Feel truly sorry for everyone who lost funds at CoinEx except that asshole that bitched me out and called me stupid for putting some BTC into btc-arbs.com, I don't feel sorry for that clown.,

Very surprising that so many seem to be claiming the "Heart Bleed" bug as their excuse for loosing everyone's funds and being unable to recover.  Who will be next?

I should add this...

Once a site has been hacked, unless the owner does a complete reinstall, it is factually impossible to ever be certain the site is completely secure again.  Now then anyone willing to take the time to screw around with user accounts and to set up fake sites to draw people from coinex chat, as was done prior to the hack, will have had a backdoor installed before he actually attacked coinex.

Why is that important?  Because right now, *NOBODY* knows who is in control of coinex.  This site is following the pattern that btc-arbs followed.  Site is hacked, promises of recovery are made, then stunning silence from support.

Why does that matter?

BECAUSE Today coinex.pw is forcing everyone to change their password before logging in.  I don't know about you but as for me, I am out of there.  Whatever you do, don't use a password you have used elsewhere.  Web servers keep very detailed logs about where you came from and where you went too.

There is most certainly a way to identify the owner of the account with the hosting service.  That would require the appropriate LEA in the hosting country to go to the hosting service and get the owner information from the service.  If that hosting service also hosts in the USA, then the FBI would have the authority to subpoena the records from the service.

Where there is a money trail, there is a paper trail.  There is no way this thief can hide *IF AND ONLY IF* a law enforcement agency decides they want to track that person down.  My suggestion is for everyone who has lost BTC to contact their law enforcement representatives and explain the situation to them.  Once any agency gets enough complaints, they will probably start moving.

That does not mean anyone should get their hopes up, but it does mean that the person's responsible will have something to think about while various LEAs start trying to track them down.

Just my two, but the web is IN NO WAY anonymous.  Anyone who says it is, needs to stick with bitcoin investing and stop talking out their arse.  Once you pay someone to host a site, you have left a money trail.

There is already a lot of information in this thread regarding the ownership of the site (74 through 76 I believe).

Anyway

Welp, I'll be surprised if he comes back up.

It is my sincerest hope that someone kicks that nutsack hard enough to lift him two feet off the floor.  If they do, they are welcome to whatever profit they may make from it.

It is my speculation that the uptick in the value of BTC was more than Adam could ignore.  He decided to sell.

Ok, so I have been working with the information the site provides to try to duplicate my actual results using the numbers the web site provides.
It is not possible to do that.  The daily percentages being reported are ever so slightly skewed upwards.

The data we are being given is being skewed in such a way that it looks good if you calculate the last couple of days but when you try to work a whole month you will always come up with a *much* bigger projected net than you will actually receive.

I am open to being corrected on this (actually would happily be corrected) but the numbers just don't work.  I've had BTC invested since 2 Feb.  I've pulled all the percentages into a spread sheet and all the transactions.  Considering deposits and earnings and using the following computation.  If the percentages were correct I would have about 1.8 to 2 times as much BTC in the account(s) than I actually do.  


For each day:
       # yesterday's balance + (yesterday's balance * interest)
       # example:
              balance = 1.234
              interest = 0.023
              new balance = (1.234 +( 1.234 * 0.023)) = 1.262382
              if there are new deposits add into new balance here.
Next day

When I use that process I get projected earnings far in excess (about double) of what I have actually seen.  Unfortunately since interest is compounded the projection gets farther and farther from true earnings over time.

The percentages reported are not the actual earnings.  Maybe truncation is taking place.  I think the programmer is making as much from my BTC as I am from the looks of it, or he is inflating the percentages.  My guess is the programmer is rounding down (truncating) when he computes my new balance and rounding up (google roundup function) when he reports daily percentage.  This is the logical way to run the site; however, the net for the site is much larger depending which decimal place is rounded.  We are not being given that information when we ask for it.

We do not have a clear enough picture of what we are paying for the service.

I will be moving 2/5 of my arbitrage investment to https://bitcoin-trader.biz/results.php.  I'm putting the last 1/5 back up on coinbase as a hedge.  Please set me as a referrer if you decide likewise:  https://bitcoin-trader.biz/?ref=micers

Did not know you needed to click the number on the calendar.

I am computing (today's balance) * (results percent) + (today's balance) == (new balance)

For example:  bal = 1.0 BTC, results = 2.34%
1 * (.0234) + 1 = 1.0234

It is not modeling correctly in the spread sheet.  It looks like rounding errors.  I think they are rounding up their results percentages.  I've repeatedly asked them to provide higher fidelity data and/or CSV downloads suitable for putting in a spread sheet.  Those support requests have been ignored on every account I manage.

I will be reducing my exposure.

If you look at the entry on the calendar for 01 April you will see that the percentage is being calculated to at least three decimal places but is being reported to two.

I suspect that the developer is rounding up to the next higher place in the second decimal place rather than doing true rounding.  That would explain the problems I am having getting things to match up.

I am trying to make the results page percentages match my actual results in a spread sheet and definitely having trouble matching them up.

Probably calculating it wrongly, anyone manage to make that work?

I agree with you that they have been piss poor communicators in this.

I am a Computer Scientist with pretty a pretty good resume of system administration and network management.  I've been all over that server today and believe it to be secure. I have posted a lot of my thoughts earlier in the thread.

I don't think someone who wanted to abscond with the funds would even bother taking the site down.  Why do that when you could continue to milk it for an extended period?  Think about Mt.GOX, they stole A LOT of BTC by milking the system over more than a year.  Why just shutdown (actually break) the web site and leave all the other services running?  Also consider the recent extended outage at CoinEx.  That one looked bad for the first couple of days.

This looks a lot like a case of server admin fat fingers and business manager failure to communicate.

At this point unless someone knows how to contact the admin and get some information we will just have to wait.

and hope...

There is no evidence for what you suggest.

Thank you for that.

Ah, good news.  That server is *NOT* vulnerable to the Heartbleed attack.
https://www.ssllabs.com/ssltest/analyze.html?d=btc-arbs.com

The version number reported is said to be vulnerable but if SSLLabs test shows it is not, it is not.

The IP which DNS returns for btc-arbs.com is 111.90.150.219.

http://ns.myip.ms/info/whois/111.90.150.219  <= Located in Malaysia???

Was being reported earlier as being located in a Hostgator data center in Utah.

IIRC btc-arbs.com's offices were supposedly in the EU somewhere.

The original problem yesterday was DNS issues.  Does anyone have an old IP address for btc-arbs.com?  Or can someone confirm they were at this same address a couple of days ago?

That web site is running OpenSSL 1.0.1e.  That version is subject to the Heartbleed vulnerability.

*A vulnerability in OpenSSL has been recently announced.  Specifically, the (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c, aka the Heartbleed bug.*

This ^^^^^^ has since been disproved.  The site is NOT vulnerable.
https://www.ssllabs.com/ssltest/analyze.html?d=btc-arbs.com

Beginning of March I asked the admin for a ball park estimate of the total number of coins the site managed.  He said less than 5000.  I'm guessing that maybe that many were at stake.

I'm inclined to trust the intentions of the site owner; however, I am worried about the competence of the team running the site.

Hostgator did indeed start having trouble yesterday at the same time that btc-arbs.com started having issues.  Hostator *reports* that they have fixed nearly all their issues but the latency to their data center is still running around 250 ms from my location.

Meanwhile the 500 internal server error has cropped up.

I am also troubled by the fact that btc-arbs.com's staff is nowhere to be heard from... Effing update us.  You have our email addresses, do a bulk send and get some info out here.

I completely agree with the argument you have made.  Technically your analysis is flaweless. The most alarming thing for me is the lack of any other contact points between the staff of the site and the customers of the site.

FYI

Discovered open port 22/tcp on 111.90.150.219   Secure shell
Discovered open port 993/tcp on 111.90.150.219 IMAP over SSL (hope it was patched for HeartBleed)
Discovered open port 587/tcp on 111.90.150.219 Secure Mail (IMAP)
Discovered open port 110/tcp on 111.90.150.219 POP (mail)
Discovered open port 25/tcp on 111.90.150.219  SMTP (mail)
Discovered open port 80/tcp on 111.90.150.219  HTTP
Discovered open port 995/tcp on 111.90.150.219 MAIL
Discovered open port 143/tcp on 111.90.150.219 IMAP
Discovered open port 443/tcp on 111.90.150.219 HTTPS
Discovered open port 111/tcp on 111.90.150.219 RPC
Discovered open port 21/tcp on 111.90.150.219 FTP
Discovered open port 53/tcp on 111.90.150.219 DNS
Discovered open port 26/tcp on 111.90.150.219 RSFTP
Discovered open port 465/tcp on 111.90.150.219 SMTP SSL (hope it was patched for HeartBleed)

These ports are world facing and NOT filtered.

This machine is basically a Linux box built for the purpose by someone who could not secure it but who could do an installation and get software running.  It may be hosted somewhere.  It maybe some guy with his own dedicated IP address but he is running all this shit on one server and most of it should not be available to world access.

This is another classic case of someone who can build a web server and make it work but who has absolutely NO CLUE how to properly secure the box he is running.

We are seeing too many of these in the community.  This shit HAS TO STOP, if we are to be accepted as a viable force in the economic community.

You obviously do not understand that any open port can be hacked.

Think about it for a moment an you will get it.

On a server which is managing say a few thousand dollars a day, only that, would you run multiple additional unnecessary services if you were competent?  I think not.

and by the way NO THEY ARE NOT MOSTLY MAIL RELATED SERVICES...

Now as far as exactly what each service is, I can detail them as well as you can.

Discovered open port 22/tcp on 111.90.150.219   Secure shell
Discovered open port 993/tcp on 111.90.150.219 IMAP over SSL (hope it was patched for HeartBleed)
Discovered open port 587/tcp on 111.90.150.219 Secure Mail (IMAP)
Discovered open port 110/tcp on 111.90.150.219 POP (mail)
Discovered open port 25/tcp on 111.90.150.219  SMTP (mail)
Discovered open port 80/tcp on 111.90.150.219  HTTP
Discovered open port 995/tcp on 111.90.150.219 MAIL
Discovered open port 143/tcp on 111.90.150.219 IMAP
Discovered open port 443/tcp on 111.90.150.219 HTTPS
Discovered open port 111/tcp on 111.90.150.219 RPC
Discovered open port 21/tcp on 111.90.150.219 FTP
Discovered open port 53/tcp on 111.90.150.219 DNS
Discovered open port 26/tcp on 111.90.150.219 RSFTP
Discovered open port 465/tcp on 111.90.150.219 SMTP SSL (hope it was patched for HeartBleed)

You completely miss the point.  The POINT IS many, many thousands of dollars per day are being handled by a server which has maybe 12 more ports open than it needs to do the SINGLE FUNCTION it should be doing.  That is only one of two things INCOMPETENCE or NEGLIGENCE.  That is it dude.  That is it.

You want email service, do it elsewhere.  You want SQL service, do it elsewhere.  Ok, so you want SQL service... FINE FILTER IT.  This server is offering services to the WORLD facing interface which it SHOULD NEVER OFFER.

I'm just saying.

You are either an idiot, or you are mocking the rest of us...

Too many services open...  What we have here is a Linux server with *WAY* too many services open.


NSE: Loaded 106 scripts for scanning.
NSE: Script Pre-scanning.
Initiating Ping Scan at 23:02
Scanning 111.90.150.219 [4 ports]
Completed Ping Scan at 23:02, 0.34s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:02
Completed Parallel DNS resolution of 1 host. at 23:02, 0.40s elapsed
Initiating SYN Stealth Scan at 23:02
Scanning mail.btc-arbs.com (111.90.150.219) [1000 ports]
Discovered open port 22/tcp on 111.90.150.219
Discovered open port 993/tcp on 111.90.150.219
Discovered open port 587/tcp on 111.90.150.219
Discovered open port 110/tcp on 111.90.150.219
Discovered open port 25/tcp on 111.90.150.219
Discovered open port 80/tcp on 111.90.150.219
Discovered open port 995/tcp on 111.90.150.219
Discovered open port 143/tcp on 111.90.150.219
Discovered open port 443/tcp on 111.90.150.219
Discovered open port 111/tcp on 111.90.150.219
Discovered open port 21/tcp on 111.90.150.219
Discovered open port 53/tcp on 111.90.150.219
Discovered open port 26/tcp on 111.90.150.219
Discovered open port 465/tcp on 111.90.150.219
Completed SYN Stealth Scan at 23:02, 7.33s elapsed (1000 total ports)
Initiating Service scan at 23:02
Scanning 14 services on mail.btc-arbs.com (111.90.150.219)
Completed Service scan at 23:02, 14.29s elapsed (14 services on 1 host)
Initiating OS detection (try #1) against mail.btc-arbs.com (111.90.150.219)
Initiating Traceroute at 23:02
Completed Traceroute at 23:02, 3.02s elapsed
Initiating Parallel DNS resolution of 16 hosts. at 23:02
Completed Parallel DNS resolution of 16 hosts. at 23:02, 11.04s elapsed
NSE: Script scanning 111.90.150.219.
Initiating NSE at 23:02
Completed NSE at 23:04, 110.97s elapsed
Nmap scan report for mail.btc-arbs.com (111.90.150.219)
Host is up (0.26s latency).
Not shown: 981 closed ports
PORT     STATE    SERVICE     VERSION
21/tcp   open     tcpwrapped
22/tcp   open     tcpwrapped
25/tcp   open     smtp        Postfix smtpd
|_smtp-commands: Couldn't establish connection on port 25
26/tcp   open     tcpwrapped
53/tcp   open     tcpwrapped
80/tcp   open     http        Apache httpd 2.2.26 ((Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635)
|_http-methods: No Allow or Public header in OPTIONS response (status code 301)
|_http-title: Did not follow redirect to https://mail.btc-arbs.com/
110/tcp  open     tcpwrapped
111/tcp  open     tcpwrapped
135/tcp  filtered msrpc
139/tcp  filtered netbios-ssn
143/tcp  open     tcpwrapped
| imap-capabilities:
|_  ERROR: Failed to connect to server
443/tcp  open     ssl/http    Apache httpd 2.2.26 ((Unix) mod_ssl/2.2.26 OpenSSL/1.0.1e-fips mod_auth_passthrough/2.1 mod_bwlimited/1.4 FrontPage/5.0.2.2635)
|_http-methods: No Allow or Public header in OPTIONS response (status code 500)
|_http-title: 500 Internal Server Error
| ssl-cert: Subject: commonName=btc-arbs.com
| Issuer: commonName=PositiveSSL CA 2/organizationName=COMODO CA Limited/stateOrProvinceName=Greater Manchester/countryName=GB
| Public Key type: rsa
| Public Key bits: 2048
| Not valid before: 2014-02-14T00:00:00+00:00
| Not valid after:  2015-02-14T23:59:59+00:00
| MD5:   1b49 96d4 de3c 022b 640a 1bfd 41a2 682f
|_SHA-1: d43b 2f3b 4929 2f2c c76a 698d 7045 f52a 996e 70f3
|_ssl-date: 2014-04-17T03:02:52+00:00; +5s from local time.
|_sslv2: server supports SSLv2 protocol, but no SSLv2 cyphers
465/tcp  open     tcpwrapped
|_smtp-commands: Couldn't establish connection on port 465
587/tcp  open     tcpwrapped
|_smtp-commands: Couldn't establish connection on port 587
993/tcp  open     tcpwrapped
995/tcp  open     tcpwrapped
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.1 - 3.4
Uptime guess: 6.316 days (since Thu Apr 10 15:29:06 2014)
Network Distance: 18 hops
TCP Sequence Prediction: Difficulty=247 (Good luck!)
IP ID Sequence Generation: All zeros

btc-arbs.com registry whois
   Updated 2 hours ago - Refresh
Domain Name: BTC-ARBS.COM
Registrar: ENOM, INC.
Whois Server: whois.enom.com
Referral URL: http://www.enom.com
Name Server: NS1.WEBKEVLAR.NET
Name Server: NS2.WEBKEVLAR.NET
Status: clientTransferProhibited
Updated Date: 28-jan-2014
Creation Date: 04-jan-2014
Expiration Date: 04-jan-2015
btc-arbs.com registrar whois
   Updated 2 hours ago
Domain Name: BTC-ARBS.COM
Registry Domain ID: 1841415035_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.enom.com
Registrar URL: www.enom.com
Updated Date: 2014-01-04 12:13:19Z
Creation Date: 2014-01-04 20:13:00Z
Registrar Registration Expiration Date: 2015-01-04 20:13:00Z
Registrar: ENOM, INC.
Registrar IANA ID: 48
Registrar Abuse Contact Email: email@enom.com
Registrar Abuse Contact Phone: +1.4252744500
Reseller: NAMECHEAP.COM
Domain Status: clientTransferProhibited
Registry Registrant ID:
Registrant Name: WHOISGUARD PROTECTED
Registrant Organization: WHOISGUARD, INC.
Registrant Street: P.O. BOX 0823-03411
Registrant City: PANAMA
Registrant State/Province: PANAMA
Registrant Postal Code: NA
Registrant Country: PA
Registrant Phone: +507.8365503
Registrant Phone Ext:
Registrant Fax: +51.17057182
Registrant Fax Ext:
Registrant Email: email@WHOISGUARD.COM
Registry Admin ID:
Admin Name: WHOISGUARD PROTECTED
Admin Organization: WHOISGUARD, INC.
Admin Street: P.O. BOX 0823-03411
Admin City: PANAMA
Admin State/Province: PANAMA
Admin Postal Code: NA
Admin Country: PA
Admin Phone: +507.8365503
Admin Phone Ext:
Admin Fax: +51.17057182
Admin Fax Ext:
Admin Email: email@WHOISGUARD.COM
Registry Tech ID:
Tech Name: WHOISGUARD PROTECTED
Tech Organization: WHOISGUARD, INC.
Tech Street: P.O. BOX 0823-03411
Tech City: PANAMA
Tech State/Province: PANAMA
Tech Postal Code: NA
Tech Country: PA
Tech Phone: +507.8365503
Tech Phone Ext:
Tech Fax: +51.17057182
Tech Fax Ext:
Tech Email: email@WHOISGUARD.COM
Name Server: NS1.WEBKEVLAR.NET
Name Server: NS2.WEBKEVLAR.NET
DNSSEC: unSigned
URL of the ICANN WHOIS Data Problem Reporting System: http://wdprs.internic.net/
Last update of WHOIS database: 2014-01-04 12:13:19Z

Just going to point out to you that they are stored on exchanges under someone else's key.

I am trusting the admins WRT to their intentions.

Still with Heartbleed, and all the other DNS stuff that has been going on with them all day.  I am not comfortable with the skill of the administrative staff.  I have tens of BTCs invested and I am worried whenever a site that stores passwords crashes.

Like I said, KIDDIES enable two factor authentication.

It is not a damn fraud...  This is a typical site hack.  The clowns who run the site are not competent to manage security.

For that matter the damn owners of the site need to UNPLUG THAT THING FROM THE NETWORK until they figure out what happend.  AT THIS POINT they have not done that.  That troubles me greatly.  Why?  Because once a site is compromised the attacker can do whatever he wants with the site.  He can break the web server and continue to steal from the site.

That site needs to be OFF LINED RIGHT NOW!

Anyone with a contact to the admins of that site, call them RIGHT now and have them take the damn thing off the network RIGHT NOW.  We should not be getting an error page from the server.  The system should be offlined BECAUSE it has our BTC stored on it.  If it is OFFLINE, that BTC can not be stolen.