Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: fffeee on June 01, 2012, 01:02:25 PM



Title: HELP NEEDED!! (0.5 btc bounty)
Post by: fffeee on June 01, 2012, 01:02:25 PM
Someone tries to cash me out.. There is a bug on my site and someone did try to steal my coins. He was able to order coins every 20 seconds via different proxies and with many different btcaddresses. If anyone can help me or will find this error, I would be very thankful. There is also a bounty on it (0.5)!

Edit: www.fiveminutecoin.com (http://www.fiveminutecoin.com)


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: Bitsky on June 01, 2012, 01:28:28 PM
Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: BinaryMage on June 01, 2012, 03:01:35 PM
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: fffeee on June 01, 2012, 03:13:02 PM
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I'm uploading the new version right now.. ;)


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.

Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: fffeee on June 01, 2012, 03:45:53 PM
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I'm uploading the new version right now.. ;)


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.

Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!

I bet the guy was using Tor so an IP blacklist will not work on that, because the user can change the IP and there are so many nodes, so look into blocking the whole Tor network, I know there's a way to do that.

ok.. I'm gonna implement that too.. thanks for your suggestion! :)


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: Bitsky on June 01, 2012, 03:54:47 PM
Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!
If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captchas.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: fffeee on June 01, 2012, 04:47:14 PM
Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!
If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captchas.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.

I'll keep that in mind and maybe I'm gonna implement this tomorrow if the site works fine again..


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: fffeee on June 01, 2012, 06:16:47 PM
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I'm uploading the new version right now.. ;)


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.

Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!

I bet the guy was using Tor so an IP blacklist will not work on that, because the user can change the IP and there are so many nodes, so look into blocking the whole Tor network, I know there's a way to do that.

ok.. I'm gonna implement that too.. thanks for your suggestion! :)

Also make sure your scripts can only be accessed from other scripts. It sounds like you just allowed anyone to execute them; you need to use an .htaccess file to make sure only scripts and your site can execute those files individually.

Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: Nachtwind on June 01, 2012, 06:37:51 PM
I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I'm uploading the new version right now.. ;)


Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.

Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!

I bet the guy was using Tor so an IP blacklist will not work on that, because the user can change the IP and there are so many nodes, so look into blocking the whole Tor network, I know there's a way to do that.

ok.. I'm gonna implement that too.. thanks for your suggestion! :)

Also make sure your scripts can only be accessed from other scripts. It sounds like you just allowed anyone to execute them; you need to use an .htaccess file to make sure only scripts and your site can execute those files individually.

Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..


Code:
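// Returns true when the connecting client is listed as a Tor exit by the TorDNSEL "ip-port" lookup.
function IsTorExitPoint(){
    // The lookup below only handles dotted IPv4 addresses
    if (!filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP, FILTER_FLAG_IPV4)) {
        return false;
    }
    // Query name: <reversed client IP>.<server port>.<reversed server IP>.ip-port.exitlist.torproject.org
    $query = ReverseIPOctets($_SERVER['REMOTE_ADDR']).".".$_SERVER['SERVER_PORT'].".".ReverseIPOctets($_SERVER['SERVER_ADDR']).".ip-port.exitlist.torproject.org";
    // An answer of 127.0.0.2 means the client is a listed exit; on lookup failure
    // gethostbyname() returns the name unchanged, which counts as "not listed"
    return gethostbyname($query) == "127.0.0.2";
}
// Reverses the octets of a dotted IPv4 address (1.2.3.4 becomes 4.3.2.1)
function ReverseIPOctets($inputip){
    $ipoc = explode(".",$inputip);
    return $ipoc[3].".".$ipoc[2].".".$ipoc[1].".".$ipoc[0];
}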

Does that one work for you?


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: Bitsky on June 01, 2012, 06:41:28 PM
Or he could just use RBLs provided by SORBS, Spamhaus and EFnet.


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: Vernon715 on June 04, 2012, 12:25:52 AM

Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..

I think you can find a list if you download the Tor software.


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: randomproof on June 05, 2012, 07:59:58 PM
I've noticed that the timer was purely in JavaScript, so it was easy to override that with a Firefox extension that allows the user to execute any JavaScript.


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: Vernon715 on June 05, 2012, 11:30:50 PM
That is a pretty big hole... Is there a way to move the timer out of java?


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: 01BTC10 on June 05, 2012, 11:36:40 PM
Script to block Tor exit nodes: https://unixd0rk.livejournal.com/128269.html

You can get a CSV of Tor exit nodes here: http://torstatus.blutmagie.de/


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: nimda on June 05, 2012, 11:57:45 PM
Two vulnerabilities:
1. The user can change the countdown value via a Firefox extension or Chrome's developer console
2. The user can request a CAPTCHA, then send a POST request directly to the server.
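
Both points in the post above come down to the server measuring the wait itself and tying each CAPTCHA to a single claim. A sketch of that in PHP, added here as an example and not taken from the site or from any poster; the function names, the `$store` array standing in for a database, and the cooldown length are assumptions, and the two payout amounts are the ones quoted earlier in the thread.

```php
<?php
// Added example: issueChallenge(), redeemClaim() and the $store layout are hypothetical.
const WAIT_SECONDS = 300;     // the 5-minute wait discussed in the thread
const COOLDOWN_SECONDS = 300; // assumed per-address / per-IP payout interval

// Called when the page and CAPTCHA are served: the server records the start time itself.
function issueChallenge(array &$store, string $ip, int $now): string {
    $token = bin2hex(random_bytes(16));
    $store['challenges'][$token] = ['ip' => $ip, 'issued' => $now];
    return $token;
}

// Called on POST. Returns the payout in BTC as a string, or null when the claim is refused.
function redeemClaim(array &$store, string $token, string $ip, string $address,
                     bool $captchaOk, int $now): ?string {
    $ch = $store['challenges'][$token] ?? null;
    unset($store['challenges'][$token]);            // one-time use, even on failure
    if ($ch === null || $ch['ip'] !== $ip || !$captchaOk) {
        return null;
    }
    foreach (["ip:$ip", "addr:$address"] as $key) { // cooldown keyed on both identifiers
        if (isset($store['last'][$key]) && $now - $store['last'][$key] < COOLDOWN_SECONDS) {
            return null;
        }
    }
    $store['last']["ip:$ip"] = $store['last']["addr:$address"] = $now;
    // Elapsed time comes from the server's own record, never from a request field.
    return ($now - $ch['issued'] >= WAIT_SECONDS) ? '0.005' : '0.0025';
}

// Constructed demo: timestamps, IP and address labels are made up.
$store = ['challenges' => [], 'last' => []];
$t1 = issueChallenge($store, '192.0.2.10', 1000);
var_dump(redeemClaim($store, $t1, '192.0.2.10', 'addrA', true, 1005)); // posted after 5 s
var_dump(redeemClaim($store, $t1, '192.0.2.10', 'addrA', true, 1400)); // same token replayed
$t2 = issueChallenge($store, '192.0.2.10', 1010);
var_dump(redeemClaim($store, $t2, '192.0.2.10', 'addrB', true, 1020)); // new address, same IP
$t3 = issueChallenge($store, '192.0.2.10', 1400);
var_dump(redeemClaim($store, $t3, '192.0.2.10', 'addrA', true, 1700)); // waited the full 300 s
```

A per-IP or per-address cooldown does not limit requests spread over many proxies and addresses, which is why the thread also turns to proxy and Tor blocklists.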


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: fffeee on June 06, 2012, 10:31:18 AM
Thank you for this.. I'm gonna fix it ;)


Title: Re: HELP NEEDED!! (0.5 btc bounty)
Post by: drawoc on June 06, 2012, 08:20:14 PM
You can get a list of IP addresses for a ton of Tor exit nodes like this:
Code:
curl http://exitlist.torproject.org/exit-addresses | grep -o -e "ExitAddress [^ ]*" | sed "s/ExitAddress //" > ipban.txt

If you run this in a bash terminal, it'll download a list of Tor exit nodes from the Tor Project, format it in a nice, easy to use format, and save it to a file named ipban.txt.
You might want to set up, e.g., a cron job to run this and update the file every once in a while.

Then, you just need to make your script deny anyone with one of these IP addresses. Then, nobody can access your site over Tor.

This is what that command gives me at the moment:
http://pastebin.com/0iM6GrkM (http://pastebin.com/0iM6GrkM)
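
One way to do the deny step described in the post above, added as an example (not drawoc's or the site's code): it reads the `ipban.txt` produced by that command, skips lines that are not IP addresses, and reports when the list is missing or old so a failed cron job gets noticed. `loadBanList`, `isBanned` and the two-hour staleness limit are assumptions.

```php
<?php
// Added example: loadBanList() and isBanned() are hypothetical names; the input is the
// one-IP-per-line file written by the curl | grep | sed command above.
const MAX_LIST_AGE = 7200; // assumed: a list older than 2 hours is treated as stale

// Returns [set of IPs stored as array keys, bool stale]. Lines that are not valid IP
// addresses are skipped, so a truncated download or an HTML error page adds no entries.
function loadBanList(string $path, int $now): array {
    $lines = @file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return [[], true];               // missing or unreadable file
    }
    $set = [];
    foreach ($lines as $line) {
        $ip = trim($line);
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $set[$ip] = true;            // array key lookup instead of scanning the list
        }
    }
    $stale = count($set) === 0 || ($now - filemtime($path)) > MAX_LIST_AGE;
    return [$set, $stale];
}

function isBanned(array $set, string $remoteAddr): bool {
    return isset($set[$remoteAddr]);
}

// Constructed demo: a temporary file stands in for ipban.txt; the addresses come
// from documentation ranges and the third line simulates a bad download.
$path = tempnam(sys_get_temp_dir(), 'ipban');
file_put_contents($path, "192.0.2.1\n198.51.100.7\n<html>error</html>\n");
[$set, $stale] = loadBanList($path, time());
var_dump(count($set), $stale);
var_dump(isBanned($set, '198.51.100.7'));
var_dump(isBanned($set, '203.0.113.5'));
unlink($path);
```

In a request handler the check would be `isBanned($set, $_SERVER['REMOTE_ADDR'])`, with the stale flag logged so an outdated list does not go unnoticed.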