Bitcoin Forum
Author Topic: Hacked Linode & coins stolen to 1NRy8GbX56MymBhDYM...  (Read 62136 times)
slush (OP)
March 01, 2012, 07:37:35 PM
Last edit: March 02, 2012, 02:44:10 AM by theymos
 #1

Short story:

Somebody hacked my backup machine with pool data hosted on Linode and stole 3094 BTC ("hot" coins ready for payouts). Cold backup was not affected in any way by this hack.

It looks like the user database has also been compromised. Although passwords are stored in SHA1 with salt, I strongly recommend changing your password on the pool immediately.

The robbery of Bitcoins has no impact on pool users, I'm covering the loss from my own income (although it means that many months of my work are wasted  Roll Eyes ).

Long story + evidence:

This morning I received an SMS from pool monitoring that the BTC balance went under the expected amount, so I started investigating what had happened. I saw that there was a transaction moving 3094 BTC out of the pool wallet (http://blockexplorer.com/tx/34b84108a142ad7b6c36f0f3549a3e83dcdbb60e0ba0df96cd48f852da0b1acb) a few minutes ago. I watched the logs and it didn't look like the server had been compromised in any way.

Then I found that two of my Linode machines had been restarted half an hour ago, too, and the root passwords had been changed. I changed the passwords to new ones and found that there was malicious activity on the machines. Then I discovered that the passwords were changed over Linode Manager (Linode web management), because there was a record of the password change in the Host Job queue (last activity done over Manager). This also explains why the attacker restarted the machines, because it's necessary to apply this change from Manager.

I reported the accident to Linode staff and asked for a log of recent logins to Manager. To my surprise, there were only my own login attempts and the last login before the attack was on 08/02/2012! I reported to Linode that something is going wrong, because I had been using a strong password for my Linode Manager (because I know it's basically a backdoor to my machines) and I didn't use this password in other places.

Full log of support ticket is here.

I'm still waiting to see what they'll find, but I expect they'll try to hide any issue on their side and they will definitely refuse to pay 3000 BTC for this attack :-/.

Plus
A few hours ago another guy contacted me that his Linode machine had been attacked and his coins were moved to the same wallet, asking me if I knew what had happened (because he found that the 1Mining2 address is mine). We found that our issues are the same - changed password in Manager, stolen coins & Linode staff is telling they have no security issue on their side. Heh.

It looks like attackers found some vulnerability in Linode Manager and used it to infiltrate Linodes with running bitcoind (we both had bitcoind running on the machine), to gain maximum profit for the least rush (it does not look like that many machines have been hacked, at least I didn't find anything on twitter etc). It looks like the attackers were interested only in Bitcoins, because they left Namecoins untouched, although they had the same chance to steal them.

From the attacker's wallet it looks like there were more people affected by this Linode hack, maybe they'll know something more?

Conclusion

There's no reason to think that the pool itself was hacked. I changed all passwords everywhere (mainly to the database), moved coins to a new wallet and everything is working fine. The backup machine didn't contain keys for accessing the pool server, so there's no need to reinstall the pool on another machine. I'm covering all financial loss from my own money, to keep pool users out of this stupid issue.
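The post above says the theft was first noticed because pool monitoring paged when the hot-wallet balance dropped under the expected amount. The thread does not describe how that monitor works; the script below is an added example (not slush's code) of one way to build that check: replay the wallet's transaction list against the pool's own payout ledger, so that any outflow the ledger never authorised is reported by itself and also shows up as "observed below expected". The `WalletTx` and `Payout` records, the txids, amounts and the placeholder addresses are all constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from decimal import Decimal
from typing import Optional


@dataclass(frozen=True)
class WalletTx:
    """One entry from the hot wallet's transaction list (constructed data)."""
    txid: str
    delta: Decimal            # signed balance change in BTC; negative = outflow
    to_addr: Optional[str]    # destination of an outflow, None for inflows


@dataclass(frozen=True)
class Payout:
    """One send that the pool's own payout ledger authorised (constructed data)."""
    txid: str
    amount: Decimal
    to_addr: str


def reconcile(opening: Decimal, wallet_txs: list[WalletTx], ledger: list[Payout],
              tolerance: Decimal = Decimal("0.0001")):
    """Replay the wallet against the ledger.

    Returns (expected_balance, observed_balance, alerts). The expected balance only
    moves for inflows and for outflows the ledger authorised; any other outflow is
    reported on its own and also makes observed fall below expected.
    """
    authorised = {p.txid: p for p in ledger}
    expected = observed = opening
    alerts: list[str] = []
    for tx in wallet_txs:
        observed += tx.delta
        if tx.delta >= 0:
            expected += tx.delta          # block rewards / deposits need no ledger entry
            continue
        payout = authorised.get(tx.txid)
        if payout is None:
            alerts.append(f"unauthorised outflow {tx.txid}: {-tx.delta} BTC to {tx.to_addr}")
            continue
        if payout.to_addr != tx.to_addr or payout.amount != -tx.delta:
            alerts.append(f"ledger mismatch {tx.txid}: ledger says {payout.amount} BTC to "
                          f"{payout.to_addr}, chain says {-tx.delta} BTC to {tx.to_addr}")
        expected -= payout.amount
    if observed < expected - tolerance:
        alerts.append(f"balance below expected: observed {observed} BTC, expected {expected} BTC")
    return expected, observed, alerts


def sample_run():
    """Constructed scenario: one block reward, one authorised payout, one theft."""
    ledger = [Payout("pay-1", Decimal("12.5"), "1MinerPayoutAddrPLACEHOLDER")]
    wallet = [
        WalletTx("coinbase-1", Decimal("50"), None),
        WalletTx("pay-1", Decimal("-12.5"), "1MinerPayoutAddrPLACEHOLDER"),
        WalletTx("theft-1", Decimal("-3094"), "1AttackerAddrPLACEHOLDER"),
    ]
    return reconcile(Decimal("3100"), wallet, ledger)


if __name__ == "__main__":
    expected, observed, alerts = sample_run()
    print(f"expected {expected} BTC, observed {observed} BTC")
    for a in alerts:
        print("ALERT:", a)
```

In a real deployment the wallet list would come from `bitcoind listtransactions` and the ledger from the pool database; the point of reconciling per transaction rather than only comparing totals is that a theft and a legitimate large payout look identical as a balance drop, but only one of them has a ledger entry.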

OgNasty
March 01, 2012, 07:50:48 PM
 #2

Wow.  I'm sorry to read about this slush.  

I'm covering all financial loss from my own money, to keep pool users out of this stupid issue.

I applaud you for covering this out of pocket.  Another demonstration of why I'm glad to be mining in your pool.

digital
March 01, 2012, 07:51:56 PM
 #3

Hopefully Linode comes clean...

Man, that's a huge loss.  Thanks again Slush for everything you do, you have a donation coming your way from me.  It won't be much, but I'll do what I can at least to help out...

Revalin
March 01, 2012, 07:53:37 PM
 #4

Three things for everyone to learn from this:

#1, use cold storage as preemptive damage control.  Congratulations on being the first high-profile case to get this right.  Smiley

#2, don't store high value wallets on a public-facing server.  It's much better to keep your wallet on a machine in another secure location, poll for any required sends, sanity check them, and then send them to the network.

#3, Slush just earned 3094 honor points.
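Point #2 above describes a pattern rather than code: the wallet lives on a separate machine that polls the public server for required sends, sanity-checks them, and only then signs and broadcasts. The script below is an added example (not from the thread or from any pool software) of the sanity-check step as a policy gate the offline signer runs on every polled request before its key is used. The `Request` and `Policy` types, the limits, and the `make_addr` helper (which builds syntactically valid addresses from constructed 20-byte values, not from real keys) are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from decimal import Decimal

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _hash256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58check_encode(payload: bytes) -> str:
    """Base58Check: payload followed by the first 4 bytes of double-SHA256(payload)."""
    data = payload + _hash256(payload)[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def valid_p2pkh(addr: str) -> bool:
    """True only for a well-formed mainnet P2PKH address with an intact checksum."""
    n = 0
    for ch in addr:
        i = B58.find(ch)
        if i < 0:
            return False
        n = n * 58 + i
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading = len(addr) - len(addr.lstrip("1"))
    data = b"\x00" * leading + body
    if len(data) != 25 or data[0] != 0x00:   # version byte 0x00 = mainnet P2PKH
        return False
    return _hash256(data[:21])[:4] == data[21:]


@dataclass(frozen=True)
class Request:
    rid: str          # request id from the public server's payout queue
    addr: str
    amount: Decimal


@dataclass(frozen=True)
class Policy:
    max_per_request: Decimal
    daily_cap: Decimal


def review(requests, sent_today: Decimal, policy: Policy):
    """Sanity-check polled payout requests before the offline key signs anything.

    Returns (approved, rejected); rejected is a list of (rid, reason). The running
    total starts at what was already sent today so the cap holds across polls.
    """
    approved, rejected, seen = [], [], set()
    running = sent_today
    for r in requests:
        if r.rid in seen:
            rejected.append((r.rid, "duplicate request id"))
            continue
        seen.add(r.rid)
        if not valid_p2pkh(r.addr):
            rejected.append((r.rid, "malformed address or bad checksum"))
        elif r.amount <= 0 or r.amount > policy.max_per_request:
            rejected.append((r.rid, f"amount {r.amount} outside per-request limit"))
        elif running + r.amount > policy.daily_cap:
            rejected.append((r.rid, f"would exceed daily cap of {policy.daily_cap}"))
        else:
            approved.append(r)
            running += r.amount
    return approved, rejected


def make_addr(seed: bytes) -> str:
    """Constructed address: 20 bytes of SHA256(seed) stand in for a real HASH160."""
    return b58check_encode(b"\x00" + hashlib.sha256(seed).digest()[:20])


def sample_run():
    good = make_addr(b"miner-A")
    bad = good[:-1] + ("2" if good[-1] == "1" else "1")   # one character corrupted
    policy = Policy(max_per_request=Decimal("50"), daily_cap=Decimal("500"))
    requests = [
        Request("r1", good, Decimal("10")),
        Request("r2", make_addr(b"miner-B"), Decimal("30")),   # pushes the day over the cap
        Request("r3", bad, Decimal("5")),
        Request("r4", make_addr(b"miner-C"), Decimal("60")),   # over the per-request limit
        Request("r1", good, Decimal("10")),                    # replayed request
    ]
    return review(requests, sent_today=Decimal("480"), policy=policy)


if __name__ == "__main__":
    ok, no = sample_run()
    print("approved:", [r.rid for r in ok])
    for rid, why in no:
        print("rejected", rid, "-", why)
```

The daily cap is what limits the damage in exactly the scenario this thread describes: a compromised public server can queue whatever requests it likes, but the signer will not drain the wallet in one go, and the rejects themselves are a signal to page on.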

bitcoinsarefun
March 01, 2012, 07:57:40 PM
 #5

Is it positively confirmed that it is a linode issue and not an exploit for bitcoind?
slush (OP)
March 01, 2012, 07:58:50 PM
 #6

Is it positively confirmed that it is a linode issue and not an exploit for bitcoind?

There's no way to "learn" Linode's username and password to log in to Linode Manager from the machine itself. And the attacker obviously used Linode Manager to change the root password. So - yes, it isn't a bitcoind issue.

The most interesting point of the whole hack is that Linode doesn't have any log of a login to Manager by the attacker, which indicates that they used some vulnerability in Manager itself.

Gavin Andresen
March 01, 2012, 08:00:17 PM
 #7

FYI:

The Bitcoin Faucet bitcoinds are both running on a Linode VPS, which was mysteriously restarted 14 hours ago.  The 5 bitcoins in the main-net Faucet's wallet were stolen, also; I'll shut down the Faucet website, do NOT donate any coins to the Faucet donation address, it is controlled by the thief.

Transaction ID:  14350f6f2bda8f4220f5b5e11022ab126a4b178e5c4fca38c6e0deb242c40c5f
... if you want to start watching where the coins end up.

Kluge
March 01, 2012, 08:02:10 PM
 #8

Following the dendrogram on blockchain.info, it looks like the money went to a pool of bitcoin worth around 25000 ... not the first malfeasance then.

Also, seems like the thief is in the process of laundering the whole thing.


FYI:

The Bitcoin Faucet bitcoinds are both running on a Linode VPS, which was mysteriously restarted 14 hours ago.  The ~4 bitcoins in the main-net Faucet's wallet were stolen, also; I'll shut down the Faucet website, do NOT donate any coins to the Faucet donation address, it is controlled by the thief.

This is extremely disturbing. Wonder who else was stolen from. Sounds like it was well-planned.
bitcoinsarefun
March 01, 2012, 08:02:40 PM
 #9

Is it positively confirmed that it is a linode issue and not an exploit for bitcoind?

There's no way to "learn" Linode's username and password to log in to Linode Manager from the machine itself. And the attacker obviously used Linode Manager to change the root password. So - yes, it isn't a bitcoind issue.

The most interesting point of the whole hack is that Linode doesn't have any log of a login to Manager by the attacker, which indicates that they used some vulnerability in Manager itself.

Wow, that's going to be an interesting one to figure out ...
proudhon
March 01, 2012, 08:02:49 PM
 #10

I can't remember, does MtGox block stolen coins from deposit?

slush (OP)
March 01, 2012, 08:03:26 PM
 #11

The Bitcoin Faucet bitcoinds are both running on a Linode VPS, which was mysteriously restarted 14 hours ago.

Gavin, thank you for the info. It's the same time when my Linodes were restarted (it was around 7 am UTC). Did you contact Linode about this issue? Looks like they're still rejecting any problems on their side...

tritium
March 01, 2012, 08:04:02 PM
 #12

just changed my password, thanks for the heads up.

do you have a donation address?

slush (OP)
March 01, 2012, 08:06:20 PM
 #13

just changed my password, thanks for the heads up.

do you have a donation address?

You can donate to 18pmHDP5fx4A9Tpo69V1KEXWUQyK7EvT9C . Thank you for your support!

digital: thank you, too :-)

digital
March 01, 2012, 08:06:50 PM
 #14

His full address from the firstbits is:

Edit: nevermind, see above post

I've already sent along what I could spare...

digital
March 01, 2012, 08:07:58 PM
 #15

Woops, guess I was a little late on that one...

slush (OP)
March 01, 2012, 08:09:43 PM
 #16

digital, you're correct, it's my general "donation" address, but I created the new one to track donations to pool funds...

Revalin
March 01, 2012, 08:14:02 PM
 #17

It exists now at an informal level, but I expect the "tainted coins" stigma will decrease over time.  Right now we have a high percentage of relatively fresh coins, but just like fiat, after they've been in circulation for some time it will be taken for granted that some percentage of it has been involved in some kind of scam.

Cryptoman
March 01, 2012, 08:21:32 PM
 #18

If you trace the coins forward, it looks like they are going through some sort of laundering/mixing process as we speak.
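Kluge's dendrogram observation (#8) and the forward trace described just above both amount to walking the transaction graph downstream from the theft output and watching the coins merge with others. The script below is an added example, not the thread's or any explorer's code, of that walk over a constructed in-memory graph. It applies the "haircut" taint rule: an output's taint is the value-weighted average taint of the inputs that funded it, so mixing with clean coins dilutes the taint rather than removing it, which is what makes the "tainted coins" question the later posts argue about a matter of thresholds. Every txid, address and amount in `GRAPH` is constructed; the fractions are illustrative, not chain data.

```python
from collections import defaultdict, deque
from decimal import Decimal

D = Decimal

# Constructed transaction graph (not chain data).
# txid -> {"inputs": [(prev_txid, vout)], "outputs": [(address, value_btc)]}
GRAPH = {
    "theft":   {"inputs": [], "outputs": [("thief_1", D("3094"))]},
    "clean":   {"inputs": [], "outputs": [("honest_1", D("3094")), ("honest_2", D("100"))]},
    # the stolen output is merged 1:1 with clean coins
    "mix":     {"inputs": [("theft", 0), ("clean", 0)],
                "outputs": [("mix_out_a", D("3094")), ("mix_out_b", D("3094"))]},
    # part of the mixed coins is sent to an exchange deposit address
    "cashout": {"inputs": [("mix", 0)],
                "outputs": [("exchange_deposit", D("1000")), ("change_1", D("2094"))]},
    # unrelated spend of the other clean output; never reached from the theft
    "honest":  {"inputs": [("clean", 1)], "outputs": [("honest_3", D("100"))]},
}


def tx_taint(graph, txid, source, memo):
    """Haircut rule: a tx's taint is the value-weighted mean of its inputs' taint.

    Coinbase-like txs (no inputs) are fully tainted if they are the source, else clean.
    """
    if txid in memo:
        return memo[txid]
    tx = graph[txid]
    if not tx["inputs"]:
        memo[txid] = D(1) if txid == source else D(0)
        return memo[txid]
    total = tainted = D(0)
    for prev, vout in tx["inputs"]:
        value = graph[prev]["outputs"][vout][1]
        total += value
        tainted += value * tx_taint(graph, prev, source, memo)
    memo[txid] = tainted / total
    return memo[txid]


def trace_forward(graph, source):
    """BFS downstream from `source`; returns {(txid, vout): (address, value, taint)}."""
    spenders = defaultdict(list)          # prev_txid -> txids that spend one of its outputs
    for txid, tx in graph.items():
        for prev, _ in tx["inputs"]:
            spenders[prev].append(txid)
    memo, reached = {}, {}
    queue, seen = deque([source]), {source}
    while queue:
        txid = queue.popleft()
        taint = tx_taint(graph, txid, source, memo)
        for vout, (addr, value) in enumerate(graph[txid]["outputs"]):
            reached[(txid, vout)] = (addr, value, taint)
        for nxt in spenders[txid]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return reached


def flag_deposits(reached, prefix, threshold):
    """One use of the trace: list outputs at addresses with `prefix` whose taint >= threshold."""
    threshold = D(str(threshold))
    return sorted((addr, value, taint) for (addr, value, taint) in reached.values()
                  if addr.startswith(prefix) and taint >= threshold)


if __name__ == "__main__":
    for (txid, vout), (addr, value, taint) in sorted(trace_forward(GRAPH, "theft").items()):
        print(f"{txid}:{vout:<2} {addr:<17} {value:>8} BTC  taint={taint}")
    print("flagged:", flag_deposits(trace_forward(GRAPH, "theft"), "exchange", 0.25))
```

Two things the output makes concrete: the mixed outputs carry taint 0.5 rather than 0 or 1, and nothing downstream of the unrelated clean spend is reached at all. Whether an exchange should act on a 0.5 is precisely the fungibility argument the following posts make; the code only gives the number.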

Revalin
March 01, 2012, 08:22:09 PM
 #19

The downside is this would destroy fungibility.  I'm not eager to see that happen.

The idea of reputation is intriguing, but realistically that will just mean people will pay for premium laundry services that can provide freshly-mined coins.  Mining could become unusually profitable for a while.  Smiley


bitcoinsarefun
March 01, 2012, 08:22:56 PM
 #20

I am against anything that could potentially put coins into limbo and add even a hint of centralization to the mix.

plus, there is no way I would trust any organization to decide how "tainted" my coins were ... it sounds like it could be ripe for abuse

