Over 4000 namecoins stolen

vird
Posts: 5
Joined: Sat Jun 18, 2011 9:05 pm
os: windows

Over 4000 namecoins stolen

Post by vird »

//sorry for bad English grammar
I am the administrator of a big mining rig plant. For a few weeks I mined bitcoins. Several days ago I started mining namecoins. Today I found that my namecoin wallet has a balance of 250 instead of over 3600 (last seen balance).

>namecoind.exe listtransactions
[
{
"account" : "",
"address" : "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb",
"category" : "send",
"amount" : -1.00000000,
"fee" : 0.00000000,
"confirmations" : 73,
"txid" : "6cce69f22841439b40bd576d15c46ec6d60ad44e1d604b51049ecebd011b53d4",
"time" : 1308401169
},
{
"account" : "",
"address" : "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb",
"category" : "send",
"amount" : -0.00010000,
"fee" : -0.01000000,
"confirmations" : 72,
"txid" : "2a10ba927b1429f38d4469c0627ed9b2faa11c42c23829afdf23e4b7c7a6acfd",
"time" : 1308402131
},
{
"account" : "",
"category" : "immature",
"amount" : 50.01000000,
"confirmations" : 69,
"txid" : "1a8aa43b56090e101dcd860c98438dd50b6e077400b1b2bd58c26e8a66a75c65",
"time" : 1308403906
},
{
"account" : "",
"category" : "immature",
"amount" : 50.00000000,
"confirmations" : 67,
"txid" : "33a8a16901f8f0daf1b021e697ad46379d7aba75023fce50e3ea7c1a50b4c1cb",
"time" : 1308405324
},
{
"account" : "",
"category" : "immature",
"amount" : 50.02000000,
"confirmations" : 61,
"txid" : "b8ee07684392bb9d65ee9e1849382278b82b32cbb15f58dadb94d8de18cf423b",
"time" : 1308408420
},
{
"account" : "",
"category" : "immature",
"amount" : 50.00000000,
"confirmations" : 52,
"txid" : "dbc66b361c3a35494dca97598b3681db7fcdfa24577750dc7161103b98a81962",
"time" : 1308410830
},
{
"account" : "",
"address" : "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY",
"category" : "send",
"amount" : -100.00000000,
"fee" : 0.00000000,
"confirmations" : 34,
"txid" : "08090e3ea33ccc3ba70fa9a7e01e6833cc2175f6fefccbebc93bef59cdcef37f",
"time" : 1308416871
},
{
"account" : "",
"address" : "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY",
"category" : "send",
"amount" : -4200.00000000,
"fee" : 0.00000000,
"confirmations" : 34,
"txid" : "2b68da5ebcbdd6098804a5c1355b9b4dcdff16dfe88985e0fac2f531a6b654b7",
"time" : 1308416871
},
{
"account" : "",
"category" : "immature",
"amount" : 50.00000000,
"confirmations" : 32,
"txid" : "f4c82501f014b1524e73ddf29114fbb4005004fb332595fe56bad6998d0664ca",
"time" : 1308418194
},
{
"account" : "",
"category" : "immature",
"amount" : 50.03000000,
"confirmations" : 30,
"txid" : "c4640362ff8bda4e229283a5f0a13b5ed2be5f6b399d5ba4d5c8e550a0ede675",
"time" : 1308418719
}
]

I have bitcoin and namecoin wallets on a single PC in different folders; my bitcoin wallet lost nothing, so it is not the result of cracking my computer.

I have a list of questions:
0. WTF?
1. Where can I find some info about blocks and transactions in the namecoin network (similar to http://blockexplorer.com/)? Also, can I see the history of some particular namecoin transaction address? (Now I'm looking for some IRC client to look at the IRC channel #namecoin. I think I will find some useful info there.)
2. Has anyone had a similar situation?

maestro
Posts: 3
Joined: Sat Jun 18, 2011 11:48 pm
os: other

Re: Over 4000 namecoins stolen

Post by maestro »

You are not alone. See this: http://dot-bit.org/forum/viewtopic.php?f=2&t=146
You are lucky that you have proof and I have NOTHING. TOTALLY NOTHING. I wasted my time on mining namecoins and I have no idea what is going on.

penta
Posts: 9
Joined: Tue Jun 07, 2011 10:46 am

Re: Over 4000 namecoins stolen

Post by penta »

Did any one of you use the .exe GUI that someone released?

doublec
Posts: 149
Joined: Mon May 23, 2011 12:47 am
os: linux
Location: Auckland, New Zealand
Contact:

Re: Over 4000 namecoins stolen

Post by doublec »

vird wrote: 1. Where can I find some info about blocks and transactions in the namecoin network (similar to http://blockexplorer.com/)? Also, can I see the history of some particular namecoin transaction address? (Now I'm looking for some IRC client to look at the IRC channel #namecoin. I think I will find some useful info there.)
This is the 4200 transfer transaction: http://explorer.dot-bit.org/tx/31996

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: Over 4000 namecoins stolen

Post by khal »

Where did you get your .exe (Windows version?) from?
penta wrote: Did any one of you use the .exe GUI that someone released?

I found this one too: http://explorer.dot-bit.org/tx/31995 (100BTC)
Is it yours?

PS: this money is lost, sadly...
NamecoinID: id/khal
GPG : 9CC5B92E965D69A9
NMC: N1KHAL5C1CRzy58NdJwp1tbLze3XrkFxx9
BTC: 1KHAL8bUjnkMRMg9yd2dNrYnJgZGH8Nj6T

Register Namecoin domains with BTC
My bitcoin Identity - Send messages to bitcoin users
Charity Ad - Make a good deed without paying a cent

vird
Posts: 5
Joined: Sat Jun 18, 2011 9:05 pm
os: windows

Re: Over 4000 namecoins stolen

Post by vird »

1.

The remote server is the only place where the wallet was stored as wallet.dat.
I used only the official bitcoind from dot-bit.org, "namecoin linux 64bits (2011-05-17)": http://dot-bit.org/files/namecoin_linux64.tgz

root@massive-miner:/opt/miner-farm/scripts# cksum /opt/miner-farm/namecoin/64/namecoind
1970696483 4883486 /opt/miner-farm/namecoin/64/namecoind

2. I never used any GUI for namecoin. I type only the getinfo and listtransactions commands. I never sent namecoins from the console. I have no scripts that contain sending namecoins. It's not the result of my mistake.

3. Only the namecoind server was running when this happened.

rpcallowip=10.1.*.*
was present in the .conf file and there are no users in the local network, so the human factor is excluded by design.

At the time of the incident I had bitcoins in my bitcoin wallet and they are still present. So there was no penetration of my system.

I don't understand why there were many transactions. Why not one big transaction with all my money? It's simpler.

By the way: https://en.bitcoin.it/wiki/Incidents
So I guess this situation is not my fault but some minor mistake in the source code. I think this is the only reason that has some significant probability. (Breaking the private keys has an unbelievably small probability, a man-in-the-middle attack at my provider too, stealing the wallet info too (how? Why did they not steal my bitcoin wallet? The bitcoin and namecoin folders were really close. Why not one single transaction? Many factors that dramatically decrease the probability.))

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: Over 4000 namecoins stolen

Post by khal »

Each RPC is logged (in ~/.namecoin/debug.log), so you should find something like:

ThreadRPCServer method=sendtoaddress
(or another rpc command to send: sendfrom, sendmany)

If you find that, and you didn't type it, someone else did it, locally or remotely.

You can also search for the beginning of the txid: 2b68da5e.

I've also added a search by address in the explorer to follow coins: http://explorer.dot-bit.org/a/N5dbhepBv ... LGAr3wp4cY
I compiled the linux builds myself from the github source code... so I hope there is no problem upstream...

doublec
Posts: 149
Joined: Mon May 23, 2011 12:47 am
os: linux
Location: Auckland, New Zealand
Contact:

Re: Over 4000 namecoins stolen

Post by doublec »

vird wrote: I don't understand why there were many transactions. Why not one big transaction with all my money? It's simpler.
But they did do one big transaction, didn't they? The 'send' for 4200 coins is the only thing resulting in loss of money?

khal
Site Admin
Posts: 708
Joined: Mon May 09, 2011 5:09 pm
os: linux

Re: Over 4000 namecoins stolen

Post by khal »


>namecoind.exe listtransactions
[
    {
        "account" : "",
        "address" : "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb",
        "category" : "send",
        "amount" : -1.00000000,
        "fee" : 0.00000000,
        "confirmations" : 73,
        "txid" : "6cce69f22841439b40bd576d15c46ec6d60ad44e1d604b51049ecebd011b53d4",
        "time" : 1308401169
    },
    {
        "account" : "",
        "address" : "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb",
        "category" : "send",
        "amount" : -0.00010000,
        "fee" : -0.01000000,
        "confirmations" : 72,
        "txid" : "2a10ba927b1429f38d4469c0627ed9b2faa11c42c23829afdf23e4b7c7a6acfd",
        "time" : 1308402131
    },
    {
        "account" : "",
        "address" : "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY",
        "category" : "send",
        "amount" : -100.00000000,
        "fee" : 0.00000000,
        "confirmations" : 34,
        "txid" : "08090e3ea33ccc3ba70fa9a7e01e6833cc2175f6fefccbebc93bef59cdcef37f",
        "time" : 1308416871
    },
    {
        "account" : "",
        "address" : "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY",
        "category" : "send",
        "amount" : -4200.00000000,
        "fee" : 0.00000000,
        "confirmations" : 34,
        "txid" : "2b68da5ebcbdd6098804a5c1355b9b4dcdff16dfe88985e0fac2f531a6b654b7",
        "time" : 1308416871
    }
]
- immature blocks are future blocks of 50 namecoins, except if they become orphans.

The remaining transactions are:
2 sends to NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb for an amount of 1.0001 NMC
2 sends to N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY for an amount of 4300 NMC

NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb is not your address either? (namecoind.exe validateaddress NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb)

Most important: search the logs.

Another remark: you use "namecoind.exe", so you have remote access from a Windows machine. Maybe it comes from there too...

vird
Posts: 5
Joined: Sat Jun 18, 2011 9:05 pm
os: windows

Re: Over 4000 namecoins stolen

Post by vird »

There were 4 transactions
1. "amount" : -1.00000000,
2. "amount" : -0.00010000,
3. "amount" : -100.00000000,
4. "amount" : -4200.00000000,

1 and 2 are obviously testing.
4: obviously the cracker knows my balance.

Questions, if there was a crack:
1. If the cracker knows my balance, what is the reason for testing? Waiting until I send the money to another safe place?
2. If the cracker doesn't know my balance, where are the sequentially growing transactions?

What about "method=sendtoaddress"?
Sad, but it seems I don't have debug.log for exactly that period. I have one day before and after changing the wallet.
So
cat /path-to-stored/debug.log | grep "method=" > result.file
outputs only getinfo, listtransactions and stop.
BUT. I can't tell when an action was written to the log file because there are no timestamps in debug.log.
So the answer is: "I found no suspicious method call (the stops are mine), but I'm not sure that this backup of debug.log covers that period of time."


What about "is this my address?"

namecoind validateaddress NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb
{
"isvalid" : true,
"address" : "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb",
"ismine" : false
}

namecoind validateaddress N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY
{
"isvalid" : true,
"address" : "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY",
"ismine" : false
}

As I understand, the answer is negative. Sad. I hoped that this would work.



I found some other important thing.

There was NO firewall on port 8332 as an external port. "rpcallowip=10.1.*.*" was the only protection rule against malicious remote control. The only way to exploit this is using a vulnerability in namecoind that allows overriding the "rpcallowip" limitation in the config. But if that's true, there is a brand new vulnerability in namecoind (and possibly in bitcoind).

Maybe it is possible that someone can make a specially formed request that will execute but will not be written to the log (I mean a buffer overflow vulnerability, a null poisoning vulnerability and/or symbol-escaping processing mistakes in the code).
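As an added example (not code from the thread or from the namecoin project), the two checks discussed above done in Python: khal's tally of the listtransactions output per destination address, and vird's grep of debug.log for "ThreadRPCServer method=" restricted to the RPC methods that can spend coins. The five transactions are copied from the listtransactions output posted in the thread; the debug.log lines are constructed.

```python
import json
from decimal import Decimal

# Sample input: the four "send" entries and one "immature" entry from the
# listtransactions output posted above, in namecoind's JSON shape.
SAMPLE_LISTTRANSACTIONS = """[
 {"address": "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb", "category": "send", "amount": -1.00000000,
  "fee": 0.00000000, "confirmations": 73, "txid": "6cce69f22841439b40bd576d15c46ec6d60ad44e1d604b51049ecebd011b53d4", "time": 1308401169},
 {"address": "NCC6cgymp1RMnwt6rhXVtyqVEHRHvJFAdb", "category": "send", "amount": -0.00010000,
  "fee": -0.01000000, "confirmations": 72, "txid": "2a10ba927b1429f38d4469c0627ed9b2faa11c42c23829afdf23e4b7c7a6acfd", "time": 1308402131},
 {"category": "immature", "amount": 50.01000000, "confirmations": 69, "txid": "1a8aa43b56090e101dcd860c98438dd50b6e077400b1b2bd58c26e8a66a75c65", "time": 1308403906},
 {"address": "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY", "category": "send", "amount": -100.00000000,
  "fee": 0.00000000, "confirmations": 34, "txid": "08090e3ea33ccc3ba70fa9a7e01e6833cc2175f6fefccbebc93bef59cdcef37f", "time": 1308416871},
 {"address": "N5dbhepBvV2kpTnEP8X2eVxmLGAr3wp4cY", "category": "send", "amount": -4200.00000000,
  "fee": 0.00000000, "confirmations": 34, "txid": "2b68da5ebcbdd6098804a5c1355b9b4dcdff16dfe88985e0fac2f531a6b654b7", "time": 1308416871}
]"""

# Constructed debug.log lines in the "ThreadRPCServer method=..." form khal quotes above.
SAMPLE_DEBUG_LOG = ["ThreadRPCServer method=getinfo", "ThreadRPCServer method=listtransactions",
                    "ThreadRPCServer method=sendtoaddress", "ThreadRPCServer method=stop"]

# RPC methods that move coins out of the wallet (the three khal names above).
SPENDING_METHODS = {"sendtoaddress", "sendfrom", "sendmany"}

def parse_listtransactions(text):
    # Decimal keeps 0.0001 and 4200 exact; binary floats would drift when summed.
    return json.loads(text, parse_float=Decimal)

def outgoing_by_address(transactions):
    """Coins sent to each destination address, as positive amounts (fees not included)."""
    totals = {}
    for tx in transactions:
        if tx.get("category") == "send":
            totals[tx["address"]] = totals.get(tx["address"], Decimal(0)) - tx["amount"]
    return totals

def immature_total(transactions):
    """Block rewards not yet spendable; they stay in the wallet unless the block is orphaned."""
    return sum((tx["amount"] for tx in transactions if tx["category"] == "immature"), Decimal(0))

def spending_rpc_calls(log_lines):
    """(line number, method) for every logged RPC call that can spend coins."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if "ThreadRPCServer method=" in line:
            method = line.split("method=", 1)[1].split()[0]
            if method in SPENDING_METHODS:
                hits.append((n, method))
    return hits
```

Run against a real `namecoind listtransactions` dump and the full debug.log, a non-empty result from `spending_rpc_calls` is the "someone else did it" signal khal describes; an empty one only means the log covers no such call, which, as vird notes, is inconclusive without timestamps.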
