Bitcoin Forum
December 07, 2016, 10:37:58 AM *
News: Latest stable version of Bitcoin Core: 0.13.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: [1]
  Print  
Author Topic: SECURITY ISSUES - anyone interested in a manhunt?  (Read 2259 times)
Snowpea
Member
**
Offline Offline

Activity: 96



View Profile
May 09, 2012, 02:00:43 PM
 #1

So i wake up this morning, and shortly after, i start receiving multiple emails from my gmail account from suspicious attempted sign ins.  Then i start seeing password recovery messages from my GLBSE and MtGox accounts.
My account uses a strong password that i only use in one other place(a pool).  

I'm not going to say what until i'm a bit more clear as to where the security issue is for the sake of the pool.  

Anyway, gmail tells me that the IP is: 68.230.94.23 based in Tucson, Arizona.  The ISP is Cox Communications.  

Obviously, this attack was aimed at my BTC related accounts.  Does anyone have any ideas how i can track down this person? or perhaps whatever malicious site/software is attacking the BTC community?

http://www.heatware.com/eval.php?id=77255
My tipjar - 1GNFau2dJFGWMVYsLAguQo2Psg8rUTWBjc
1481107078
Hero Member
*
Offline Offline

Posts: 1481107078

View Profile Personal Message (Offline)

Ignore
1481107078
Reply with quote  #2

1481107078
Report to moderator
1481107078
Hero Member
*
Offline Offline

Posts: 1481107078

View Profile Personal Message (Offline)

Ignore
1481107078
Reply with quote  #2

1481107078
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1481107078
Hero Member
*
Offline Offline

Posts: 1481107078

View Profile Personal Message (Offline)

Ignore
1481107078
Reply with quote  #2

1481107078
Report to moderator
1481107078
Hero Member
*
Offline Offline

Posts: 1481107078

View Profile Personal Message (Offline)

Ignore
1481107078
Reply with quote  #2

1481107078
Report to moderator
bulanula
Hero Member
*****
Offline Offline

Activity: 518



View Profile
May 09, 2012, 02:04:14 PM
 #2

Same here.

187.113.24.162 from Brazil Huh

WTF !

bulanula
Hero Member
*****
Offline Offline

Activity: 518



View Profile
May 09, 2012, 02:37:22 PM
 #3

You probably won't be able to get the attacker from the IP address alone, it's most likely a TOR exit node, public proxy, botnet or a hacked server.

The IP that the biggest scammer on the forums posted is running a mail server that is sending spam, and has tried to dictionary attack something before:
http://www.projecthoneypot.org/ip_187.113.24.162

Yeah. Looks like the Russians are doing it from looking at that site above and the content of the spam messages :

187.113.24.162.static.host.gvt.net.br

http://webcache.googleusercontent.com/search?q=cache:E9qKWrLYArgJ:kadastr.perm.ru:8080/pflogsumm/current/13-11-2011+&cd=3&hl=en&ct=clnk

BTC-E exchange anything to do with this Huh
Snowpea
Member
**
Offline Offline

Activity: 96



View Profile
May 09, 2012, 02:42:01 PM
 #4

dictionary attack wouldn't be able to guess my strong password, it's 10 characters long with symbols and no dictionary words

http://www.heatware.com/eval.php?id=77255
My tipjar - 1GNFau2dJFGWMVYsLAguQo2Psg8rUTWBjc
REF
Hero Member
*****
Offline Offline

Activity: 526


View Profile
May 09, 2012, 02:54:09 PM
 #5

Your password was definitely phished, caught by spyware, or taken from the database of another site (by site owner or hackers). Most mail providers have strong captchas & usually stop allowing attempts after 3-5 failed ones.

Try entering your passwrod into Google and see if anything comes up, I once done that when my email address got hacked and found a hacker forum where a hacker had posted a list of email addresses + md5 hashes of passwords that were used to signup to a site, and people were trying to crack them and posting the passwords they cracked.

interesting. If that ever happens to I will be trying that in the future.
Maged
Legendary
*
Offline Offline

Activity: 1260


View Profile
May 09, 2012, 05:01:48 PM
 #6

Passwords at mining pools seem to get leaked on a daily basis. Few of these guys are any good at security.

Stephen Gornick
Legendary
*
Offline Offline

Activity: 2002



View Profile
May 09, 2012, 08:00:39 PM
 #7

So i wake up this morning, and shortly after, i start receiving multiple emails from my gmail account from suspicious attempted sign ins.  Then i start seeing password recovery messages from my GLBSE and MtGox accounts.

Out of curiosity, was your e-mail address in the list of leaked passwords from the June 2011 hack at Mt. Gox (or similar list from one of the many breaches since)

Do you use the same username as is in your e-mail? 
  e.g.  snowpea@gmail.com    and then the same username at Mt. Gox / GLBSE of "snowpea"?

Andrew Bitcoiner
Sr. Member
****
Offline Offline

Activity: 397


Send correspondance to GPG key A372E7C6


View Profile WWW
May 09, 2012, 08:03:23 PM
 #8

dictionary attack wouldn't be able to guess my strong password, it's 10 characters long with symbols and no dictionary words

10 characters is not enough.  Brute forcing that is easy on todays hardware, you need to be 15 characters or longer.  I know some people who choose 30 characters in length.

MAKE MONEY! ADVERTISE FOR BITCOINS http://www.bitcoinadvertising.com
Bitcoin News Site http://coinbits.com
Bitcoin Blackjack http://bitjack21.com
Bitcoin, Darknet, IT consulting http://cryptophene.com
Uncurlhalo
Full Member
***
Offline Offline

Activity: 140


Look it up.


View Profile
May 09, 2012, 08:04:47 PM
 #9

Yeah I had an attempted login from somewhere in Sweden on my gmail.

1JacobTM32mCqTD6NWRsBwtxbT7z7fUGWE
I love building things.
EuSouBitcoin
Sr. Member
****
Offline Offline

Activity: 463


View Profile
May 09, 2012, 08:15:58 PM
 #10

dictionary attack wouldn't be able to guess my strong password, it's 10 characters long with symbols and no dictionary words

10 characters is not long enough. According to
https://www.grc.com/haystack.htm
such a password can be cracked in less than 2 hours with a Massive Cracking Array Scenario. Personally, I like DiceWare for making long passwords that are easy to remember. See
http://world.std.com/~reinhold/diceware.html
Snowpea
Member
**
Offline Offline

Activity: 96



View Profile
May 10, 2012, 03:09:05 AM
 #11

i tested my password, and with the online scenario it's: 1.20 thousand centuries... i really doubt anyone with the ability to do 1 trillion a second would be targeting BTC.

http://www.heatware.com/eval.php?id=77255
My tipjar - 1GNFau2dJFGWMVYsLAguQo2Psg8rUTWBjc
arby
Donator
Member
*
Offline Offline

Activity: 112


keybase.io/arblarg


View Profile
May 11, 2012, 06:16:40 AM
 #12

As the other posters said, it is almost impossible to track down the person, law enforcement could track it down, but if it was just a proxy used by the attacker, it will be again harder, anyway I do not think anyone will bother to track anyone down because of a cracked password or what happened.

About the password, well a bit hard to crack a password that is 10 random characters, including digits, etc. There are a lot of protection mechanisms in place at reputable websites.

The most common way to steal passwords nowadays is using trojans that hook into browser functions.

But also in some cases, the websites that you use the same passwords at, small websites such as this pool, are vulnerable and attackers may phish the passwords from there, so it is better to use a different
password for each account, and well maybe keep them in an encrypted txt or something on your computer, but that depends on your situation.

Jabber/XMPP: arby@darkness.su
check_status
Full Member
***
Offline Offline

Activity: 196


Web Dev, Db Admin, Computer Technician


View Profile
May 13, 2012, 05:29:00 PM
 #13

such a password can be cracked in less than 2 hours with a Massive Cracking Array Scenario.

Do pools count as 'Massive Cracking Arrays'? Maybe blocks aren't being found as often as they could be because some pools are cracking juicy passwords and then statistically attributing the artificial BTC drought to "Luck". Wink

If you only used a duplicate password on Google and the Pool then either you or the pool is suspect. Does your pool keep IP address sign in logs that you can view? If any BTC is missing you can trace it via the blockchain. Someone has done this for a few high profile thefts.
http://anonymity-in-bitcoin.blogspot.com/2011/07/bitcoin-is-not-anonymous.html
Figure 2 shows how the thief used the blockchain for command and control during the theft by monitoring a LulSec BTC address.

For Bitcoin to be a true global currency the value of BTC needs always to rise.
If BTC became the global currency & money supply = 100 Trillion then ⊅1.00 BTC = $4,761,904.76.
P2Pool Server List | How To's and Guides Mega List |  1EndfedSryGUZK9sPrdvxHntYzv2EBexGA
flaxceed
Sr. Member
****
Offline Offline

Activity: 389


>>Note new email flaxceed@tormail.org<<


View Profile
May 17, 2012, 11:30:12 AM
 #14

As the other posters said, it is almost impossible to track down the person, law enforcement could track it down

how?

//////////////////////////////////////////////
>>>>>>flaxceed@tormail.org<<<<<<
\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\


>>>  NOTE:  This is a new email address.  It is now tormail.org, and no longer tormail.net!  <<<

Blazr
Hero Member
*****
Offline Offline

Activity: 882



View Profile
May 17, 2012, 02:16:45 PM
 #15

As the other posters said, it is almost impossible to track down the person, law enforcement could track it down

how?

LE can contact the ISP of the IP where the attack originally came from and get details on that person, however, it'll likely be a TOR exit node or a proxy, and if the owner hasn't kept proper logs it can be very difficult/impossible to trace it back to the actual hackers IP. Even then, when there are TOR + proxies involved, getting a conviction in court can be quite difficult as it can be hard to prove that it wasn't just the exit node owner who initiated the attack, or somebody else along the chain.

Busy ATM.
Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!