XAPO Script - Hacked

[Gifted]

Blocking whole countries do not work either... i see  one email collecting every couple of min.. this is due to not having a timer on the email but if they are making false email accounts whats the point....i am at a dead stop with this problem..

[Salmen]

Blocking whole countries do not work either... i see  one email collecting every couple of min.. this is due to not having a timer on the email but if they are making false email accounts whats the point....i am at a dead stop with this problem..

From which email provider comes the most bots attack?

[ardodd]

Blocking whole countries do not work either... i see  one email collecting every couple of min.. this is due to not having a timer on the email but if they are making false email accounts whats the point....i am at a dead stop with this problem..

@Gifted I am new here but been reading this post for about two hours now. And been wondering how to effectively STOP BOTS from doing so much damage. I know everyone here has way more experience than myself.

I am ( In my little squirrel brain ) ( And yes not much room for thinking either ) mind ( hint smoke coming out of ears ) two things that come to mind are Log-in and Time on Site after Log-in.

Example #1
1) ABC user comes to site.
2) ABC user has to enter bitcoin wallet address or for Xapo a email address.
3) ABC user has to Solve Captcha.
4) ABC user is credited with xxx amount of satoshi.

***BOTS use a Captcha Service to Solve the Captcha's***

If the previous BOT or Hacker is running consecutive transactions is he/she or it having to Solve Captcha's before the transaction or has this BOT or person found a weakness in the script where they can call the same Captcha over and over. Not exactly sure how they would be able to freeze that Captcha but in theory it is possible and can explain how they are able to process so many transactions in a short period of time. 

I would like to ask if you are able to incorporate two ideas into the script and close all back doors for Captcha problems.

1) I know it is more of a bother than anything for any site to use a Password. But if we want the script to be secure we need to incorporate counter measures to STOP them. I would propose to add a Random Password from Random ORG with a Timer on it to input the Password or PassCode ( In theory it takes 20 seconds to see the code or password and enter it ) maybe longer if you are blind like me. By limiting the time on the Password or PassCode it stops the BOT from having time get it solved from a outsourcing place. This is for being able to STOP the BOT from entering. As the Password or PassCode is a one time thing and can not be duplicated for other users to benefit from.

2) If that is too much trouble then I would suggest as a last resort to have the user verify the Xapo email by sending them a Password or PassCode to enable automatic withdrawals. Which means the BOT or person would be hindered and frustrated so they would quit trying to hack it. As it keeps Honest Users Honest and DisHonest Users Away.

3) Use both methods and change the time limit on the Captcha Solving to under 20 seconds and Password or PassCode times to less than 20 seconds to respond. Adjust the time accordingly if needed.

 BOT = Password or PassCode  = BOT  = Owner  = Owner Reply   

[Gifted]

Blocking whole countries do not work either... i see  one email collecting every couple of min.. this is due to not having a timer on the email but if they are making false email accounts whats the point....i am at a dead stop with this problem..

@Gifted I am new here but been reading this post for about two hours now. And been wondering how to effectively STOP BOTS from doing so much damage. I know everyone here has way more experience than myself.

I am ( In my little squirrel brain ) ( And yes not much room for thinking either ) mind ( hint smoke coming out of ears ) two things that come to mind are Log-in and Time on Site after Log-in.

Example #1
1) ABC user comes to site.
2) ABC user has to enter bitcoin wallet address or for Xapo a email address.
3) ABC user has to Solve Captcha.
4) ABC user is credited with xxx amount of satoshi.

***BOTS use a Captcha Service to Solve the Captcha's***

If the previous BOT or Hacker is running consecutive transactions is he/she or it having to Solve Captcha's before the transaction or has this BOT or person found a weakness in the script where they can call the same Captcha over and over. Not exactly sure how they would be able to freeze that Captcha but in theory it is possible and can explain how they are able to process so many transactions in a short period of time.  

I would like to ask if you are able to incorporate two ideas into the script and close all back doors for Captcha problems.

1) I know it is more of a bother than anything for any site to use a Password. But if we want the script to be secure we need to incorporate counter measures to STOP them. I would propose to add a Random Password from Random ORG with a Timer on it to input the Password or PassCode ( In theory it takes 20 seconds to see the code or password and enter it ) maybe longer if you are blind like me. By limiting the time on the Password or PassCode it stops the BOT from having time get it solved from a outsourcing place. This is for being able to STOP the BOT from entering. As the Password or PassCode is a one time thing and can not be duplicated for other users to benefit from.

2) If that is too much trouble then I would suggest as a last resort to have the user verify the Xapo email by sending them a Password or PassCode to enable automatic withdrawals. Which means the BOT or person would be hindered and frustrated so they would quit trying to hack it. As it keeps Honest Users Honest and DisHonest Users Away.

3) Use both methods and change the time limit on the Captcha Solving to under 20 seconds and Password or PassCode times to less than 20 seconds to respond. Adjust the time accordingly if needed.

 BOT = Password or PassCode   = BOT   = Owner   = Owner Reply    

Its not as easy as you put it. the problem  is they can become a new client at anytime hence getting ip's. emails are suppose to be stopped by
 Xapo itself and changing ip addreses seems no big deal for these guys. there is no security flaw in the capcha  its in xapo wallet itself. i have written the security team on this issue and hopefully this will be fixed. im pretty sure the are doing it manual not by a bot because someone with programming knowlegde usaly wont waste their time with faucets when they are making six figure income. some bots do work but i think they were just someones hobby. but no bot can change ip's put new address in and solve captcha  and turn to next website it would just seem very unlikely

what your saying is just another captcha but custom. that works for bots but i think we are dealing with manual inputs "maybe paying for captcha services with a pool share"

[Gifted]

Blocking whole countries do not work either... i see  one email collecting every couple of min.. this is due to not having a timer on the email but if they are making false email accounts whats the point....i am at a dead stop with this problem..

From which email provider comes the most bots attack?

Russian

[ardodd]

Gifted,

As I said before I did not much experience in this but just wanted to give it a try. Thats no problem I have been called worse by better. And yes I am a idiot, I dont claim to be a genius by any means. Put a ROCK beside me and the ROCK would look like a ROCKET Scientist.

But to enhance this thread I went out looking for ways to get Bitcoins Fast and come back with this little contraption. It is called CoinCollector and I got it for $1.00 online. Now I did have to do some digging into it before I learned how it operated ( 30 Minutes to be exact ). And it was up and running gathering Bitcoins for me.

And this may not even be what you are talking about nor the whole conversation. But it is how I interpreted it.

#1 CoinCollector v4


#2 CoinCollector v4 Settings


#3 CoinCollector v4 ProxyList


#4 CoinCollector v4 Captcha Reading Services


I am sure any idiot could figure this out...I just need a little longer than your normal idoit...   

[babo]

@Gifted
thank you for your amazing script, i ear about security problem of your code.. if you want i can help to fix the problems.

[Gifted]

Gifted,

As I said before I did not much experience in this but just wanted to give it a try. Thats no problem I have been called worse by better. And yes I am a idiot, I dont claim to be a genius by any means. Put a ROCK beside me and the ROCK would look like a ROCKET Scientist.

But to enhance this thread I went out looking for ways to get Bitcoins Fast and come back with this little contraption. It is called CoinCollector and I got it for $1.00 online. Now I did have to do some digging into it before I learned how it operated ( 30 Minutes to be exact ). And it was up and running gathering Bitcoins for me.

And this may not even be what you are talking about nor the whole conversation. But it is how I interpreted it.

#1 CoinCollector v4


#2 CoinCollector v4 Settings


#3 CoinCollector v4 ProxyList


#4 CoinCollector v4 Captcha Reading Services


I am sure any idiot could figure this out...I just need a little longer than your normal idoit...   

yes i have seen those.. in fact they have my faucet list posted next to the download   as you can see here  http://thebot.net/threads/coincollector-v4-multi-faucet-bot.316973/page-36#post-3488787

[Gifted]

@Gifted
thank you for your amazing script, i ear about security problem of your code.. if you want i can help to fix the problems.

what can you do?? @babo

[crairezx20]

I heard in bitcoinblackhat i forgot the name of the forum that they have a script for timer resetter that can claim every minute.
so i think according to the claim in the first page in this thread i saw that every 2 seconds claim.
So i think he is using a complete bot. coin collector v4 dont work just like the same that every 2 seconds claim. because coin collector has only selected faucet..

[Gifted]

timer reset:

Open the source "inspect element" through the dev tools and remove the disabled attribute from the button/input tag. Simple
On Chrome, use ctrl-shift-I to bring up the dev panel. This can even be automated with a plugin such as tampermonkey. Write a script that modifies the site's DOM to remove those annoyances and have tampermonkey run it everytime you visit that faucet.

stop this by encrypting source code  fix is here  http://www.ioncube.com/html_encoder.php

new fix listed below

[Lionidas]

Another hack job? 
Is anything to do with bitcoin not safe to use anymore? These things seem to be affecting it more and more these days that I am starting to worry if my coins will be available whenever I go and check to see if they are still there.
Xapo wallets can be affected if this script takes their wallet address associated to what they used for this faucet.

[ardodd]

WOW !!!!!

Guess I am glad I come here to read up on some the problems before I started the project I have been wanting to do.

Gifted your script was and still is what I been looking for. But i wanted to add a Bitcoin Cycler on the side to double the bitcoins for users. But knowing that information here does make me very hesitant to start on it. And since I do not have any experience with manipulating code I might would need to seek professional help on this matter.

If you get the bugs fixed I definitely am interested in using the script and having the bitcoin cycler script running together. 

[Gifted]

 Code to stop timer reset has been implemented and disables right click for source and F12

Put in public_html/style/template/index.php   right before </head>


Disable right click:  

Code:

<script language="JavaScript">

var message="Function Disabled Due to Bots trying to Claim !";

///////////////////////////////////
function clickIE4(){
if (event.button==2){
alert(message);
return false;
}
}

function clickNS4(e){
if (document.layers||document.getElementById&&!document.all){
if (e.which==2||e.which==3){
alert(message);
return false;
}
}
}

if (document.layers){
document.captureEvents(Event.MOUSEDOWN);
document.onmousedown=clickNS4;
}
else if (document.all&&!document.getElementById){
document.onmousedown=clickIE4;
}

document.oncontextmenu=new Function("alert(message);return false")
</script>
// --> 
</script>

Disable ctr-shift-i "Just CTR"

Code:

 coming soon

Disable F12 for chrome but update for all browsers coming soon

Code:

<script language="JavaScript">

//////////F12 disable code////////////////////////
    document.onkeypress = function (event) {
        event = (event || window.event);
        if (event.keyCode == 123) {
           //alert('No F-12');
            return false;
        }
    }
    document.onmousedown = function (event) {
        event = (event || window.event);
        if (event.keyCode == 123) {
            //alert('No F-keys');
            return false;
        }
    }
document.onkeydown = function (event) {
        event = (event || window.event);
        if (event.keyCode == 123) {
            //alert('No F-keys');
            return false;
        }
    }
/////////////////////end///////////////////////
</script>

2 Anti Adblock code put in same spot under the code above

Code:

<noscript>&lt;center id=b6b2&gt;&lt;p&gt;Please enable JavaScript!&lt;br&gt;Bitte aktiviere JavaScript!&lt;br&gt;S'il vous pla&amp;icirc;t activer JavaScript!&lt;br&gt;Por favor,activa el JavaScript!&lt;br&gt;&lt;a href="http://antiblock.org/"&gt;antiblock.org&lt;/a&gt;&lt;/p&gt;&lt;/div&gt;</noscript>

Code:

<script>(function(w,u){var d=w.document,z=typeof u;function b6b2(){function c(c,i){var e=d.createElement('b'),b=d.body,s=b.style,l=b.childNodes.length;if(typeof i!=z){e.setAttribute('id',i);s.margin=s.padding=0;s.height='100%';l=Math.floor(Math.random()*l)+1}e.innerHTML=c;b.insertBefore(e,b.childNodes[l-1])}function g(i,t){return !t?d.getElementById(i):d.getElementsByTagName(t)};function f(v){if(!g('b6b2')){c('<p>Please disable your ad blocker to claim! (AdBlock, Adlock Plus, uBlock etc.)<br>Bitte deaktiviere Deinen Werbeblocker!<br>Veuillez d&eacute;sactiver votre bloqueur de publicit&eacute;!<br>Por favor, desactive el bloqueador de anuncios!<br><br>Our faucet provides the service of giving small fractions of Bitcoin visitors.<br>This service can provide through advertising on the site. <br>Please disable ad blocker! and help to give more Bitcoin free for all!<br><a href="http://www.bitcoinfaucetexchange.com/">I disable ad blocker and want to refresh the page!</a></p>','b6b2')}};(function(){var a=['AdBar1','ad_468_60','adsbox-left','adspot-295x60','headeradvertholder','kaufDA-widget','sidebar_ad','ad','ads','adsense'],l=a.length,i,s='',e;for(i=0;i<l;i++){if(!g(a[i])){s+='<a id="'+a[i]+'"></a>'}}c(s);l=a.length;setTimeout(function(){for(i=0;i<l;i++){e=g(a[i]);if(e.offsetParent==null||(w.getComputedStyle?d.defaultView.getComputedStyle(e,null).getPropertyValue('display'):e.currentStyle.display)=='none'){return f('#'+a[i])}}},250)}());(function(){var t=g(0,'img'),a=['.org/gads/','/adhandler.','/adleaderboardtop.','/ads/300.','/adv/ads/ad','/advertising.','/advertorial_','/no_ads.','/twgetad3.','.480x60.'],i;if(typeof t[0]!=z&&typeof t[0].src!=z){i=new Image();i.onload=function(){this.onload=z;this.onerror=function(){f(this.src)};this.src=t[0].src+'#'+a.join('')};i.src=t[0].src}}());(function(){var o={'http://pagead2.googlesyndication.com/pagead/show_ads.js':'google_ad_client','http://js.adscale.de/getads.js':'adscale_slot_id','http://get.mirando.de/mirando.js':'adPlaceId'},S=g(0,'script'),l=S.length-1,n,r,i,v,s;d.write=null;for(i=l;i>=0;--i){s=S[i];if(typeof o[s.src]!=z){n=d.createElement('script');n.type='text/javascript';n.src=s.src;v=o[s.src];w[v]=u;r=S[0];n.onload=n.onreadystatechange=function(){if(typeof w[v]==z&&(!this.readyState||this.readyState==="loaded"||this.readyState==="complete")){n.onload=n.onreadystatechange=null;r.parentNode.removeChild(n);w[v]=null}};r.parentNode.insertBefore(n,r);setTimeout(function(){if(w[v]===u){f(n.src)}},2000);break}}}())}if(d.addEventListener){w.addEventListener('load',b6b2,false)}else{w.attachEvent('onload',b6b2)}})(window);</script>

[Gifted]

Ive decided to make a fresh copy with all added security to it and display download sometime tomorrow. i was waiting for answers before i made a new copy . if someone would like to contribute more security code plz feel free to post

[sabotag3x]

It HIDE the source code? or you just can't open the source code window?

[Gifted]

It HIDE the source code? or you just can't open the source code window?

cant right click but you can still hit f12  try on my site http://www.bitcoinfaucetexchange.com

fixed both

[Gifted]

so now there is now inspect element at all blocking right click and f12 with the codes i listed above

but now there is ctr-shift-I  to stop lol


The problem is people will have a hard time pasting their btc address  this i will have to think about how to get around

[sabotag3x]

are you testing here -> http://www.bitcoinfaucetexchange.com ?
because I can right click, F12, CTRL+U, CTRL+SHIFT+I

[Gifted]

are you testing here -> http://www.bitcoinfaucetexchange.com ?
because I can right click, F12, CTRL+U, CTRL+SHIFT+I

refresh the page