Bitcoin Forum
December 06, 2016, 04:07:03 PM
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
Author Topic: BitMarket.Eu has closed down  (Read 182445 times)
BrainGame (Newbie, Activity: 8)
February 14, 2013, 02:55:26 PM, #781

I also like to see this restart of bitmarket.eu as a chance to a) win the community back and b) get the users' money back step by step, but of course as fast as possible. What I actually don't want, even if it might have sounded like it from my post before, is someone going to jail. Maver is surely a clever man and did a lot of programming / server maintenance and implementing new features demanded by us, so on this side he doesn't deserve the "scammer" tag. On the other side he did take monetary values which he didn't own and which were entrusted to him. Which is, even with one blind eye, criminal. So now he's still a normal man with (hopefully) no entries in his certificate of conduct at the police, but as soon as someone gets the lawyers moving he surely will be judged. The entry will be in his papers for a lifetime, so he is marked as a bad guy for his whole life. No one can really be interested in making another person's life hell or playing god in this matter. As I stated, I don't know him, so I also don't know if he has a family, kids, whatever. Any judicial meddling would have a heavy impact on himself and the people around him.

I don't know if many users are coming back to bitmarket after the events that happened; also no one can say how long the site will work out for everyone. Mr Albi, if you're sure about your work - go on please. The site was very useful to a lot of people and will be more useful still with more features. But the users need a sign that they've not lost everything. A debt to a bank of 200.000 or 300.000 Euro is insane to repay; it happens that someone's children are called to duty for their parents' debts. But say 1/3 of all the needed money should come from Maver, some money from the investors if they wish, and in the end all users will be repaid with say 40%/50% in the first month and the remainder step by step. This is a much better deal for everyone than now 10% and 90% lost. So the users see they're not forgotten and there IS a business plan to resolve this over one or two years. And Maver sees he's also not forgotten and can receive help when he shows some risky initiative.

Send me some Bitcent, if you like my comments!
14d6eS3md9Kvx1LRGSoTZ2vK5V47kRGGaU

;-)
GsR (Jr. Member, Activity: 34)
February 14, 2013, 04:02:34 PM, #782

I also like to see this restart of bitmarket.eu as a chance to a) win the community back and b) get the users' money back step by step, but of course as fast as possible. What I actually don't want, even if it might have sounded like it from my post before, is someone going to jail. Maver is surely a clever man and did a lot of programming / server maintenance and implementing new features demanded by us, so on this side he doesn't deserve the "scammer" tag. On the other side he did take monetary values which he didn't own and which were entrusted to him. Which is, even with one blind eye, criminal. So now he's still a normal man with (hopefully) no entries in his certificate of conduct at the police, but as soon as someone gets the lawyers moving he surely will be judged. The entry will be in his papers for a lifetime, so he is marked as a bad guy for his whole life. No one can really be interested in making another person's life hell or playing god in this matter. As I stated, I don't know him, so I also don't know if he has a family, kids, whatever. Any judicial meddling would have a heavy impact on himself and the people around him.

I don't know if many users are coming back to bitmarket after the events that happened; also no one can say how long the site will work out for everyone. Mr Albi, if you're sure about your work - go on please. The site was very useful to a lot of people and will be more useful still with more features. But the users need a sign that they've not lost everything. A debt to a bank of 200.000 or 300.000 Euro is insane to repay; it happens that someone's children are called to duty for their parents' debts. But say 1/3 of all the needed money should come from Maver, some money from the investors if they wish, and in the end all users will be repaid with say 40%/50% in the first month and the remainder step by step. This is a much better deal for everyone than now 10% and 90% lost. So the users see they're not forgotten and there IS a business plan to resolve this over one or two years. And Maver sees he's also not forgotten and can receive help when he shows some risky initiative.

I think that a business plan can be done with a longer deadline of about 5 years and with the contribution of the community, which is essential at this point. Also it must be clear that any business plan has some possibility to fail ...
BCB (CTG, VIP, Legendary, Activity: 966; BCJ)
February 14, 2013, 04:56:07 PM, #783

Sounds like this maver was a talented programmer but not a very smart businessman.

Judging from his photo he seems VERY young so he is probably shitting in his pants right now.

Many of your comments suggest that this was a good and valuable exchange.

Maybe a responsible party or parties should step up to take financial responsibility for the site and keep m4v3r on as an UNPAID sys admin to pay off some of his debt.

I have no idea how you could recover the lost sole with exchange fees.

If you got a legal route.

1. you would have to convince a government that your bitconz had real world value.
2. Get a civil court to file a judgement against him to recover the loss from future earnings.  (again that could take years.)
manfred (Hero Member, Activity: 924; "Energy is Wealth")
February 14, 2013, 06:21:09 PM, #784

Oh what a mess.
Jail is a lose-lose situation. If we "win" he (or both) get(s) locked up for however long and their (his) life is ruined.  If one of us lives in the same country (my understanding is Maciej Trębacz the programmer alias "m4v3r" lives in Poland and Mahkul the boss in Ireland) we go to work, pay tax, so we can feed him and lose the coins as well.

Bitcoin itself is rock solid, but as we all can see there are still weak spots which are a threat to the coin itself. Who is to say that another exchange won't shut up shop tomorrow and the owner(s), say, live in Barbados. That's why, as a community, if there is any way forward with this large existing user base it's an opportunity which should be used and built upon if in any way possible.
The unique difference to any other new or existing exchange is its large respectable new owners base, contrary to some shady characters in a garage who close down at any given day. The current trouble should give the user the confidence that that won't happen ever again.  The volume and number of trades, in say two years' time, should be many times more than it has been last year on the site simply because many people will be promoting it in their respective region either verbally, with web-links or on forums......

How about current owner(s) pay 50% immediately taking out a bank loan (far better than having a criminal conviction and jail time) and for the other half we find a business plan depending on the outcome of the questionnaire. 4-5 years is a reasonable time-frame for the business.

The donate option in the questionnaire is obviously meant for someone with a very small amount or a fraction of a coin.

Class action lawsuit yes, he (they) would pay for the rest of his (their) life.

The worst part is the silence of the two.
BCB (CTG, VIP, Legendary, Activity: 966; BCJ)
February 14, 2013, 09:35:12 PM, #785

This would probably be a civil matter not a criminal matter so no one will be going to jail.
defxor (Hero Member, Activity: 530)
February 15, 2013, 01:20:51 PM, #786

If you got a legal route.

1. you would have to convince a government that your bitconz had real world value.
2. Get a civil court to file a judgement against him to recover the loss from future earnings.  (again that could take years.)

This is most likely not an issue at all. Within the EU you can assume it's a criminal case and the courts will convict. Please read the following:

http://www.virtualpolicy.net/runescape-theft-dutch-supreme-court-decision.html

There is no plausible "investment" scenario that will ever pay anyone back their bitcoins. The only way to make sure scammers stop scamming is to start convicting some - and this is probably the best case to start with of all available.

unixdude (Jr. Member, Activity: 46; "Bitcoin .. and the INTERNET!")
February 15, 2013, 07:59:28 PM, #787

Site seems to be down at the moment - if anyone can get hold of the admin it would be appreciated, as I was going to start using the site again.
globos (Newbie, Activity: 8)
February 15, 2013, 09:48:16 PM, #788

And he's not been posting here for some time... worrying.
unixdude (Jr. Member, Activity: 46; "Bitcoin .. and the INTERNET!")
February 15, 2013, 10:15:01 PM, #789

And he's not been posting here for some time... worrying.

Yup I had 57 coins on sale as well :p

M4v3R (Hero Member, Activity: 607)
February 16, 2013, 07:10:51 AM, #790

I'm sorry about that, I wasn't available at the moment and the bitcoind daemon crashed.
I've restarted it and the site should be up again in a minute.

Also, over the weekend we'll prepare an update about the situation.

Edit: Still "loading wallet...". The wallet.dat is already over 200 MB, so it's very time consuming for bitcoind to start up.

Edit 2: It's up!

[Added at 14:33 CET]
There is another problem with the site which I'm now investigating; that's why it was temporarily closed. Please stay tuned for more information.
mralbi (Sr. Member, Activity: 254)
February 16, 2013, 03:16:58 PM, #791

Dear all,
this bullshitting around and lack of transparency is unacceptable for me! Earlier today I received the following email from the admin, which I decided to share here now, since the admin ignored my ultimatum to inform everybody on this on his own initiative:

"Hello,

I wanted to share some very bad news with you. Yesterday, in the middle of the night, someone hacked into the Bitmarket database and managed to modify his account. Then, he withdrew ~610 BTC from the site. He left about 100 BTC in the wallets.

Right now I'm investigating what happened. It seems that he managed to somehow find my administration console for the database, which wasn't under any guessable name. This console was password protected (a very long, random password) but he still managed to overcome this somehow. I'm still investigating how this could happen. Right now I've removed this console entirely to prevent any further damage, but I'm devastated. I wrote a message to the email he registered with (chinabig01@gmail.com) literally begging him to return the stolen BTC. If he has any conscience, maybe he'll give it back. But at the moment we are 600 BTC short, and if this sees the light of day (i.e. people want to withdraw more than the 92 BTC that's currently in the wallets), we're totally screwed.

I know it's much to ask, but do you have any Bitcoins available right now to fill this gap temporarily? There is a small chance that the thief will give this back, but until then… I really don't know what to do now. I didn't have the luxury to screw up again, and when things started to go on the right track, this happens. All this makes me want to kill myself. My hands are shaking right now. I won't do this, because I have people to repay. I hope this turns out good… Sorry, I don't have any other idea right now, I just wanted to be 100% honest with you and inform you on this as soon as I saw what happened.
"

I asked him to close down the site immediately and inform everybody, but he refused to do so and also ignored my ultimatum for this. Now the site is at least closed so no one can make pay-ins anymore, but without any information, which is still unacceptable.

I don't even want to know what is behind this story, but the fact is: the site is obviously insecure and everyone should be informed about incidents like this immediately! I am totally upset that I was asked for basically my whole planned investment capital to help out to "hide" the further loss of bitcoins! The idea that I would fill in "gaps" temporarily is just ridiculous.

If it is true that further coins were lost the site should close down immediately, and even when I did not like the idea of liquidation earlier I do not see any other way out anymore.

Let's see if we would now get an "official" update on the situation!
manfred (Hero Member, Activity: 924; "Energy is Wealth")
February 16, 2013, 03:45:30 PM, #792

I was about to post a draft solution to get everyone 100% of the on-hold bitcoins back.
Well, "mralbi"'s last post put a hold on that idea. Thanks for the info.
M4v3R (Hero Member, Activity: 607)
February 16, 2013, 03:53:32 PM, #793

I've closed down the site earlier and basically I'm all day in front of the computer right now trying to figure out how the hell this happened. I didn't want to share any information until I knew exactly what the cause of this hack was. What I do know is that the server was compromised in a way that let the attacker know how to access the MySQL database remotely. No hole in the scripts was used from what I can tell right now. I don't have any other information to share, though. I hoped to post here some relevant information after I knew something, but if that's the case...

I don't know what to say now, really. I really, really wanted this to work. The questionnaire ended yesterday and the results were really promising. And now this hack.

The site is not insecure by itself, at least that's the conclusion after my analysis from today. It's true that it was probably me who screwed up by leaving a security hole somewhere in the server setup. Maybe it was in PHP, maybe in Apache, or maybe someone sniffed my password to SFTP. That's what I'm trying to solve now. I also wanted to cover this from my own assets gradually, do a security audit on the site, and then go on with the restoration plan. I really hope that, despite this being another sad event for Bitmarket, some people will agree with me on this, that it's better to move on with it than just give up.

Edit: This is the address the Bitcoin were withdrawn to:

http://blockchain.info/pl/address/1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49

Edit 2: The hacker didn't withdraw all that was there; there was ~120 BTC left. I don't know why he withdrew precisely 620.00 BTC.

The current balance on the site is 54 BTC, and user account balances total exactly 659.13716811 BTC. So there's about 600 BTC missing...
xyz (Sr. Member, Activity: 435)
February 16, 2013, 04:35:04 PM, #794

...
Edit 2: The hacker didn't withdraw all that was there; there was ~120 BTC left. I don't know why he withdrew precisely 620.00 BTC.
...

Perhaps somebody saw no possibility to get back his bitcoins from the owner of bitmarket - so he took the coins himself! Maybe his amount at the site was about 620 bitcoins and therefore he took not all - only HIS coins!?
Maybe a good idea...
BCB (CTG, VIP, Legendary, Activity: 966; BCJ)
February 16, 2013, 04:47:56 PM, #795

Sorry guys. This has stunk of fraud from the beginning.
M4v3R (Hero Member, Activity: 607)
February 16, 2013, 06:31:31 PM, #796

Sorry guys. This has stunk of fraud from the beginning.

From exactly what beginning? What is your opinion based on? Did I run, regardless of what happened? Did I hide the fact that the Bitcoins were stolen from my investors, or even users? (As I said, I only wanted to wait until evening to post the announcement, because I had to investigate what happened exactly.) I was working hard to fix this and everything was right on track. If this incident hadn't happened, soon Bitmarket would have been reborn as a new, better site, with new management and features. There would be a chance for many people to profit from it. And here, if the investors decide to abandon the project (which I still hope they won't), everybody loses. That includes me, really hard.

Anyway, no matter what happens, I want to push this thing forward. I will spend time and funds necessary to audit the site, change all credentials, probably move it to another server, and then reopen it with the proper security. I'm open to all suggestions. This hit was a big one, but I won't give up on this. I made a promise to my users and I will fulfill it.
crazy573 (Full Member, Activity: 171)
February 16, 2013, 06:45:50 PM, #797

Why was there 600 in a hot wallet? Without cold storage you always take a big risk.
M4v3R (Hero Member, Activity: 607)
February 16, 2013, 07:17:02 PM, #798

Why was there 600 in a hot wallet? Without cold storage you always take a big risk.

It went up to 600 very quickly. And I didn't want to move any coins offline because at this stage, if people couldn't withdraw for any reason, they would be very nervous (it already happened once).

After the transition it would be the case - ~90% in cold storage and 10% for daily operations. I'm even considering encrypting the private keys with user password, so the attacker can't just use them without user's credentials.

[Added on 17.02.2013, 08:10]

Details about the hack follow:

On February 14th, 01:17:21 GMT+1, the attacker approached the website's MySQL administration console, as can be seen in the log below:

Code:
178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The IP address 178.177.206.245 was used throughout the hack, and wasn't used on the site before. It does not look like a proxy server, and the address comes from Moscow, Russia. The script, which is a well-known MySQL administration toolkit, was located at a randomly chosen (by me) filename (adminer-[eight random chars].php). The logs don't show any signs of guessing; he knew this filename somehow (more on this later).

Knowing the script's filename is not enough, because you still have to know the MySQL credentials. They are stored in only one place, a config.php file, accessible only to the website scripts. The password was 16 characters long and random: cVPzBh54N6bfdbmb (I've already changed it). Yet the attacker somehow, again without guessing, logged in to the console without a problem.

Having writable access to the whole database, he could do whatever he wanted, really. He adjusted his account's record with a new 'bitcoins' figure, and then even made a fictional transaction to point at his account (this was sloppy though, because he changed an existing one from last year, which stood out because this transaction seemed to be made before he even registered).

Then, he proceeded to the site itself. According to my logs, this is how it went:
- First, he tried to log in to mralbi's account with a password that was supposedly leaked a year ago from another site. He failed at this.
- Then, he tried to access sonba's account (another high-profile user of Bitmarket, also known on the forums). He succeeded, but for some reason he didn't do anything there (just logged in, and two minutes later, logged out).
- Finally, he went to create a new account. The details are as follows:
Code:
    [username] => chinabig01
    [email] => chinabig01@gmail.com
    [password] => c....1
    [country] => fi
- If you google this email address, you will notice that it's not a disposable address. It was used as early as 2009 on various sites (even one Bitcoin site - forbitcoin.com). Also, the username he chose is the same as on those sites. And the password seems to be his username (I don't store sent passwords in server logs, but for critical situations like this I keep the first and last letter to prove that someone used the legitimate password of the owner. I know it lowers the password entropy, but if you use a long password, as you should, it doesn't matter).
- He then activated his account using his email.
- In account settings he set the withdrawal address to 1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49. Again, he confirmed this change by his email.
- Then he proceeded to withdraw the funds. He first withdrew 1 BTC (to test if it worked, I think), then 9 BTC. Finally, he withdrew 55.4561581 and 554.5438419 BTC, which all totals the 620 BTC you can see in the blockchain.
- After that, he went to the transactions page to see if the transaction he made up was there, and logged out. I haven't seen this IP on the site since then.

Now, after reading this, there are some legitimate questions that one could ask: How on earth could this person know the filename of a script that wasn't posted ANYWHERE? How did he know the MySQL password? I don't know yet. I've asked my hosting provider those questions and hope to get some answers. There are a few possibilities, but at this point it's only guessing:
- there was a flaw in server software. The most critical parts are: Bitcoin client, Apache, PHP, MySQL. The Bitcoin client at that time was at version 0.6.1, I believe. The reason for that was that when 0.7 came out, it didn't want to work with my wallet for some reason. I didn't want to risk any corruption, so I reverted to 0.6.x. The other bits were using fairly up-to-date software (not the latest point releases, but judging from the changelogs for these, there weren't any flaws fixed in them that could cause this).
- it was an inside job. Possible candidates are: someone from the hosting company (which is hard to believe and literally can't be proven) or my old partner (which I don't believe, because he also had some Bitcoins on the site when this happened and they were lost as well. He also didn't know that this MySQL admin tool existed; I installed it later).
- someone hijacked my SSH details. I've looked at the auth.log and that doesn't seem to be the case.
- a flaw in the website's code. I believe it's not the case, because remote code execution (and that's what was needed for this) is fairly easy to spot, and I looked again at the code yesterday and didn't find anything. The codebase is pretty small and straightforward. Also, I was looking through the Apache access logs and didn't find any trace of this.
- something else that I didn't think of

Steps that I've taken so far:
- gathered all necessary information and passed it to the hosting company
- changed my SSH password and bitmarket's MySQL password (root password is totally separate, never used anywhere and not stored anywhere)
- removed all remote access to MySQL
- downloaded site logs for further analysis.

[Added on 17.02.2013, 22:26]

Sadly, it turned out that it was my SSH account that was hacked. I don't want to disclose any other information at the moment, because I'm still doing an investigation that could lead me to the hacker. I will provide more information very soon.
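Two of the checks this write-up implies, as an added example (not code from the thread or from Bitmarket): an access-log scan that flags a hit on the hidden admin console by an IP with no earlier request (the attacker's first request was the console itself, with no guessing visible), and a ledger cross-check that catches a balance edited directly in the database, a credit dated before its account existed, and the gap between user balances and wallet funds. All IPs (TEST-NET ranges), users, paths and amounts below are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from decimal import Decimal

# Apache "combined" log format, the same layout as the line quoted in the thread.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)
# The hidden console lived at adminer-<eight random chars>.php.
ADMIN_RE = re.compile(r'^/adminer-[A-Za-z0-9]{8}\.php(?:\?.*)?$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(lines):
    """Parse combined-format lines into dicts sorted by timestamp; junk lines are skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], TS_FMT)
        entries.append(e)
    entries.sort(key=lambda e: e["ts"])
    return entries


def admin_console_from_new_ip(entries):
    """Flag admin-console requests from an IP with no earlier request in the log.

    A client whose very first request is the secret console path did not browse or
    guess its way there; it already knew the name. Returns (ip, iso ts, path, status)."""
    seen = set()
    alerts = []
    for e in entries:
        if e["ip"] not in seen and ADMIN_RE.match(e["path"]):
            alerts.append((e["ip"], e["ts"].isoformat(), e["path"], e["status"]))
        seen.add(e["ip"])
    return alerts


def ledger_anomalies(accounts, transactions, wallet_balance):
    """Cross-check the stored balance column against the transaction table.

    accounts:     {user: {"registered": datetime, "bitcoins": Decimal}}
    transactions: [{"user", "amount", "time"}], credits positive, withdrawals negative.
    Returns (findings, shortfall): findings is a list of (kind, user, amount);
    shortfall is total user balances minus what the wallet actually holds."""
    findings = []
    per_user = defaultdict(Decimal)
    for tx in transactions:
        acct = accounts.get(tx["user"])
        if acct is None:
            findings.append(("orphan_transaction", tx["user"], tx["amount"]))
            continue
        # A credit dated before the account existed is the forged record the thread mentions.
        if tx["time"] < acct["registered"]:
            findings.append(("predates_registration", tx["user"], tx["amount"]))
        per_user[tx["user"]] += tx["amount"]
    for user, acct in accounts.items():
        # A balance edited directly in the database no longer equals its own history.
        if acct["bitcoins"] != per_user[user]:
            findings.append(("balance_mismatch", user, acct["bitcoins"] - per_user[user]))
    liabilities = sum((a["bitcoins"] for a in accounts.values()), Decimal(0))
    return findings, liabilities - wallet_balance


# Constructed sample data (TEST-NET addresses, made-up users and amounts).
SAMPLE_LOG = [
    '198.51.100.5 - - [13/Feb/2013:22:10:02 +0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.5 - - [13/Feb/2013:22:10:09 +0400] "POST /login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-abcd1234.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [14/Feb/2013:04:18:40 +0400] "POST /adminer-abcd1234.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    "this line is not in log format and is skipped",
]
SAMPLE_ACCOUNTS = {
    "alice": {"registered": datetime(2012, 3, 1), "bitcoins": Decimal("30")},
    # balance column edited to 620, backed by a credit dated before the account existed
    "mallory": {"registered": datetime(2013, 2, 14, 0, 50), "bitcoins": Decimal("620")},
}
SAMPLE_TX = [
    {"user": "alice", "amount": Decimal("30"), "time": datetime(2012, 4, 2)},
    {"user": "mallory", "amount": Decimal("600"), "time": datetime(2012, 6, 1)},
]

if __name__ == "__main__":
    for alert in admin_console_from_new_ip(parse_access_log(SAMPLE_LOG)):
        print("admin console hit by first-seen IP:", alert)
    findings, shortfall = ledger_anomalies(SAMPLE_ACCOUNTS, SAMPLE_TX, Decimal("54"))
    for finding in findings:
        print("ledger:", finding)
    print("user balances exceed wallet funds by", shortfall, "BTC")
```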
unixdude (Jr. Member, Activity: 46; "Bitcoin .. and the INTERNET!")
February 17, 2013, 08:13:33 AM, #799

Why was there 600 in a hot wallet? Without cold storage you always take a big risk.

It went up to 600 very quickly. And I didn't want to move any coins offline because at this stage, if people couldn't withdraw for any reason, they would be very nervous (it already happened once).

After the transition it would be the case - ~90% in cold storage and 10% for daily operations. I'm even considering encrypting the private keys with user password, so the attacker can't just use them without user's credentials.

[Added on 17.02.2013, 08:10]

Details about the hack follow:

On February 14th, 01:17:21 GMT+1, the attacker approached the website's MySQL administration console, as can be seen in the log below:

Code:
178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The IP address 178.177.206.245 was used throughout the hack, and wasn't used on the site before. It does not look like a proxy server, and the address comes from Moscow, Russia. The script, which is a well-known MySQL administration toolkit, was located at a randomly chosen (by me) filename (adminer-[eight random chars].php). The logs don't show any signs of guessing; he knew this filename somehow (more on this later).

Knowing the script's filename is not enough, because you still have to know the MySQL credentials. They are stored in only one place, a config.php file, accessible only to the website scripts. The password was 16 characters long and random: cVPzBh54N6bfdbmb (I've already changed it). Yet the attacker somehow, again without guessing, logged in to the console without a problem.

Having writable access to the whole database, he could do whatever he wanted, really. He adjusted his account's record with a new 'bitcoins' figure, and then even made a fictional transaction to point at his account (this was sloppy though, because he changed an existing one from last year, which stood out because this transaction seemed to be made before he even registered).

Then, he proceeded to the site itself. According to my logs, this is how it went:
- First, he tried to log in to mralbi's account with a password that was supposedly leaked a year ago from another site. He failed at this.
- Then, he tried to access sonba's account (another high-profile user of Bitmarket, also known on the forums). He succeeded, but for some reason he didn't do anything there (just logged in, and two minutes later, logged out).
- Finally, he went to create a new account. The details are as follows:
Code:
    [username] => chinabig01
    [email] => chinabig01@gmail.com
    [password] => c....1
    [country] => fi
- If you google this email address, you will notice that it's not a disposable address. It was used as early as 2009 on various sites (even one Bitcoin site - forbitcoin.com). Also, the username he chose is the same as on those sites. And the password seems to be his username (I don't store sent passwords in server logs, but for critical situations like this I keep the first and last letter to prove that someone used the legitimate password of the owner. I know it lowers the password entropy, but if you use a long password, as you should, it doesn't matter).
- He then activated his account using his email.
- In account settings he set the withdrawal address to 1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49. Again, he confirmed this change by his email.
- Then he proceeded to withdraw the funds. He first withdrew 1 BTC (to test if it worked, I think), then 9 BTC. Finally, he withdrew 55.4561581 and 554.5438419 BTC, which all totals the 620 BTC you can see in the blockchain.
- After that, he went to the transactions page to see if the transaction he made up was there, and logged out. I haven't seen this IP on the site since then.

Now, after reading this, there are some legitimate questions that one could ask: How on earth could this person know the filename of a script that wasn't posted ANYWHERE? How did he know the MySQL password? I don't know yet. I've asked my hosting provider those questions and hope to get some answers. There are a few possibilities, but at this point it's only guessing:
- there was a flaw in server software. The most critical parts are: Bitcoin client, Apache, PHP, MySQL. The Bitcoin client at that time was at version 0.6.1, I believe. The reason for that was that when 0.7 came out, it didn't want to work with my wallet for some reason. I didn't want to risk any corruption, so I reverted to 0.6.x. The other bits were using fairly up-to-date software (not the latest point releases, but judging from the changelogs for these, there weren't any flaws fixed in them that could cause this).
- it was an inside job. Possible candidates are: someone from the hosting company (which is hard to believe and literally can't be proven) or my old partner (which I don't believe, because he also had some Bitcoins on the site when this happened and they were lost as well. He also didn't know that this MySQL admin tool existed; I installed it later).
- someone hijacked my SSH details. I've looked at the auth.log and that doesn't seem to be the case.
- a flaw in the website's code. I believe it's not the case, because remote code execution (and that's what was needed for this) is fairly easy to spot, and I looked again at the code yesterday and didn't find anything. The codebase is pretty small and straightforward. Also, I was looking through the Apache access logs and didn't find any trace of this.
- something else that I didn't think of

Steps that I've taken so far:
- gathered all necessary information and passed it to the hosting company
- changed my SSH password and bitmarket's MySQL password (root password is totally separate, never used anywhere and not stored anywhere)
- removed all remote access to MySQL
- downloaded site logs for further analysis.

Right ...... just hope you have enough to refund my coins I had on sale there as I really don't have time for this shit to put it plainly.

unixdude (Jr. Member, Activity: 46; "Bitcoin .. and the INTERNET!")
February 17, 2013, 08:17:40 AM, #800

Why was there 600 in a hot wallet? Without cold storage you always take a big risk.

It went up to 600 very quickly. And I didn't want to move any coins offline because at this stage, if people couldn't withdraw for any reason, they would be very nervous (it already happened once).

After the transition it would be the case - ~90% in cold storage and 10% for daily operations. I'm even considering encrypting the private keys with user password, so the attacker can't just use them without user's credentials.

[Added on 17.02.2013, 08:10]

Details about the hack follow:

On February 14th, 01:17:21 GMT+1, the attacker approached the website's MySQL administration console, as can be seen in the log below:

Code:
178.177.206.245 - - [14/Feb/2013:04:17:21 +0400] "GET /adminer-iuqgs124.php HTTP/1.1" 200 2325 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0"

The IP address 178.177.206.245 was used throughout the hack, and wasn't used on the site before. It does not look like a proxy server, and the address comes from Moscow, Russia. The script, which is a well known MySQL administration toolkit was located at a randomly chosen (by me) filename (adminer-[eight random chars].php). The logs doesn't show any signs of guessing, he knew this filename somehow (more on this later).

Knowing the script's filename is not enough, because you still have to know the MySQL credentials. They are stored only in one place, in a config.php file, accessible only to website scripts. The password was 16 characters long and random: cVPzBh54N6bfdbmb (I've already changed it). Yet, the attacker somehow, again, without guessing, logged in to the console without a problem.

Having writable access to the whole database, he could do whatever he wanted really. He adjusted his account's record with a new 'bitcoins' figure, and then even made a fictional transaction to point at his account (this was sloppy though, because he changed an existing one from last year, which was standing out, because this transaction seemed to be made before he even registered).

Then, he proceeded to the site itself. According to my logs, this is how it went:
- First, he tried to login to mralbi's account with a password that was supposedly leaked a year ago from another site. He failed at this.
- Then, he tried to access sonba's account (another high-profile user of Bitmarket, also known on the forums). He succeeded, but for some reason he didn't do anything there (just logged in, and two minutes later, logged out).
- Finally, he went to create a new account. The details are as follows:
Code:
    [username] => chinabig01
    [email] => chinabig01@gmail.com
    [password] => c....1
    [country] => fi
- If you google this email address, you will notice that it's not a disposable address. It was used as early as 2009 on various sites (even one Bitcoin site - forbitcoin.com). Also, the username he chose is the same as on those sites. And the password seems to be his username (I don't store sent passwords in server logs, but for critical situations like this I leave first and last letter to prove that someone used a legitimate password for the owner. I know it lowers the password entropy, but if you use long password that you should use, it doesn't matter).
- He then activated his account using his email
- In account settings he set the withdrawal address to 1Lbcfpaw3uHs3iarBqZ12FYeD5vFwNvY49. Again, he confirmed this change by his email.
- Then he proceeded to withdraw the funds. He first withdrew 1 BTC (to test if it worked, I think), then 9 BTC. Finally, he withdrew 55.4561581 and 554.5438419 BTC, which all totals to 620 BTC you can see in the blockchain.
- After that, he went to the transactions page to see if the transaction he made up is there, and logged out. I haven't seen this IP on the site since then.

Now, after reading this, there are some legitimate questions that one could ask himself: How on earth could this person know the filename of a script that wasn't posted ANYWHERE? How did he know the MySQL password? I don't know yet. I've asked those questions to my hosting provider and hope to get some answers. There are a few possibilities, but at this point it's only guessing:
- there was a flaw in server software. Most critical parts are: Bitcoin client, Apache, PHP, MySQL. Bitcoin client at that time was at version 0.6.1 I believe. The reason for that was, when 0.7 came out, it didn't want to work with my wallet for some reason. I didn't want to risk any corruption, so I reverted to 0.6.x. The other bits were using fairly up-to-date software (not the latest point releases, but judging from the changelogs for these, there weren't any flaws fixed in them that could cause this).
- it was an inside job. Possible candidates are: someone from the hosting company (which is hard to believe and literally can't be proven) or my old partner (which I don't believe, because he also had some Bitcoins on the site when this happened and they were lost as well. He also didn't know that this MySQL admin tool existed; I installed it later).
- someone hijacked my SSH details. I've looked at the auth.log and that doesn't seem the case.
- a flaw in website's code. I believe it's not the case, because remote code execution (and that's what was needed for this) is fairly easy to spot, and I looked again at the code yesterday and didn't find anything. The codebase is pretty small and straightforward. Also, I was looking through the apache access logs and didn't find any trace of this.
- something else that I didn't think of

Steps, that I've taken so far:
- gathered all necessary information and passed it to hosting company
- changed my SSH password and bitmarket's MySQL password (root password is totally separate, never used anywhere and not stored anywhere)
- removed all remote access to MySQL
- downloaded site logs for further analysis.

Right ...... just hope you have enough to refund my coins I had on sale there as I really don't have time for this shit to put it plainly.

Any chance you can zip up your server logs and make them available here ? - no offence but you should understand no one believes a word you are saying without providing proof - I don't really want to go the liquidation route so there is another option available and one which probably isn't the best for you Smiley I don't want you walking away like you were wearing a Teflon suit.
