Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Service Discussion
Re: My CEX.IO account has been hacked and has been drained dry.
by
Wassupia
on 06/01/2014, 12:46:51 UTC
Quote from: s1lverbox on January 05, 2014, 10:18:36 AM
Quote from: empoweoqwj on January 05, 2014, 02:20:34 AM
Quote from: 0zman on January 04, 2014, 02:34:41 PM
I have lost a bit more than 0.5 BTC in total.
I had 11 GH/s and had enough to buy another 1.5.
I have sent the files dumped in my TEMP folder to another CEX user, he will pull it apart and help to discover what and how he managed to get it done.
The webpage listed above ran a JAVA plugin, which I stupidly agreed to run.
What got my attention at first was btc-e loaded in another web browser that was closed.
It also ran an app called mtgox_bot.exe.
The Scumbag has managed to get into my account and change my password, I am locked out.
I was able to see my worker on ghash.io with 0 GH/s just before I was locked out of there.
I'm SAD.

Lesson for everyone. Never run a Java plugin. Sorry for your loss

Java is ok from trusted places or sandboxed. The best one is http://www.sandboxie.com/

I did download whole site as mirror and  applet.jar on the website. Anyone who knows java could look in that what's acctually this script doing.

Zip file is here: http://www38.zippyshare.com/v/80049771/file.html

I suggest if any one, to run it sundboxed.

I do not encourage anyone to download and open this file.

Files provided to analyse what contains that plugin and how they taking info from machine.

You can decompile with http://jd.benow.ca/

It's a regular java driveby, with a reg to disable uac and taskmanager (I think). I found 1 valid url inside, of which the domain expired on December 20.
http:**www.mundoonlinejava.com*cgi.bin*uploads*update2.jar

On http://web.archive.org  I see it was hosted by https://pt-br.facebook.com/KingHost.Brasil

whois:
http://whois.domaintools.com/mundoonlinejava.com
It's probably registered with the email-address of the hosting comp, not sure.

If someone could get the ip-adress the domain pointed to before it expired, you might be able to download the update2.jar to get more info.

I know there have been silent javadriveby's that would run without requiring permission.
You should disable the java plugin by default...
This way Jars won't even ask for permission, so you can't 'accidently' press 'run/allow', and silent driveby's don't have a chance.