
...

  1. Investigate your master.log and admin.log files and look for time gaps during which your server wasn't logging anything. Typically you will only see one day of events: the attacker was deleting these logs to conceal his activity. This is a certain indicator of attack.

  2. Look for suspicious content in /batm/app/admin/standalone/deployments/
    root@batmserver:/batm# ls -la /batm/app/admin/standalone/deployments/
    total 148352
    drwx------ 2 batm batm     4096 Mar 17 23:53 .
    drwx------ 8 batm batm     4096 Mar 10 12:49 ..
    -rw------- 1 batm batm 69125138 Mar 10 12:47 batm_server_admin.war
    -rw-r--r-- 1 batm batm       21 Mar 10 12:47 batm_server_admin.war.deployed
    -rw-r--r-- 1 batm batm     5818 Mar 17 23:53 hvqyhl.war
    -rw-r--r-- 1 batm batm       10 Mar 17 23:53 hvqyhl.war.deployed
    -rw------- 1 batm batm  1007502 Jul 15  2019 mysql-connector-java-5.1.47.jar
    -rw-r--r-- 1 batm batm       31 Jul 15  2019 mysql-connector-java-5.1.47.jar.deployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:30 nheyww.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:33 nsumys.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:38 qosxtf.war.undeployed
    -rw------- 1 batm batm     8888 Jul  2  2019 README.txt
    -rw------- 1 batm batm 81691033 Mar 10 12:49 server_admin_api.war
    -rw-r--r-- 1 batm batm       20 Mar 10 12:49 server_admin_api.war.deployed
    -rw-r--r-- 1 batm batm       10 Mar 17 23:07 txnotd.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:43 uabcxo.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:36 varwda.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:34 wgzooh.war.undeployed
    -rw-r--r-- 1 batm batm       10 Mar 17 22:37 wljtmq.war.undeployed
    root@batmserver:/batm#

    Files marked in red were created by the attacker (the red highlighting is not preserved in this text version; in the listing above they are the randomly named six-letter .war, .war.deployed and .war.undeployed entries dated Mar 17). Filenames on your server may differ.

  3. Please understand that even if you don't have any of these files on your file system, it doesn't mean that you were not hacked. An empty admin.log and master.log is the primary indicator.
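As an added example (not General Bytes' code), the following Python script automates steps 1 and 2: it reports periods during which a log file recorded nothing and how little history the log still holds, and it lists deployment artefacts that are not part of the stock install. The timestamp format, the six-hour gap threshold and the set of expected deployment files are assumptions (the file set is taken from the listing in step 2); the sample log lines are constructed, not real server data.

```python
# Added example (not General Bytes' code): automates steps 1 and 2 above.
# Assumptions: log lines start with "YYYY-MM-DD HH:MM:SS" (adjust TIMESTAMP_RE
# if your master.log/admin.log differ) and the stock deployment set below,
# which is taken from the directory listing in step 2.
import os
import re
from datetime import datetime, timedelta

TIMESTAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")


def parse_timestamps(lines):
    """Timestamps of the lines that carry one; continuation lines (stack traces) are skipped."""
    stamps = []
    for line in lines:
        m = TIMESTAMP_RE.match(line)
        if m:
            stamps.append(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"))
    return stamps


def find_log_gaps(lines, max_gap=timedelta(hours=6)):
    """Step 1: consecutive entries further apart than max_gap, i.e. a period with no logging."""
    stamps = parse_timestamps(lines)
    return [(a, b) for a, b in zip(stamps, stamps[1:]) if b - a > max_gap]


def retained_history(lines):
    """Step 1: how much history the log still holds; a healthy server keeps far more than one day."""
    stamps = parse_timestamps(lines)
    return stamps[-1] - stamps[0] if len(stamps) >= 2 else timedelta(0)


# Stock artefacts, taken from the step 2 listing on this page.
EXPECTED_DEPLOYMENTS = {
    "batm_server_admin.war",
    "server_admin_api.war",
    "mysql-connector-java-5.1.47.jar",
    "README.txt",
}
# Marker files the WildFly deployment scanner writes next to an artefact.
MARKER_SUFFIXES = (".undeployed", ".deployed", ".failed", ".dodeploy")


def unexpected_deployments(names):
    """Step 2: directory entries that are neither a stock artefact nor one of its marker files."""
    unexpected = []
    for name in names:
        if name in (".", ".."):
            continue
        base = name
        for suffix in MARKER_SUFFIXES:
            if name.endswith(suffix):
                base = name[: -len(suffix)]
                break
        if base not in EXPECTED_DEPLOYMENTS:
            unexpected.append(name)
    return sorted(unexpected)


# Constructed sample log (not real server data): only a day and a half of history,
# with a long silent period in the middle.
SAMPLE_MASTER_LOG = """\
2023-03-16 08:00:01 INFO  terminal heartbeat BT100001
2023-03-16 08:05:12 WARN  retrying exchange connection
    at java.base/java.net.Socket.connect(Socket.java:609)
2023-03-17 22:29:40 INFO  terminal heartbeat BT100001
2023-03-17 23:55:03 INFO  terminal heartbeat BT100001
""".splitlines()

# Entry names copied from the step 2 listing on this page.
SAMPLE_DEPLOYMENT_DIR = [
    ".", "..", "batm_server_admin.war", "batm_server_admin.war.deployed",
    "hvqyhl.war", "hvqyhl.war.deployed", "mysql-connector-java-5.1.47.jar",
    "mysql-connector-java-5.1.47.jar.deployed", "nheyww.war.undeployed",
    "nsumys.war.undeployed", "qosxtf.war.undeployed", "README.txt",
    "server_admin_api.war", "server_admin_api.war.deployed", "txnotd.war.undeployed",
    "uabcxo.war.undeployed", "varwda.war.undeployed", "wgzooh.war.undeployed",
    "wljtmq.war.undeployed",
]

if __name__ == "__main__":
    for start, end in find_log_gaps(SAMPLE_MASTER_LOG):
        print(f"no log entries between {start} and {end} ({end - start})")
    print("log history retained:", retained_history(SAMPLE_MASTER_LOG))
    for name in unexpected_deployments(SAMPLE_DEPLOYMENT_DIR):
        print("unexpected deployment (sample listing):", name)
    # On a real BATM server, scan the actual directory from step 2.
    real_dir = "/batm/app/admin/standalone/deployments/"
    if os.path.isdir(real_dir):
        for name in unexpected_deployments(os.listdir(real_dir)):
            print("unexpected deployment (this server):", name)
```

Run it with a copy of master.log read into `find_log_gaps` and `retained_history`; on the sample data it reports one silent period of over a day and a half and flags all ten randomly named .war entries while leaving the four stock artefacts and their marker files alone.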

...

ADA = 0x7A0E7D41658F409C11288E0a2988406f2186A474
AQUA = 0x7A0E7D41658F409C11288E0a2988406f2186A474
ANT = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
BAT = 0x3d1451bF188511ea3e1CFdf45288fD53B16FE17E
BCH = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
BTBS = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
BTC = bc1qfa8pryacrjuzp9287zc2ufz5n0hdthff0av440 and bc1qt3lwcrtmtudw8j5nfzs6l0yhm80a4qz3z9qt7n
BTX = 0x7A0E7D41658F409C11288E0a2988406f2186A474
BUSD = 0x7A0E7D41658F409C11288E0a2988406f2186A474
DAI = 0x7A0E7D41658F409C11288E0a2988406f2186A474
BIZZ = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
DASH = Xi4GstuqKFTRo3WB6gFpPnB6jiWtLSHJDj
DGB = dgb1qgea3hzw62zl6req06k708swtv5xc53sdp85jzn
DOGE = DN1bKoV7BbuYBeysnYNT8EFj8BGTSeyLCc
ETC = 0x8A9344be2BA8DeAA2862EAb0Aab20C7cC36c432a
ETH = 0xD5173d215551538cebE79C4e40A4C54Fb751DD83
EGLD = erd1w7n54rlzrxe6jl8xpmh0de4g9jhc028zeppsjdme9g45gsnhw53s4vhgsg
EURS = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
FTO = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
GRS = grs1qhckdwm8dqt8pfdu2d6e649qs5jrqn6sslzlyhw
GQ = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
HATCH = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
HT = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
JOB = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
LMY = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
LTC = ltc1qvd5usunrpgsynyeey9n46xucy7emk62ycljl0t
MKR = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
NANO = nano_1rrqx4esqbfuci7whzkzms7u4kib8ojcnkaokceh9fbr79sa4a36pmqgnxd4
NXT = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
PAXG = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
REP = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
SHIB = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
TRX = TDjFvfcysNGaxnX7pzpvC6xfSmCC5u8qgr
USDS = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
USDC = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
USDT = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
USDTTRON = TDjFvfcysNGaxnX7pzpvC6xfSmCC5u8qgr
VIA = via1quynq6wweqz0pk9wygv82qg83tk5zu47yqweht5
XRP = rDkoXVLChaDvc8SHFoTNZEDzcbtFNwF977
ZPAE = 0xAE0aC391b8361B5Fc1aF657703779886a7898497
XMR = 426FQDKF9rbHZLbNgisRKU2m2CVfnoNpFL7ZsAoDQBHP1eRDUKaj64zDtnFychJqSg1W6eskoFqdkG4gX8BSvWvkQr8oxVc

...

NOTE: Security review will require your physical presence at our Prague offices, as we insist on performing security review with real physical machines.

Updates

Last update: 28.03.2023 12:50 Prague time

28.03.2023 12:50 Added attacker's address bc1qt3lwcrtmtudw8j5nfzs6l0yhm80a4qz3z9qt7n, which has been used to take coins from a paper wallet accidentally scanned on an ATM and logged by that ATM in the server's database.

23.03.2023 12:42 Added section Moving data from old server and more attacker's IP addresses.

...