Someone stole my XCH from Chia wallet

I guess maybe you had no issues because any potential attackers didn't know your IP was likely to be holding crypto, or at least certainly had access to crypto.
That kind of makes spending the time / energy to brute-force it more worthwhile.

RDPWrapper is not opening any ports to the external world. This has to happen on a firewall. Again, it was not injecting anything into your box, just enabling what Win Pro enables by default (the RDP server). So, should we blame PowerShell as well, as it runs all kinds of malware shit?

What I am trying to say is that this "RDPWrapper is scum software that steals your XCH" may be similar to a previous shit-storm where people were blaming MM downloaded from some "Chinese" forums for stealing their XCH.

So, maybe one of the questions we should ask when people report stolen XCH is whether they run any security software (whether third party or Microsoft), and whether they are patching their systems on schedule. It is just a waste of time to engage when the end user downloads all kinds of crap, and then blames everyone else for what he/she has installed on that system.

By the way, my farmer and harvester are both running Win Pro. One doesn't have a video card, the other has one (a NUC), but no monitor is connected (to either one). I only connect with RDP to those boxes, and in settings I limited the RDP server to accept only local network connections. So, both of my boxes are basically running the same "vulnerability enabling" programs as that guy has (via RDPWrapper). Am I worried? Not really.
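The "accept only local network connections" setting mentioned above can be applied and checked from PowerShell. The following is an added example, not code from this thread, from Chia or from the RDPWrap project; it is written for Windows 10 Pro/Enterprise (where the built-in RDP server exists) and must run in an elevated prompt on the farmer or harvester. The firewall group name "Remote Desktop" and the RDP-Tcp registry path are Windows' own; the 3389 exposure report and the remote reachability check are the parts added here for illustration.

```powershell
# Added example: keep the built-in RDP server, but make it answer only on the LAN.
# Run in an elevated PowerShell on the Win Pro/Enterprise farmer or harvester.
# Nothing here is Chia-specific; it only touches Windows firewall and RDP settings.

# 1. Require Network Level Authentication (NLA): the credential check then happens
#    before Windows allocates a session, which removes the pre-login attack surface.
$rdpTcp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord

# 2. Scope the stock "Remote Desktop" firewall rules to the local subnet. Packets to
#    3389 from outside the LAN are then dropped by the host firewall, regardless of
#    what the router forwards or whether the box sits on a public IP.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress 'LocalSubnet' -Enabled True

# 3. A scoped rule is useless if the profile it lives in is switched off, so make
#    sure the firewall is on for every profile.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# 4. Report: is the RDP listener up, is NLA set, and does any OTHER enabled inbound
#    allow rule still open 3389 (or every TCP port) to any remote address? Such a
#    rule is the kind of thing a third-party "helper" tool leaves behind.
function Get-RdpExposure {
    $listener  = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue
    $openRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object {
            $ports = $_ | Get-NetFirewallPortFilter
            $addr  = $_ | Get-NetFirewallAddressFilter
            ($ports.Protocol -eq 'TCP' -or $ports.Protocol -eq 'Any') -and
            ($ports.LocalPort -contains '3389' -or $ports.LocalPort -eq 'Any') -and
            ($addr.RemoteAddress -eq 'Any')
        }
    [pscustomobject]@{
        RdpListening     = [bool]$listener
        NlaRequired      = (Get-ItemProperty -Path $rdpTcp).UserAuthentication -eq 1
        RulesOpenToAnyIp = @($openRules | Select-Object -ExpandProperty DisplayName)
    }
}
Get-RdpExposure

# 5. The "try the RDP client from another box" check, as a function to run FROM a
#    different machine. From the LAN it should report True (login screen reachable);
#    from outside (e.g. a phone hotspot) it must report False.
function Test-RdpReachable {
    param([Parameter(Mandatory)][string]$ComputerName)   # hypothetical farmer host/IP
    (Test-NetConnection -ComputerName $ComputerName -Port 3389 -WarningAction SilentlyContinue).TcpTestSucceeded
}
# Test-RdpReachable -ComputerName 'farmer.local'   # assumption: the farmer's LAN name
```

A non-empty RulesOpenToAnyIp list means the LocalSubnet scoping above is being bypassed by another rule and that rule needs the same restriction (or removal). If the box is plugged straight into the ISP with a public address, LocalSubnet covers only that link, so steps 2 and 3 are what stand between the Internet and the login screen.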

Could you elaborate on how you ended up identifying RDPwrap as the source of your problem?

The program you have highlighted in Task Manager (nlbrute) looks like a tool that rides on top of the RDP protocol, so if you are running Win Pro, it will use what Win already has installed, and in case you run Win Home, potentially it will install RDPWrap.

Have you tried to run “Full scan” under Win / Settings / Windows Security / Scan options?

However, it looks to me that neither RDPWrap nor NLbrute is the source of your attack, but rather some other malware you have installed. Although, the sole purpose of NLbrute is basically to cause harm (as it is used by various malware to gain a connection to the box), whereas RDPWrap is a tool that enables Microsoft's built-in RDP server on Win Home (not really intended to cause harm).
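A tool like NLbrute that rides on RDP leaves a trace the victim can look for: bursts of failed logons from one source address in the Security log. As an added example (not from this thread and not part of any Chia or RDPWrap code), here is a PowerShell function that groups those failures per source IP; the 20-failure alert threshold is an assumption chosen for illustration. It must run elevated, since the Security log is admin-only.

```powershell
# Added example: find RDP brute-force attempts in the Windows Security log.
# Event 4625 = "An account failed to log on". LogonType 10 = RemoteInteractive (RDP).
# Caveat: with Network Level Authentication enabled, the failed pre-auth attempts are
# logged as LogonType 3 (Network) instead, so both types are kept and the source IP
# is what the grouping keys on.
function Get-FailedRdpLogons {
    param(
        [int]$Hours     = 24,
        [int]$Threshold = 20   # assumption: flag a source once it exceeds this many failures
    )
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                           -ErrorAction SilentlyContinue   # no matching events is not an error

    $rows = foreach ($e in $events) {
        # The interesting fields live in EventData; pull them out of the event XML.
        $xml = [xml]$e.ToXml()
        $d   = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LogonType'] -in @('3', '10') -and $d['IpAddress'] -notin @('-', '127.0.0.1', '::1')) {
            [pscustomobject]@{
                Time        = $e.TimeCreated
                User        = $d['TargetUserName']
                SourceIp    = $d['IpAddress']
                Workstation = $d['WorkstationName']
                LogonType   = $d['LogonType']
            }
        }
    }

    $rows | Group-Object SourceIp | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            SourceIp   = $_.Name
            Failures   = $_.Count
            Users      = ($_.Group.User | Sort-Object -Unique) -join ','
            First      = ($_.Group.Time | Measure-Object -Minimum).Minimum
            Last       = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Suspicious = $_.Count -ge $Threshold
        }
    }
}

Get-FailedRdpLogons -Hours 24 | Format-Table -AutoSize

# The "Full scan" mentioned in this thread, from the same elevated prompt:
# Start-MpScan -ScanType FullScan
```

A source that cycles through many usernames (a long Users column) with hundreds of failures in minutes is the brute-force pattern; a single 4624 success from the same IP right after such a run is the event to look for next. Note that this only sees what reached the host: if the box was on a public address without a firewall, the log is also the only record of who was knocking.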

It could prevent XCH theft in some cases, but not all.

If this were me, I’d steal your keys as soon as I got access to your computer. Then, if you didn’t have enough chia worth stealing at the time, I’d periodically check the wallet balance from my own system, using the stolen mnemonics/keys.

When ready, I'd initiate the transaction from my own computers without having to log back on to the victim's system. In that case, I'd either modify the Chia software to bypass the 2FA, or use the API or RPC (which presumably would bypass 2FA).

TLDR: 2FA might prevent someone sitting in front of your computer from sending all your chia somewhere, but if something steals your keys another way, then transaction 2FA provides no additional security. If I’m understanding the type of 2FA and where it is supposed to sit.

That said, @Iztok31 , the RDP software may be something the attacker used at one point, but they may have stolen your keys long ago and have not logged back on since. That’d be less risky anyway. But if they’re low tech, they might have left this backdoor, hoping it would stay open, and came in recently to initiate the transactions. But if the keys were compromised, they don’t need your PC anymore.

Mnemonics can be stolen with 1-3 lines of code by any untrusted software you run on your node/wallet.

Good point and explanation. I guess this is a side effect of a decentralized setup, because if this were a centrally run system it would check in with the vendor and enforce the 2FA setup on the account.

But, maybe this is an opportunity for Chia to use the power of the blockchain and create an NFT on-chain for the account. Then no matter where the mnemonics are used, the software would reference back to the on-chain contract and pull the settings for that account. Then enforce any 2FA settings enabled on the account (along with other settings like wallet settings or even farmer/harvester settings.). Why not? Heck, it could even set a variable showing if another system attempted to use the keys. Then the main node on the legit system could pop up and say “Yo! Someone is attempting to use your stuff!”.

Interesting concept. Seems like it could be doable, but not as traditional time-based (TOTP) 2FA codes. In order to verify these 2FA codes, one needs to know the 2FA “secret”. Unless the secret key was in the NFT or on-chain, no nodes could actually verify that the code entered is correct or not.

Given all the problems, cold wallet, or transactional wallet seem far more secure and less cumbersome.

Your idea could work, but 2FA wouldn't be using an app like FreeOTP, Google Authenticator, or Authy; it would need a new scheme to verify the input (probably with public-key cryptography). This would mean you need to manage another secret in addition to the wallet keys/mnemonics.

As a reminder, the Chia wiki has good tips about Chia Keys Management, and the Chia Plot has a great write-up on Chia Wallet Security, which goes into a lot more detail than the Chia docs. Following these wallet security practices is likely enough to stop the majority of these thefts from occurring.


You won’t see me running this…RDPwrap

Are you running Win Home, or Pro / Ent?

To Answer your question, I have Windows 10 Enterprise running on my nodes.

So, you already do have the RDP server ready to roll and there is no need to install RDPWrap. Try to run RDP client from any other Win box to your farmer and see how it will respond. Will it give you a login screen?

Although, this is kind of a moot point, as in order to install RDPWrap you need to have some malware already installed that will bring it in. If you do have such malware, then exporting your mnemonics is rather child's play (either a mouse macro and cut/paste services, or a two- or three-line PowerShell script to grab it from the wallet directly). So, whether you have default MS RDP or you enabled it with RDPWrap is already postmortem.

I really believe that RDPWrap is not installing any malware, but rather the other way around.


Yes sir, I have been using Windows RDP only, on all of my nodes on my local network (farmer and harvesters etc.), and I use this PC to log into them to check the log files etc.


Same here. As mentioned, I have also installed it on my Linux boxes, and I'm kind of slacking off on installing it on my Mac (I have NoMachine on it, though).

So, if the RDP protocol is the offender, basically all but Win Home and Linux farmer installations have the "exploit" ready to go the minute the OS is up, the one mentioned in the article that @Bones provided. RDPWrap is just enabling that protocol on Win Home boxes (as Microsoft is not selling a $20 tool that would enable it on Win Home boxes). Although, it would maybe be helpful to check the RDPwrap GitHub issues page to see whether anyone was complaining there about it installing malware.

I guess, I have tried to make two points. The first was to not confuse some well-known tools (e.g., RDP protocol, or mouse recorder, or cut-and-paste, or PowerShell scripting language) with the actual malware that is somehow installed on the box.

The second, where it looks like we all (most) agree, is that the Chia software looks like a sieve as far as security goes, and for one year Chia didn't do much to improve that, nor is there a bullet to do something about it on their task list.

Every company can take one of two approaches. Either security issues are problems that end users need to deal with, or they try to improve based on the vulnerabilities that were exposed. It is kind of lame that Chia got $70M of VC money and follows the first approach. Especially, I would really like to understand how that approach fits in their "one click installation" task that is meant to enable any Joe/Jane to install their software and run it on their overprovisioned HD space. Especially since that wide adoption can potentially be considered the foundation of their banking business side (a robust network).

Actually, there could be some programs installed in the past, but I don't know, because it was new and installed with a new OS just for making (for me a hobby) and for the purpose of CHIA and other crypto. Nothing else. I tried GTA 5 and Age of Empires 4, cracked of course, but that's all. Also, you know, in the beginning of the CHIA programs I tried a lot of different things to make everything stable...
I think in the end it was a problem with the IP, because I have a lot of different connections for internet access, and I figured out how to get an outside IP without any router, because it is much faster than with the router. So I had a static IP from the provider directly, which is also known in the public area. So they are just waiting and checking where they can do that. RDP wrap was shown under Defender as a threat, and also some other security was disabled. After I changed the IP to sit behind the router firewall there was no chance to connect again. It was my mistake; I actually predicted that it could happen, so now I know that thieves are all around.


You said you installed the OS new, correct, and then you installed CHIA? Did you format the drive when you installed the operating system? So any issues would be due to the fact that you installed third-party software. I have my system trimmed down, and so far I still solo pool, but that's me. I may try pooling on another setup down the road. I have time...

Yes, yes, newly installed both Win and Ubuntu.

And if you put your machine directly on the net with a public address and no firewall to protect you, you’re asking for problems.

This is a good start.

This is the first place where you have most likely installed malware.

This is the second place where you have most likely installed even more malware

There were a few Chia-related malwares on GitHub that were promising to "help" fine-tune things, so this is the third place where you (this time) loaded Chia-specific malware. Also, this is where most likely your keys were compromised.

Although, most likely, the first two (cracked games, public IP) were installing platforms to load your box with a specific malware later on.

I have just downloaded the latest (2017) binaries directly from GitHub and scanned them with Defender, and they were clean. So, your version is for sure a hacked one, installed during one of those events outlined above.

With that said, your current chia setup is worthless, so just blow it away (including your plots and keys). Your keys are most likely leaked to multiple entities, and your farm will be harassed to no end (if you want to continue with the current keys).

The Chia installation problems you have outlined are really not that complicated to fix. So, if you would like to start from scratch, just ask for help. Although, from what you have described, I would not be installing Chia on your current OS. If you can get another box that you will dedicate to Chia, that would be great. If you cannot, then going the VM route is another option (depending on how strong your current box is).

Although, the problem to me is that most likely your home network is really infested, and all your boxes are being scanned and loaded with new malware all the time, which makes working with any sensitive data rather challenging.


ROUTER…and be safe…forward the port and be safe…

Did you put your keys into the core pool client :sweat_smile:

Also, simply installing a closed-source Chia client isn't recommended.

PS: for those thinking of FlexFarmer, a reminder that it can be run in a container on a separate PC with ports closed, doesn't need your keys, and its Go binaries are easy to audit.