Bitcoin Forum
Author Topic: Coinchat doesn't salt or use a strong hash algo  (Read 32160 times)
gweedo (OP)
Legendary
*
Offline Offline

Activity: 1498
Merit: 1000


View Profile
July 12, 2013, 06:54:28 AM
Last edit: July 12, 2013, 06:05:16 PM by gweedo
 #1

This is a warning! Don't use these sites, TF can access your password at any time! And take over your other accounts.

favdesu
Legendary
*
Offline Offline

Activity: 1764
Merit: 1000



View Profile WWW
July 12, 2013, 07:15:41 AM
 #2

bullshit,

WOW, you're not a programmer, you're a con, this is horrible. It should be salted and using a hash like bcrypt that can't be brute forced, so you can't post users' passwords, that is the worst thing ever!
I use bcrypt for Inputs, and good salts for CoinLenders.
I don't care if I upset or violate the privacy of scammers. If you dislike this policy, you can (1) not scam people or (2) not use my services.

scotaloo
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
July 12, 2013, 07:16:58 AM
 #3

What's even funnier about the whole thing is, he's accusing me of all this crap, and those nicks are just people who use Tor IPs; only 4 are mine, the rest are innocent users he 'nuked', which takes their account balance too. I'm going to contact them to ask them to make a scam accusation against TF on here, as he's essentially defrauded them out of their BTC on coinchat for no reason other than he made a mistake.
keatonatron
Sr. Member
****
Offline Offline

Activity: 308
Merit: 250


Jack of oh so many trades.


View Profile
July 12, 2013, 07:20:42 AM
 #4

So, use a password that won't show up in a rainbow table and you'll be fine.

1KEATSvAhbB7yj2baLB5xkyJSnkfqPGAqk
scotaloo
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
July 12, 2013, 07:22:24 AM
 #5

So you're going to believe him if one of his sites doesn't have it for sure? I am 100% sure none of his sites do. Just a programming hence, I use the same template for all my sites, and 99% of programmers do. So yeah. If you believe him then good for you, but I am not.

I recommend you port scan his server too... or I recommend you don't if you have BTC with him... It's shocking.
favdesu
Legendary
*
Offline Offline

Activity: 1764
Merit: 1000



View Profile WWW
July 12, 2013, 07:30:45 AM
 #6

bullshit,

WOW, you're not a programmer, you're a con, this is horrible. It should be salted and using a hash like bcrypt that can't be brute forced, so you can't post users' passwords, that is the worst thing ever!
I use bcrypt for Inputs, and good salts for CoinLenders.
I don't care if I upset or violate the privacy of scammers. If you dislike this policy, you can (1) not scam people or (2) not use my services.

So you're going to believe him if one of his sites doesn't have it for sure? I am 100% sure none of his sites do. Just a programming hence, I use the same template for all my sites, and 99% of programmers do. So yeah. If you believe him then good for you, but I am not.

yes, I believe him.

This is a warning! Don't use these sites, TF can access your password at any time! And take over your other accounts.

so, someone post the nmap and we'll analyze it.

scotaloo
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
July 12, 2013, 07:49:32 AM
 #7

Don't worry, it's perfectly legal to possess hacking software here, and people need to see this, so:

Quote
$ nmap -T4 -A -v -PE -PS22,25,80 -PA21,23,80,3389 coinchat.org


Starting Nmap 5.21 ( http://nmap.org ) at 2013-07-12 08:48 IST
NSE: Loaded 36 scripts for scanning.
Initiating Ping Scan at 08:48
Scanning coinchat.org (192.155.86.153) [8 ports]
Completed Ping Scan at 08:48, 0.20s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:48
Completed Parallel DNS resolution of 1 host. at 08:48, 0.05s elapsed
Initiating SYN Stealth Scan at 08:48
Scanning coinchat.org (192.155.86.153) [1000 ports]
Discovered open port 80/tcp on 192.155.86.153
Discovered open port 22/tcp on 192.155.86.153
Discovered open port 8888/tcp on 192.155.86.153
Discovered open port 8000/tcp on 192.155.86.153
Discovered open port 9000/tcp on 192.155.86.153
Discovered open port 8333/tcp on 192.155.86.153
Completed SYN Stealth Scan at 08:48, 5.86s elapsed (1000 total ports)
Initiating Service scan at 08:48
Scanning 6 services on coinchat.org (192.155.86.153)
Completed Service scan at 08:49, 31.61s elapsed (6 services on 1 host)
Initiating OS detection (try #1) against coinchat.org (192.155.86.153)
Retrying OS detection (try #2) against coinchat.org (192.155.86.153)
Initiating Traceroute at 08:49
Completed Traceroute at 08:49, 0.20s elapsed
Initiating Parallel DNS resolution of 10 hosts. at 08:49
Completed Parallel DNS resolution of 10 hosts. at 08:49, 0.10s elapsed
NSE: Script scanning 192.155.86.153.
NSE: Starting runlevel 1 (of 1) scan.
Initiating NSE at 08:49
Completed NSE at 08:49, 30.34s elapsed
NSE: Script Scanning completed.
Nmap scan report for coinchat.org (192.155.86.153)
Host is up (0.19s latency).
rDNS record for 192.155.86.153: mafiahunt.net
Not shown: 985 closed ports
PORT     STATE    SERVICE         VERSION
22/tcp   open     ssh             OpenSSH 5.9p1 Debian 5ubuntu1.1 (protocol 2.0)
| ssh-hostkey: 1024 87:73:ff:39:8c:14:99:b2:a7:09:f8:2f:e1:95:b7:ba (DSA)
|_2048 0e:dc:0c:ff:45:c0:a1:f4:69:4e:58:80:f4:5d:f4:b7 (RSA)
25/tcp   filtered smtp
80/tcp   open     http?
2710/tcp filtered unknown
6666/tcp filtered irc
6667/tcp filtered irc
6668/tcp filtered irc
6669/tcp filtered irc
6969/tcp filtered acmsoda
7000/tcp filtered afs3-fileserver
8000/tcp open     http            Apache httpd 2.2.22 ((Ubuntu))
|_html-title: MafiaHunt - Realtime Mafia on the web
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported: CONNECTION
8333/tcp open     tcpwrapped
8888/tcp open     sun-answerbook?
9000/tcp open     cslistener?
9090/tcp filtered zeus-admin
3 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=5.21%I=7%D=7/12%Time=51DFB4D7%P=i686-pc-linux-gnu%r(GetReq
SF:uest,52,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Fri,\x2012\x20Jul
SF:\x202013\x2007:48:38\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOpt
SF:ions,52,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Fri,\x2012\x20Jul
SF:\x202013\x2007:48:39\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(FourOhF
SF:ourRequest,52,"HTTP/1\.1\x20404\x20Not\x20Found\r\nDate:\x20Fri,\x2012\
SF:x20Jul\x202013\x2007:48:40\x20GMT\r\nConnection:\x20close\r\n\r\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8888-TCP:V=5.21%I=7%D=7/12%Time=51DFB4D7%P=i686-pc-linux-gnu%r(GetR
SF:equest,1A1A,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2012\x20Jul\x2020
SF:13\x2007:48:38\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>
SF:\n<head>\n<title>CoinChat\x20-\x20free\x20bitcoins\x20and\x20chat\x20ro
SF:om</title>\n<link\x20href=\"//netdna\.bootstrapcdn\.com/twitter-bootstr
SF:ap/2\.3\.2/css/bootstrap-combined\.min\.css\"\x20rel=\"stylesheet\">\n<
SF:link\x20href='static/css/default\.css'\x20type='text/css'\x20rel='style
SF:sheet'>\n<link\x20rel=\"icon\"\x20type=\"image/png\"\x20href=\"static/i
SF:mg/chat\.png\">\n<meta\x20name=\"description\"\x20content=\"A\x20web\x2
SF:0chatroom\x20-\x20discuss\x20and\x20chat\x20with\x20a\x20nice\x20stylis
SF:h\x20functional\x20client\.\x20Works\x20everywhere,\x20Bitcoin\x20integ
SF:rated\">\x20\n</head>\n<body>\n\t<div\x20class='container'>\n\t\t<div\x
SF:20id='changepassmodal'\x20class='modal\x20fade\x20hide'>\n\t\t\t<div\x2
SF:0class='modal-header'>\n\t\t\t\t<button\x20type='button'\x20class='clos
SF:e'\x20data-dismiss='modal'\x20aria-hidden='true'>&times;</button>\n\t\t
SF:\t\t<h3>Change\x20Password</h3>\n\t\t\t</div>\n\t\t\t<div\x20class='mod
SF:al-body'>\n\t\t\t\t<p>Change\x20the\x20password\x20for\x20this\x20accou
SF:nt</p>\n\t\t\t\t<input\x20type='passw")%r(HTTPOptions,1A1A,"HTTP/1\.1\x
SF:20200\x20OK\r\nDate:\x20Fri,\x2012\x20Jul\x202013\x2007:48:39\x20GMT\r\
SF:nConnection:\x20close\r\n\r\n<!DOCTYPE\x20html>\n<head>\n<title>CoinCha
SF:t\x20-\x20free\x20bitcoins\x20and\x20chat\x20room</title>\n<link\x20hre
SF:f=\"//netdna\.bootstrapcdn\.com/twitter-bootstrap/2\.3\.2/css/bootstrap
SF:-combined\.min\.css\"\x20rel=\"stylesheet\">\n<link\x20href='static/css
SF:/default\.css'\x20type='text/css'\x20rel='stylesheet'>\n<link\x20rel=\"
SF:icon\"\x20type=\"image/png\"\x20href=\"static/img/chat\.png\">\n<meta\x
SF:20name=\"description\"\x20content=\"A\x20web\x20chatroom\x20-\x20discus
SF:s\x20and\x20chat\x20with\x20a\x20nice\x20stylish\x20functional\x20clien
SF:t\.\x20Works\x20everywhere,\x20Bitcoin\x20integrated\">\x20\n</head>\n<
SF:body>\n\t<div\x20class='container'>\n\t\t<div\x20id='changepassmodal'\x
SF:20class='modal\x20fade\x20hide'>\n\t\t\t<div\x20class='modal-header'>\n
SF:\t\t\t\t<button\x20type='button'\x20class='close'\x20data-dismiss='moda
SF:l'\x20aria-hidden='true'>&times;</button>\n\t\t\t\t<h3>Change\x20Passwo
SF:rd</h3>\n\t\t\t</div>\n\t\t\t<div\x20class='modal-body'>\n\t\t\t\t<p>Ch
SF:ange\x20the\x20password\x20for\x20this\x20account</p>\n\t\t\t\t<input\x
SF:20type='passw");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port9000-TCP:V=5.21%I=7%D=7/12%Time=51DFB4EA%P=i686-pc-linux-gnu%r(Four
SF:OhFourRequest,472,"HTTP/1\.1\x20200\x20OK\r\nDate:\x20Fri,\x2012\x20Jul
SF:\x202013\x2007:48:57\x20GMT\r\nConnection:\x20close\r\n\r\n<!DOCTYPE\x2
SF:0html>\n<html>\n<head>\n<script\x20src=\"socket\.io/socket\.io\.js\"></
SF:script>\n<script\x20src=\"static/jquery\.min\.js\"></script>\n<script\x
SF:20src='static/jquery\.cookie\.js'></script>\n<script\x20src='static/scr
SF:ipts\.js'></script>\n<script\x20src='\.\./js/chat\.js'></script>\n<scri
SF:pt\x20src='/js/jquery-ui\.js'></script>\n<meta\x20http-equiv='Content-T
SF:ype'\x20content='text/html;charset=UTF-8'\x20/>\n<link\x20rel=\"stylesh
SF:eet\"\x20type=\"text/css\"\x20href='static/style\.css'\x20/>\n</head>\n
SF:<body>\n<div\x20class='page'>\n\x20\x20<div\x20class='topmenu'>\n\x20\x
SF:20\t<span\x20class='setup'>Loading\.\.</span>\n\x20\x20\t<span\x20class
SF:='timer'>Loading\.\.</span>\n\x20\x20\t<span\x20class='leave'>Leave</sp
SF:an>\n\x20\x20</div>\n\x20\x20<div\x20class='leftbox'>\n\x20\x20\t<div\x
SF:20class='aliveyard'>\n\x20\x20\t</div>\n\x20\x20\t<div\x20class='gravey
SF:ard'>\n\x20\x20\t</div>\n\x20\x20</div>\n\x20<div\x20class='dayNav'>\.\
SF:.\.</div>\n\x20\x20<div\x20class='content'>\n\t<div\x20class='hello'>Lo
SF:ading\.\.\x20please\x20wait</div>\n\x20\x20</di");
Device type: WAP|general purpose|router|broadband router|webcam
Running (JUST GUESSING) : Linux 2.6.X|2.4.X (91%), Linksys Linux 2.4.X (90%), D-Link embedded (87%), Linksys embedded (87%), Peplink embedded (87%), AXIS Linux 2.6.X (87%)
Aggressive OS guesses: OpenWrt Kamikaze 7.09 (Linux 2.6.22) (91%), Linux 2.6.9 - 2.6.27 (91%), Linux 2.6.22 (Fedora Core 6) (91%), OpenWrt White Russian 0.9 (Linux 2.4.30) (90%), OpenWrt 0.9 - 7.09 (Linux 2.4.30 - 2.4.34) (90%), Linux 2.6.24 - 2.6.31 (89%), Linux 2.6.9 - 2.6.18 (89%), Linux 2.6.18 - 2.6.27 (88%), Linux 2.6.15 - 2.6.30 (88%), Linux 2.6.22 (88%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 4.372 days (since Sun Jul  7 23:53:26 2013)
Network Distance: 10 hops
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.28 seconds
           Raw packets sent: 1148 (52.820KB) | Rcvd: 1082 (45.508KB)

scotaloo
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
July 12, 2013, 07:51:06 AM
 #8

Looks like he closed 3389 and a few others after I warned him a week ago, good job, but still... a financial site
scotaloo
Newbie
*
Offline Offline

Activity: 42
Merit: 0


View Profile
July 12, 2013, 07:51:55 AM
 #9

Thank you kind sir, for taking the risk for all of us!

I'm likely about to be banned unfairly for being an alt of an account that I am not when theymos wakes up, so meh, I could care less.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 07:58:14 AM
 #10


So you're going to believe him if one of his sites doesn't have it for sure? I am 100% sure none of his sites do. Just a programming hence, I use the same template for all my sites, and 99% of programmers do. So yeah. If you believe him then good for you, but I am not.

Yeah, good luck using a Node.js template for PHP.

FUD like this is why you have a negative trust rating. I've already shown the source code function for CL.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 08:06:07 AM
 #11

By hard proof, gweedo means that he wants the full source code and database of CoinLenders. I wonder what legitimate reasons he has for wanting the database?

I've already found vulnerabilities in them. It's simple, provide me with a written & signed contract authorizing penetration testing on your site.

The negative trust rating shows up for everyone by default, your negative trust rating shows up for no one except you. I suggest making a new throwaway and seeing what your profile looks like.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 12, 2013, 08:07:37 AM
 #12

Why are you guys abusing the trust system for no reason?
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 08:08:49 AM
 #13

Why are you guys abusing the trust system for no reason?
He's posting FUD (such as claiming that I don't hash or salt), when that's plainly untrue (your password is hashed in your browser for CoinLenders) which is untrustworthy.

That's not very different from false scammer accusations, which would get you a negative trust rating. Go claim John K is a scammer (when it is untrue) and see what your trust score looks like later for example.

Or claim that a web hosting company scammed you when you haven't purchased anything. Intentionally misleading statements are untrustworthy.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 12, 2013, 08:11:39 AM
 #14


The negative trust rating shows up for everyone by default, your negative trust rating shows up for no one except you. I suggest making a new throwaway and seeing what your profile looks like.

No, his ratings are red because you are in "DefaultTrust".
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 08:12:42 AM
 #15

When did images become FUD and untrustworthy? I am not abusing any trust system; apparently he is very sensitive about this. He has extorted me to abuse the trust, he thinks he can hack me, and he is just calling me untrustworthy, which is slander.

Quote
This is a warning! Don't use these sites, TF can access your password at any time! And take over your other accounts.

Which is untrue.

Your image shows that I don't salt passwords for CoinChat. I hash passwords with SHA256. So I cannot access your password at any time. That's an outright lie. For other sites I always salt at least.

Quote
No, his ratings are red because you are in "DefaultTrust".

That's my point? My ratings show up by default, his don't.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 08:13:04 AM
 #16

Besides, if you ARE using the same password for more than one site / don't use a password manager / etc, you need to fix that.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 12, 2013, 08:16:12 AM
 #17

That's my point? My ratings show up by default, his don't.

VIP donator Badge has lots of benefits.
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 08:18:01 AM
 #18

CoinLenders and CoinChat hash passwords.

CoinLenders also salts passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.
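The thread's technical disagreement is whether an unsalted SHA256 table (what TradeFortress describes for CoinChat) protects users, versus the salted bcrypt storage favdesu recommends and the rainbow-table remark in reply #4. As an added example that is not code from the thread, from CoinChat or from CoinLenders, the Python below contrasts the two schemes. It uses the standard library's PBKDF2-HMAC-SHA256 as a stand-in for bcrypt; the user names, passwords, iteration count and storage format are all constructed for the demonstration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Optional, Tuple

# Constructed sample accounts; "bob" and "carol" deliberately share a password.
SAMPLE_USERS = {
    "alice": "correct horse",
    "bob": "hunter2",
    "carol": "hunter2",
}


def store_unsalted_sha256(password: str) -> str:
    """The scheme described for CoinChat in the thread: one SHA256 over the
    password, no salt. The stored value depends on the password alone, so it
    is identical for every user with that password and can be matched against
    a table computed once, ahead of time, for any site using the scheme."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted_pbkdf2(password: str, salt: Optional[bytes] = None,
                        iterations: int = 200_000) -> str:
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here as a
    standard-library stand-in for bcrypt). The salt is stored beside the hash,
    so a precomputed table is useless and each guess must be recomputed per
    user; the iteration count makes each guess expensive.
    Constructed storage format: pbkdf2$<iterations>$<salt hex>$<hash hex>."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${dk.hex()}"


def verify_salted_pbkdf2(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2":
        raise ValueError("unexpected storage scheme")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_password_groups(table: Dict[str, str]) -> int:
    """Number of stored values that occur more than once. With an unsalted
    hash every set of users sharing a password is visible in a leaked table
    before anything is cracked; with per-user salts the count is zero."""
    return sum(1 for n in Counter(table.values()).values() if n > 1)


def build_tables(users: Dict[str, str] = SAMPLE_USERS
                 ) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Build both storage tables for the sample users."""
    unsalted = {u: store_unsalted_sha256(p) for u, p in users.items()}
    salted = {u: store_salted_pbkdf2(p) for u, p in users.items()}
    return unsalted, salted


if __name__ == "__main__":
    unsalted, salted = build_tables()
    print("unsalted SHA256 duplicate groups:", shared_password_groups(unsalted))
    print("salted PBKDF2 duplicate groups:  ", shared_password_groups(salted))
    print("bob verifies:", verify_salted_pbkdf2("hunter2", salted["bob"]))
```

In production the `bcrypt` or `argon2-cffi` packages are the usual choice rather than hand-rolled PBKDF2. One caveat on the browser-side hashing mentioned for CoinLenders: if the server stores whatever hash the client sends, that hash simply becomes the credential, so the server still has to salt and hash the received value itself.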
🏰 TradeFortress 🏰
Bitcoin Veteran
VIP
Legendary
*
Offline Offline

Activity: 1316
Merit: 1043

👻


View Profile
July 12, 2013, 08:22:20 AM
 #19

CoinLenders and CoinChat hash passwords.

CoinLenders also salts passwords.

CoinLenders also hashes your password in your browser with Javascript.

I cannot access your password (unlike what gweedo is claiming) on CoinLenders. I can only access the hash which is useless if it has been salted with a strong hash.

Gweedo is spreading FUD that I don't do this. He is posting a misleading screenshot out of context. I DO hash passwords. I don't salt them for CoinChat, but they are hashed.

As I am tired of saying the same thing again and again, this is now my stock response.
escrow.ms
Legendary
*
Offline Offline

Activity: 1274
Merit: 1004


View Profile
July 12, 2013, 08:22:44 AM
 #20

@Trade, if you want I can make a test account on both of your sites with a random password; you can then post the hash with salt here and a screenshot of username/hash from the database to prove him wrong.

You can also put a bounty to crack it.