apparently.
  • Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.

Yeah, those two attacks aren't related.

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.  

So... Who said paypal's worse than Bitcoin?  

Agreed. I took all of my BTC out of MTGox and moved them elsewhere. I'm not supporting a potential monopoly or their business practices. The fact that they still support Bruce Wagner is enough for me to sour on them.
wee baby seamus
Newbie
*
Offline Offline

Activity: 15
Merit: 0


View Profile
September 12, 2011, 07:10:05 PM
 #13

thats all i needed to hear. i just withdrew all my USD. i'll leave 1 BTC out of curriosity sake, but i'm not trusting this.

frankly, if you have any of your money left in mtgox you're simply asking for it to be stolen.

get your fucking money out of there now
c_k
Donator
Full Member
*
Offline Offline

Activity: 242
Merit: 100



View Profile
September 12, 2011, 07:23:19 PM
 #14

There are plenty of other exchanges to use: https://en.bitcoin.it/wiki/Category:Exchanges

bitdragon
Hero Member
*****
Offline Offline

Activity: 609
Merit: 501


peace


View Profile WWW
September 12, 2011, 07:27:35 PM
 #15

thats all i needed to hear. i just withdrew all my USD. i'll leave 1 BTC out of curriosity sake, but i'm not trusting this.

frankly, if you have any of your money left in mtgox you're simply asking for it to be stolen.

get your fucking money out of there now

Why were you even there in the first place? Why are you even in this forum, telling others to get their money out now? Let them be and learn. 
You didn't like them from the start so it's a bit odd that this is all you needed to hear.

I guess it is a very well rounded argument; it finally makes sense. Bravo

gusti
Legendary
*
Offline Offline

Activity: 1099
Merit: 1000


View Profile
September 12, 2011, 07:30:22 PM
 #16

Looks like MagicalTux was lying about the wacky trades then.  When Mtgox got rooted the first time, everyone was forced to change their passwords to new, more complex ones.  Here we've got a prime example of somebody who's got both complex and DIFFERENT passwords on each site, and he still had his mtgox wallet stolen.

  • Bitcointalk had a comedy javascript added to the bottom of the page via unsanitized input because the forums admins refused to use current-versions (SMF 2.x) of their forums software.  So far nobody's posting accounts have been compromised or hijacked apparently.
  • Mtgox had some clearly chaotic trading activity on Sunday 9/11/2011, which was sourced from a ton of accounts that had different/more complex password requirements than bitcointalk forum accounts.

Yeah, those two attacks aren't related.

Magicaltux is lying to you, and he now controls both Bitcointalk and Mtgox.  

So... Who said paypal's worse than Bitcoin?  


repeat with me, mtgox is not bitcoin

If you don't own the private keys, you don't own the coins.
hightax
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
September 12, 2011, 07:31:22 PM
 #17

la la la la I can't hear you my fingers are in my ears

Is your own self affirmation so strong that you can't smell the shit piling up in front of you?

repeat with me, mtgox is not bitcoin

I didn't say it was.  I said MagicalTux is lying to you.
ElectricMucus
Legendary
*
Offline Offline

Activity: 1666
Merit: 1057


Marketing manager - GO MP


View Profile WWW
September 12, 2011, 07:32:44 PM
 #18

Damn I have a little money on the way to gox, so I should assume it's gone...

Or is there anything I can do about it? Recalling the wire transfer wouldn't be possible until tomorrow..   Undecided
JonHind
Full Member
***
Offline Offline

Activity: 154
Merit: 100



View Profile
September 12, 2011, 07:35:34 PM
 #19

I took out my $USD and BTC out of MtGox a week or two ago after they were white-knighting for our beloved convicted fraudster Bruce. It looks as though I made the right decision,

A friend of mine was locked out of his MtGox account last night. I had assumed that his account was one of the 2000 accounts that Marc blocked due to volume trades (my friend was desperately trying to cash out), but it now looks as though his account was hijacked. He just told me that he had a unique secure password too.

gusti
Legendary
*
Offline Offline

Activity: 1099
Merit: 1000


View Profile
September 12, 2011, 07:38:48 PM
 #20

la la la la I can't hear you my fingers are in my ears

Is your own self affirmation so strong that you can't smell the shit piling up in front of you?

repeat with me, mtgox is not bitcoin

I didn't say it was.  I said MagicalTux is lying to you.


you miss the question then, correct one is : Who said paypal's worse than mtgox ?

If you don't own the private keys, you don't own the coins.
Pages: [1] 2 3 4 5 6 7 8 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!