I have a synchronous (1G/1G) network connection and I was willing to put up a full node that allows inbound synchs, but not without figuring out how someone opened a rogue wallet on my system. This attack undermines the faith in supporting the network, which is alarming to me.
So a rogue wallet was created on my full node; the question is how that happened.
Luckily, I didn't have my own wallet open on the system, I was just trying to contribute to maintaining the blockchain. On 11/20 I noticed an empty rogue wallet created with the ridiculous name:
"th keyboad is clicky, WOWO what. uge supride i met you last sunday, and , you looked like you wantd to die!"
This is not my wallet and didn't have anything in it. It looks like it was just created, and I didn't see any evident transactions, but there certainly could have been.
HOW DID THIS HAPPEN? This PC is not used every day. There should have been ZERO chance of this happening, which is why I'm looking at the TCP/8333 bitcoin protocol in question. I did a forensics review of the machine in question and it has no RATs (Remote Access Terminals) or back doors. Unless the adversary deleted them, which is always a possibility. I've dug and dug and can't find anything, so I'm turning to you all for help.
System and network details:
- SHA256 verified copy of bitcoin-22.0-win64-setup.exe (9169989d649937c0f9ebccd3ab088501328aa319fe9e91fc7ea8e8cf0fcccede)
- Fully patched Windows 10 Pro
- Network commercial grade firewall with NO inbound SNATS or ports exposed
- Local (on PC) commercial grade software firewall
- Local (on PC) commercial grade software anomaly detection
- Network traffic was TCP/8333 outbound
Updates since original post:
- The system had/has a blank bitcoin.conf file.
- There were no GUI Configs or CLI options. I made no changes to the initial install.
- I've cleaned the system up, removed the rogue wallets, uninstalled and re-installed Bitcoin Core 22.0, and put it back on its isolated network. It is syncing up with the blockchain after an application wipe and should be back up in about 7 hours, it says. I don't see why it wouldn't happen again. If it happens again, the next step would be a complete wipe of the OS to see if it still happens.
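A triage script a defender could run on the node in question to answer two things the post leaves open: when the wallet files were created on disk, and whether anything was listening on the JSON-RPC port (the interface that exposes `createwallet`). This is an added example, not code from the original post; it assumes the default Windows data directory `%APPDATA%\Bitcoin` and the default RPC port 8332.

```powershell
# Assumptions (not stated in the post): default data directory and default RPC port.
$DataDir    = Join-Path $env:APPDATA 'Bitcoin'
$WalletRoot = Join-Path $DataDir 'wallets'
$DebugLog   = Join-Path $DataDir 'debug.log'

# 1. Every named wallet lives in its own directory under wallets\; record the
#    filesystem creation time of the directory and of wallet.dat so it can be
#    compared with the dates the owner remembers using the machine.
Write-Host "== Wallet directories under $WalletRoot =="
Get-ChildItem -Path $WalletRoot -Directory -ErrorAction SilentlyContinue | ForEach-Object {
    $dat = Join-Path $_.FullName 'wallet.dat'
    [PSCustomObject]@{
        Name             = $_.Name
        DirCreated       = $_.CreationTime
        WalletDatExists  = Test-Path $dat
        WalletDatCreated = $(if (Test-Path $dat) { (Get-Item $dat).CreationTime })
    }
} | Format-Table -AutoSize

# An unnamed (legacy default) wallet sits directly in wallets\wallet.dat.
$DefaultDat = Join-Path $WalletRoot 'wallet.dat'
if (Test-Path $DefaultDat) {
    Write-Host "Unnamed default wallet created: $((Get-Item $DefaultDat).CreationTime)"
}

# 2. Bitcoin Core writes wallet activity to debug.log with the wallet name in
#    square brackets; pull the wallet-related lines so their timestamps can be
#    matched against the file times above.
if (Test-Path $DebugLog) {
    Write-Host "== Wallet-related lines in debug.log (last 50) =="
    Select-String -Path $DebugLog -Pattern 'wallet' -SimpleMatch |
        Select-Object -Last 50 |
        ForEach-Object { $_.Line }
}

# 3. createwallet is reachable over JSON-RPC; with a blank bitcoin.conf the GUI
#    does not start the RPC server, so any listener here would be notable.
Write-Host "== Listeners on TCP 8332 =="
Get-NetTCPConnection -LocalPort 8332 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Run it before wiping the application data again, since the reinstall described above discards the timestamps and debug.log that this script relies on.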