Board: Service Announcements
Re: Hashie.co - Cloud Mining from 0.0012 BTC / GH | NEW: AMHash | FREE 10 GH
by primeminer on 12/01/2015, 14:48:41 UTC

09:12 < TradeFortress> I take full responsibility for leaving that much in the hot wallet.
09:13 < TradeFortress> The hacker tried resetting passwords for my email addresses, and was able to reset one which was created 6 years earlier, without phone / recovery email and gmail happily allowed resetting.
09:14 < TradeFortress> That compromised email account was the recovery for another hotmail email, which was also compromised.
09:15 < TradeFortress> BigBitz|wrk, read please.
09:15 < TradeFortress> I didn't use the old email account without MFA
09:15 < TradeFortress> That old email acc was the recovery email of another account
09:15 < TradeFortress> @gmail > @hotmail > @gmail (2, recv'd forwarding from admin@glados.cc)
09:16 < TradeFortress> BigBitz|wrk: yes
09:16 < TradeFortress> linode 2FA was bypassed
09:16 < TradeFortress> they seem to be aware of it and don't bother to fix it.
09:16 < TradeFortress> BigBitz|wrk: yes
09:17 < TradeFortress> the attacker also used a (compromised?) server close to my geographical location
09:17 < TradeFortress> I think that helped massively with email recovery
09:18 < TradeFortress> pbase: no. I want to be open and communicative about what has happened.
09:19 < TradeFortress> BigBitz|wrk: I took significant efforts in protecting Inputs' server, but I've never thought about old abandoned emails.
09:20 < TradeFortress> BCB: What do you want me to do then? Invent a magic wand?
09:20 < TradeFortress> I'm refunding as much as I can from all the BTC I have, and the assets I or CL owns.
09:21 < TradeFortress> 9536feebe3a50b94f85ca27d56e669a7209bd4188385d55c5b97227c95cf7f74
09:21 < TradeFortress> BTC was sent here, it's still unspent. https://blockchain.info/address/1EMztWbGCBBrUAHquVeNjWpJKcB8gBzAFx
09:24 < TradeFortress> Quite simply, I wasn't sure what to do, if I could acquire 4K btc so users are not at a loss, and as well as investigating the scope of the hack.
09:25 < TradeFortress> *sign*
09:26 < TradeFortress> BigBitz|wrk: the txid was the first inputs hack
09:26 < TradeFortress> the API was the second, done by the same attacker who dumped the user DB, and then used the API
09:27 < TradeFortress> TheButterZone, I can't see how that'd hurt.
09:28 < TradeFortress> bitsav3: 2x gmail, 1x hotmail
09:30 < TradeFortress> bitnumus, if you check the txid lots of deposits are recent
09:32 < TradeFortress> bitnumus: yes, there's cold storage, but there was more in the hot pocket than cold storage
09:34 < TradeFortress> viboracecata?
09:35 < TradeFortress> theboos, I'm very interested in what security vulns viboracecata claims to have on Inputs.
09:35 < TradeFortress> so has he followed up with the claim? and how long ago?
09:36 < TradeFortress> I'm not aware of any unsolved security vulnerabilities relating to Input's code and environment, other than the DB has been compromised. The attack was done through email resets and bypassing security features on Linode's side.
09:37 < TradeFortress> 2FA
09:38 < TradeFortress> BCB: no.
09:38 < TradeFortress> web server was bought from Linode, bitcoind server was on macminicolo
09:38 < TradeFortress> (I own the metal to the macminicolo)
09:39 < TradeFortress> crypt0queen: that's what was used
09:39 < TradeFortress> it wasn't compromised through a server vuln
09:40 < TradeFortress> Linode's position is that my account was not compromised. The attacker simply reset my Linode password through an email request, and then ssh'd into Linode's lish, and got console access to my Linode through lish with my linode account password.
09:40 < TradeFortress> linode lets you reset root passwords..
09:42 < TradeFortress> the attacker copied certain files via FTP using mc, to another (I believe compromised) server, and accessed the bitcoind server by pretending to make withdraw requests for an account with an inflated balance
09:42 < TradeFortress> BigBitz: NO
09:42 < TradeFortress> FTP WAS NOT ENABLED
09:42 < TradeFortress> yes
09:43 < TradeFortress> I have obtained the logs
09:43 < TradeFortress> (through Linode)
09:43 < TradeFortress> attacker installed mc
09:43 < TradeFortress> transferred files to 10;15Hd@mastersearching.com:mercedes49@69.85.88.31
09:43 < TradeFortress> BigBitz|wrk: yes, internal ones
09:45 < TradeFortress> BigBitz|wrk, multiple files that relate to internal functions of Inputs, ie the controller.
09:46 < TradeFortress> I have no evidence of the bitcoind mac mini getting compromised. it didn't bark. I suspect the attacker also made one account have -4000 BTC
09:46 < TradeFortress> which allowed it to pass sanity checks
09:46 < TradeFortress> as the total balance as reported by the db matched.
09:46 < TradeFortress> BigBitz|wrk: I have the logs of what they did to the server.
09:47 < TradeFortress> on the server, via lish, I should say.
09:47 < TradeFortress> theboos: did it directly through the DB
09:47 < TradeFortress> wasn't logged.
09:47 < TradeFortress> as it copied DB access creds
09:48 < TradeFortress> BigBitz|wrk: not on the database
09:48 < TradeFortress> bitsav3, I think they're compromised hosts
09:48 < TradeFortress> like http://mastersearching.com/
09:48 < TradeFortress> theboos, of course I've audited the db
09:49 < TradeFortress> the DB doesn't log every single change
09:50 < TradeFortress> general_log wasn't enabled
09:50 < TradeFortress> nor binary logs
what is that all about?

4k BTC hacked but where from???
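The sanity check TradeFortress describes in the log (the DB total still matched the coins held, so an account at -4000 BTC masked an inflated one) can be reproduced with a small reconciliation routine. This is an added example, not code from the post or from Inputs.io; the ledger entries and wallet total are constructed figures.

```python
"""Ledger reconciliation: why an aggregate-only check misses offsetting edits."""
from decimal import Decimal


def total_matches_wallet(balances, wallet_total):
    """The weak check from the log: only the sum of balances is compared
    against the coins actually held in hot plus cold storage."""
    return sum(balances.values(), Decimal(0)) == wallet_total


def find_invariant_violations(balances, wallet_total, max_single=None):
    """Per-account checks that an aggregate comparison cannot provide.

    Returns (account, reason) tuples for every violation found:
    - a balance must never be negative
    - no single balance may exceed the coins held (or a tighter
      ``max_single`` limit when the operator sets one)
    - the aggregate must still match the wallet total
    """
    ceiling = wallet_total if max_single is None else min(wallet_total, max_single)
    violations = []
    for account, amount in sorted(balances.items()):
        if amount < 0:
            violations.append((account, f"negative balance {amount}"))
        elif amount > ceiling:
            violations.append((account, f"balance {amount} exceeds ceiling {ceiling}"))
    if not total_matches_wallet(balances, wallet_total):
        violations.append(("*", "aggregate does not match wallet total"))
    return violations


# Constructed honest ledger: three accounts summing to the 4200 BTC held.
HONEST = {"alice": Decimal("1200"), "bob": Decimal("2500"), "carol": Decimal("500")}
WALLET_TOTAL = Decimal("4200")

# Constructed tampered ledger: carol inflated by 4000 BTC, bob pushed down by
# the same amount, so the sum is unchanged and the weak check still passes.
TAMPERED = dict(HONEST, carol=Decimal("4500"), bob=Decimal("-1500"))


if __name__ == "__main__":
    print("aggregate check passes:", total_matches_wallet(TAMPERED, WALLET_TOTAL))
    for account, reason in find_invariant_violations(TAMPERED, WALLET_TOTAL):
        print(account, reason)
```

Running the per-account check on every withdrawal request, not just on a periodic balance sheet, is what turns this from an audit finding into a blocking control.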