Nullu
|
|
January 01, 2014, 02:08:43 PM |
|
I believe I mentioned SQL injection as a possibility in the original thread on ecrypto. It's basic security 101 for SQL and user input though.
Someone specifically said the GET variables were not being sanitised. I didn't check myself at the time. If that is the case then it's almost certainly how the hacker gained entrance so easily. A single un-escaped input gives the hacker complete control over the server. There's no way to check for GET sanitation on the front end of the site that I'm aware of, as it happens on the server after it retrieves the input. An SQL query is just a string, like any data. If you're coding a website that processes financial transactions and don't know how to prevent SQL injection, then you shouldn't be coding financial websites period. I cannot express how basic knowledge that is in secure web development. If this is what caused the hack, then I'm sorry, but I wouldn't put a single Dimecoin on Ecrypto. Yes I am assuming the person who claimed there is no GET sanitisation injected into the sql to test his hypothesis, otherwise it would make no sense since there's literally a million ways to penetrate a server. It is v basic php security which you'll learn in any beginner's book on php. This is why I posed OP the question, to ascertain how much of a php noob he is. Unfortunately the fact his site got hacked so damn quickly suggests in itself it was a basic security hole he left uncovered and not some sophisticated hack attempt. Yes, either that, or crying "hacked". Plausible deniability; we have no real way of proving if the site ever got hacked at all. Only his word.
|
BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF
|
|
|
|
|
|
|
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
|
|
|
RedHat
Newbie
Offline
Activity: 32
Merit: 0
|
|
January 01, 2014, 02:51:34 PM |
|
Anyway I've send an email to him for my coins. I have nothing but hope
|
|
|
|
demoniality
|
|
January 01, 2014, 05:29:20 PM |
|
|
ufo: C9icQvu4T4Jo6QpmnP1dgQW5ru1BfPJ4sV
|
|
|
meljohn333
Newbie
Offline
Activity: 21
Merit: 0
|
|
January 11, 2014, 11:17:05 PM |
|
that was quick, down forever?
|
|
|
|
|
erre
Legendary
Offline
Activity: 1666
Merit: 1205
|
|
January 19, 2014, 01:25:42 AM |
|
Any news?
|
|
|
|
erre
Legendary
Offline
Activity: 1666
Merit: 1205
|
|
January 31, 2014, 12:18:17 PM |
|
Bump.
I still didn't forget.
Are there more scammed people?
|
|
|
|
janhajk
Newbie
Offline
Activity: 2
Merit: 0
|
|
February 03, 2014, 09:18:27 AM |
|
Bump.
I still didn't forget.
Are there more scammed people?
Yep, i lost 0.5 BTC there. I have not forgot!
|
|
|
|
demoniality
|
|
February 03, 2014, 01:10:33 PM |
|
yep, we are not going to let this go forgotten..
|
ufo: C9icQvu4T4Jo6QpmnP1dgQW5ru1BfPJ4sV
|
|
|
erre
Legendary
Offline
Activity: 1666
Merit: 1205
|
|
February 03, 2014, 03:52:37 PM |
|
We do not Forgive. We do not Forget.
|
|
|
|
erre
Legendary
Offline
Activity: 1666
Merit: 1205
|
|
February 03, 2014, 04:03:14 PM |
|
Since many scammed people do know his identity, i'm really scared that someone will threat him in real life if he don't give any feedback soon. Of course i'll never do that, but i bet that some bad people would be glad to pay a little extra to someone to see him beaten or worst. you'll not see again you money, but it's cheaper than a legal In italy you usually get a shoot in your knees for a thing like that.. it's not lethal, but you'll need a baton for the rest of your life. How do you treat scammers in your countries?
|
|
|
|
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
|
|
March 26, 2014, 09:36:28 PM |
|
Anyone here living in BC, Canada able to go pay this guy a visit? I also just saw the "grinning" cow on the website. He wouldn't have posted it, if he were in over his head. Seems to me, he just ran with all the money he collected.
This is very unfortunate for the people who deposited their coins there.
Which exchange do you trust besides Cryptsy?
I trust cn.bter.com and (maybe) vircurex. P.S. Name: bruce degrosbois Organization: sitemagik Street: 19613-42 ave City: langley State/Province: BC Postal Code: v3a3a3 Country: CA Phone: +1.6045399527 Experience Recreation and Tourism Alumni Event Coordinator at Vancouver Island University Professional Driver at AC Taxi Coder at Coastal Webmasters (Self-employed) Assistant Manager at Agape Ministry Manager at Edmonton Restaurant Slowpitch League, Edmonton, AB Coder at Coastal Webmasters (Self-employed) (From Linkedin) ExperienceCEO Ecrypto October 2013 – Present (3 months)Vancouver, Canada Area Ecrypto is developing the worlds most advanced cryptocurrency trading platform. Ecrypto is currently in Alpha development with an expected Beta release date of December 1, 2013. http://www.Ecrypto.netProjects Understanding Bitcoin March 2013 I suspect Bitcoin is a game changer much like windows was. It is hard not to love it once you understand it. The growth of Bitcoin is unprecedented and surprisingly the percentage growth of the alternate digital currency called Litecoin has been even higher. Many millionaires have been created by this and for the rest of us, well we missed the boat - this time. I see understanding Bitcoin as...more HeartofGoldProject.ca(Link) Simon Fraser UniversityUrban Planning Certificate, Urban Planning 2013 – 2014 (expected)RFABCMasters certificate, facility management 2012 – 2013I have been doing the courses for the past year and a half. I currently need 1 course to complete my certificate, however the course has not been offered - ever. Will complete it ASAP How we going with the payback plan Brucey boy?
|
|
|
|
erre
Legendary
Offline
Activity: 1666
Merit: 1205
|
|
March 27, 2014, 04:58:19 PM |
|
we're still waiting
|
|
|
|
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
|
|
July 10, 2014, 06:05:57 AM |
|
bump
you still around brucey?
|
|
|
|
demoniality
|
|
July 13, 2014, 11:36:22 PM |
|
never forget
|
ufo: C9icQvu4T4Jo6QpmnP1dgQW5ru1BfPJ4sV
|
|
|
jertsy
|
|
January 01, 2015, 09:44:04 PM |
|
Bump
I don't suppose anyone's got their money back yet?
|
|
|
|
erre
Legendary
Offline
Activity: 1666
Merit: 1205
|
|
January 01, 2015, 11:31:06 PM |
|
No, but every time a service turned out to be a scam, like hashie or mintpal lately, I remeber of this.
This was the first time i was scammed by someone. I will Never forgive, never forget.
|
|
|
|
Oldminer
Legendary
Offline
Activity: 1022
Merit: 1001
|
|
January 02, 2015, 01:10:06 AM |
|
Ah old Brucey boy...how could we forget...
|
|
|
|
Crypty3
Newbie
Offline
Activity: 42
Merit: 0
|
|
January 02, 2015, 01:14:41 AM |
|
How much did he make off with?
|
|
|
|
jertsy
|
|
January 02, 2015, 11:27:45 AM |
|
How much did he make off with?
He claims it was only was only 11 BTC, but he also promised to pay everyone back 150% of what they lost, which he never did. We only have his word on how much he made off with, and he lied about paying everyone back. UPDATE!! Explanation for loss of service and plans for recovery and repayment. From the day Ecrypto started operating it was under attack. Many attempts to penetrate the servers occured and attempts to hack my personal accounts were constant. Unfortunatly on the morning of December 28 the attacker was successful in gaining entry to the wallet servers. Things were operating normally when I noticed the wallet balance had gone to -11 BTC. A few minutes later the wallet servers stopped responding completly, and access to them through the command line became impossible. Digital Ocean began to investigate the problem and after some time sent this response. Greetings, I appreciate your patience. After loading your droplet's into a recovery environment, it appears that someone has compromised both of your droplet's, and stolen your bitcoin from the `W2` droplet. This is confirmed from the `.bash_history` file, which the attack did not effectively remove. In an attempt to cover their tracks, they attempted to wipe out your droplets filesystem with `rm -rf /`, but mistakenly left the `/root` folder, which left some of the data for the blocks you had found. On the `W1` droplet, it is not apparent if there were any *coin's transferred, as the .bash_history folder over there was effectively wiped out prior to the `rm -rf /` on that droplet. For your reference, both droplets remain in the recovery environment right now, and have the drives mounted. I've taken a few screenshots of the console and pulled of the transfer of your 11 bitcoin on blockchain.info to confirm the theft: http://screencast.com/t/Ba7Mvgh6md0 http://screencast.com/t/1eKtogngnw https://blockchain.info/address/19Xn6GPjMoj8FMLMWg77Wq7PNiFSUsZxSVGiven the nature of bitcoin, this theft is effectively irreversible. Unfortunately, even if the data of your droplet's did remain intact, the theft would remain irreversible. I would certainly be quite suspicious of this compromise, as if these bitcoin were just transferred last night, it would seem someone associated with you, or the other party, is well aware of your two mining droplets, or may have had access to the droplet's prior. Unfortunately, there is truly nothing more that we are able to do for you at this point. Regards, Russell Mitchell | Support Team There is noone with access to the account information hare so clearly this was a pure hack. I made great efforts to make the servers impossible to hack, however the hacker simply walked right in and stole everything. The coins they did not steal, they deleted. Since the attack I have just been sick to my stomach. Ecrypto has taken 6 months of 16 hour days to build, and anyone suggesting this was a theft by me is a complete fool. The total stolen was only 11 BTC which is not a huge amount. If the hacker had waited, they would have been able to steal a significant amount more, but it is obviously just an impatient child. I am currently reworking the entire setup, making significant changes that will make it impossible to penetrate. The wallet servers will have NO communications with the website server at all, and gaining access to them should be impossible. The weak point will be the weak passwords that Digital Ocean automatically generates for servers, but since the wallet server will have no connection with the website, even finding the server will be nearly impossible. I will also change the location of the wallet server at least once a week, and transfer the majority of BTC and LTC in the wallets into cold storage for additional security. So the next question is, when will you get the coins you lost back? We have backup images of the wallet balances at the time of the attack. When the site comes back up, 100% of fees collected by the site will go to pay back lost coins. Not only will you receive the coins you lost, you will receive a 50% bonus. So for every 2 coins you had at the time of the attack - you will receive 3 coins as repayment. Unfortunatly this is the best I can do for now. I personally suffered a large loss as well which makes it impossible to repay the lost coins faster than the plan. When will the service resume operations? I am thinking a month or so. I need to make the servers bulletproof, and that will take time. If you feel the need to rant or call me names you can email ecryptox@gmail.com. Reasonable emails will be responded to ASAP.
|
|
|
|
|