Bitcoin Forum
Author Topic: Wallet just got emptied  (Read 4607 times)
pirate1 (OP), Member, Activity: 75, Merit: 10
May 11, 2012, 07:38:21 PM, #21

Hey psy, I checked my bitcoin.conf file and I do have a user id and password set.  The port is set to "*" which I believe is open to all.  However, when I set up my guiminer I did set it to 8332 for BitClockers pool.  Should I change the bitcoin.conf file to just use port 8332 instead of a *?  That seems like it would be a good idea.

Hey etotheipi, I am not sure about reinstalling everything but am thinking seriously about it.  I do like the idea of really being sure that nothing is there.  I am running two OS (Windows 7 Pro 64 and Windows XP Pro 32) and have three 300 GB VelociRaptors.  I hardly ever use the XP anymore and think I would just have to reinstall my Windows 7.  I have pretty much filled up all three hard drives and don't want to lose any of that.  The problem there is I will be afraid to save that stuff now as I wouldn't want to accidentally save any virus hiding somewhere.  I am sure that most of it will already be on the backup I have but it is a few weeks old and I am not sure what will not be covered.  I know I should do backups more often but I always seem to put them off.  I believe the backups I do have would be clean.  It must be something new as the 10 bitcoins have been in there for a bit.  I have tried not to sell until the price hits $6 so I was just waiting.  I will decide this weekend what to do.  Until then I've stopped mining and am keeping the guiminer and bitcoin wallet turned off except when I am looking at them to help get this figured out.

I have an old computer sitting in our spare room that might be perfect for the Armory wallet.  I would just need to hook it up to get it all set up and then just turn it on when I need the digital signature.  It looks like the Armory site has pretty good instructions and it looks pretty straightforward.  I will let you know if I have any problems and need help if I decide to go that way.  I am thinking I will but I would like to hear from anyone else using the Armory wallet how it is working out for them.  I don't mind derailing the thread a little as I want it to cover how to stop things like this to prevent them from occurring.  I want to use this as an opportunity to tighten up my security and try to ensure that something like this doesn't happen again.  I think it would be useful to me and others to have this thread cover all that.  I know that whenever I restart everything I will set new passwords on all my accounts.  Thanks to all of you for your help and suggestions on this.

As long as I wake up breathing it's all a bonus.  Sometimes not much of a bonus but still a bonus.
Raoul Duke (aka psy), Legendary, Activity: 1358, Merit: 1002
May 11, 2012, 07:58:11 PM, #22

No rpcallowip line in there?
Also, is the password strong?
Because even if they just knew your username, brute forcing the password on a system that does nothing to block failed login attempts will be easy if the password is a dictionary word or less than 8 chars.

Does the user ID in the bitcoin.conf match the username you use in mining pools? Mining pools are always getting hacked; it would be easy to get a list of targets with valuable info.
You may well be a victim of a hacker stealing your coins on the RPC interface and not malware. Happened before.
pirate1 (OP), Member, Activity: 75, Merit: 10
May 11, 2012, 09:47:21 PM, #23

The rpcallowip line was set to "*" which I assume is open to all.  I have reset it to 8332.  The user id was two words, 11 letters, a number and a symbol.  The password was just a 5 letter word.  I am changing both.

As long as I wake up breathing it's all a bonus.  Sometimes not much of a bonus but still a bonus.
Raoul Duke (aka psy), Legendary, Activity: 1358, Merit: 1002
May 11, 2012, 10:09:17 PM, #24

The rpcallowip line was set to "*" which I assume is open to all.  I have reset it to 8332.  The user id was two words, 11 letters, a number and a symbol.  The password was just a 5 letter word.  I am changing both.

rpcallowip sets the IPs allowed to access the RPC interface. 8332 is the port, not the IP. Having it set to * is an invitation to thieves.
Set rpcallowip=127.0.0.1 or to any other local IP you need to access the service.
Do you by any chance use that same username in pools? If you do, with only a 5 letter dictionary word as password, it would be easy to brute force if someone targeted you by taking your username and IP from some pool logs or database.
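The three points psy raises (a wildcard or mistyped rpcallowip, a short dictionary-word rpcpassword, and an rpcuser that is a variation of a pool username) can be checked mechanically. The audit script below is an added example, not code from the thread or from Bitcoin Core; the two bitcoin.conf texts are constructed to mirror the weak setup described above and the corrected one, the pool username "piratemining" is a placeholder, and the small COMMON_WORDS set stands in for a real wordlist.

```python
"""Audit a bitcoin.conf for the RPC exposure discussed in the thread (added example)."""
import ipaddress
import re
import secrets
import string

# Constructed sample: roughly the weak setup described in the thread, not a real file.
WEAK_CONF = """\
# constructed sample
server=1
rpcuser=piratemining1!
rpcpassword=apple
rpcallowip=*
rpcport=8332
"""

# Constructed sample: the same file after following the advice in the thread.
HARDENED_CONF = """\
server=1
rpcuser=rpc-local-user
rpcpassword=Q7f2VbN9xL4sR8tW1yH6kP3mZ0cD5gJa
rpcallowip=127.0.0.1
rpcport=8332
"""

# Tiny stand-in for a wordlist; a real audit would load a proper dictionary file.
COMMON_WORDS = {"apple", "money", "bitcoin", "password", "secret", "miner", "hello"}


def parse_conf(text):
    """Parse key=value lines, dropping comments and blanks.

    rpcallowip may legitimately appear several times, so it is kept as a list;
    for every other key the last occurrence wins.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "rpcallowip":
            conf.setdefault(key, []).append(value)
        else:
            conf[key] = value
    return conf


def _is_ip_or_subnet(value):
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def audit(conf, pool_usernames=()):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []

    # 1. Who may reach the RPC port at all. No rpcallowip line means localhost only.
    for entry in conf.get("rpcallowip", []):
        if "*" in entry:
            findings.append(f"rpcallowip={entry}: wildcard lets any host that can reach the port try to log in")
        elif entry.isdigit():
            findings.append(f"rpcallowip={entry}: that is a port number; the option takes an IP address or subnet")
        elif not _is_ip_or_subnet(entry):
            findings.append(f"rpcallowip={entry}: not a valid IP address or subnet")

    # 2. Password strength. The old client did not throttle failed logins, so a
    #    short dictionary word is cheap to guess for anyone allowed to connect.
    pw = conf.get("rpcpassword", "")
    if conf.get("server") == "1" or "rpcuser" in conf:
        if not pw:
            findings.append("rpcpassword: missing")
        else:
            if len(pw) < 8:
                findings.append(f"rpcpassword: only {len(pw)} characters, too short")
            if pw.lower() in COMMON_WORDS:
                findings.append("rpcpassword: dictionary word")
            classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z\d]"))
            if classes < 3:
                findings.append("rpcpassword: uses fewer than three character classes")

    # 3. A username that a leaked pool database would reveal or make guessable.
    user = conf.get("rpcuser", "").lower()
    for pool in pool_usernames:
        p = pool.lower()
        if user and p and (p in user or user in p):
            findings.append(f"rpcuser={conf['rpcuser']}: variation of pool username {pool!r}")
    return findings


def generate_rpc_password(length=32):
    """Random password from the OS CSPRNG, long enough that online guessing is hopeless."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text), pool_usernames=["piratemining"]) or ["OK"])
    print("suggested rpcpassword:", generate_rpc_password())
```

Run against the weak sample it reports the wildcard, the 5-character dictionary password and the pool-username overlap; against the hardened sample it reports nothing. Feeding it the "8332" value pirate1 first tried produces the port-number finding psy explains.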
cypherdoc, Legendary, Activity: 1764, Merit: 1002
May 11, 2012, 10:16:51 PM, #25

Or use Armory Offline Wallets to keep your Bitcoins off the internet completely.  It's designed to protect against exactly this...

I just made an Armory-plus-all-dependencies bundle that will work out of the box on Ubuntu 10.04 without ever touching the internet.  Especially good if you have an old laptop lying around with 256 MB of RAM.  Disable the wifi & bluetooth & ethernet in the BIOS, install Ubuntu 10.04 32-bit with all defaults, and then copy this file on there and run the "Install_All_Armory.sh" script.  Create your wallet, and make a watching-only copy to put on your internet-connected computer.   Of course, you need Armory on the online computer, too, but it's not a problem if it is Windows, even if the offline system is Linux.

For more information, there's an Offline Wallet Tutorial on my website.  
</spam>

I have this exact setup and it works well.
Raoul Duke (aka psy), Legendary, Activity: 1358, Merit: 1002
May 11, 2012, 10:24:34 PM, #26

I just remembered... If the transaction was initiated from an RPC command, shouldn't it be registered in the debug.log? Along with the IP that made the connection and some other useful info?
pirate1 (OP), Member, Activity: 75, Merit: 10
May 11, 2012, 10:42:30 PM, #27

Psy, I don't use the same user name but it was a variation with added letters and symbol.  It is different now.  Thanks for letting me know about the IP address.  I have reset the rpcallowip to my home IP address.  I went ahead and started my miner and checked my wallet would still update and they did.  I closed the wallet but for now I am leaving the miner running.
Cypherdoc thanks for the feedback about the Armory wallet.  It sounds like a great setup and I am really thinking I will download and use it this weekend.
Psy, I checked the debug file but I don't know what to look for.  I don't see anything that says sent coins but I don't imagine it would be that obvious.

MoonShadow, Legendary, Activity: 1708, Merit: 1007
May 11, 2012, 10:52:35 PM, #28

I have an idea that might prevent this. What about generating a paper wallet? I know a site that can do that and the wallets generated would basically be like paper money once loaded. When unloaded, the paper would be shredded.

The problem being that you can't trust a website to create a private key for you.  One needs to create a single address/private key set completely offline and print it out before destroying the wallet.dat that produced it.  I have exactly one address set up this way, but instead of paper it's on a couple of very well encrypted thumbdrives; one in my gunsafe and one in my safety deposit box.  That private key has never touched a computer that has had any Internet access since creation, neither the thumbdrives nor the offline computer, and the offline computer has had its ethernet card physically removed, and itself resides in my gunsafe.

I figure if you can get into my gunsafe, I'm already past screwed.

"The powers of financial capitalism had another far-reaching aim, nothing less than to create a world system of financial control in private hands able to dominate the political system of each country and the economy of the world as a whole. This system was to be controlled in a feudalist fashion by the central banks of the world acting in concert, by secret agreements arrived at in frequent meetings and conferences. The apex of the systems was to be the Bank for International Settlements in Basel, Switzerland, a private bank owned and controlled by the world's central banks which were themselves private corporations. Each central bank...sought to dominate its government by its ability to control Treasury loans, to manipulate foreign exchanges, to influence the level of economic activity in the country, and to influence cooperative politicians by subsequent economic rewards in the business world."

- Carroll Quigley, CFR member, mentor to Bill Clinton, from 'Tragedy And Hope'
organofcorti, Donator, Legendary, Activity: 2058, Merit: 1007 ("Poor impulse control.")
May 11, 2012, 11:00:57 PM, #29

I am not sure about reinstalling everything but am thinking seriously about it.  I do like the idea of really being sure that nothing is there.  I am running two OS(Windows 7 Pro 64 and Windows XP Pro 32) and have three 300gb velociraptors.  I hardly ever use the XP anymore and think I would just have to reinstall my Windows 7.  I just have pretty much filled up all three hard drives and don't want to lose any of that.  The problem there is I will be afraid to save that stuff now as I wouldn't want to accidently save any virus hiding somewhere.

Use a Linux live CD to run antivirus on the VelociRaptors, and look through recent files for anything suspicious. Delete anything you don't recognise. Then reinstall the base Win7 to a new hard drive - I use a smallish SSD (keep your system files physically separate so you don't need to partition).

This way you'll at least get around the possibility of a remaining file reinfecting your system. At least if the antivirus finds malware, anyway.

Bitcoin network and pool analysis 12QxPHEuxDrs7mCyGSx1iVSozTwtquDB3r
follow @oocBlog for new post notifications
Raoul Duke (aka psy), Legendary, Activity: 1358, Merit: 1002
May 11, 2012, 11:01:17 PM, #30

Usually the debug.log file is huge.
Try to look for the tx ID. It should show it there if it's recent. Hopefully it can tell you something.
Most transactions only appear with the first 20 chars. Only transactions initiated from your client will appear with the full tx ID.
pirate1 (OP), Member, Activity: 75, Merit: 10
May 11, 2012, 11:27:37 PM, #31

I looked and found several with the tx ID.  Some saying "ask for tx" and others saying "getdata: tx.....".  I really can't make much out of it.  I am wanting to delete the whole wallet and my bitcoin client along with my guiminer and then redownload everything.  I am keeping it all for now in the hope that maybe I can discover something useful by looking through the files like these.  Trouble is, I don't really know what to look for or what it means when I see it.

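The search psy suggests and the "askfor tx" / "getdata tx" lines pirate1 found can be turned into a small triage pass over debug.log. The script below is an added example, not code from the thread or from the Bitcoin client; it applies the heuristic psy states (a relayed transaction appears only as a truncated hash, one built by the local client appears with the full txid) and additionally looks for the "ThreadRPCServer method=..." lines the 2012-era client wrote for RPC calls. The log excerpt and the txid are constructed for the example, the method names in SPEND_METHODS are the send calls of that client, and the exact wording of real log lines varies between versions, so only the hash patterns and the method name are relied upon. As MoonShadow points out, a wallet.dat copied off the machine and spent elsewhere leaves none of this evidence, so "relayed only" rules the local client out, not the theft.

```python
"""Triage a debug.log for one known txid (added example, constructed data)."""
import re

# Constructed txid and log lines; not taken from any real wallet or debug.log.
TXID = "3f8a1c9e2b7d4a6f0c1e5b8d7a2f4c6e9b1d3f5a7c9e2b4d6f8a0c2e4b6d8f0a"

SAMPLE_LOG = """\
askfor tx 3f8a1c9e2b7d4a6f0c1e   0
received getdata for: tx 3f8a1c9e2b7d4a6f0c1e
ThreadRPCServer method=getinfo
askfor tx 9e2b7d4a6f0c1e5b8d7a   0
"""

# Same excerpt with a spend issued through RPC appended (also constructed).
SAMPLE_LOG_RPC_SEND = SAMPLE_LOG + """\
ThreadRPCServer method=sendtoaddress
CommitTransaction: 3f8a1c9e2b7d4a6f0c1e5b8d7a2f4c6e9b1d3f5a7c9e2b4d6f8a0c2e4b6d8f0a
"""

# RPC methods of the 2012-era client that create an outgoing transaction.
SPEND_METHODS = {"sendtoaddress", "sendfrom", "sendmany"}

_RPC_LINE = re.compile(r"ThreadRPCServer method=(\w+)")


def triage(log_text, txid):
    """Classify how a txid appears in the log.

    Returns a dict with the matching lines and a verdict:
      rpc_send      full txid present and a spending RPC method was logged
      local_client  full txid present, no spending RPC method logged
      relayed_only  only the 20-char prefix appears (relayed from the network)
      not_found     the txid does not appear at all
    """
    txid = txid.lower()
    prefix = txid[:20]
    full_hits, prefix_hits, rpc_methods = [], [], []

    for lineno, line in enumerate(log_text.splitlines(), 1):
        low = line.lower()
        if txid in low:
            full_hits.append((lineno, line))
        elif prefix in low:
            prefix_hits.append((lineno, line))
        m = _RPC_LINE.search(line)
        if m:
            rpc_methods.append((lineno, m.group(1)))

    spend_seen = any(method in SPEND_METHODS for _, method in rpc_methods)
    if full_hits and spend_seen:
        verdict = "rpc_send"
    elif full_hits:
        verdict = "local_client"
    elif prefix_hits:
        verdict = "relayed_only"
    else:
        verdict = "not_found"

    return {
        "full_hits": full_hits,
        "prefix_hits": prefix_hits,
        "rpc_methods": rpc_methods,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for label, text in (("network only", SAMPLE_LOG), ("with RPC send", SAMPLE_LOG_RPC_SEND)):
        result = triage(text, TXID)
        print(f"{label}: {result['verdict']}")
        for lineno, line in result["full_hits"] + result["prefix_hits"]:
            print(f"  line {lineno}: {line}")
```

On the first excerpt the txid is seen twice, both times truncated, so the verdict is relayed_only; on the second the full hash follows a logged sendtoaddress call and the verdict is rpc_send, which is the case where the rpcallowip and password settings discussed above become the prime suspect.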
MoonShadow, Legendary, Activity: 1708, Merit: 1007
May 11, 2012, 11:48:02 PM, #32

I looked and found several with the tx ID.  Some saying "ask for tx" and others saying "getdata: tx.....".  I really can't make much out of it.  I am wanting to delete the whole wallet and my bitcoin client along with my guiminer and then redownload everything.  I am keeping it all for now in the hope that maybe I can discover something useful by looking through the files like these.  Trouble is, I don't really know what to look for or what it means when I see it.

There is nothing useful to be found that can't also be found at blockexplorer.  If you are certain that the funds have been transferred out of your control, and it sounds like that is the case, then there is nothing that can be done.  That is, nothing within the context of the bitcoin system.  If you're determined enough & willing to teach yourself to be a bitcoin guru, it's possible that you could track this guy down eventually.  In which case, you'd need your existing data for prosecution.  But this requires that 1) you learn to be very good at digital forensics, 2) you have the time to put into it and 3) the thief eventually makes a mistake with the funds in those addresses.  For a value of about $50, it's probably best to take it all in as a fairly cheap lesson in security.  If the same thing were to happen to me, I'd be out thousands of $.  I keep about 10 btc on my cell phone.

Raoul Duke (aka psy), Legendary, Activity: 1358, Merit: 1002
May 12, 2012, 12:25:46 AM, #33

MoonShadow, I didn't say that he should look at the debug.log to track the guy. It was more a way to try to find out if he got jacked by RPC or by malware installed on his computer.
You understand the inner workings of bitcoin a lot more than me, so you may be the right person to help.
Isn't there any way to find in any of the logs how that transaction was initiated? Was it from his computer? Did the thief copy his wallet.dat and sweep the funds? Was it RPC?
It could save the man 48 hrs, by not having to format his computer and reinstall, in case he could be certain it was his RPC password that got exploited and not malware.

pirate1 (OP), Member, Activity: 75, Merit: 10
May 12, 2012, 12:38:56 AM, #34

MoonShadow, that makes sense.  I am taking it as a fairly cheap lesson in security.  I am going to go ahead and do the delete and redownload.  I am still considering a full reinstall of my OS.  I am waiting for my first couple of BitForce Singles so now is the time to get this secure.  I am also leaning toward trying the Armory wallet app.  I am looking into the paper wallet a little more too.  I did find a couple of Trojans in my temp files with my SuperAntiSpyware right after this happened.  After I deleted them nothing else has been detected by any of the anti-virus or anti-spyware apps that I have run, and I have run several.  I am thinking that is where the problem was but as I am not sure it worries me.  People have talked about a hacking of the computer through the RPC interface.  I do have RPC turned off for my computer but I don't know if the Bitcoin app goes around that somehow.  It seems like becoming a Bitcoin guru may be a little time consuming.  I want to know as much as I can and definitely enough to be secure but spending the time to learn everything would probably be prohibitive.  I plan on getting an SSD in the next couple of months so I am thinking that will be the time to reinstall my OS and my programs.  I won't have any appreciable amount of bitcoins in my wallet until after that anyway so for now I'll see how it goes with the deletion, new download and maybe the Armory wallet.

Hey Psy, I just saw your new post.  You bring up exactly what I am really wanting to find out.  Just how did it happen?  I am thinking it was malware and one of the Trojans that my anti-spyware found but I really would like to be sure.

Raoul Duke (aka psy), Legendary, Activity: 1358, Merit: 1002
May 12, 2012, 12:49:56 AM, #35

Hey Psy, I just saw your new post.  You bring up exactly what I am really wanting to find out.  Just how did it happen?  I am thinking it was malware and one of the Trojans that my anti-spyware found but I really would like to be sure.

Yeah. Only the how is important now, so you can decide on what to do next.
The who, screw that. You're not seeing your bitcoins back, that's for sure ;)
etotheipi, Legendary (expert), Activity: 1428, Merit: 1093, Core Armory Developer
May 12, 2012, 01:03:43 AM, #36

I am also leaning toward trying the Armory wallet app.  I am looking into the paper wallet a little more too.  ...  I won't have any appreciable amount of bitcoins in my wallet until after that anyway so for now I'll see how it goes with the deletion, new download and maybe the Armory wallet.

For reference, when you create a new wallet with Armory, you can print a paper-backup with every address ever created by that wallet on one sheet of paper (it's 128 characters from which all private keys are generated).  You technically don't have to print it, you can just copy it down by hand if you can't get the printer working.  You can recover all of your funds at any time in the future if you have those 128 characters.  (although if you import any keys, they have to be backed up separately...)

Further, if you instead wanted to switch to another program, you can copy or print the individual private keys for each address you've used, which can then be imported into another application or service that supports importing addresses.  I'm not sure if that's what people mean when they say "paper wallets".

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
MoonShadow, Legendary, Activity: 1708, Merit: 1007
May 12, 2012, 01:04:17 AM, #37

MoonShadow, I didn't say that he should look at the debug.log to track the guy. It was more a way to try to find out if he got jacked by RPC or by malware installed on his computer.
You understand the inner workings of bitcoin a lot more than me, so you may be the right person to help.
Isn't there any way to find in any of the logs how that transaction was initiated? Was it from his computer? Did the thief copy his wallet.dat and sweep the funds? Was it RPC?
It could save the man 48 hrs, by not having to format his computer and reinstall, in case he could be certain it was his RPC password that got exploited and not malware.

I'm sorry, but there are just too many ways to discreetly copy and transmit an unencrypted wallet.dat for such efforts to be worthwhile.  I'm of the opinion that Windows isn't secure enough of an operating system to safely handle bitcoin of any significant amount at all, even if there isn't existing evidence of a breach.  There are simply too many ways to infect a Windows machine, check to see that a bitcoin instance exists, copy & transmit the wallet.dat file (encrypted or not) and do the same for a keylogger stream.  I may be paranoid, but I wouldn't put much on any machine I don't have administrative rights upon, even if it was a GNU/Linux machine owned by someone that I trust and believe to have the skills.  If Windows is all you have, IMHO you'd be much safer putting your spending money onto your Android smartphone and using bitcoinspinner.  At least, for now, there are no known wallet.dat stealing viruses for Android.  Or perhaps a split-wallet type online storage service, that permits two-factor logins.  If you use Windows, you are already trusting the security model of some faceless entity against which you have no real recourse in a dispute.  IMHO your odds of getting burned at an online wallet service are actually lower than your odds of being pwned with your own bitcoin client on a Windows machine.

I don't know if there might be anything in the logs worth keeping on the off chance that this guy gets caught eventually, by him or others, but I'm fairly certain that there is nothing there that is going to tell you how he got pwned.  Not in the bitcoin logs, anyway.  It's very unlikely that the thief targeted him specifically, and sent those coins from his client.  If he had, the client would have displayed the loss immediately, rather than have to catch up to the blockchain first.

organofcorti, Donator, Legendary, Activity: 2058, Merit: 1007 ("Poor impulse control.")
May 12, 2012, 01:56:01 AM, #38
Last edit: May 12, 2012, 02:23:20 AM by organofcorti

First thing this morning (Asian time) the money started moving again, to two addresses at a time. Most of it has ended up at the following addresses:

http://blockexplorer.com/address/1K2n1K7WUqsUfEyTr4QPagxffSqsT7f8Sy
http://blockexplorer.com/address/13BeKS3FCguWgYXyJy23ZMe2utAycpsgmg
http://blockexplorer.com/address/1FrtkNXastDoMAaorowys27AKQERxgmZjY
http://blockexplorer.com/address/1J2yiVk7oisnMELibVko4thHhHxRDwwtUV


It also went to other addresses that are well established and look like Tx fees and maybe a purchase of something. At least it's obvious you're not the only one stung. There's 21000 coins in one of those addresses which was started only a couple of weeks ago. Your coins might already be partly laundered.

Edit:

In fact, a portion of your coins went here:

http://blockexplorer.com/address/1kTt7jVHZ614g44LEjS1HtxHYpzE96Lkk

which just receives coin and then sends it on, at least some of which has gone to bitcoinduit:

http://bitcoinduit.com/rounds/155

You might be able to start asking questions there.

dooglus, Legendary, Activity: 2940, Merit: 1330
May 12, 2012, 06:56:05 AM, #39

Either way, there's a lot of peace of mind knowing that no virus can survive an OS reinstallation...

I wouldn't be so sure:

http://www.bit-tech.net/news/bits/2009/03/24/researchers-create-bios-malware/1

Mike Hearn, Legendary (expert), Activity: 1526, Merit: 1129
May 14, 2012, 05:22:26 AM, #40

pirate1? If that username is supposed to imply what kind of activity you do, I wouldn't be surprised if you had malware. Piracy is very often monetized by malware these days. If you use warez/cracks/keygens you're asking to get screwed.

Reformat your machine from scratch, don't touch warez, use an encrypted wallet and make sure you understand RPC settings!