XAPO Script - Hacked

[sabotag3x]

I'm testing your scripts here Gifted http://www.bitcoinamerica.com.br/faucet
less the adblock one(got some bug here)
Thanks for all!

says im on  a proxie and im not

Yeap, other user tell me the same thing, I'm trying to fix it..
With this code I'm blocking everyone  

Code:

<?PHP
 
IF(ISSET($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT']=='') || ($_SERVER['HTTP_VIA']!='')){
        DIE("Proxy servers not allowed.");
}
 
$proxy_headers = ARRAY(   
     'HTTP_VIA',   
     'HTTP_X_FORWARDED_FOR',   
     'HTTP_FORWARDED_FOR',   
     'HTTP_X_FORWARDED',   
     'HTTP_FORWARDED',   
     'HTTP_CLIENT_IP',   
     'HTTP_FORWARDED_FOR_IP',   
     'VIA',   
     'X_FORWARDED_FOR',   
     'FORWARDED_FOR',   
     'X_FORWARDED',   
     'FORWARDED',   
     'CLIENT_IP',   
     'FORWARDED_FOR_IP',   
     'HTTP_PROXY_CONNECTION'   
        );
FOREACH($proxy_headers AS $x){
     IF (ISSET($_SERVER[$x])) DIE("You are using a proxy.");
        EXIT;
}
 
?>

and with other script, any proxy can enter on the faucet..   well.. I go to sleep and try again tomorrow

[Gifted]

@Gifted
thank you for your amazing script, i ear about security problem of your code.. if you want i can help to fix the problems.

what can you do?? @babo

improve your script, for work im a real frontenders fullstack.. im working with javascript but i also know php

Sure take a look https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning ip's and seeing whos been claiming, also better security for multi claiming with proxies vpn etc. maybe a timer for button to get better bounce rate

Feel free to give it a shot  

@Gifted,
I know I don't contribute much to this topic other than stirring things up.

I was looking at some backend app's that can actually steal the information and download it into CSV files and they can program their Bot to work. I am wondering if you have looked into ( iMacros ) for Chrome and Firefox as I just got them to see if they can in anyway effect your Script. Not sure how to use them but adding them and the Free Proxy List from Chrome it may be possible for them to find backdoors.

Again I am new to this and am trying to fully understand the script so i can use it.

iMacros for Chrome #1:


Free Proxy List for Chrome:


iMacros for Firefox #1:


iMacros for Firefox #2:

yes, this is very possible to use you can read more about it here. its very usefull gambling but could maybe be used in faucets http://www.howtogeek.com/113789/how-to-automate-repetitive-web-browser-tasks-with-imacros/

[ardodd]

I'm testing your scripts here Gifted http://www.bitcoinamerica.com.br/faucet
less the adblock one(got some bug here)
Thanks for all!

When I go there it just tells me that I am using a Proxy. And nothing else. But I am looking into the source page for it right now and this is what I am seeing on it under properties.

body
aLink:""
accessKey:""
attributes:NamedNodeMap
background:""
baseURI:"http://www.bitcoinamerica.com.br/faucet/"
bgColor:""
childElementCount:0
childNodes:NodeList[1]
children:HTMLCollection[0]
classList:DOMTokenList[0]
className:""
clientHeight:775
clientLeft:0
clientTop:0
clientWidth:1042
contentEditable:"inherit"
dataset:DOMStringMap
dir:""
draggable:false
firstChild:text
firstElementChild:null
hidden:false
id:""
innerHTML:"You are using a proxy!"
innerText:"You are using a proxy!"
isConnected:true
isContentEditable:false
lang:""
lastChild:text
lastElementChild:null
link:""
localName:"body"
namespaceURI:"http://www.w3.org/1999/xhtml"
nextElementSibling:null
nextSibling:null
nodeName:"BODY"
nodeType:1
nodeValue:null
offsetHeight:759
offsetLeft:0
offsetParent:null
offsetTop:0
offsetWidth:1026
onabort:null
onbeforecopy:null
onbeforecut:null
onbeforepaste:null
onbeforeunload:null
onblur:null
oncancel:null
oncanplay:null
oncanplaythrough:null
onchange:null
onclick:null
onclose:null
oncontextmenu:null
oncopy:null
oncuechange:null
oncut:null
ondblclick:null
ondrag:null
ondragend:null
ondragenter:null
ondragleave:null
ondragover:null
ondragstart:null
ondrop:null
ondurationchange:null
onemptied:null
onended:null
onerror:null
onfocus:null
onhashchange:null
oninput:null
oninvalid:null
onkeydown:null
onkeypress:null
onkeyup:null
onlanguagechange:null
onload:null
onloadeddata:null
onloadedmetadata:null
onloadstart:null
onmessage:null
onmousedown:null
onmouseenter:null
onmouseleave:null
onmousemove:null
onmouseout:null
onmouseover:null
onmouseup:null
onmousewheel:null
onoffline:null
ononline:null
onpagehide:null
onpageshow:null
onpaste:null
onpause:null
onplay:null
onplaying:null
onpopstate:null
onprogress:null
onratechange:null
onrejectionhandled:null
onreset:null
onresize:null
onscroll:null
onsearch:null
onseeked:null
onseeking:null
onselect:null
onselectstart:null
onshow:null
onstalled:null
onstorage:null
onsubmit:null
onsuspend:null
ontimeupdate:null
ontoggle:null
onunhandledrejection:null
onunload:null
onvolumechange:null
onwaiting:null
onwebkitfullscreenchange:null
onwebkitfullscreenerror:null
onwheel:null
outerHTML:"<body>You are using a proxy!</body>"
outerText:"You are using a proxy!"
ownerDocument:document
parentElement:html
parentNode:html
prefix:null
previousElementSibling:head
previousSibling:head
scrollHeight:775
scrollLeft:0
scrollTop:0
scrollWidth:1042
shadowRoot:null
spellcheck:true
style:CSSStyleDeclaration
tabIndex:-1
tagName:"BODY"
text:""
textContent:"You are using a proxy!"
title:""
translate:true
vLink:""
webkitdropzone:""
__proto__:HTMLBodyElement

[Gifted]

Check my faucet as well and let me know what you think about. http://viral-alert.com/xapo

@viralalert: its working for your page

[Gifted]

Thanks for bringing up the imacros thing...i just found another security problem but i dont want to share here untill its fixed

[ardodd]

Where would he allow proxy servers at now that he has disabled them completey.

[ardodd]

Thanks for bringing up the imacros thing...i just found another security problem but i dont want to share here untill its fixed

@Gifted have you considered trying out the Sandboxie Software. And asking if it can be incorporated into the script?

http://www.sandboxie.com/

I am just asking cause on one of my Wordpress sites I setup Woocommerce and conected it to Paypal Gateway. And I had to set it up using Sandboxie Software to make it Secure.

[babo]

@Gifted
thank you for your amazing script, i ear about security problem of your code.. if you want i can help to fix the problems.

what can you do?? @babo

improve your script, for work im a real frontenders fullstack.. im working with javascript but i also know php

Sure take a look https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning ip's and seeing whos been claiming, also better security for multi claiming with proxies vpn etc. maybe a timer for button to get better bounce rate

Feel free to give it a shot  

ok gifted, in holidays i try to improve admin panel, in specific way ip banning admin panel page

[Gifted]

@Gifted
thank you for your amazing script, i ear about security problem of your code.. if you want i can help to fix the problems.

what can you do?? @babo

improve your script, for work im a real frontenders fullstack.. im working with javascript but i also know php

Sure take a look https://github.com/destinybogan/Faucet-Builder/archive/master.zip

I think it needs some kind of better admin for banning ip's and seeing whos been claiming, also better security for multi claiming with proxies vpn etc. maybe a timer for button to get better bounce rate

Feel free to give it a shot  

ok gifted, in holidays i try to improve admin panel, in specific way ip banning admin panel page

great, would love to see what you add

[Gifted]

Ok guys, there is another hack that can be fixed by replacing this code in your index.php file not the one in style.


find this code

Code:

if($response->success){
      $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Congratulations you have won '.$amount.' Satoshis !!!</p></div></div>';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'</p></div></div>';

and replace with this

Code:

if($response->success){
   header('Refresh: 30;url=[b]change to your faucets url[/b]');
 $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Congratulations you have won '.$amount.' Satoshis !!!</p></div></div>';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'</p></div></div>';

This redirects back to your page after 30 seconds so that the captcha resets so that a imacro program cannot be programmed to just refresh and get credit every hour when they are sleeping. i would suggest do this immediately!  Make sure you put your faucet address where is says change to your faucet url.

[ardodd]

Ok guys, there is another hack that can be fixed by replacing this code in your index.php file not the one in style.


find this code

Code:

if($response->success){
      $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Congratulations you have won '.$amount.' Satoshis !!!</p></div></div>';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'</p></div></div>';

and replace with this

Code:

if($response->success){
   header('Refresh: 30;url=[b]change to your faucets url[/b]');
 $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Congratulations you have won '.$amount.' Satoshis !!!</p></div></div>';
      $url = get_main_url()."?r=".$username;
      $view['main']['ref_link'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-success"><p>Share your referal link and earn a '.$settings["referral_percentage"].'% lifetime bonus. Your referal link is '.$url.'</p></div></div>';

This redirects back to your page after 30 seconds so that the captcha resets so that a imacro program cannot be programmed to just refresh and get credit every hour when they are sleeping. i would suggest do this immediately!  Make sure you put your faucet address where is says change to your faucet url.

@Gifted would it not be better if we wait til you have made a full new version with all the changes in it. As if we keep changing the code to what comes next seems alot of extra work on you also. Call them v1.1 and use the new v1.2 so we know it is the updated version.

Example: Yesterdays security updates
v1.1

Todays security update
v1.2

And every update could have ( v ) attached to it. Would it not seem better if you made the change and then just updated the name of the change. In the description you can tell or explain what is updated.

How much you want to bet that hackers read these post and see the code change and are already looking for counter measures to it. Personally I would think posting code that fixes a security measure should not be posted and kept inside your files so no one seems it. The only way they can get the fix is by downloading the newest Version in a update.

Just my thoughts   

[Gifted]

The patch is in php server side they cant have access and this needs to be fixed right away . i can see your point but a lot of people downloaded my script and they need to know now. i started a security patch thread already

[ardodd]

The patch is in php server side they cant have access and this needs to be fixed right away . i can see your point but a lot of people downloaded my script and they need to know now. i started a security patch thread already

Yes sir you are 100% correct about them needing to know right now to close these backdoors. Do you have a problem with hosting a private membership section for those that do use your code for their website. One that would allow them access to a secure site where only they can have access to your details.

Most people may not worry about where or how they got the script to use on a faucet. Like I can a S2Membership plugin on wordpress that only allows members if I approve them. And it is hard to get into it since i verify that they are who they say they are. And yours could be adapted to verifying that they use your script and it come from you if they wish to get details from the updates.

More like a private support for your script since you modified and made it secure now.

[Gifted]

The patch is in php server side they cant have access and this needs to be fixed right away . i can see your point but a lot of people downloaded my script and they need to know now. i started a security patch thread already

Yes sir you are 100% correct about them needing to know right now to close these backdoors. Do you have a problem with hosting a private membership section for those that do use your code for their website. One that would allow them access to a secure site where only they can have access to your details.

Most people may not worry about where or how they got the script to use on a faucet. Like I can a S2Membership plugin on wordpress that only allows members if I approve them. And it is hard to get into it since i verify that they are who they say they are. And yours could be adapted to verifying that they use your script and it come from you if they wish to get details from the updates.

More like a private support for your script since you modified and made it secure now.

Im just giving immediate patches at the moment the rest of the updates will be in the download when im finished

[ardodd]

@Gifted,

I do apologize for pushing so hard. And I apologize for my impatience, as I understand your position and wanting to help others protect their sites and incomes from this script. I can not only be an idiot but also a pushy idiot.

My Apologies.....

ardodd

[Gifted]

@Gifted,

I do apologize for pushing so hard. And I apologize for my impatience, as I understand your position and wanting to help others protect their sites and incomes from this script. I can not only be an idiot but also a pushy idiot.

My Apologies.....

ardodd

no, it was a good idea ...so dont worry

[alfaboy23]

I'm testing your scripts here Gifted http://www.bitcoinamerica.com.br/faucet
less the adblock one(got some bug here)
Thanks for all!

says im on  a proxie and im not

Yeap, other user tell me the same thing, I'm trying to fix it..
With this code I'm blocking everyone  

Code:

<?PHP
 
IF(ISSET($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT']=='') || ($_SERVER['HTTP_VIA']!='')){
        DIE("Proxy servers not allowed.");
}
 
$proxy_headers = ARRAY(   
     'HTTP_VIA',   
     'HTTP_X_FORWARDED_FOR',   
     'HTTP_FORWARDED_FOR',   
     'HTTP_X_FORWARDED',   
     'HTTP_FORWARDED',   
     'HTTP_CLIENT_IP',   
     'HTTP_FORWARDED_FOR_IP',   
     'VIA',   
     'X_FORWARDED_FOR',   
     'FORWARDED_FOR',   
     'X_FORWARDED',   
     'FORWARDED',   
     'CLIENT_IP',   
     'FORWARDED_FOR_IP',   
     'HTTP_PROXY_CONNECTION'   
        );
FOREACH($proxy_headers AS $x){
     IF (ISSET($_SERVER[$x])) DIE("You are using a proxy.");
        EXIT;
}
 
?>

and with other script, any proxy can enter on the faucet..   well.. I go to sleep and try again tomorrow

I'll try to help.

That proxy header from that code, try to put that in in your .htaccess file, then instead of that PHP code, try this and put it above <!DOCTYPE html> in your template public_html/yourfaucet/style/template/index.php:

Like this:

Code:

<?php if( @fsockopen( $_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1 ) )
{
echo "<h2 align=center>It appears that you are using a PROXY, please BE FAIR! </h2>";
   exit;
}
?>

<!DOCTYPE html>

Then test it in boomproxy, then after accessing your site in boomproxy click the clear cookies link and see if proxy blocking is successful. It should result like this:



Hope that helps even a little.

[sabotag3x]

I'm testing your scripts here Gifted http://www.bitcoinamerica.com.br/faucet
less the adblock one(got some bug here)
Thanks for all!

says im on  a proxie and im not

Yeap, other user tell me the same thing, I'm trying to fix it..
With this code I'm blocking everyone 

Code:

<?PHP
 
IF(ISSET($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT']=='') || ($_SERVER['HTTP_VIA']!='')){
        DIE("Proxy servers not allowed.");
}
 
$proxy_headers = ARRAY(   
     'HTTP_VIA',   
     'HTTP_X_FORWARDED_FOR',   
     'HTTP_FORWARDED_FOR',   
     'HTTP_X_FORWARDED',   
     'HTTP_FORWARDED',   
     'HTTP_CLIENT_IP',   
     'HTTP_FORWARDED_FOR_IP',   
     'VIA',   
     'X_FORWARDED_FOR',   
     'FORWARDED_FOR',   
     'X_FORWARDED',   
     'FORWARDED',   
     'CLIENT_IP',   
     'FORWARDED_FOR_IP',   
     'HTTP_PROXY_CONNECTION'   
        );
FOREACH($proxy_headers AS $x){
     IF (ISSET($_SERVER[$x])) DIE("You are using a proxy.");
        EXIT;
}
 
?>

and with other script, any proxy can enter on the faucet..  well.. I go to sleep and try again tomorrow

I'll try to help.

That proxy header from that code, try to put that in in your .htaccess file, then instead of that PHP code, try this and put it above <!DOCTYPE html> in your template public_html/yourfaucet/style/template/index.php:

Like this:

Code:

<?php if( @fsockopen( $_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1 ) )
{
echo "<h2 align=center>It appears that you are using a PROXY, please BE FAIR! </h2>";
   exit;
}
?>

<!DOCTYPE html>

Then test it in boomproxy, then after accessing your site in boomproxy click the clear cookies link and see if proxy blocking is successful. It should result like this:



Hope that helps even a little.

Like a glove! (I think).. My IP is blacklisted on a lot of services so I can't test at all.. and I can't renew lol
Thank you alfaboy!
I think it's working http://www.bitcoinamerica.com.br/faucet
anyone give me a feedback please

[Gifted]

I have same thing but i still let them go to page just not claim.


Security Patch V1.2 :



Got to index.php in the main root and find this:

Code:

$response = @file('http://verify.solvemedia.com/papi/verify?privatekey=' . $settings['solvemedia_verification_key'] . '&challenge=' . rawurlencode($captchaChallange) . '&response=' . rawurlencode($captchaResponse) . '&remoteip=' . $ip);

  if (!isset($response[0]) || trim($response[0]) === 'false'){
    $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Wrong captcha!</p></div></div>';
    $message                     = "Wrong captcha";
  }
  
$q = $sql->prepare("select * from users where LOWER(username) = LOWER(?) or ip = ? order by claimed_at desc");
  $q->execute(array($username,$ip));
  $row = $q->fetch();

Put this code right underneath the one you find above:

Code:

//We do not allow proxy here

 if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1))
{ 
  $view['main']['result_html'] = '<div class="row text-center"><div class="col-sm-6 col-md-offset-3 bg-danger"><p>Bots not allowed !! If you are not a bot and not on a proxy, i still cant help you !</p></div></div>';
    $message                     = "Proxy";
    goto error; 
  }
  //end proxie check

This will stop proxies if they try to claim and throw a message as you can see in the picture

[alfaboy23]

IMHO, we should totally blockout bad ISP and do not show anything to the users with bad ISPs since it is giving bad traffic to the network ads.