http://static1.nosis.com/glados.cc-/7501610/3 09:10 < TradeFortress> hi
09:12 < TradeFortress> I take full responsibility for leaving that much in the hot wallet.
09:13 < TradeFortress> The hacker tried resetting passwords for my email addresses, and was able to reset one which was created 6 years earlier, without phone / recovery email and gmail happily allowed resetting.
09:14 < TradeFortress> That compromised email account was the recovery for another hotmail email, which was also compromised.
09:15 < TradeFortress> BigBitz|wrk, read please.
09:15 < TradeFortress> I didn't use the old email account without MFA
09:15 < TradeFortress> That old email acc was the recovery email of another account
09:15 < TradeFortress> @gmail > @hotmail > @gmail (2, recv'd forwarding from
admin@glados.cc)
09:16 < TradeFortress> BigBitz|wrk: yes
09:16 < TradeFortress> linode 2FA was bypassed
09:16 < TradeFortress> they seem to be aware of it and don't bother to fix it.
09:16 < TradeFortress> BigBitz|wrk: yes
09:17 < TradeFortress> the attacker also used a (compromised?) server close to my geographical location
09:17 < TradeFortress> I think that helped massively with email recovery
09:18 < TradeFortress> pbase: no. I want to be open and communcative about what has happened.
09:19 < TradeFortress> BigBitz|wrk: I took significant efforts in protecting Inputs' server, but I've never thought about old abandoned emails.
09:20 < TradeFortress> BCB: What do you want me to do then? Invent a magic wand?
09:20 < TradeFortress> I'm refunding as much as I can from all the BTC I have, and the assets I or CL owns.
09:21 < TradeFortress> 9536feebe3a50b94f85ca27d56e669a7209bd4188385d55c5b97227c95cf7f74
09:21 < TradeFortress> BTC was sent here, it's still unspent.
https://blockchain.info/address/1EMztWbGCBBrUAHquVeNjWpJKcB8gBzAFx09:24 < TradeFortress> Quite simply, I wasn't sure what to do, if I could acquire 4K btc so users are not at a loss, and as well as investigating the scope of the hack.
09:25 < TradeFortress> *sign*
09:26 < TradeFortress> BigBitz|wrk: the txid was the first inputs hack
09:26 < TradeFortress> the API was the second, done by the same attacker who dumped the user DB, and then used the API
09:27 < TradeFortress> TheButterZone, I can't see how that'd hurt.
09:28 < TradeFortress> bitsav3: 2x gmail, 1x hotmail
09:30 < TradeFortress> bitnumus, if you check the txid lots of deposits are recent
09:32 < TradeFortress> bitnumus: yes, there's cold storage, but there was more in the hot pocket than cold storage
09:34 < TradeFortress> viboracecata?
09:35 < TradeFortress> theboos, I'm very interested in what security vulns viboracecata claims to have on Inputs.
09:35 < TradeFortress> so has he followed up with the claim? and how long ago?
09:36 < TradeFortress> I'm not aware of any unsolved security vulnerabilities relating to Input's code and enviroment, other than the DB has been compromised. The attack was done through email resets and bypassing security features on Linode's side.
09:37 < TradeFortress> 2FA
09:38 < TradeFortress> BCB: no.
09:38 < TradeFortress> web server was bought from Linode, bitcoind server was on macminicolo
09:38 < TradeFortress> (I own the metal to the macminicolo)
09:39 < TradeFortress> crypt0queen: that's what was used
09:39 < TradeFortress> it wasn't compromised through a server vuln
09:40 < TradeFortress> Linode's position is that my account was not compromised. The attacker simply reset my Linode password through an email request, and then ssh'd into Linode's lish, and got console access to my Linode through lish with my linode account password.
09:40 < TradeFortress> linode lets you reset root passwords..
09:42 < TradeFortress> the attacker copied certain files via FTP using mc, to another (I believe compromised server), and accessed the bitcoind server by pretending to make withdraw requests for an account with an inflated balance
09:42 < TradeFortress> BigBitz: NO
09:42 < TradeFortress> FTP WAS NOT ENABLED
09:42 < TradeFortress> yes
09:43 < TradeFortress> I have obtained the logs
09:43 < TradeFortress> (through Linode)
09:43 < TradeFortress> attacker installed mc
09:43 < TradeFortress> transferred files to 10;15Hd@mastersearching.com:mercedes49@69.85.88.31
09:43 < TradeFortress> BigBitz|wrk: yes, internal ones
09:45 < TradeFortress> BigBitz|wrk, multiple files that relates to internal functions of Inputs, ie the controller.
09:46 < TradeFortress> I have no evidence of the bitcoind mac mini getting compromised. it didn't bark. I suspect the attacker also made one account have -4000 BTC
09:46 < TradeFortress> which allowed it to pass sanity checks
09:46 < TradeFortress> as the total balance as reported by the db matched.
09:46 < TradeFortress> BigBitz|wrk: I have the logs of what they did to the server.
09:47 < TradeFortress> on the server, via lish, I should say.
09:47 < TradeFortress> theboos: did it directly through the DB
09:47 < TradeFortress> wasn't logged.
09:47 < TradeFortress> as it copied DB access creds
09:48 < TradeFortress> BigBitz|wrk: not on the database
09:48 < TradeFortress> bitsav3, I think they're compromised hosts
09:48 < TradeFortress> like
http://mastersearching.com/09:48 < TradeFortress> theboos, of course I've audited the db
09:49 < TradeFortress> the DB doesn't log every single change
09:50 < TradeFortress> general_log wasn't enabled
09:50 < TradeFortress> nor binary logs
09:51 < TradeFortress> +infinity
09:53 < TradeFortress> BCB: it's not enabled.
09:54 < TradeFortress> I didn't disable them, I'm pretty sure they're not enabled by default.
09:55 < TradeFortress> yup BCB
09:55 < TradeFortress> coingenuity, yes, macmini bitcoind iplocked to the web linode
09:55 < TradeFortress> that's a surprise to me
09:56 < TradeFortress> pbase: no, I have saved disk images as soon as I detected the compromise
09:56 < TradeFortress> yep
09:56 < TradeFortress> BigBitz|wrk: installed the env myself.
09:57 < TradeFortress> pbase: definitely not publicly. I'd expect there to be quite a lot of sensitive information in RAM, such as cached mysql data.
09:58 < TradeFortress> actually, no, I didn't do a ram dump.
09:58 < TradeFortress> but the disk image includes db data
09:59 < TradeFortress> I am not aware of if it was forensically sound. I estimate not.
09:59 < TradeFortress> The disk image was dumped via cloning using linode manager.
09:59 < TradeFortress> took like half a hour too
10:01 < TradeFortress> no, not booted
10:01 < TradeFortress> it was cloned to another linode that have not been booted
10:01 < TradeFortress> another as in brand new.
10:02 < TradeFortress> first of all, I'll have to figure out how to transfer the disk image
10:03 < TradeFortress> then I'll have to boot the disk image and remove the db files?
10:04 < TradeFortress> user DB is sorta sensitive. while passwords are hashed w/ bcrypt, PINs are exposed, and there's emails
10:05 < TradeFortress> theboos, that sounds like a good idea
10:05 < TradeFortress> BCB: password reset for my emails, linode, yes.
10:06 < TradeFortress> bitsav3, I will
10:06 < TradeFortress> BCB: they're like typical resets, what do you want to see?
10:07 < TradeFortress>
https://i.imgur.com/sQnXsx0.png10:07 < TradeFortress> the second time the attacker tried to get in
10:08 < TradeFortress> apisnetworks (my shared host, attacker thought there was something useful in here)
10:09 < TradeFortress> pastebin?
10:09 < TradeFortress>
http://pastebin.com/J7S9xWyT10:10 < TradeFortress> BigBitz|wrk: yep, there was one from Oct 23 that I can't now find for some reason.
10:10 < TradeFortress> BigBitz|wrk: hence 'the second time'.
10:10 < TradeFortress> right
10:11 < TradeFortress> BigBitz|wrk: where did you get the impression that I 'didn't do anything'?
10:11 < TradeFortress> I didn't just disregard the password reset email, especially since I couldn't login to linode again
10:11 < TradeFortress> second reset was mine, to regain access
10:12 < TradeFortress> BCB: no
10:12 < TradeFortress> BigBitz|wrk: what?
10:12 < TradeFortress> look at the screenshot
10:12 < TradeFortress> look at the screenshot
10:12 < TradeFortress> how many emails do you see
10:12 < TradeFortress> 2
10:12 < TradeFortress> 1st one: second time attacker tried to get access
10:12 < TradeFortress> 2nd one: me regaining access
10:15 < TradeFortress> glados.cc is powered by google apps
10:15 < TradeFortress> btcfaucet, tried pass resets
10:16 < TradeFortress> btcfaucet, I do not know what they performed, I do not remember the answer to security questions myself.
10:16 < TradeFortress> BigBitz|wrk: when you have shell access you can easily disable that.
10:16 < TradeFortress> BCB: k
10:16 < TradeFortress> duh
10:17 < TradeFortress> with gmail account, I recovered access simply by entering my old (changed) password
10:17 < TradeFortress> probably due to that I usually sign in from that device
10:17 < TradeFortress> BCB:
http://pastebin.com/MhKTa5zN10:19 < TradeFortress> BCB: show original > I see this.
10:19 < TradeFortress> bitcoind was dedi, I own the metal to it.
10:19 < TradeFortress> web was xen
10:20 < TradeFortress> BCB: tell me how.
10:20 < TradeFortress> just like the apisnetworks?
10:20 < TradeFortress> I'm accessing it the same way
10:20 < TradeFortress> 'Show Original'
10:21 < TradeFortress> BCB: I copied the entirety
10:21 < TradeFortress> understatement :p
10:23 < TradeFortress>
https://i.imgur.com/H0NEeI7.png10:24 < TradeFortress> for the linode
10:25 < TradeFortress> balances were signed because it's POSSIBLE that someone would have a negative balance on inputs
10:25 < TradeFortress> but in normal operation it hsouldn't
10:25 < TradeFortress> btcfaucet, that won't work because the mini does some sanity checking, such as SUM(balance)
10:26 < TradeFortress> stqism: no
10:26 < TradeFortress> whitelisted
10:28 < TradeFortress> BCB: they are.
10:28 < TradeFortress> you asked for the second email
10:28 < TradeFortress> I sent you the original (as exposed by mail.google.com) and pastebinned & screenshotted it.
10:29 < TradeFortress> stqism: I thought tcp packets with a faked source won't be accepted.
10:30 < TradeFortress> BCB: haven't I already told this twice
10:30 < TradeFortress> the email, on the top, was the attacker's 2nd reset
10:30 < TradeFortress> then I was unable to login, so I had to reset it again
10:30 < TradeFortress> you asked for the SECOND
10:30 < TradeFortress> so I sent you the SECOND
10:30 < TradeFortress> ie the one at the bottom
10:31 < TradeFortress> you want the one on the top? ask for the FIRST then.
10:31 < TradeFortress> go look at the screenshots
10:31 < TradeFortress> BCB: of?
10:31 < TradeFortress> have you looked at the screenshot
10:31 < TradeFortress> look at the SECOND email because you asked for the 2nd's original.
10:32 < TradeFortress> check the scrollback
10:32 < TradeFortress> it's this,
https://i.imgur.com/sQnXsx0.png, correct?
10:35 < TradeFortress> BigBitz|wrk: not after this.
10:35 < TradeFortress> BigBitz|wrk: to?
10:36 < TradeFortress> BigBitz|wrk: I exercise my right to reject it.
10:36 < TradeFortress> BCB: then why don't you ask.
10:38 < TradeFortress>
https://i.imgur.com/pCtanaU.png10:38 < TradeFortress> ever realize I might be screenshotting and uploading?
10:38 < TradeFortress> coingenuity, yep
10:39 < TradeFortress> BigBitz|wrk: gmail uses local time zones
10:39 < TradeFortress> BCB: did I? that's the full email.
10:41 < TradeFortress> kk, I've spent 1.5 hours or so here now.
10:42 < TradeFortress> I have another hundred emails to handle for Inputs.io
10:42 < TradeFortress> email me at
admin@glados.cc if you want to contact me, I'll try and pop in tomorrow.
10:43 < TradeFortress> what is wrong with you BCB
10:43 < TradeFortress> do you need glasses
10:43 < TradeFortress> they are different emails
10:44 < TradeFortress> BCB: post them, show where it was the same timestamp
10:48 < TradeFortress> BCB: nothing useful on apisnetworks
10:48 < TradeFortress> most you could do is change the index.html on
http://glados.cc/!
19:35 <@gribble> TradeFortress was last seen in #bitcoin-otc 8 hours, 46 minutes, and 30 seconds ago: <TradeFortress> most you could do is change the index.html on
http://glados.cc/!
2010-09-20
Expires: 2015-09-20
Owner: MARK RUSSELLS (.)
Hosting company: Global Net Access, LLC
Registrar: ENOM, INC.
IPs: 64.22.68.16
DNS: ns1.apisnetworks.com
ns2.apisnetworks.com
