Tejsei3
Newbie
Offline
Activity: 36
Merit: 0
April 20, 2013, 02:31:28 PM
Thanks for your quick action.
pushyk
April 20, 2013, 02:34:12 PM
Quote:
    That's quite interesting:
        # cat access.log.2 | grep 'POST /login' | wc -l
        56236
        # cat access.log.1 | grep 'POST /login' | wc -l
        71523
    It seems that we found our problem. I'll add a new rule to the fail2ban settings.

So, as I understand it, my password was hacked via Coinotron, or did you have a hole after all? I didn't quite get it... it was a fairly non-trivial eight-character alphanumeric one, too...
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 02:51:07 PM
Quote:
    That's quite interesting:
        # cat access.log.2 | grep 'POST /login' | wc -l
        56236
        # cat access.log.1 | grep 'POST /login' | wc -l
        71523
    It seems that we found our problem. I'll add a new rule to the fail2ban settings.

    So, as I understand it, my password was hacked via Coinotron, or did you have a hole after all? I didn't quite get it... it was a fairly non-trivial eight-character alphanumeric one, too...

This isn't a hole, just brute force. Possibly in combination with stolen passwords, or by dictionary.
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 03:01:46 PM (Last edit: April 20, 2013, 03:24:44 PM by Balthazar)
New settings applied.
    WARNING [ltcmine-login] Ban 108.254.4.74
    WARNING [ltcmine-login] Ban 24.188.138.99
    WARNING [ltcmine-login] Ban 83.151.4.212
    WARNING [ltcmine-login] Ban 128.73.39.106
    WARNING [ltcmine-login] Unban 108.254.4.74
    WARNING [ltcmine-login] Unban 24.188.138.99
    WARNING [ltcmine-login] Unban 83.151.4.212
    WARNING [ltcmine-login] Unban 128.73.39.106
Some details... If you try to log in more than three times, your IP will be banned for 600s.
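The two mechanisms discussed in the posts above, the `grep 'POST /login' | wc -l` count of login attempts and a fail2ban-style rule that bans an IP after more than three attempts, as an added example that is not code from the thread or from the ltcmine.ru pool. The log lines are constructed, and the 600-second observation window (fail2ban's findtime) is an assumption, since the post only states the 600s ban duration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (combined log format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2013:14:30:01 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [20/Apr/2013:14:30:02 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [20/Apr/2013:14:30:03 +0000] "POST /login HTTP/1.1" 401 512
203.0.113.5 - - [20/Apr/2013:14:30:04 +0000] "POST /login HTTP/1.1" 401 512
198.51.100.7 - - [20/Apr/2013:14:30:05 +0000] "POST /login HTTP/1.1" 200 2048
198.51.100.7 - - [20/Apr/2013:14:31:00 +0000] "GET /stats HTTP/1.1" 200 4096
192.0.2.9 - - [20/Apr/2013:14:20:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [20/Apr/2013:14:25:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [20/Apr/2013:14:30:00 +0000] "POST /login HTTP/1.1" 401 512
192.0.2.9 - - [20/Apr/2013:14:35:00 +0000] "POST /login HTTP/1.1" 401 512
"""

# client IP, timestamp, method, path and status code of a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def parse_login_posts(text):
    """Yield (ip, timestamp) for each POST /login line: the same filter as grep 'POST /login'."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, _status = m.groups()
        if method == "POST" and path == "/login":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def count_login_posts(text):
    """Equivalent of grep 'POST /login' | wc -l over the whole file."""
    return sum(1 for _ in parse_login_posts(text))

def offenders(text, maxretry=3, findtime=600):
    """Return {ip: time_of_trigger} for IPs with more than maxretry login POSTs
    inside any findtime-second sliding window (fail2ban-style maxretry/findtime; assumed values)."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = {}
    for ip, ts in sorted(parse_login_posts(text), key=lambda e: e[1]):
        if ip in banned:
            continue
        recent[ip] = [t for t in recent[ip] if ts - t <= window] + [ts]
        if len(recent[ip]) > maxretry:
            banned[ip] = ts
    return banned
```

Note that the slow attempter 192.0.2.9 (one POST every five minutes) never has more than three attempts inside a 600-second window and is not flagged, which is exactly the gap a fixed findtime leaves against low-and-slow guessing.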
BBN
Member
Offline
Activity: 77
Merit: 10
April 20, 2013, 03:07:35 PM
Brute force with stolen passwords is what I am thinking as well. Balthazar, it might be a good idea to stick a warning message on the front page urging members to use a unique password for the site.
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 03:14:47 PM
One possible solution is to force users to use autogenerated passwords. Then all passwords will obviously be unique. But when I tried it once, I received far too many emails about forgotten password recovery. So I think that Google authentication + password will be a quite reliable solution.
ymer
April 20, 2013, 03:17:22 PM
If it helps, I used the same user/password on these sites and none of my accounts were compromised:
coinotron, give-me-ltc, ltc.kattare.com, wemineltc, ltcmine.ru
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 03:18:33 PM
You are a lucky man.
ymer
April 20, 2013, 03:20:52 PM
Quote:
    You are a lucky man.

Yeah, well, just trying to help find out the compromised site.
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 03:23:53 PM
kha0s will perform a security audit soon, don't know about others. P.S. ETA for withdrawals is approximately 1-1.5 hours. I need to eat something...
kronut
Member
Offline
Activity: 86
Merit: 10
April 20, 2013, 03:56:39 PM
The item that bothers me is the full usernames in the top miner and similar stats. One can compile a list of usernames fairly easily to brute force.
Have you thought about obfuscating part of the usernames in the stats?
Another suggestion is a PIN for withdrawal, changing the payout address, or even password changes. This way, if someone does get logged in, they still can't make any changes without it.
Edit: Did you find it funny that MinerG is part of the compromised accounts?
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 04:28:21 PM
I'll add a "displayed name" feature soon. Anyway, with locked addresses there is no sense in brute forcing again anymore. Addresses will be unlocked after adding the Google authentication, and only for GA sessions.

Quote:
    Did you find it funny that MinerG is part of the compromised accounts?

Of course. Unfortunately, his account was banned before, so the hacker was unable to withdraw anything.
tacotime
Legendary
Offline
Activity: 1484
Merit: 1005
April 20, 2013, 04:35:21 PM
I had about 10 LTC stolen. Edit: Hot wallet address is okay, so no compromises there. Looks like it was just taken from my ltcmine account.
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 05:37:09 PM (Last edit: April 20, 2013, 07:09:06 PM by Balthazar)
Re-posting again: P.S. 10/59
BBN
Member
Offline
Activity: 77
Merit: 10
April 20, 2013, 07:09:00 PM
Balthazar, about the G Verification: is that an SMS thingy/recaptcha or something similar?
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 07:11:33 PM
Quote:
    Balthazar, about the G Verification: is that an SMS thingy/recaptcha or something similar?

It will be the usual authentication using your Google account. Maybe in addition to our login/password, to improve security. 11 accounts out of 59 unlocked successfully. Waiting for the other compromised account owners.
BBN
Member
Offline
Activity: 77
Merit: 10
April 20, 2013, 07:16:43 PM
Just recovered my G account password.
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 07:20:09 PM
12/59
Balthazar (OP)
Legendary
Offline
Activity: 3108
Merit: 1359
April 20, 2013, 07:28:44 PM
I'll be back an hour later, and am waiting for PMs and emails from compromised account owners. 12/59 isn't enough yet.