Openex hacked but coins recovered

[r3wt]

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing

Update
the coins were recovered a short time later. we are paying out withdrawals and asking all coins to be withdrawn from the exchange so that we can start from scratch.

[1715293958]

1715293958

[1715293958]

1715293958

[1715293958]

1715293958

[wontonforevuh]

nice security...
and why would the attacker return .5 bitcoins when he could keep the 11bitcoins ?

[Crackmacs]

We'll find you eventually you little cock sucker. return our shit or ******************

Edit: Good idea removing that part.

Wow that sucks.

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

[r3wt]

nice security...
and why would the attacker return .5 bitcoins when he could keep the 11bitcoins ?

i could have swore i installed fail2ban

[peterlustig]

http://www.fail2ban.org/wiki/index.php/Main_Page
Oops yeah you know that already. @ every server owner: install that.

[The_Catman]

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

[r3wt]

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

worth a shot. its all i have.

[tk808]

Out of curiosity, why would the thief return them for significantly less money? (just trying to play devils advocate, I hope you do get them back).

I think he's hoping the attacker feels guilty. He/she probably doesn't.

worth a shot. its all i have.

I hope you get them back dude, even a partial refund. Mr. Grey Fox may be reading this, with a conscious.

[peterlustig]

Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

exact time of theft would be useful.

[Crackmacs]

I think it only hurts the community and *coin in general when large scale theft happens. S'all we need is a bunch of articles telling people to invest in gold instead because of the wild wild west theft that occurs etc. I understand it though. Anything worth anything gets stolen.

The most I hold to my name is 1 Litecoin and almost 4 RonPauls. Not much, but after mining them myself (even though it's not worth much), I would feel devastated. People suck.

[r3wt]

Guess it's him:
Jan 14 00:51:56 server sshd[211810]: Accepted password for root from 66.87.95.20 port 33982 ssh2
Jan 14 00:51:56 server sshd[211810]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 14 00:51:57 server sshd[211810]: subsystem request for sftp by user root
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session opened for user root by (uid=0)
Jan 14 00:52:01 server CRON[212231]: pam_unix(cron:session): session closed for user root
Jan 14 00:52:01 server sshd[212176]: Accepted password for root from 66.87.95.20 port 54132 ssh2

First occurence of similar ip in log:
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2

left a message?
Jan 13 12:53:35 server sshd[103395]: Invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161
Jan 13 12:53:35 server sshd[103395]: input_userauth_request: invalid user xkcd^777^xkcd&99starfive792***$$$$# [preauth]
Jan 13 12:53:38 server sshd[103395]: Failed none for invalid user xkcd^777^xkcd&99starfive792***$$$$# from 66.87.94.161 port 58427 ssh2
Jan 13 12:53:39 server sshd[103395]: Received disconnect from 66.87.94.161: 13: Unable to authenticate [preauth]
Jan 13 12:53:51 server sshd[104648]: Accepted password for root from 66.87.94.161 port 47277 ssh2
Jan 13 12:53:51 server sshd[104648]: pam_unix(sshd:session): session opened for user root by (uid=0)

I think that's justin's ip(http://www.geoiptool.com/en/?IP=66.87.94.161) he has the server pass, i have the server pass. funny thing is justin's supposedly from oklahoma.


he started the crons last night so i'm pretty sure it wasn't him atleast that is consistent with what i know.

the attacker was probably not stupid enough to leave the log unchanged. if you will notice there is no activity for 6 minutes in between the last failed attempt and where i logged in (173.216.136.127)

[surfer43]

What is the address of the wallet?

[r3wt]

What is the address of the wallet?

i don't know. he took the wallet.dat

i can provide what my account address was and the account address of others who mentioned it in support emails, and anyone else who deposited to the exchange can provide theirs if they can find it in transactions of their personal wallet, but other than that i have no idea what the "main" address was.

and yes, i will repay this somehow. i have no other choice but to repay it. i'm sorry

[phazon307]

absolutely degusting degenerate people can't earn shyt for themselves so they have to steal it from the people who can.

[phazon307]

let me ask you a question was that the only wallet.dat file you have I backed up mine on three different storage units you should always have one and then another wallet that you could quickly send it to if you suspect something.

[r3wt]

let me ask you a question was that the only wallet.dat file you have I backed up mine on three different storage units you should always have one and then another wallet that you could quickly send it to if you suspect something.

yes unfortunately it was. i thought about cold storaging the majority of the coins but alot of people complain about slow withdrawal times. it was an honest mistake, one i will pay dearly for i'm sure.

[Millicent]

I'm astounded.  root login, password ugh!

1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction

OMGOMGOMG Spend the $400.00 on someone to secure your server.

I am sorry for your loss, but holy $h1t dude.

[stevenlam]

r3wt is a trusted man, so, dont blame anything before he repay to all of your lost, so in this time, we must patient

[hostmaster]

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.

use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!

[Zombie123]

1CxwZYMmprkY6Dx4crFCXVBFBjXRit7oDg

1) Withdrawal: 0.20402197 BTC

Destination: 1PafQJLSQSjV5AYVHzBRyjTFScGCJknoT9

TXID: 6603ea056688752ab9bf9c3b4c7bc2a7f4fd2dc53347ca2630ef93c3bdba3c6c


So I Guess it was my account you were looking into and you found out the issue

[dr_yan_yan]

Well just letting other users know that withdrawing other coins works fine and is quick.

[surfer43]

May have found the address: 1Ndo4EfFKi8f5jbHXEyuezgK9Mmb6f9uCV https://blockchain.info/address/1Ndo4EfFKi8f5jbHXEyuezgK9Mmb6f9uCV
first transaction on 1-02-14
think this is it?

[minerman1234]

You son of a bitch, you posted this in GOOGLE DRIVE of all things?

DO NOT open this shit, Google Drive is great but leaves a breadcrumb trail that a blind man can follow.  OP, if you're fuckin serious about this, use Pastebin.

[r3wt]

You son of a bitch, you posted this in GOOGLE DRIVE of all things?

DO NOT open this shit, Google Drive is great but leaves a breadcrumb trail that a blind man can follow.  OP, if you're fuckin serious about this, use Pastebin.

whats wrong with google drive? the more the authorities know about this the better. i want the person who did this to either pay back or go to prison for this.

[phazon307]

I hope what I told you to do help you man I would hate it if someone did that to me I would probably be so motivated to track them down and hurt them physically or financially, or I would find a way to send them to prison for a long time. Chances are if he is stealing from you he is stealing from other people as well.

[pedemaann]

you dont encrypte your wallet ! omg you're not carefully

[pedemaann]

BTC   0.155494065   1Mz56er1T89vz9byA2D9gLY1itdemRfpnq

Still pending ? I will get my coin ? Right ?

[vingaard]

Please... remove restrictions of minimun amount for withdraws...

I know that I have a small amount of coins but is MY SMALL AMOUNT OF COINS and I want to withdraw them due to all of this...

Thanks

[r3wt]

i'm not sure if the attacker had a change of heart or if this was just an elaborate demonstration, but i was running file recovery software and the wallet reappeared and i sent all 11 btc to cold storage. not sure how i got them back but they are now in my possesion once more.

https://blockchain.info/tx/930e49bd2452e277411c7ed19a4950136d0d894e94b160563939b2322514581f

[surfer43]

i'm not sure if the attacker had a change of heart or if this was just an elaborate demonstration, but i was running file recovery software and the wallet reappeared and i sent all 11 btc to cold storage. not sure how i got them back but they are now in my possesion once more.

FUCK YES

[tk808]

Mr Thief, you did the right thing

[elitemobb]

Nice save, Now its time to FORTIFY!

[milly6]

Right on... i would assume they werent ready to move them yet since its easy to see.

[iGotSpots]

Surprise surprise

[r3wt]

Surprise surprise

thanks for returning the coins. i owe you guys one for the lesson.

[Zombie123]

Thanks op for resolving this it was 20 days of mining money thanks hoping to see it in my wallet soon

[surfer43]

OMFG I think the server is infected

[iGotSpots]

That's kinda what is supposed to happen when you deposit coins onto an exchange where the owner has negative red trust

[iGotSpots]

Surprise surprise

thanks for returning the coins. i owe you guys one for the lesson.

You really think I had anything to do with this? I found out 2 seconds ago on Skype

[tucksmcgucks]

Awesome! Much happiness, so mystery... very M. Night Shyamalan

What a twist!!  

[r3wt]

withdraw all coins. time to shut it down until we can get everything sorted.

[milly6]

That's kinda what is supposed to happen when you deposit coins onto an exchange where the owner has negative red trust

who are you referring to?

[tucksmcgucks]

Settle down Spots!! Settle! Seeeeetttllleee... good dog! You're a good puppy aren't you? Yes you are! Yeeees you are!

[SweetLou]

i just processed a withdraw, I hope its not too late

[surfer43]

Any insight about those files? 

[pedemaann]

I dont understand what you're saying ?  Can someone explaint please ?

[r3wt]

That's kinda what is supposed to happen when you deposit coins onto an exchange where the owner has negative red trust

who are you referring to?

his self in the third person most likely.

[hostmaster]

i'm not sure if the attacker had a change of heart or if this was just an elaborate demonstration, but i was running file recovery software and the wallet reappeared and i sent all 11 btc to cold storage. not sure how i got them back but they are now in my possesion once more.

https://blockchain.info/tx/930e49bd2452e277411c7ed19a4950136d0d894e94b160563939b2322514581f

great news, you make better security... this time.

[tucksmcgucks]

I dont understand what you're saying ?  Can someone explaint please ?

Bruce Willis and ex-Governor Jesse Ventura decided via IRC only minutes ago that they are going to co-direct a remake of Citizen Kane starring Uma Thurman playing Orson Welles' character from the original....

GOING TO BE EPIC LIKE KIM JONG!!!

http://weknowmemes.com/wp-content/uploads/2011/12/movie-idea-kim-jong-ils-life-featureing-ken-jeong.png

[phil92]

BTC   0.155494065   1Mz56er1T89vz9byA2D9gLY1itdemRfpnq

Still pending ? I will get my coin ? Right ?

Same, BTC deposit pending for 24 hours, is it safe ? When can we expect to be able to withdraw them ?

[iGotSpots]

That's kinda what is supposed to happen when you deposit coins onto an exchange where the owner has negative red trust

who are you referring to?

r3wt
Sr. Member
****


Activity: 266
Posts: 4055




View Profile  WWW  Personal Message (Offline)
Trust: -4: -1 / +0(0)
Warning: Trade with extreme caution!

[tucksmcgucks]

BTC   0.155494065   1Mz56er1T89vz9byA2D9gLY1itdemRfpnq

Still pending ? I will get my coin ? Right ?

Same, BTC deposit pending for 24 hours, is it safe ? When can we expect to be able to withdraw them ?

https://i.imgur.com/wU2iuVb.jpg

[pedemaann]

Hi.
 

I dont understand ,

Money still in your server or has been lost ?

[tucksmcgucks]

Surprise surprise

https://i.imgur.com/5jd0G7s.jpg

[glongsword]

So you recovered the wallet using my suggestion from PM?  Great!  Do I get the bounty?

1PnKAZuLC2cDVDYb1wefMV2UviLjzRRSTo

If so, thanks!

[milly6]

That's kinda what is supposed to happen when you deposit coins onto an exchange where the owner has negative red trust

who are you referring to?

r3wt
Sr. Member
****


Activity: 266
Posts: 4055




View Profile  WWW  Personal Message (Offline)
Trust: -4: -1 / +0(0)
Warning: Trade with extreme caution!

Thats funny cuz mine says:
r3wt
Sr. Member
****


Activity: 266



View Profile WWW Personal Message (Offline)
Trust: 0: -0 / +0(0)
Ignore


And looks like people who gave him neg comments have much more negative comments on them soooo.....
Thanks for telling us to pump your coin so you could dump all over everyone who actually listened to you Spots... thanks.

[iSnow]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

[r3wt]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

[milly6]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

He has a clue but theres a few things we need to work on.

[tucksmcgucks]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. becuz I haz no clue to what I am doing!!!11

Breh! You seem flustered! Here, take a gander at dis shiz fer a moment breh---

https://i.imgur.com/5eJzbFJ.jpg

[pedemaann]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

Hide me now !!

support free ,I'm expert about security on Linux.

[phil92]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

smh
I'm mixing some plutonium and uranium in my bathroom right now trying to build a nuclear weapon. Don't know if this is gonna work but let's give it a try.

[allyouracid]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

Hello r3wt,

first of all: great that the attacker hasn't moved the BTC yet and you were able to recover them.

But also - and i don't want to sound insulting - if that was really your first server, i would really not run something important on it, especially if it "stores" money of other people.
Meanwhile, i have multiple years of Linux server experience and i'd say i know pretty well what i do. But under no circumstances i would run something myself which could affect others, especially when it comes down to money. And, as others have already said, there were some general failures (no need to repeat them over and over) which should not have happened.

Server administration is nothing to just try and grow with it... learning by doing just cannot be applied here.

Please, for the sake of your users, get an admin whom you trust to handle such stuff. Just installing some kind of "auto-admin-tool" really is not a solution.

Again, i don't want to sound insulting (i really don't). But when it comes down to money, people become very creative.

[phil92]

* SSH server with root access

* with password auth

* no backups

=> get your coins out of this disaster and fast. The owner has no clue to what he is doing.

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

smh
I'm mixing some plutonium and uranium in my bathroom right now trying to build a nuclear weapon. Don't know if this is gonna work but let's give it a try.

So far so g

[r3wt]

all the btc is confirmed. i'll start sending out payments in the morning.

we are gonna go back to work and take every step to ensure when we reopen the exchange it will run more smoothly and be more secure.

[evoked22]

all the btc is confirmed. i'll start sending out payments in the morning.

we are gonna go back to work and take every step to ensure when we reopen the exchange it will run more smoothly and be more secure.

You can always place a bounty and ask people to try and get into the system before putting it live. You can even ask people what are the best methods of applying security.

Im sure people would be happy to support a new exchange.

[pedemaann]

all the btc is confirmed. i'll start sending out payments in the morning.

we are gonna go back to work and take every step to ensure when we reopen the exchange it will run more smoothly and be more secure.

hi,

 I withdrew money from  you server but it still pending . When I can coin ?

Thanks

[SweetLou]

all the btc is confirmed. i'll start sending out payments in the morning.

we are gonna go back to work and take every step to ensure when we reopen the exchange it will run more smoothly and be more secure.

hi,

 I withdrew money from  you server but it still pending . When I can coin ?

Thanks

well according to his post that you quoted, in the morning.

[r3wt]

all the btc is confirmed. i'll start sending out payments in the morning.

we are gonna go back to work and take every step to ensure when we reopen the exchange it will run more smoothly and be more secure.

hi,

 I withdrew money from  you server but it still pending . When I can coin ?

Thanks

well according to his post that you quoted, in the morning.

i have your request to. really i'm just letting them build up. i'm bout to drink my coffee. i couldn't sleep so i'm going to send whatevers in the queue after i drink my coffee.

[bitpop]

Try some basic digital ocean tutorials. I have much more security on a bitcoin node that has no funds and you didnt even change the ssh port or use keys? Thats insane.

[CatCoin]

Why is it that the entire crypto community seems to be security-challenged?  That's a serious question.  It's absolutely pathetic that the people representing crypto seem to generally have the experience level of "derp, where did they take my megahortz?"

If you don't know exactly how to lock a server down, *** you sure as hell shouldn't start by trying to run one that stores other peoples' money ***

The scary thing is, thanks to overconfident new school "developers", all of us are at risk no matter how careful we are personally.  Somewhere out there, your personal data is about to be "put in the cloud" by one of these people who have convinced your doctor, your lawyer, your bank, your credit card company, etc... that that's the way of the future... and there's nothing you can do to stop it.

[bitpop]

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.

[CatCoin]

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

I've unfortunately seen how some of them do it, and it's by hiring others who have tricked them into believing that they're cut out for the job to do it for them.  I just got done cleaning up the mess from one of these instances for someone who was fooled.  Same deal, SSH on port 22, MySQL open to the outside world with admin/mysql or something similar as a password setup.  Drupal with similarly stupid passwords, etc..

The best part was that they paid this moron $2,500 to do that for them.  $2,500 for about 10 minutes of following a tutorial written by a moron who shouldn't be writing tutorials.

It's really, really not funny at this point.  It makes me want to smash my head off a brick wall repeatedly until it stops.

[bitpop]

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

I've unfortunately seen how some of them do it, and it's by hiring others who have tricked them into believing that they're cut out for the job to do it for them.  I just got done cleaning up the mess from one of these instances for someone who was fooled.  Same deal, SSH on port 22, MySQL open to the outside world with admin/mysql or something similar as a password setup.  Drupal with similarly stupid passwords, etc..

It's really, really not funny at this point.  It makes me want to smash my head off a brick wall repeatedly until it stops.

I suck at Linux but I always change my port, configure ufw and use keys. I feel stupid for not doing more but it seems I'm in the 99% percentile. No wonder target got hacked.

[r3wt]

Catcoin bitpop, you're both full of shit. enjoy your day in the sun where you get to sit high and mighty. it won't last long.

[bitpop]

Catcoin bitpop, you're both full of shit. enjoy your day in the sun where you get to sit high and mighty. it won't last long.

Relax you got a free lesson. You do have to admit it was incompetent though. I'm not sitting high, I would never attempt what you did even with what i know.

[CatCoin]

What are you even talking about?  "It won't last long"?  You're welcome to dispute anything I said, but there's nothing to dispute.  

You got in over your head.  That's life.  I respect that you're aiming to pay people back.  Learn from your mistakes and don't do it again.  

[Snail2]

I'm astounded.  root login, password ugh!

1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction

+ syslog export to a separate server with different credentials and strict IP restrictions.

[bitpop]

Op, there was another underage kid that lost 100k btc a year ago. The younger generation is very eager but reckless.

[CatCoin]

Let's play "cutting corners with the Millenials"

1.)  Learns about bitcoin

2.)  Writes "hello world" using javascript
(optional / 2a) - Starts accepting investments  *edit*  holy shit, I was joking, but this really happened.

3.)  Opens an internet currency exchange

[Snail2]

Leave him alone guys. Thanks to God nothing rally serious happened and I guess he have learned from this lesson. Instead of mocking him give him some useful advice about OS hardening.

[bitpop]

No mocking and we did.

[r3wt]

What are you even talking about?  "It won't last long"?  You're welcome to dispute anything I said, but there's nothing to dispute.  

You got in over your head.  That's life.  I respect that you're aiming to pay people back.  Learn from your mistakes and don't do it again.  

i recovered the wallet.dat with foremost and all the coins were still there, which leads me to believe the attacker was a greyhat giving out a lesson to a rookie sysadmin. "aimining to pay people back" i'm readying the transaction as we speak. fyi, i don't write javascript. hired out for most of that.

[cassieheart]

Selling my OpenEx shares 21 Available. 0.075 a share. Pm me for more details.

[CatCoin]

Leave him alone guys. Thanks to God nothing rally serious happened and I guess he have learned from this lesson. Instead of mocking him give him some useful advice about OS hardening.

My OS hardening advice:
Quit while you're ahead before you put more people at risk of losing their money.

The attitude you present here is exactly why people will keep making this mistake, and others will keep losing money because of it.  There is no "it's ok, try harder next time".  This isn't a game anymore... people are losing real money so that kids can "give running an exchange a try".  It isn't funny, and it shouldn't be encouraged to continue.

[r3wt]

Leave him alone guys. Thanks to God nothing rally serious happened and I guess he have learned from this lesson. Instead of mocking him give him some useful advice about OS hardening.

My OS hardening advice:
Quit while you're ahead before you put more people at risk of losing their money.

The attitude you present here is exactly why people will keep making this mistake, and others will keep losing money because of it.  There is no "it's ok, try harder next time".  This isn't a game anymore... people are losing real money so that kids can "give running an exchange a try".  It isn't funny, and it shouldn't be encouraged to continue.

thanks for the advice but no. i didn't come this far to give up. and stop calling me a kid.

[bitpop]

Leave him alone guys. Thanks to God nothing rally serious happened and I guess he have learned from this lesson. Instead of mocking him give him some useful advice about OS hardening.

My OS hardening advice:
Quit while you're ahead before you put more people at risk of losing their money.

The attitude you present here is exactly why people will keep making this mistake, and others will keep losing money because of it.  There is no "it's ok, try harder next time".  This isn't a game anymore... people are losing real money so that kids can "give running an exchange a try".  It isn't funny, and it shouldn't be encouraged to continue.

thanks for the advice but no. i didn't come this far to give up. and stop calling me a kid.

Jesus kid, how old are you?

[Coin_Master]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

[r3wt]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

[bitpop]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

Of course. We are all passionate about technology here, but don't learn while holding people's money.

[Snail2]

I didn't expected such fundamental mistakes with that site as well, but mocking with the site owner is contra productive will not lead anywhere. Your point are valid and I share your concerns but if you point him to some "Top 100 step by step Linux hardening" site that could be more fruitful .

[Coin_Master]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

Getting qualified is a part of learning, you need to demonstrate that you can apply what you have learned correctly, by passing an examination.

[CatCoin]

This whole situation is just an elaborate troll, right?  This guy can't be for real.

[r3wt]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

Getting qualified is learning.  But you need to demonstrate that you can apply what you have learned correctly, by passing an examination.

last time i checked, experience > exams. i was A+ certified @ 17. i fell into drugs, got back into computers and started programming about a year and a half ago. started working on the exchange about 4 months ago.

[r3wt]

This whole situation is just an elaborate troll, right?  This guy can't be for real.

no man, its very real look at the logs. lets just say i learned a valuable lesson, more than i could possibly convey through the computer.

[bitpop]

Go to digital ocean and do all their tutorials. It'll cost you a couple bucks. You'll learn almost everything.

[Coin_Master]

last time i checked, experience > exams

Would you try flying a plane without a license, without taking exams to determine you are capable and competent.  I hope not.

[r3wt]

Go to digital ocean and do all their tutorials. It'll cost you a couple bucks. You'll learn almost everything.

thanks for the advice, will do. it looks like the tutorials are all pretty old. are they possibly out of date?

[Snail2]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

There are no "properly secure the server". Securing a server is a cyclic task with continuous risk assessment, fine tuning your systems and admin procedures, searching for vulnerabilities and fixing them. Perhaps you should take a look at ISO 27001.

[CatCoin]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

Getting qualified is learning.  But you need to demonstrate that you can apply what you have learned correctly, by passing an examination.

last time i checked, experience > exams. i was A+ certified @ 17. i fell into drugs, got back into computers and started programming about a year and a half ago. started working on the exchange about 4 months ago.

I'm quoting this so that it lives on forever.

A+ certification + 1 year of supposed programming experience == I'm ready to run a crypto exchange and safeguard peoples' money

[bitpop]

Go to digital ocean and do all their tutorials. It'll cost you a couple bucks. You'll learn almost everything.

thanks for the advice, will do. it looks like the tutorials are all pretty old. are they possibly out of date?

I don't think so. I did see ubuntu is 12.04 and newest is 13.10 but it doesn't matter.

[r3wt]

last time i checked, experience > exams

Would you try flying a plane without a license, without taking exams to determine you are capable and competent.  I hope not.

the loudest voice in the room is often the weakest

[r3wt]

it's my first server, doesn't mean i'm incapable of learning i just don't know because i'm not experienced. maybe i'll find someone who is and hire them to teach me how to properly secure the server.

That in itself is scary.  Security is ongoing, when you say "properly secure the server" you imply that at some point the job is done.  You should not be running a server that has other peoples money stored on it.  My advice would be to get some qualifications first.

thanks for your advice. everyone can learn. you are wrong.

There are no "properly secure the server". Securing a server is a cyclic task with continuous risk assessment, fine tuning your systems and admin procedures, searching for vulnerabilities and fixing them. Perhaps you should take a look at ISO 27001.

I was gonna be sarcastic here, but what the hell. thank you for your informative post.

[Coin_Master]

last time i checked, experience > exams

Would you try flying a plane without a license, without taking exams to determine you are capable and competent.  I hope not.

the loudest voice in the room is often the weakest

You are a dangerous man r3wt! (probably more like reckless actually)

[r3wt]

last time i checked, experience > exams

Would you try flying a plane without a license, without taking exams to determine you are capable and competent.  I hope not.

the loudest voice in the room is often the weakest

You are a dangerous man r3wt! (probably more like reckless actually)

i got the gist of it without the parenthesis

[phil92]

last time i checked, experience > exams

Would you try flying a plane without a license, without taking exams to determine you are capable and competent.  I hope not.

the loudest voice in the room is often the weakest

You are a dangerous man r3wt! (probably more like reckless actually)

i got the gist of it without the parenthesis

OMG stop responding to comments here and solve our deposits/withdrawals issues on the website !!!

[r3wt]

last time i checked, experience > exams

Would you try flying a plane without a license, without taking exams to determine you are capable and competent.  I hope not.

the loudest voice in the room is often the weakest

You are a dangerous man r3wt! (probably more like reckless actually)

i got the gist of it without the parenthesis

OMG stop responding to comments here and solve our deposits/withdrawals issues on the website !!!

what, i'm not allowed to multitask?

[Coin_Master]

1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction

This was posted earlier in the thread.  If you insist on running an exchange at this point in time, I would suggest setting an 'ip address restriction'.
This means no ssh connections can be made to your server from any ip address that is not permitted.  It is not 100% fool proof as your ISP could launch an attack on your server by spoofing your permitted ip addresses.  This is extremely unlikely, but a possibility.  Doing this one thing would likely prevent any future compromises.

[r3wt]

1) non-standard port
2) no root login
3) ssh key entry only
4) iptables ip restriction

This was posted earlier in the thread.  If you insist on running an exchange at this point in time, I would suggest setting the 'ip address restriction'.  This means no ssh connections can be made to your server from any ip address that is not permitted.  It is not 100% fool proof as your ISP could launch an attack on your server by spoofing your permitted ip addresses.  This is extremely unlikely, but a possibility.  Doing this one thing would likely prevent any future compromises.

i have read a few tutorials on the subject and after discussing with Justin, we have chosen to do the smart thing and have contacted a professional server administrator. he's not cheap but he's agreed to help us get it secured as much as humanly is possible, with the notion that we would hire him full or part time once we can afford it.

[jytou]

Give the guy a break. He messed up. And he confessed it. I know others who would have kept it silent until complete crash or recover. Others might have just disappeared.
He may not be a security guru, but his site is working. Not a noob as I would call it. And whoever is keeping lots of funds on an exchange site is a fool. Not saying he shouldn't do something about it: I guess he had his lesson.
@Coinmaster: at last a constructive message.

[Coin_Master]

[bzyzny]

I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.

also, I was wondering if username/passwords where stolen, or any other coins? was the hack only affecting btc wallet?

0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN

[McC0rm1ck]

I pay a bounty of 1'000 BinaryCoin (BIC) to someone where find this very poor burglar and take him to justice.

I hope that the developer will continue his work. He made a nice open source exchange!

[r3wt]

I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.

also, I was wondering if username/passwords where stolen, or any other coins? was the hack only affecting btc wallet?

0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN

whoever it was only in the server for 6 minutes before i found out.

we do not know, but as a precaution we are having everyone withdraw all coins. database will be completely wiped, along with wallet.dats and conf files. have to start over from scratch. who knows what they took while they were in there.

[jdebunt]

Sorry to hear this happened r3wt

[nocoin]

Wait did you use a password for your ssh login?

What is the address of the wallet?

i don't know. he took the wallet.dat

it's my first server

r3wt is a trusted man

[phil92]

I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.

also, I was wondering if username/passwords where stolen, or any other coins? was the hack only affecting btc wallet?

0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN

whoever it was only in the server for 6 minutes before i found out.

we do not know, but as a precaution we are having everyone withdraw all coins. database will be completely wiped, along with wallet.dats and conf files. have to start over from scratch. who knows what they took while they were in there.

Sorry to insist, but as I can see you will delete the entire database and wallet, what about pending DEPOSITS ? I'd be happy to withdraw my money but I can't.
0.02569114 BTC - Deposit address at the time : 1A4LKQVr4r7WgG3rTYMBfDrM4qhpRU6ufR. But you changed that address since then so don't know it this will be of any help...

[50cent_rapper]

It's better to have bad things at start, rather than when you are operating 500 btc-s.
And yeah, shit happens.

[r3wt]

I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.

also, I was wondering if username/passwords where stolen, or any other coins? was the hack only affecting btc wallet?

0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN

whoever it was only in the server for 6 minutes before i found out.

we do not know, but as a precaution we are having everyone withdraw all coins. database will be completely wiped, along with wallet.dats and conf files. have to start over from scratch. who knows what they took while they were in there.

Sorry to insist, but as I can see you will delete the entire database and wallet, what about pending DEPOSITS ? I'd be happy to withdraw my money but I can't.
0.02569114 BTC - Deposit address at the time : 1A4LKQVr4r7WgG3rTYMBfDrM4qhpRU6ufR. But you changed that address since then so don't know it this will be of any help...

I will be happy to help you phil. let me know the details via pm.

[r3wt]

Sorry to hear this happened r3wt

Yeah me too. back to the drawing board once more.

[allyouracid]

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.

Sorry, but that's nonsense. There's enough people understanding node.js and i can assure you that.
Also, i would consider someone who needs to visit tutorial sites being not in a good position to actually run a server.

Don't get me wrong, but it's not just about stolen Bitcoin, it's also about all those hundreds of thousands of spam machines who are all run by some kids who "can i haz server, pls?", which require me (and others) to constantly setup and finetune spam filters, watch spam folders and crap because they're just not able to secure a machine.
If people want to play, no problem. There's plenty of server software you can run on your local machine to try and test and become a pro one day. But please, keep the internet clean from those sloppily setup machines who bring a hell of an effort if they're being compromised again.

By the way, this is one of the points which literally cry for a regulation!

[r3wt]

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.

Sorry, but that's nonsense. There's enough people understanding node.js and i can assure you that.
Also, i would consider someone who needs to visit tutorial sites being not in a good position to actually run a server.

Don't get me wrong, but it's not just about stolen Bitcoin, it's also about all those hundreds of thousands of spam machines who are all run by some kids who "can i haz server, pls?", which require me (and others) to constantly setup and finetune spam filters, watch spam folders and crap because they're just not able to secure a machine.
If people want to play, no problem. There's plenty of server software you can run on your local machine to try and test and become a pro one day. But please, keep the internet clean from those sloppily setup machines who bring a hell of an effort if they're being compromised again.

By the way, this is one of the points which literally cry for a regulation!

i clearly underestimated the role of a sysadmin.

[deepwex]

Wait did you use a password for your ssh login? Please use SSH Keys next time, they are the most secure way to do ssh. Also run bitcoind, under it's own user account. Disable root and use sudoers file instead, then you can ban bitcoind commands. Also cold storage should always be used.

+1

Passwords shouldn't be used for ssh logins.

But I would have taken it a longer step. The coin daemon shouldn't run at the exchange webserver at all, but instead be talked to via an security layer checking what type of RPC commands that are sent, and validate/discard them based on internal security routines. (Depends on the setup)

"Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2"

Please, for your own sake, never ever even boot a server with a ssh config simular to this: "PermitRootLogin yes"

[allyouracid]

i clearly underestimated the role of a sysadmin.

It's really a good thing that you see it this way. Nobody is free from errors and the importance is clearly: learning from them. And just to make it clear: my posts really are not about ranting or attacking someone blindly (because that's not productive). I just think it's important to know certain things when running a server.

[lonesoul]

As someone mentioned Fail2Ban   i use a similar program to protect my servers from brute force attacks - its called RDPGuard - when i downloaded it, it came with a 30 day trial. might be worth adding extra protection (It should work along side Fail2Ban I believe)

You could also blacklist all IP addresses from connecting to the server and whitelist your own IP (or other secure IPs)  I tend to do this for servers that have very little reason for anyone to ever log on to.


Sorry if these suggestions are a bit "nooby" but its often simple things that can throw a spanner in the works for an attacker. (especially if the attacker is just some kid trying his/her luck! normally they don't have enough knowledge to even change the dictionaries used for their attacks.)

[CatCoin]

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.

[r3wt]

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.

i would appreciate if you would enlighten us all a bit. give a crash course. i'll pay you for your time. i might even list catcoin if this works out good.

[CatCoin]

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.

i would appreciate if you would enlighten us all a bit. give a crash course. i'll pay you for your time. i might even list catcoin if this works out good.

I don't own any catcoin.  I was developing a "catcoin" a while ago, but the current one was suddenly "pre-announced" about a week before I was going to release mine.  The username was registered a while ago.  Also, I doubt it needs to even be said that I wouldn't be registering an account on your exchange any time soon.

You really don't need a crash course, and I'd be doing you and your users a disservice by providing one.  You need about 10 years of real world experience running servers that won't end up losing a bunch of peoples' money if they end up breached.  Otherwise, you need someone with a lot of experience securing a project like yours working for you full time, and you need them to be able to go over and help you secure your entire app, not just the sysadmin-type stuff.

This is something that should be tested thoroughly in an isolated environment before it ends up anywhere near the internet being used by actual people.  When I said what I said about it not being a good idea for someone without the experience to try to do something like this and skip every step in the middle, I wasn't kidding, and I wasn't saying it just to be a dick or crush your dreams.  You can't cut corners with something like this.

Start over, create a virtual machine and set it up as a server with your app on it.  Encrypt the filesystem on the VM.  Distribute that VM image to people and offer a bounty to anyone who can breach it.  Start over, do that again.  Repeat.  Once you feel confident with what you have, bring in a pro and see if they agree.  Test some more... etc.

Rushing into this is sure to end in tears for you and, more importantly, your users, every time.  There's nothing more dangerous than a cocky young web app developer who has absolutely no idea what they're getting into, and is playing with peoples' money.

[hypes]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

[r3wt]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design. other than the queries, i'd say its pretty secure.

[vingaard]

I cancelled several Dimecoins sell orders and all those coins dosn't refund to my account... do you know what happen?

And, another thing, please... remove minimum withdraw limit in order to get all my founds... I know that they are small amounts but a lot of small amount make a big one....

Thanks

[hypes]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design. other than the queries, i'd say its pretty secure.

I don't understand why it's not done MVC

[r3wt]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design. other than the queries, i'd say its pretty secure.

I don't understand why it's not done MVC

it basically is. the pages do some work the system folder does some work which is not shared in the github, but the majority of it is handled through the objects in our various class files and the functions in the models folder.

we have our models and controllers in /models

our "view" is in /pages

while its not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.

[hypes]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design. other than the queries, i'd say its pretty secure.

I don't understand why it's not done MVC

it basically is. the pages do some work the system folder does some work which is not shared in the github, but the majority of it is handled through the objects in our various class files and the functions in the models folder.

we have our models and controllers in /models

our "view" is in /pages

while its not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.

Right. I can see you've put a lot of work into it. I just don't like seeing queries in the views *shudder*

[hypes]

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

[lonesoul]

Sorry to hear this happened r3wt

Yeah me too. back to the drawing board once more.

"Edison failed 10, 000 times before he made the electric light. Do not be discouraged if you fail a few times.”
– Napoleon Hill
 

“I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.”

– Michael Jordan

“I was set free because my greatest fear had been realized, and I still had a daughter who I adored, and I had an old typewriter and a big idea. And so rock bottom became a solid foundation on which I rebuilt my life.”

– J.K. Rowling

Many of Life's failures are People that didn't realize how close they were to success when they gave up

– Thomas Edison

If you want the Rainbow, you gotta put up with the rain

– Dolly Parton


And finally a chinese proverb my dad used to say.

Fall seven times
Stand up eight



Keep trying matey, You have put so much time and effort in You'll make it sooner or later!

Remember when ever you fail, you always learn what not to do next time!

[r3wt]

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honeslty feel like it would dimish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

[CatCoin]

Encouraging people to keep trying when their failures will ultimately cost other people money is incredibly irresponsible.

[r3wt]

Sorry to hear this happened r3wt

Yeah me too. back to the drawing board once more.

"Edison failed 10, 000 times before he made the electric light. Do not be discouraged if you fail a few times.”
– Napoleon Hill
 

“I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.”

– Michael Jordan

“I was set free because my greatest fear had been realized, and I still had a daughter who I adored, and I had an old typewriter and a big idea. And so rock bottom became a solid foundation on which I rebuilt my life.”

– J.K. Rowling

Many of Life's failures are People that didn't realize how close they were to success when they gave up

– Thomas Edison

If you want the Rainbow, you gotta put up with the rain

– Dolly Parton


And finally a chinese proverb my dad used to say.

Fall seven times
Stand up eight



Keep trying matey, You have put so much time and effort in You'll make it sooner or later!

Remember when ever you fail, you always learn what not to do next time!

thank you for the inspirational quotes and kind words. we are not giving up. #NeverYield

[hypes]

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honeslty feel like it would dimish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

You're re-inventing the wheel though, really. 1000s of devs have colabed on frameworks for good reasons, don't write them off because you want to write it all yourself!

Being able to code in a framework isn't newb, it's considered more pro imo.

[r3wt]

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honeslty feel like it would dimish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

You're re-inventing the wheel though, really. 1000s of devs have colabed on frameworks for good reasons, don't write them off because you want to write it all yourself!

on the same token though, i can scrutinize the code i write to a great degree of certainty, where as with a framework i have to worry about my code and that of the framework.

[hypes]

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honeslty feel like it would dimish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

You're re-inventing the wheel though, really. 1000s of devs have colabed on frameworks for good reasons, don't write them off because you want to write it all yourself!

on the same token though, i can scrutinize the code i write to a great degree of certainty, where as with a framework i have to worry about my code and that of the framework.

Like i said, when you've got some of the best PHP devs in the world working on these - it's very rare you have to worry about their code. And even if something is wrong, it's patched very quickly.

[hiksush2]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

[solracx]

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

So the code here is junk?

Any recommendations of other open source exchanges that might be better?

[Stouse49]

Will withdrawal fees be lowered since we are forced to remove our coins.  I have 0.00015 BTC from trading that is stuck.

[GigaCoin]

well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.

I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?

[r3wt]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.

I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?

i retrieved the wallet while running foremost. i then sent the coins to a new address.

[phillipsjk]

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

I honeslty feel like it would dimish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

I face-palmed here. It is "not invented here" syndrome.

The problem is that computers are too complex for any one person to know. That is why abstraction is used.

The difficulty I have with abstraction is that the abstraction layer (there is more than one) is rarely proven correct. This can lead to abstraction leakage. However, to start proving a whole system is correct will take many man-centuries. It is not something you can do on your own.

Myself, I have been delayed months setting up a simple Bitcoin node intended for merged-mining. I may be overly cautious compared to you.

[hiksush2]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

Oh I don't know, the topic of this thread you fucking idiot comes to mind.  Also whatever double cancel bug you had that allowed people to gives themselves coins.

And then of course there's always this one:

https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.');

I'm sure you have no idea why that's a problem though.  I don't understand why anyone in this thread is cutting you slack at all.  What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open.  Your code is the quality of what I made in middle school, and your attitude fits that age range as well.  I'm done with this thread, but a warning for anyone reading it:

Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk!  His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible.

When his next site gets hacked, don't say I didn't tell you so.

[surfer43]

I got most of my skeincoins back, thanks. And tbh you could double your account deposits of skeincoin by force checking and entering TXID-000...

[johningreece]

9.17 bitcoins were hacked from my account at cex.io. I am seeking an experienced investigator to help me retrieve the lost coins.

[Zombie123]

All Bitcoins returned Thanks OP

[solracx]

9.17 bitcoins were hacked from my account at cex.io. I am seeking an experienced investigator to help me retrieve the lost coins.

did you have 2 factor authentication turned on?

[PinkPotatos]

good to see they are back!

[whiskers75]

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.

I might make a server-secure.sh script at some point soon.

[CatCoin]

The sad thing is, a "secure-server.sh" script would probably be a huge step forward for most of the new coin exchanges, online wallets, etc... that have been showing up recently.

[teknohog]

Just my 2 cents on this experience:

• Got all my coins back
• Lost a Blakecoin exchange, hopefully one of the established exchanges will adopt it
• It's pointless to blame r3wt specifically, as many big/professional exchanges have been hacked too
• Don't keep large amounts of coin in any exchange for a long time
• Remember http://xkcd.com/792/ that was apparently referenced in the log

[phazon307]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

well that's really bad, i hope openEX can recover soon and i'm sure it will as it is an honest business.

I was wondering though, were you able to retrieve the stolen coins or are you refunding deposits from your own funds ?

i retrieved the wallet while running foremost. i then sent the coins to a new address.

Glad my idea worked for you, even if it was a different software that you used

[Zeke_Vermillion]

I am still waiting to get my BLC back from OpenEx. I was told you'd have to "owe" me for some of it, but so far, "some" appears to mean "all". The problem is that you should not have honored the inflated balance that we got when you double-credited order cancellations. And once you announced your policy of honoring the double-credit, you then should not have invited everyone to withdraw their funds all at once! Argh!

Cryptsy had a similar problem recently, and they froze accounts until people paid back the double credit. This was quite annoying but necessary to avoid the situation you now find yourself in.

If you have the bitcoin on hand, I really think you ought to see about buying up some BLC (and other currencies where you have a shortfall). Otherwise, if you wait to do this until later, it may become too expensive for you to cover in the market. And, despite the best of intentions, you will not be able to repay me and others in my position. If you know the BLC folks, you might also consider raising an equity / fee share tranche in exchange for BLC. Heck, I might even participate by rolling in part of my IOU, if you are able to recover from this rough launch...

[sarr]

one of my  pending deposit of 0.037btc just disappeared , i did manage to recover all other coins tho, but wonder what happened to that one deposit.
txid of it is ed625d262e80d9804925251e023a0cfc457038ce83e5fbf4c34cd6cb22b087ae.

nvm it appeared in my account, now just waiting for my pending withdrawals

[emu]

atm I'm waiting for 10k SKC, they are said to be pending, let's see

[XCASH]

The openEx website currently says

"Please withdraw all coins by 1/15/2014".

After that it's anyone's guess what will happen to them.

[r3wt]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

Oh I don't know, the topic of this thread you fucking idiot comes to mind.  Also whatever double cancel bug you had that allowed people to gives themselves coins.

And then of course there's always this one:

https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.');

I'm sure you have no idea why that's a problem though.  I don't understand why anyone in this thread is cutting you slack at all.  What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open.  Your code is the quality of what I made in middle school, and your attitude fits that age range as well.  I'm done with this thread, but a warning for anyone reading it:

Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk!  His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible.

When his next site gets hacked, don't say I didn't tell you so.

hey cock server, the application is extremely secure. it was the server that was compromised. also i didn't write any of the trade engine code, if you want to talk shit, perhaps you want to talk to justin?

[Zeke_Vermillion]

r3wt, thanks for processing my withdrawal request. just putting that on record.

[Slingshot]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk!  His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible.

When his next site gets hacked, don't say I didn't tell you so.

+1


 Innocent yet foolish Delusions of Grandeur rings a loud bell.


Caveat emptor - let the buyer beware

[Millicent]

I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.

also, I was wondering if username/passwords where stolen, or any other coins? was the hack only affecting btc wallet?

0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN

whoever it was only in the server for 6 minutes before i found out.

How long do you think it would take this to ruin your life? 6 seconds?    root@openex #rm -rf /

Whatever you do, don't try to use this server again.  Format and re install whatever your OS of choice is...

Are you using hard iron or in the cloud?  For what you are trying to do I suggest hard iron with a separate firewall (at least 1) located at a secure datacenter with backup.

Start a thread asking about preferred methods of security and layout a plan.  As it's been said before this is no joke and you got WAAAAAAAAAAAAAAAAy lucky.

Plenty of people have offered help, take them up on it.  Find a trusted admin that you can share their insight with and make a plan.  Don't rush to bring this back.  Get it right and implement features slowly and methodically.

Good luck with your venture

[CatCoin]

hey cock server, the application is extremely secure.

Based on what?  The fact that you couldn't think of any ways in which it wasn't secure?  Look at your track record and total lack of experience, then consider thinking twice before making statements you can't back up.  You have the technical knowledge of a best buy employee.

it was the server that was compromised. also i didn't write any of the trade engine code

Then how is it, exactly, that you can claim it's secure?

You look worse every time you continue to try to act like you have this under control.  It's painfully obvious that you are completely clueless.

[hypes]

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.

There is nothing genius about the code, and nothing genius about you.

other than the queries, i'd say its pretty secure.

Your opinion means nothing and is apparently given out without any thought.  That code is some of the worst I've seen in years.  WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money?  Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough.  Don't even think about relaunching with anything but a play site.

lets have an example there bud.

Oh I don't know, the topic of this thread you fucking idiot comes to mind.  Also whatever double cancel bug you had that allowed people to gives themselves coins.

And then of course there's always this one:

https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.');

I'm sure you have no idea why that's a problem though.  I don't understand why anyone in this thread is cutting you slack at all.  What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open.  Your code is the quality of what I made in middle school, and your attitude fits that age range as well.  I'm done with this thread, but a warning for anyone reading it:

Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk!  His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible.

When his next site gets hacked, don't say I didn't tell you so.

I'm glad it isn't just me who thought its iffy. This guys already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.

[bzyzny]

I'm glad it isn't just me who thought its iffy. This guys already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.

We all underestimated just how "open" OpenEx.PW was, I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the sites functionality as intended, ppl were getting double credits and such.

[r3wt]

I'm glad it isn't just me who thought its iffy. This guys already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.

We all underestimated just how "open" OpenEx.PW was, I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the sites functionality as intended, ppl were getting double credits and such.

yes we tested. attacker was in and out of the server fucking with the trade engine code. it took us a while to catch on that someone was changing our code besides us.

lessons learned:

hire a server admin

don't use mysql functions and real escape string.

i found a tutorial on devshed that teaches how to use pdo. i've been practicing all morning and i can't believe its so easy. we'll be back as soon as we've addressed the issues with the server and fixed the flaws in the application. though your intent was to humiliate, i thank you for being blatantly honest. you're helping make openex better though you're trying to fud it to death.

[surfer43]

Can you send me my 50 SKC? address in sig 

[kev7112001]

this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol

[r3wt]

this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol

bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program

[bzyzny]

R3wt, I'm glad that you have learned a lot from this, and I hope your exchange is successful in the future. Its unfortunate that you had to learn at such great expense, but those are the lessons most taken to heart. Some people may be bashing you harder than u deserve, but its true you were not ready to launch a site which handles money. I was not referring to that 6min hack though, but the order cancel, txid-000, and other bugs that where alledgedly there prior to the hack. Did u not test for such scenarios as what would happen if a person tried to sell to them self? Or if copy/paste txid from wallet which includes the -000. All I'm saying is that it was not necessary to try to find these bugs, they occurred from using the site as a normal customer would. Perhaps next time you should have a more thorough  testing period.

[kev7112001]

this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol

bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program

wow you are crap hope your shit goes down again u and your premined coins lol

[Nullu]

this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol

bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program

wow you are crap hope your shit goes down again u and your premined coins lol

Your friend's advice isn't worth 4 dollars. Let alone 400. Get a grip.

[kev7112001]

what noob you have no idea what your talking about

[kev7112001]

this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol

bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program

wow you are crap hope your shit goes down again u and your premined coins lol

Your friend's advice isn't worth 4 dollars. Let alone 400. Get a grip.

u must be apart of his premine scam lol

[kev7112001]

atleast i dont try to open a exchange with no coding skills and lose people coins

[Nullu]

what noob you have no idea what your talking about

Something doesn't go your way, so you trash talk people? If you want to have any credibility on this forum, you might want to consider acting with a little sense of decorum. Just some advice from a "noob".

this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol

bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program

wow you are crap hope your shit goes down again u and your premined coins lol

Your friend's advice isn't worth 4 dollars. Let alone 400. Get a grip.

u must be apart of his premine scam lol

I don't even know him. But your wild accusations are just fantastic.

[kev7112001]

lol i dont need it ive been here longer than u and more respected in the community lol

[kev7112001]

and what are u talking about gong my way trash talking u already sound dumb that made no sense lol

[kev7112001]

i call it like i see it this exchange is amateur hour

[emu]

10k SKC withdraw didn't work, said it was pending, nothing happened.
tried 2 x 5k now, let's see what happens
(the test with 500SKC did work, BTC did work, too)

if you  need to send coins manually, here my wallet for openex withdraws
SZrhBmcXzS88MbbsUkWQ1PNyXBrgjyjSCo

thx

[rogersofnorwich]

OK, got most of my coin out of OpenEx now.

Please send the remaining BTC 0.01390023 to 16UCtfwLvuSMTcfTNTTW5c3vgKfgP8SdJT ...attempted to withdraw 'smaller amounts' and but've basically had my fill of trying.

75 BTCScrypt deposit never showed, you can forward this to 1CXT76Lug3fdB3DDLJjLiWQmeEvcW72VAv

Still waiting on QRK withdrawal, for 19.896020000 ...I appreciate you might be snowed under but if it has slipped through the net please send this to QVaz75ss2utvuG6dwhxd6WzqFTsaXiLQki

Thanks.

Good luck getting everything fixed.

[lajz99]

lol i dont need it ive been here longer than u and more respected in the community lol

Respect in the community? lol, cmon' nobody knows or cares who the fuck you are kid...

Edit:  Confirmed.  I looked through all of your posts and you're a nobody. 

[darthburnstuff]

I'm still waiting for 479 RAD coin that disappeared.  If they were recovered why aren't they back in my account? 

[kev7112001]

lol i dont need it ive been here longer than u and more respected in the community lol

Respect in the community? lol, cmon' nobody knows or cares who the fuck you are kid...

Edit:  Confirmed.  I looked through all of your posts and you're a nobody.  

your and idiot and dont call me kid son
you can look through this forum all day proves nothing noob i have more than 1 account and
like this is the only forum fuckin noobs lol

i can prove my case can u

[kev7112001]

ans just so u know bitcointalk is not the community

[allyouracid]

ans just so u know bitcointalk is not the community

Can you please stop posting here? You're really an annoying person. I mean, really. Really. Really, really, really annoying. Thanks.

[r3wt]

ans just so u know bitcointalk is not the community

Can you please stop posting here? You're really an annoying person. I mean, really. Really. Really, really, really annoying. Thanks.

thank you

[robelneo]

wow  I am late I have 60k dimecoin here ...Is there a way  I can get it back I am willing to receive any compensation if there is any I just hope the admin will offer this so he will not lose his reputation

[sarr]

r3wt is doing his best, I've managed to get most of my coins out of the exchange with his help. just be patient people, you will get your coins. give him a chance.

[r3wt]

wow  I am late I have 60k dimecoin here ...Is there a way  I can get it back I am willing to receive any compensation if there is any I just hope the admin will offer this so he will not lose his reputation

the site is back live, all of the wallets are back live.

[emu]

ps: still no 10k SKC on my wallet

[Ice_Blade]

Guys, please stop the bickering and bashing each other.

If you don't agree with each other, fine, but please stop with the name-calling and other childish behavior.

Lets try to stick to the topic of this thread, so that people that actually want to know about it can find relevant information instead of having to read how much you guys apparently hate each other.

Thanks!

[XCASH]

wow  I am late I have 60k dimecoin here ...Is there a way  I can get it back I am willing to receive any compensation if there is any I just hope the admin will offer this so he will not lose his reputation

the site is back live, all of the wallets are back live.

Is the site permanently back, or just temporarily so people can withdraw their coins? It was displaying a notice to withdraw everything by 17th until recently, but now the notice has disappeared.

[teknohog]

Guys, please stop the bickering and bashing each other.

Just use the "Ignore" function on the left, no need to feed the troll.

[robelneo]

wow  I am late I have 60k dimecoin here ...Is there a way  I can get it back I am willing to receive any compensation if there is any I just hope the admin will offer this so he will not lose his reputation

the site is back live, all of the wallets are back live.

when I access it this is what being displayed



OpenEx Is Undergoing Maintenace

We'll Be Back Soon! :-)

[gielbier]

ans just so u know bitcointalk is not the community

Can you please stop posting here? You're really an annoying person. I mean, really. Really. Really, really, really annoying. Thanks.

i dont listen to idiots especially noobs like you

Kev, What do you expect. It was/is a penny stock exchange. That the total value of the btc wallet was 11 btc surprised me, but that's still peanuts. But I greatly welcome the concept of an opensource exchange. When the coding is far enough along. No need to harass the dude that is trying, just don't risk to much btc/coin on it.

[ORBOTRON]

So, when the coins were initially stolen, I tried to make trades with my ~.06btc and withdraw, a couple small trades went through, but others just ended with my BTC vanishing into thin air, about 0.052btc Do you still have all the old records/database to figure out what happened and credit my btc?

I honestly gave up and was just going to count it as a loss because I realized after thinking about it that I would be taking other people's coins, that hadn't been stolen, and they would be getting credits for btc that didn't exist. It was the BTC wallet that was stolen, and I was holding BTC, so I should take the loss, but now that it's recovered, I certainly wouldn't mind having it back, haha

[darthburnstuff]

I'm still waiting for 479 RAD coin that disappeared.  If they were recovered why aren't they back in my account? 

This problem has been resolved.  Thank you r3wt.

[hiksush2]

wow  I am late I have 60k dimecoin here ...Is there a way  I can get it back I am willing to receive any compensation if there is any I just hope the admin will offer this so he will not lose his reputation

the site is back live, all of the wallets are back live.

Wait, so you reopened it completely?  Because registrations were closed before, and now they are open.  Please tell me you didn't think it was ok to reopen it.  Because it's not.  Not without a huge warning telling people your code is fully vulnerable and depositing coins is essentially donating them to whichever hacker gets there first.

[r3wt]

i heard from a reliable source that the txid-000 bug still exists. how the fuck did u relaunch the site without fixing known bugs?

in general, you kinda have to know about the bug to fix it. no one told me about it. i fix all bugs as soon as i know.

[r3wt]

R3wt, I'm glad that you have learned a lot from this, and I hope your exchange is successful in the future. Its unfortunate that you had to learn at such great expense, but those are the lessons most taken to heart. Some people may be bashing you harder than u deserve, but its true you were not ready to launch a site which handles money. I was not referring to that 6min hack though, but the order cancel, txid-000, and other bugs that where alledgedly there prior to the hack. Did u not test for such scenarios as what would happen if a person tried to sell to them self? Or if copy/paste txid from wallet which includes the -000. All I'm saying is that it was not necessary to try to find these bugs, they occurred from using the site as a normal customer would. Perhaps next time you should have a more thorough  testing period.

this is the first i'm hearing of the tx-id bug. i'll check it out now.

[CatCoin]

i heard from a reliable source that the txid-000 bug still exists. how the fuck did u relaunch the site without fixing known bugs?

Because he doesn't know what he's doing, and is in a rush to get more people to naively trust him with their money so that he can pat himself on the back and tell himself "i'm good enough, smart enough, and doggonit, people like me".  When he gets hacked again, which is only a matter of time, he will once again lash out at everyone who tells him he's in over his head, and tell himself it would have happened to anyone else, and his 6 months of experience gives him all the info he needs to be able to say that.

Time to get back to trying to re-invent the wheel, since the thousands of developers before him with massive amounts of experience clearly had no idea what they were doing.

[r3wt]

i heard from a reliable source that the txid-000 bug still exists. how the fuck did u relaunch the site without fixing known bugs?

Because he doesn't know what he's doing, and is in a rush to get more people to naively trust him with their money so that he can pat himself on the back and tell himself "i'm good enough, smart enough, and doggonit, people like me".  When he gets hacked again, which is only a matter of time, he will once again lash out at everyone who tells him he's in over his head, and tell himself it would have happened to anyone else, and his 6 months of experience gives him all the info he needs to be able to say that.

Time to get back to trying to re-invent the wheel, since the thousands of developers before him with massive amounts of experience clearly had no idea what they were doing.

Oh stop it, you're gonna make me cry!

[Ice_Blade]

i heard from a reliable source that the txid-000 bug still exists. how the fuck did u relaunch the site without fixing known bugs?

Because he doesn't know what he's doing, and is in a rush to get more people to naively trust him with their money so that he can pat himself on the back and tell himself "i'm good enough, smart enough, and doggonit, people like me".  When he gets hacked again, which is only a matter of time, he will once again lash out at everyone who tells him he's in over his head, and tell himself it would have happened to anyone else, and his 6 months of experience gives him all the info he needs to be able to say that.

Time to get back to trying to re-invent the wheel, since the thousands of developers before him with massive amounts of experience clearly had no idea what they were doing.

Oh stop it, you're gonna make me cry!

Sorry to tell you this, but CatCoin is right. The txid-000 bug was also mentioned in this thread.

[r3wt]

i heard from a reliable source that the txid-000 bug still exists. how the fuck did u relaunch the site without fixing known bugs?

Because he doesn't know what he's doing, and is in a rush to get more people to naively trust him with their money so that he can pat himself on the back and tell himself "i'm good enough, smart enough, and doggonit, people like me".  When he gets hacked again, which is only a matter of time, he will once again lash out at everyone who tells him he's in over his head, and tell himself it would have happened to anyone else, and his 6 months of experience gives him all the info he needs to be able to say that.

Time to get back to trying to re-invent the wheel, since the thousands of developers before him with massive amounts of experience clearly had no idea what they were doing.

Oh stop it, you're gonna make me cry!

Sorry to tell you this, but CatCoin is right. The txid-000 bug was also mentioned in this thread.

Alright, i went back and saw it. feature has been disabled and i've started a bug/vuln bounty. thanks

[Millicent]

Alright, i went back and saw it. feature has been disabled and i've started a bug/vuln bounty. thanks

Your bounty relies on the honesty of those who either find it or know  about it.  The hacker that finds the exploit is going to administrate his own bounty.

[bitpop]

We'll all be dead in 80 years. Who cares.

[Millicent]

That's sooner than later for some of us...

[bitpop]

Let's pretend none of this ever happened

[r3wt]

Alright, i went back and saw it. feature has been disabled and i've started a bug/vuln bounty. thanks

so i should get a bounty for pointing out this bug? please direct it to the address below and i'll gladly tell you about a few more bugs i see. sorry to swear at you, i usually dont get nasty with people on the internet, but i had a weak moment considering the circumstances.

1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN

funny how quickly your attitude changes. you can submit a pull request. then you get paid.

[Gerrit]

If others only help you if they get a bounty, I don't need anything:

A "bug" I notice is the display of wrong balances in the "account balances". All trade amounts seem to add up to your old balances. So after some trades your "account balances" are way too high. But luckily, in the trading (and withdrawing) part the right amount is displayed. So guess it's impossible to benefit from this bug. After reopening some old BTC fractions caused a wedge as well.

Pathetic how some paupers try to benefit from this situation. I don't want to interfere in the discussion, as both parts have some good points, but for sure you don't get too many helping hands.

[emu]

I got most of my skeincoins back, thanks. And tbh you could double your account deposits of skeincoin by force checking and entering TXID-000...

I guess surfer is the one who should get credits, this is days old from this thread

[r3wt]

I got most of my skeincoins back, thanks. And tbh you could double your account deposits of skeincoin by force checking and entering TXID-000...

I guess surfer is the one who should get credits, this is days old from this thread

yep

[surfer43]

This was right before it was hacked. But now I tried the same thing and it didn't work. So this glitch was fixed.

[jdh015232]

where did the astrocoin market go?

[r3wt]

where did the astrocoin market go?

removed. info to come.

[surfer43]

where did the astrocoin market go?

Wrong thread. And there are admins on the live chat on the website that might be able to answer you.

[jdh015232]

they are working on the issues..:/

[itos]

I had trades open for the Astrocoin. They can at least closed those trades on Openex so we can use those coins for other stuff.

[r3wt]

I had trades open for the Astrocoin. They can at least closed those trades on Openex so we can use those coins for other stuff.

its just closed temporarily while we attempt to figure out what happened. i asked the dev's point blank why they changed the genesis hash, and they have yet to answer. for the safety of our customers, asr is delisted until we figure out whether the problem is on our end or in the actual client.

[ameermas]

be careful eveyone!!!

it seems openex.pw has been hacked again in 23 january, 30 ASTROCOIN was withdrawn from my account to this account:

http://cryptexplorer.com/tx/bd95cc5b76fac29a39e51dfb0aa6346219487180912d5a9e72e028b73a848072#o1

i have bought them from another guy and he still waiting for me to pay him.

I've been 5 days asking them to solve my case in every possible way: site chat, support ticket, twitter..but they disclaimed any liability for their own website and didn't take care of my case, it seems i have to make more noise and greater exposure to the media so they will take care of my problem

be careful dealing with me, and share this to everyone who has account their and let them know...

If the site does not take responsibility for and protects his clients in such cases, there is no reason you continue to trade there

[Eriks0n]

I really hope the site takes responsibility. If not you'll see it's user base fall off pretty quickly.

[r3wt]

I will not feed the trolls.

I will not feed the trolls.

.....

[surfer43]

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto 

[rapidfire187]

Srry to hear that r3wt. I really like the exchange layout and feel. skeincoin to da moooooooon

[shaber122]

be careful eveyone!!!

it seems openex.pw has been hacked again in 23 january, 30 ASTROCOIN was withdrawn from my account to this account:

http://cryptexplorer.com/tx/bd95cc5b76fac29a39e51dfb0aa6346219487180912d5a9e72e028b73a848072#o1

i have bought them from another guy and he still waiting for me to pay him.

I've been 5 days asking them to solve my case in every possible way: site chat, support ticket, twitter..but they disclaimed any liability for their own website and didn't take care of my case, it seems i have to make more noise and greater exposure to the media so they will take care of my problem

be careful dealing with me, and share this to everyone who has account their and let them know...

If the site does not take responsibility for and protects his clients in such cases, there is no reason you continue to trade there

You are not alone, there are scammers
https://bitcointalk.org/index.php?topic=430185.new#new

[TheD0ct0r]

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

[r3wt]

quick everyone, over to workforcrypto to trade your cryptocoins. 

[surfer43]

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing 

[TheD0ct0r]

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.
This guy has an army of alt accounts he has developed over time ...

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing  

[surfer43]

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing 

Whatever. It is strange to see noobs know "this community" in depth. FYI I am not r3wt.

[r3wt]

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing 

Whatever. It is strange to see noobs know "this community" in depth. FYI I am not r3wt.

just an FYI, you are talking to iGotSpots. he's butthurt over some shit that went down a long time ago. basically it all boils down to about 40 dollars and betrayed trust. he can't let it go, not that i wasn't wrong but he will probably always be following me around crying like this. i've learned to live with it.

[TheD0ct0r]

 Lol this guy ... Are you really going to poke fun at some one you scammed? No guess again.
 Its some one else you Scammed and screwed over. Btw I have never used your exchange.
 
 All the people you have fucked over the past year you didn't think it would ever come back to haunt you?
 You are one arrogant POS.

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing 

Whatever. It is strange to see noobs know "this community" in depth. FYI I am not r3wt.

just an FYI, you are talking to iGotSpots. he's that went down a long time ago. basically it all boils down to about 40 dollars and betrayed trust. he can't let it go, not that i wasn't wrong but he will probably always be following me around crying like this. i've learned to live with it.

[r3wt]

i have a new reply for you in the other thread. tell me what i did to you, if its true i will admit it. you're either lying or i forgot. been a long time since i scammed anybody, and when i did they were tiny, pointless stupid scams. i won't deny it, never have.

 Lol this guy ... Are you really going to poke fun at some one you scammed? No guess again.
 Its some one else you Scammed and screwed over. Btw I have never used your exchange.
 
 All the people you have fucked over the past year you didn't think it would ever come back to haunt you?
 You are one arrogant POS.

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing  

Whatever. It is strange to see noobs know "this community" in depth. FYI I am not r3wt.

just an FYI, you are talking to iGotSpots. he's that went down a long time ago. basically it all boils down to about 40 dollars and betrayed trust. he can't let it go, not that i wasn't wrong but he will probably always be following me around crying like this. i've learned to live with it.

[TheD0ct0r]

You think people are going to believe you did nothing more than - Quote: tiny, pointless stupid scams. ? Those are Just the tip of the iceberg.

He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truths without the world's believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions.

THOMAS JEFFERSON, Aug. 19, 1785

i have a new reply for you in the other thread. tell me what i did to you, if its true i will admit it. you're either lying or i forgot. been a long time since i scammed anybody, and when i did they were tiny, pointless stupid scams. i won't deny it, never have.

 Lol this guy ... Are you really going to poke fun at some one you scammed? No guess again.
 Its some one else you Scammed and screwed over. Btw I have never used your exchange.
 
 All the people you have fucked over the past year you didn't think it would ever come back to haunt you?
 You are one arrogant POS.

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing  

Whatever. It is strange to see noobs know "this community" in depth. FYI I am not r3wt.

just an FYI, you are talking to iGotSpots. he's that went down a long time ago. basically it all boils down to about 40 dollars and betrayed trust. he can't let it go, not that i wasn't wrong but he will probably always be following me around crying like this. i've learned to live with it.

[r3wt]

You think people are going to believe you did nothing more than - Quote: tiny, pointless stupid scams. ? Those are Just the tip of the iceberg.

He who permits himself to tell a lie once, finds it much easier to do it a second and third time, till at length it becomes habitual; he tells lies without attending to it, and truths without the world's believing him. This falsehood of the tongue leads to that of the heart, and in time depraves all its good dispositions.

THOMAS JEFFERSON, Aug. 19, 1785

i have a new reply for you in the other thread. tell me what i did to you, if its true i will admit it. you're either lying or i forgot. been a long time since i scammed anybody, and when i did they were tiny, pointless stupid scams. i won't deny it, never have.

 Lol this guy ... Are you really going to poke fun at some one you scammed? No guess again.
 Its some one else you Scammed and screwed over. Btw I have never used your exchange.
 
 All the people you have fucked over the past year you didn't think it would ever come back to haunt you?
 You are one arrogant POS.

Yea just another one of R3wts alt accounts or lackys... Anyone with half a brain knows this guy is a common thief it doesn't take a Hero member to figure this out..
He say's he apologized for all his scams that's laughable. He hasn't began to scratch the surface of what he has pulled in this community.

Ever wonder why he has so many Trolls as he calls them?  Just do a quick search here with "  R3wt scam "  and you will get a good idea..
Its funny now hes blaming is so called Devs for this one. Who are the Devs? Justin7674 another know scammer LMFAO... GTFO
I have first hand knowledge he has been Skimming coins from Openex.pw from day one under the Guise of Bad code and Hackers.

I will not feed the trolls.

I will not feed the trolls.

.....

Good motto  

yeah... noobs are not going to be trusted when it comes to scam accusations. especially 5 of them saying the same thing  

Whatever. It is strange to see noobs know "this community" in depth. FYI I am not r3wt.

just an FYI, you are talking to iGotSpots. he's that went down a long time ago. basically it all boils down to about 40 dollars and betrayed trust. he can't let it go, not that i wasn't wrong but he will probably always be following me around crying like this. i've learned to live with it.

let he who is without sin cast the first stone.

[TheD0ct0r]

 
 You guys haven't figured out by now hes skimming coins? Even the most incompetent amateurs don't make these kinds of mistakes.
 Who releases a site like this a second time without a closed beta and extensive testing? Best Con i have seen in awhile.
 The guys been skimming coins since day one blaming it on Devs, bad code and hackers. You people need to wake up.
 

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.

use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!

[r3wt]

 You guys haven't figured out by now hes skimming coins? Even the most incompetent amateurs don't make these kinds of mistakes.
 Who releases a site like this a second time without a closed beta and extensive testing? Best Con i have seen in awhile.
 The guys been skimming coins since day one blaming it on Devs, bad code and hackers. You people need to wake up.
 

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.

use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!

once again, you are lying. i haven't skimmed a single coin and thats the honest to God truth. there really was a hack, as evidenced by the ssh logs clearly showing bruteforcing on the server. then there was the duplicate balance issue. i've paid close to 4,000 dollars out of my own pocket, and still haven't covered all of the balances. you can take your foot out of your lying ass mouth now. its one thing to call me on shit i actually did but to make shit up off of your head like your so certain is just hilarious. you're full of shit and you show your own ignorance by the minute.

[r3wt]

Oh, and one more thing about the hack(the subject of this thread before it went into the period drama), i actually filed a complaint with the ic3 while i was still reeling over the missing 11 btc(that i was responsible for mind you). so before you try to claim again i'm lying, i actually have the ic3 report saved in my email, forgot all about it.

Complaint Id: I1401140028481641

[TheD0ct0r]

Nice try haha 4,000 out of your own pocket and still haven't covered the balances that's laughable. Are you trying to make yourself look stupid? I am going to take a shot in the dark and just double that number. So what your telling us is OpenEx has lost over $8,000 + usd in Coins in under a month, 4,000 usd you covered out of pocket?
That could easily be 24,000 usd in losses in your first quarter.

Ask yourselves who would continue to operate their business at that kind of loss for no reason? Why would they habitually risk the public and their own money? There is no logical reason at this point to keep the doors open to the public. They could easily close doors and continue development and testing until most of the major problems have been worked out. Like i said before hes reckless and sloppy and it doesn't take a genus to figure this Scam Out. Do not let him play stupid anymore.

Also what does your little screen scam shots prove ? Absolutely nothing, Just keep trying cling to the sides of the toilet while your swirling down the hole..

 You guys haven't figured out by now hes skimming coins? Even the most incompetent amateurs don't make these kinds of mistakes.
 Who releases a site like this a second time without a closed beta and extensive testing? Best Con i have seen in awhile.
 The guys been skimming coins since day one blaming it on Devs, bad code and hackers. You people need to wake up.
  

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.

use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!

once again, you are lying. i haven't skimmed a single coin and thats the honest to God truth. there really was a hack, as evidenced by the ssh logs clearly showing bruteforcing on the server. then there was the duplicate balance issue. i've paid close to 4,000 dollars out of my own pocket, and still haven't covered all of the balances. you can take your foot out of your lying ass mouth now. its one thing to call me on shit i actually did but to make shit up off of your head like your so certain is just hilarious. you're full of shit and you show your own ignorance by the minute.

[surfer43]

Nice try haha 4,000 out of your own pocket and still haven't covered the balances that's laughable. Are you trying to make yourself look stupid? I am going to take a shot in the dark and just double that number. So what your telling us is OpenEx has lost over $8,000 + usd in Coins in under a month, 4,000 usd you covered out of pocket?
That could easily be 24,000 usd in losses in your first quarter.

Ask yourselves who would continue to operate their business at that kind of loss for no reason? Why would they habitually risk the public and their own money? There is no logical reason at this point to keep the doors open to the public. They could easily close doors and continue development and testing until most of the major problems have been worked out. Like i said before hes reckless and sloppy and it doesn't take a genus to figure this Scam Out. Do not let him play stupid anymore.

Also what does your little screen scam shots prove ? Absolutely nothing, Just keep trying cling to the sides of the toilet while your swirling down the hole..

 You guys haven't figured out by now hes skimming coins? Even the most incompetent amateurs don't make these kinds of mistakes.
 Who releases a site like this a second time without a closed beta and extensive testing? Best Con i have seen in awhile.
 The guys been skimming coins since day one blaming it on Devs, bad code and hackers. You people need to wake up.
  

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.

use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!

once again, you are lying. i haven't skimmed a single coin and thats the honest to God truth. there really was a hack, as evidenced by the ssh logs clearly showing bruteforcing on the server. then there was the duplicate balance issue. i've paid close to 4,000 dollars out of my own pocket, and still haven't covered all of the balances. you can take your foot out of your lying ass mouth now. its one thing to call me on shit i actually did but to make shit up off of your head like your so certain is just hilarious. you're full of shit and you show your own ignorance by the minute.

In order to make it profitable and make lost money back maybe?  Really why would he risk so much through fraud? You can get in real trouble for that. I have gotten every penny back from him.

[r3wt]

Nice try haha 4,000 out of your own pocket and still haven't covered the balances that's laughable. Are you trying to make yourself look stupid? I am going to take a shot in the dark and just double that number. So what your telling us is OpenEx has lost over $8,000 + usd in Coins in under a month, 4,000 usd you covered out of pocket?
That could easily be 24,000 usd in losses in your first quarter.

Ask yourselves who would continue to operate their business at that kind of loss for no reason? Why would they habitually risk the public and their own money? There is no logical reason at this point to keep the doors open to the public. They could easily close doors and continue development and testing until most of the major problems have been worked out. Like i said before hes reckless and sloppy and it doesn't take a genus to figure this Scam Out. Do not let him play stupid anymore.

Also what does your little screen scam shots prove ? Absolutely nothing, Just keep trying cling to the sides of the toilet while your swirling down the hole..

 You guys haven't figured out by now hes skimming coins? Even the most incompetent amateurs don't make these kinds of mistakes.
 Who releases a site like this a second time without a closed beta and extensive testing? Best Con i have seen in awhile.
 The guys been skimming coins since day one blaming it on Devs, bad code and hackers. You people need to wake up.
  

attacker used ssh to gain access and steal btc wallet. i discovered this while trouble shooting a customer who had not received his deposit even though it showed pending. then i discovered our btc wallet was drained, all the accounts gone and the wallet.dat missing


i am offering 400 bucks for the attacker to return the money to me privately via pm, or for anyone who can catch the attacker and bring him to justice.


here is the log
https://drive.google.com/file/d/0B5V5vln-sS3ERUh2dm1jdThnN1k/edit?usp=sharing


Edit: If you lost bitcoins, i am sorry. kindly post the amount as well as your address below and i will repay them asap. i obviously don' t have the money but i have every intention to pay for it when i do. again, i'm sorry.

use ssh keys or completely shut down the ssh server. unless you dont use ssh keys any one with little knowledge can login. %75 of the world servers are hackable. You can make mistakes but time to get lessons!

once again, you are lying. i haven't skimmed a single coin and thats the honest to God truth. there really was a hack, as evidenced by the ssh logs clearly showing bruteforcing on the server. then there was the duplicate balance issue. i've paid close to 4,000 dollars out of my own pocket, and still haven't covered all of the balances. you can take your foot out of your lying ass mouth now. its one thing to call me on shit i actually did but to make shit up off of your head like your so certain is just hilarious. you're full of shit and you show your own ignorance by the minute.

mayhbe if you would read the development thread you would be less uninformed(we do plan on closing doors to the public, the problem is they won't withdraw their coins). you can continue to spread your fud, i give about 1 iota about what you say, and that iota i give is only to prove you wrong, which i have done and will continue to do as necessary. have a great day, "Doctor Nobody".

[broken_pixel]

TheD0ct0r
Newbie
*
Activity: 12

 

[cce]

Hello,

If there are any openex admins on this board, would you please advise as to the procedure for withdrawing one's coins from openex?  I have initiated and confirmed withdrawals that have not arrived.  Multiple support tickets have gone unanswered. 

Any help would be appreciated.  Thanks.

[phazon307]

I like how I am the one who gave this guy the idea how to get his wallet file recovered and he used my idea and he even posted it and it's like he figured it all out himself when he was begging for help on this forum thanks a lot pal and people wonder why people don't want to help anyone.

[TheD0ct0r]

I went to login Openex.pw today and found this Disturbing conversation in chat. I am still Loz.. OOops looks like some one forgot to clear logs...

1: R3wt openly admits to working with former NSA on the new exchange.. WTF if he beleives this hes a moron. Worse yet he would work with a FED!


2: R3wt  Begs Justin to build him a trade engine because he doesn't know how to.... It looks like R3wt is trying to hide Justin under the name mBlanchard.

Please refresh my memory isn't Justin the same (Cat) R3wt tried to pin the bad code and hack on ?  Yes it is, WTFF !


3: R3wt  Openly admits hes going to build another half ass trade engine Using python he knows nothing about.

Doing more searching  haha https://twitter.com/_LuaPod_ Rewt wants Justins code. Looks like a internal dispute going on.
You know its bad when Justin doesn't even want anything to do with R3wt.
Theres some real f%CKED uped stuff going on here maybe one of you guys can figure it out.....

Make sure you guys spread this on other forums so no one else get screwed on this new pos he cooking up.

Ohhh wait there is more I copied the full conversation to a .txt file just encase they try to wipe the log.   http://snk.to/f-cdhfbilj

here are links to the full screen caps  http://imgur.com/iDV9jHL /  http://imgur.com/WLTeWzz / http://imgur.com/l7oHqxQ


https://i.imgur.com/kNKxGXE.jpg
https://i.imgur.com/mtYwgFv.jpg
https://i.imgur.com/mbbea02.jpg

[r3wt]

ladies and gentleman, the poster above me is justin maybe not justin but a definite troll. i know you're all so shocked.

[TheD0ct0r]

Umm dude you are sad man you are just gnawing at the bit. You have accused me of being everyone under the sun.

Could it be that i am just a pissed off user or investor you moron ..... OHHH noooo i forget everyone loves openex and hopes you come back!

hop on more of your alts and flame me some more , tell everyone how happy you are with openex with your fake alts.

I would love to see how you lie your way out of this one ...

I told you i would be back when i had more proof..



~TheD0ct0r

[milly6]

Umm dude you are sad man you are just gnawing at the bit. You have accused me of being everyone under the sun.

Could it be that i am just a pissed off user or investor you moron ..... OHHH noooo i forget everyone loves openex and hopes you come back!

hop on more of your alts and flame me some more , tell everyone how happy you are with openex with your fake alts.

I would love to see how you lie your way out of this one ...

I told you i would be back when i had more proof..



~TheD0ct0r

^ LOL

[milly6]

Umm dude you are sad man you are just gnawing at the bit. You have accused me of being everyone under the sun.

Could it be that i am just a pissed off user or investor you moron ..... OHHH noooo i forget everyone loves openex and hopes you come back!

hop on more of your alts and flame me some more , tell everyone how happy you are with openex with your fake alts.

I would love to see how you lie your way out of this one ...

I told you i would be back when i had more proof..



~TheD0ct0r

Everyone under the sun? Dude you just made this account... think you just threw yourself under the bus there.

[TheD0ct0r]

Hurry round up all your employee's damage control damage control !

I guess your thinking maybe you can bury this post in your BS....

[jmlindn]

r3wt is a trusted man, so, dont blame anything before he repay to all of your lost, so in this time, we must patient

[mr_random]

I went to login Openex.pw today and found this Disturbing conversation in chat. I am still Loz.. OOops looks like some one forgot to clear logs...

1: R3wt openly admits to working with former NSA on the new exchange.. WTF if he beleives this hes a moron. Worse yet he would work with a FED!


2: R3wt  Begs Justin to build him a trade engine because he doesn't know how to.... It looks like R3wt is trying to hide Justin under the name mBlanchard.

Please refresh my memory isn't Justin the same (Cat) R3wt tried to pin the bad code and hack on ?  Yes it is, WTFF !


3: R3wt  Openly admits hes going to build another half ass trade engine Using python he knows nothing about.

Doing more searching  haha https://twitter.com/_LuaPod_ Rewt wants Justins code. Looks like a internal dispute going on.
You know its bad when Justin doesn't even want anything to do with R3wt.
Theres some real f%CKED uped stuff going on here maybe one of you guys can figure it out.....

Make sure you guys spread this on other forums so no one else get screwed on this new pos he cooking up.

Ohhh wait there is more I copied the full conversation to a .txt file just encase they try to wipe the log.   http://snk.to/f-cdhfbilj

here are links to the full screen caps  http://imgur.com/iDV9jHL /  http://imgur.com/WLTeWzz / http://imgur.com/l7oHqxQ

Interesting.

[kev7112001]

lol i told everyone this site was garbage

[Hannah faeos]

Your suggestion is feasible, but must to protect the interests of the users

[r3wt]

Be patient, it is coming

[Hollowman338]

What is coming?  Zombie thread.