Bitcoin Forum
December 10, 2016, 01:05:30 PM *
News: To be able to use the next phase of the beta forum software, please ensure that your email address is correct/functional.
 
   Home   Help Search Donate Login Register  
Pages: [1] 2 3  All
  Print  
Author Topic: How bad firewall settings can make you lose 75 BTCs  (Read 7081 times)
m3ta
Sr. Member
****
Offline Offline

Activity: 427



View Profile WWW
January 26, 2012, 03:53:19 AM
 #1

The topic of this post could also be "How my carelessness cost me 75 BTC".
As some of you will (obviously - i'm expecting it) retort - "carelessness" can also be "foolishness", "stupidity", or some even harsher words.
But the fact is:
You only think you're invulnerable to mistakes until you make one.

TLDR version:
I left my firewall vulnerable to the bitcoin daemon RPC with severely unsafe settings, and 75 BTCs vanished.

I will not dwell on a big whining - the simple fact is, mistakes cost me my wallet.
Or, as someone who I shall not quote just told me:
Quote
"It is 90% the attacker's fault for not being a nice person. 8% your fault for being careless, and 2% the system's fault for making it easy for you to be careless."
I was even raising my % a bit higher, but like I said, this is a quote. Smiley

With that said, regardless of fault %s, i hope this just serves as a big warning - do you know exactly if your settings are as safe as they can/should be? If you didn't say "yes" in less than half a second, then i urge you to revise your settings.

The facts:
There are no excuses, really. There is a plethora of facts that lead me to this, YES, but that does not serve as justification.
"spill your guts anyway!" i hear in the back.
Ok, then, the loss of 75 BTCs is surely worse than the shame, so if you insist..:

I opened my firewall ports during lunch to show a friend some node.js things I have been working on - a realtime dashboard for P2Pool stats.
This wouldn't be too severe, if my RPCport settings were not too permissive. Which they were since I was abroad last month, and forgot to revert to secure settings.

Working 18 hours a day is not an excuse. Forgetting the RPCport settings is not an excuse. Leaving the firewall open when I got home and only wanted to sleep is also not an excuse.
Just a big sum of recklessness, that had a bitter taste in the end.

The attacker easily accessed my open RPC, brute-forced my user and pass (yes yes, which could also be more complex) and emptied my wallet.

The result:

Code:
Date: 1/25/12 08:07
To: 18GQdbRCF1f7fjkx3rMdWbuqqR8XFxhQgM
Debit: -75.00 BTC
Transaction fee: -0.0235 BTC

http://blockexplorer.com/address/18GQdbRCF1f7fjkx3rMdWbuqqR8XFxhQgM

http://blockexplorer.com/tx/1cbcb30e26a00b81dfd03f3cf4b1d8ded8005a19493050b588d3f752a982b913#i4155767

The only thing i will whine about, is.. "on my birthday? really? that was harsh."

Also, there is a clear need for more security measures in place.
To defend the (dumb/reckless/whatever) miner. Yeah because in the whole BTC universe, even dumb miners... mine.
The whole BTC universe, as a whole, is a sum of its parts. Even the dumb ones.
And today, i was "just another dumb miner". Which was, and still is, a part of the whole.

Maybe bitcoind should log ip addresses.
Maybe the RPC port should have some anti-bruteforcing logic attached to it. A real, effective one, not just telling the attacker the password is short, like it happens now.
Maybe. Just sayin'.

Troll away. But only after you double-checked all your settings. Smiley

Why the frell so many retards spell "ect" as an abbreviation of "Et Cetera"? "ETC", DAMMIT! http://en.wikipedia.org/wiki/Et_cetera

Host:/# rm -rf /var/forum/trolls
1481375130
Hero Member
*
Offline Offline

Posts: 1481375130

View Profile Personal Message (Offline)

Ignore
1481375130
Reply with quote  #2

1481375130
Report to moderator
1481375130
Hero Member
*
Offline Offline

Posts: 1481375130

View Profile Personal Message (Offline)

Ignore
1481375130
Reply with quote  #2

1481375130
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481375130
Hero Member
*
Offline Offline

Posts: 1481375130

View Profile Personal Message (Offline)

Ignore
1481375130
Reply with quote  #2

1481375130
Report to moderator
LightRider
Legendary
*
Offline Offline

Activity: 1488


I advocate the Zeitgeist Movement & Venus Project.


View Profile WWW
January 26, 2012, 03:57:08 AM
 #2

I want to know more about "a realtime dashboard for P2Pool stats."

Bitcoin combines money, the wrongest thing in the world, with software, the easiest thing in the world to get wrong.
Visit www.thevenusproject.com and www.theZeitgeistMovement.com.
ineededausername
Hero Member
*****
Offline Offline

Activity: 784


bitcoin hundred-aire


View Profile
January 26, 2012, 04:05:45 AM
 #3

Wow, it looks like there are now bots that are always looking for open bitcoin rpc ports.  It took about 4 hours for you to lose 75 BTC.

Sad

(BFL)^2 < 0
m3ta
Sr. Member
****
Offline Offline

Activity: 427



View Profile WWW
January 26, 2012, 04:06:37 AM
 #4

I want to know more about "a realtime dashboard for P2Pool stats."

Not finished, but my idea was to put it on Github when it got to a stage where it could be developed further by other people - at this moment, it has a lot of "hardcoded local settings".
node.js, with some smoothiecharts, updating in realtime  (of course, thus node.js) being fed by the p2pool log.

http://imageshack.us/photo/my-images/32/screenshot20120126at404.png/

Or I might just give it away as it is, at this time I lost the mood or will to do anything regarding this.

Why the frell so many retards spell "ect" as an abbreviation of "Et Cetera"? "ETC", DAMMIT! http://en.wikipedia.org/wiki/Et_cetera

Host:/# rm -rf /var/forum/trolls
m3ta
Sr. Member
****
Offline Offline

Activity: 427



View Profile WWW
January 26, 2012, 05:22:58 AM
 #5

I opened my firewall ports during lunch to show a friend some node.js things I have been working on - a realtime dashboard for P2Pool stats.
This wouldn't be too severe, if my RPCport settings were not too permissive. Which they were since I was abroad last month, and forgot to revert to secure settings.

A bit random that your Bitcoins were stolen after opening your port to show your friend some stuff. How close is this friend?

I just find it strange that it worked out how it did. You think you were the target of a random attack exactly when it could do the most damage?


Known him for 15 years,  and he doesn't know what bitcoins are.... He liked the realtime data,  but didn't know what data it was.
I find it strange, too. Just a few hours after my flaw this happens... 
After hitting the wall (with my head of course) my first thought was a crawler script just doing portscans based on peer IPs coming from a tail of the logs.
Hmm... I see this as SO doable, it's really freaky...

Why the frell so many retards spell "ect" as an abbreviation of "Et Cetera"? "ETC", DAMMIT! http://en.wikipedia.org/wiki/Et_cetera

Host:/# rm -rf /var/forum/trolls
vuce
Sr. Member
****
Offline Offline

Activity: 476


View Profile
January 26, 2012, 05:40:58 AM
 #6

unencrypted wallet, I take it?
BTC_Bear
B4 Foundation
VIP
Sr. Member
*
Offline Offline

Activity: 364


Best Offense is a Good Defense


View Profile WWW
January 26, 2012, 05:46:46 AM
 #7

Quote
The attacker easily accessed my open RPC, brute-forced my user and pass (yes yes, which could also be more complex) and emptied my wallet.

I've read about this attack recently. Your other quote is probably dead on on the %.

Username:Password should force a certain level of entropy before being accepted. I can only imagine how many 12345678 pw there are out there.

Corporations have been enthroned, An era of corruption in high places will follow and the money power will endeavor to prolong its reign by working on the prejudices of the people until wealth is aggregated in a few hands and the Republic is destroyed. ~Abe Lincoln 1ApJdWUdSWYw8n8HEATYhHXA9EYoRTy7c4
Serge
Legendary
*
Offline Offline

Activity: 1050


View Profile
January 26, 2012, 07:05:51 AM
 #8

the reason i'm not on IRC anymore and the reason why my bitcoin node is not exposed there with bitcoin client 'noirc' flag enabled.
to me it's just being an easy target as anyone can get IP lists from IRC and start probing different ports, default router l/p's and what not.
caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
January 26, 2012, 08:11:59 AM
 #9

unencrypted wallet, I take it?

No, he said on OP, open RPC (well, maybe the wallet was unencrypted too, but it doesn't matter, that's not how it was stolen). Summarizing, it is as if his bitcoind node was accessible by anyone on the internet that happened to know his password, and apparently the password wasn't that strong since it was bruteforced. The attacker just requested the victim's bitcoind to send him money, and it sent.

The interesting part is for such a theft to happen, the thief needed to know that there was an accessible bitcoind on that IP. So, either it is someone close to OP who's stealing him, or there are hackers with crawlers searching for such vulnerable nodes. The latter sounds quite possible, what would mean people using bitcoind RPC should really pay attention to their access rules.

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
Serge
Legendary
*
Offline Offline

Activity: 1050


View Profile
January 26, 2012, 08:14:29 AM
 #10

the reason i'm not on IRC anymore and the reason why my bitcoin node is not exposed there with bitcoin client 'noirc' flag enabled.
to me it's just being an easy target as anyone can get IP lists from IRC and start probing different ports, default router l/p's and what not.

Wouldn't it be easier just to implement a savings wallet and keep a functional, yet minimal, amount of Bitcoins in the wallet on your daily PC?

don't want my local network and my system compromised in any way regardless of bitcoin wallet
vuce
Sr. Member
****
Offline Offline

Activity: 476


View Profile
January 26, 2012, 08:16:51 AM
 #11

unencrypted wallet, I take it?

No, he said on OP, open RPC (well, maybe the wallet was unencrypted too, but it doesn't matter, that's not how it was stolen). Summarizing, it is as if his bitcoind node was accessible by anyone on the internet that happened to know his password, and apparently the password wasn't that strong since it was bruteforced. The attacker just requested the victim's bitcoind to send him money, and it sent.
aren't private keys encrypted, therefore even with open RPC one would still have to decrypt them before a transaction could be made? In other words, an attacker would have to know rpc username/password and the wallet password?
caveden
Legendary
*
Offline Offline

Activity: 1106



View Profile
January 26, 2012, 08:22:44 AM
 #12

aren't private keys encrypted, therefore even with open RPC one would still have to decrypt them before a transaction could be made?

No, RPC is there to allow control of bitcoind by other programs. Like, imagine you have a website that needs to perform payments automatically. Your web server contacts bitcoind and requests the payment. If authorized, bitcoind performs the payment. It doesn't matter if the keys are encrypted or not, as it is the bitcoin software itself that's signing and sending the transaction. It can decrypt the keys if needed.
The hacker did not steal a private key. It managed to access bitcoind and control it, requesting the payment thought the RPC interface. Bitcoind treated it as a legitimate request.
Normally this control interface should not be publicly accessible, but in this particular case it was.

Do you see the difference?

18rZYyWcafwD86xvLrfuxWG5xEMMWUtVkL
vuce
Sr. Member
****
Offline Offline

Activity: 476


View Profile
January 26, 2012, 08:26:32 AM
 #13

aren't private keys encrypted, therefore even with open RPC one would still have to decrypt them before a transaction could be made?

No, RPC is there to allow control of bitcoind by other programs. Like, imagine you have a website that needs to perform payments automatically. Your web server contacts bitcoind and requests the payment. If authorized, bitcoind performs the payment. It doesn't matter if the keys are encrypted or not, as it is the bitcoin software itself that's signing and sending the transaction. It can decrypt the keys if needed.
The hacker did not steal a private key. It managed to access bitcoind and control it, requesting the payment thought the RPC interface. Bitcoind treated it as a legitimate request.
Normally this control interface should not be publicly accessible, but in this particular case it was.

Do you see the difference?

OK I get it. I assumed one would still have to input the wallet password, but it wouldn't make much sense using RPC if it couldn't do anything by itself, thus making wallet password moot.
Costia
Newbie
*
Offline Offline

Activity: 28



View Profile
January 26, 2012, 08:31:56 AM
 #14

if the wallet is encrypted you have to enter the wallet password at least once - otherwise the software shouldn't be able to get the private keys
AFAIK once you do enter the password there is an option to set a time out - after that time you will have to re-enter the wallet password to access the keys
kjj
Legendary
*
Offline Offline

Activity: 1302



View Profile
January 26, 2012, 12:23:10 PM
 #15

The interesting part is for such a theft to happen, the thief needed to know that there was an accessible bitcoind on that IP. So, either it is someone close to OP who's stealing him, or there are hackers with crawlers searching for such vulnerable nodes. The latter sounds quite possible, what would mean people using bitcoind RPC should really pay attention to their access rules.

Every node on the network knows the IP addresses of every other node.  More or less.  And the port is well known.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
jjiimm_64
Legendary
*
Offline Offline

Activity: 1680


View Profile
January 26, 2012, 02:33:09 PM
 #16


wasn't there 2 passwords here? 

the RPC bitcoind user:pass
the wallet encrypted pass


1jimbitm6hAKTjKX4qurCNQubbnk2YsFw
m3ta
Sr. Member
****
Offline Offline

Activity: 427



View Profile WWW
January 26, 2012, 02:35:12 PM
 #17

Well, it certainly doesn't sound like he had anything to do with it then. It sucks to hear when anyone has their property stolen. I wouldn't let it sour Bitcoin on you though, honestly just about anything could be stolen from you, no reason to quit using it. Take it as a very difficult lesson learned and move forward.

Indeed. Wise words. I slept 2 times what i normally do, and after letting all this "settle in", i feel exactly as you said.
Just take a punch, raise chin and keep fighting, so to speak.

Securing my bitcoins has always been a priority for me. It surprises me when someone like yourself, clearly having much more computer know-how than I, allows large amounts of bitcoins just sitting there for the taking. You don't leave stacks of cash sitting on your nightstand, do you?

I don't. As ridiculous as this might be (not "might", it IS) - part of my professional life is spent securing other people's systems. Telling them how their security is flawed. Shouting at users who have weak passwords. I totally slacked on my own.

How does this make you feel about the P2SH debate that has been raging lately? If you do continue to use Bitcoin, is this something you would hope to be implemented ASAP so you could take simple precautions to prevent what happened to you?

I've been reading... BIP16/17, P2SH... honestly, i feel that, for the enduser, despite some divergences in opinion between Gavin/Luke and others, they ultimately want to do something that is good for everyone, so, eventually, the decision that will be made shall be positive.
What REALLY bothers me is a pool (DeepBit, *cof*) having the power it has right now. THAT is a problem for everyone.

Why the frell so many retards spell "ect" as an abbreviation of "Et Cetera"? "ETC", DAMMIT! http://en.wikipedia.org/wiki/Et_cetera

Host:/# rm -rf /var/forum/trolls
[Tycho]
Hero Member
*****
Offline Offline

Activity: 742



View Profile WWW
January 26, 2012, 03:26:49 PM
 #18

How does this make you feel about the P2SH debate that has been raging lately? If you do continue to use Bitcoin, is this something you would hope to be implemented ASAP so you could take simple precautions to prevent what happened to you?
I've been reading... BIP16/17, P2SH... honestly, i feel that, for the enduser, despite some divergences in opinion between Gavin/Luke and others, they ultimately want to do something that is good for everyone, so, eventually, the decision that will be made shall be positive.
All those BIP16/BIP17 (types of pay-to-script) and BIP11 are doing the same thing, which can allow you to require confirming your TXes from your mobile phone or some other separate device.
(It's already possible technically, but no client currently exist with appropriate functions, and this TX would be "strange"(non-standard))

The point of voting is to a) select the most suitable implementation, b) deploy it safely.

Welcome to my bitcoin mining pool: https://deepbit.net - Both payment schemes (including PPS), instant payout, no invalid blocks !
ICBIT Trading platform : USD/BTC futures trading, Bitcoin difficulty futures (NEW!). Third year in bitcoin business.
mrx
Member
**
Offline Offline

Activity: 83


aka ff19


View Profile
January 26, 2012, 03:32:22 PM
 #19

The interesting part is for such a theft to happen, the thief needed to know that there was an accessible bitcoind on that IP. So, either it is someone close to OP who's stealing him, or there are hackers with crawlers searching for such vulnerable nodes. The latter sounds quite possible, what would mean people using bitcoind RPC should really pay attention to their access rules.

Every node on the network knows the IP addresses of every other node.  More or less.  And the port is well known.

except rpc port which could be changed freely. -rpcport=<port>

I'm changing my RPC ports to a higher area (10000+) to keep my wallets safe. It's set to allow *.*.*.* with very simple username and password.


This incident(accident) is not the first in cryptocurrency area. several weeks ago somebody lost all(2850) his fairbrix. Also because of open RPC.

Successfully traded with:
bulanula
m3ta
Sr. Member
****
Offline Offline

Activity: 427



View Profile WWW
January 26, 2012, 03:35:59 PM
 #20

After setting up a small script to tail the log and do a portscan of 8332 on peers, it took me as much as 6 minutes to find someone with an open RPC port.
No, I did not check if the user:pass was weak or not, i'm not out for revenge.
But, still... 6 minutes only.

Why the frell so many retards spell "ect" as an abbreviation of "Et Cetera"? "ETC", DAMMIT! http://en.wikipedia.org/wiki/Et_cetera

Host:/# rm -rf /var/forum/trolls
Pages: [1] 2 3  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!