Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: Openex hacked but coins recovered  (Read 14259 times)
allyouracid (Legendary; Activity: 2320; Merit: 1292; "Encrypted Money, Baby!")
January 14, 2014, 01:22:43 PM, #121

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.
Sorry, but that's nonsense. There are enough people who understand node.js, and I can assure you of that.
Also, I would consider someone who needs to visit tutorial sites as not being in a good position to actually run a server.

Don't get me wrong, but it's not just about stolen Bitcoin; it's also about all those hundreds of thousands of spam machines which are all run by some kids who go "can i haz server, pls?", which require me (and others) to constantly set up and fine-tune spam filters, watch spam folders and so on because they're just not able to secure a machine.
If people want to play, no problem. There's plenty of server software you can run on your local machine to try and test and become a pro one day. But please, keep the internet clean of those sloppily set up machines which cause a hell of an effort every time they get compromised again.

By the way, this is one of the points which literally cry out for regulation!

Don't visit my shitcoin blog: OCOIN.DEV
Use cointracking.info for tax declaration & tracking of your trades!
r3wt (OP) (Hero Member; Activity: 686; Merit: 504; "always the student, never the master.")
January 14, 2014, 01:24:22 PM, #122

I don't see how these people even get servers running. On tutorial sites I've seen comments such as "do I also type in the eg."

It also bothers me the elite developers keep inventing new crap like nodejs when we haven't learned the simplest of things.
Sorry, but that's nonsense. There are enough people who understand node.js, and I can assure you of that.
Also, I would consider someone who needs to visit tutorial sites as not being in a good position to actually run a server.

Don't get me wrong, but it's not just about stolen Bitcoin; it's also about all those hundreds of thousands of spam machines which are all run by some kids who go "can i haz server, pls?", which require me (and others) to constantly set up and fine-tune spam filters, watch spam folders and so on because they're just not able to secure a machine.
If people want to play, no problem. There's plenty of server software you can run on your local machine to try and test and become a pro one day. But please, keep the internet clean of those sloppily set up machines which cause a hell of an effort every time they get compromised again.

By the way, this is one of the points which literally cry out for regulation!

i clearly underestimated the role of a sysadmin.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
deepwex (Newbie; Activity: 7; Merit: 0)
January 14, 2014, 01:26:55 PM, #123

Wait, did you use a password for your ssh login? Please use SSH keys next time; they are the most secure way to do ssh. Also run bitcoind under its own user account. Disable root and use the sudoers file instead; then you can ban bitcoind commands. Also, cold storage should always be used.

+1

Passwords shouldn't be used for ssh logins.

But I would have taken it a step further. The coin daemon shouldn't run on the exchange webserver at all, but instead be talked to via a security layer checking what type of RPC commands are sent, and validating/discarding them based on internal security routines. (Depends on the setup.)

"Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2"

Please, for your own sake, never ever even boot a server with an ssh config similar to this: "PermitRootLogin yes"
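The "security layer" deepwex describes above, a filter between the web tier and the coin daemon that only forwards RPC calls the application actually needs, can be sketched in a few dozen lines. The following is an added example written for this thread; it is not Openex code. The method names are real bitcoind RPC calls, but the split into read-only, capped-spend and refused methods, the per-call limit and the sample requests are assumptions made for the example:

```python
import json
from typing import Tuple

# Assumed policy for the example. The method names are real bitcoind RPC calls;
# which of them the web tier may call is an assumption about the exchange's design.
READ_ONLY = {"getbalance", "getnewaddress", "validateaddress",
             "listtransactions", "gettransaction", "getreceivedbyaddress"}
SPEND = {"sendtoaddress"}            # allowed, but capped per call
MAX_SEND_PER_CALL = 0.5              # constructed limit, in coin units
# Everything else (dumpprivkey, backupwallet, walletpassphrase, stop, ...) is refused.


class RpcRejected(Exception):
    """Raised when a request must not reach the coin daemon."""


def vet_rpc_request(body: str) -> dict:
    """Parse one JSON-RPC request body as bitcoind accepts it and decide whether
    the web tier may forward it. Returns the parsed request or raises RpcRejected."""
    try:
        req = json.loads(body)
    except ValueError as exc:
        raise RpcRejected(f"malformed JSON: {exc}")
    if isinstance(req, list):
        # A batch would let a caller smuggle a forbidden call next to an allowed one.
        raise RpcRejected("batch requests are not forwarded")
    if not isinstance(req, dict) or not isinstance(req.get("method"), str):
        raise RpcRejected("request must be an object with a string 'method'")
    method = req["method"]
    params = req.get("params", [])
    if not isinstance(params, list):
        raise RpcRejected("params must be a positional list")

    if method in READ_ONLY:
        return req
    if method in SPEND:
        # sendtoaddress params: [address, amount, ...]
        if len(params) < 2 or not isinstance(params[0], str):
            raise RpcRejected("sendtoaddress needs an address and an amount")
        amount = params[1]
        if isinstance(amount, bool) or not isinstance(amount, (int, float)):
            raise RpcRejected("amount must be a JSON number")
        if amount <= 0 or amount > MAX_SEND_PER_CALL:
            raise RpcRejected(f"amount {amount} outside the allowed range (0, {MAX_SEND_PER_CALL}]")
        return req
    raise RpcRejected(f"method '{method}' is not on the allowlist")


def decide(body: str) -> Tuple[bool, str]:
    """Convenience wrapper: (True, 'forward') or (False, reason)."""
    try:
        vet_rpc_request(body)
        return True, "forward"
    except RpcRejected as exc:
        return False, str(exc)


# Constructed sample requests, shaped like those a web tier would send to bitcoind.
SAMPLE_REQUESTS = [
    '{"jsonrpc": "1.0", "id": 1, "method": "getbalance", "params": []}',
    '{"jsonrpc": "1.0", "id": 2, "method": "sendtoaddress", "params": ["ADDRESS_PLACEHOLDER", 0.1]}',
    '{"jsonrpc": "1.0", "id": 3, "method": "sendtoaddress", "params": ["ADDRESS_PLACEHOLDER", 25]}',
    '{"jsonrpc": "1.0", "id": 4, "method": "dumpprivkey", "params": ["ADDRESS_PLACEHOLDER"]}',
    '[{"method": "getbalance"}, {"method": "stop"}]',
]

if __name__ == "__main__":
    for body in SAMPLE_REQUESTS:
        print(decide(body))
```

The point of the design is that a compromised web server can still only call what the filter allows, and a spend above the cap needs a separate, out-of-band path; key export and daemon control never have a route from the web tier at all.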
allyouracid (Legendary; Activity: 2320; Merit: 1292; "Encrypted Money, Baby!")
January 14, 2014, 01:31:29 PM, #124

i clearly underestimated the role of a sysadmin.
It's really a good thing that you see it this way. Nobody is free from errors, and what matters is clearly learning from them. And just to make it clear: my posts really are not about ranting or attacking someone blindly (because that's not productive). I just think it's important to know certain things when running a server. :)

Don't visit my shitcoin blog: OCOIN.DEV
Use cointracking.info for tax declaration & tracking of your trades!
lonesoul (Sr. Member; Activity: 308; Merit: 250)
January 14, 2014, 01:38:20 PM, #125

As someone mentioned Fail2Ban, I use a similar program to protect my servers from brute force attacks. It's called RDPGuard; when I downloaded it, it came with a 30-day trial. Might be worth adding extra protection (it should work alongside Fail2Ban, I believe).

You could also blacklist all IP addresses from connecting to the server and whitelist your own IP (or other secure IPs). I tend to do this for servers that have very little reason for anyone to ever log on to.


Sorry if these suggestions are a bit "nooby", but it's often simple things that can throw a spanner in the works for an attacker (especially if the attacker is just some kid trying his/her luck! Normally they don't have enough knowledge to even change the dictionaries used for their attacks).




Please click this link-> https://mcxnow.com/?r=Stuartnorth       (The link is a referral link, it costs you nothing, but provides a little bonus for me if you click through to the site. Please help feed my baby. Thanks :-) )
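Two of the checks discussed in this thread, deepwex's warning about "PermitRootLogin yes" and password logins (with the quoted sshd log line) and lonesoul's suggestion of an IP allowlist, can be turned into a small audit script. This is an added example written for this page, not code from any poster or from Openex. The sshd_config fragment, the second and third log lines and the allowlist are constructed; the first log line is the one quoted in the thread:

```python
import re
from typing import Dict, List, Set

# Assumption: which sshd_config directives count as weak. For PermitRootLogin the
# OpenSSH values "no", "prohibit-password" and its older alias "without-password"
# all stop password logins as root, so they are accepted.
RULES = {
    "permitrootlogin": ({"no", "prohibit-password", "without-password"}, "no",
                        "root should not log in over SSH; use an unprivileged user plus sudo"),
    "passwordauthentication": ({"no"}, "no",
                               "password logins invite brute force; use SSH keys"),
}


def audit_sshd_config(config_text: str) -> List[str]:
    """Return one finding per directive that contradicts RULES.

    sshd uses the first value it reads for a keyword, so a later, stricter
    line does not help; this mirrors that by keeping the first occurrence.
    Comments and blank lines are ignored; matching is case-insensitive.
    """
    first_value: Dict[str, str] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        first_value.setdefault(key, value)

    findings = []
    for key, (accepted, recommended, why) in RULES.items():
        actual = first_value.get(key)
        if actual is None:
            findings.append(f"{key}: not set, sshd default applies; set '{key} {recommended}' ({why})")
        elif actual not in accepted:
            findings.append(f"{key}: '{actual}' is weak; set '{key} {recommended}' ({why})")
    return findings


# Matches the successful-login line sshd writes to the auth log.
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port (?P<port>\d+)"
)


def flag_logins(log_text: str, allowed_ips: Set[str]) -> List[dict]:
    """Scan auth-log lines and return every accepted login that breaks a rule:
    password method, direct root login, or a source IP outside the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        m = ACCEPTED_RE.search(line)
        if not m:
            continue  # failed attempts and unrelated lines are left to fail2ban
        reasons = []
        if m["method"] == "password":
            reasons.append("password authentication")
        if m["user"] == "root":
            reasons.append("direct root login")
        if m["ip"] not in allowed_ips:
            reasons.append("source IP not on allowlist")
        if reasons:
            alerts.append({"user": m["user"], "ip": m["ip"],
                           "method": m["method"], "reasons": reasons})
    return alerts


# Constructed sshd_config fragment resembling the setup the thread warns about.
SAMPLE_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
"""

# First line is the one quoted in the thread; the other two are constructed
# using documentation address ranges.
SAMPLE_LOG = """\
Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2
Jan 12 08:30:01 server sshd[154700]: Accepted publickey for deploy from 203.0.113.5 port 50022 ssh2
Jan 12 08:31:44 server sshd[154722]: Failed password for invalid user admin from 198.51.100.9 port 41000 ssh2
"""

# Assumed allowlist: the operator's own static address, as lonesoul suggests.
ALLOWED_IPS = {"203.0.113.5"}

if __name__ == "__main__":
    for finding in audit_sshd_config(SAMPLE_CONFIG):
        print("CONFIG:", finding)
    for alert in flag_logins(SAMPLE_LOG, ALLOWED_IPS):
        print("LOGIN:", alert)
```

Run against the sample data it reports both weak directives and flags the quoted root login on all three counts, while the key-based login from the allowlisted address passes. The log check complements fail2ban rather than replacing it: fail2ban reacts to failures, whereas an accepted password login for root is a success that fail2ban never sees.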
CatCoin (Newbie; Activity: 38; Merit: 0)
January 14, 2014, 02:00:25 PM, #126

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.
r3wt (OP) (Hero Member; Activity: 686; Merit: 504; "always the student, never the master.")
January 14, 2014, 02:01:31 PM, #127

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.

I would appreciate it if you would enlighten us all a bit. Give a crash course; I'll pay you for your time. I might even list catcoin if this works out well.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
CatCoin (Newbie; Activity: 38; Merit: 0)
January 14, 2014, 02:20:30 PM, #128

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.

I would appreciate it if you would enlighten us all a bit. Give a crash course; I'll pay you for your time. I might even list catcoin if this works out well.
I don't own any catcoin.  I was developing a "catcoin" a while ago, but the current one was suddenly "pre-announced" about a week before I was going to release mine.  The username was registered a while ago.  Also, I doubt it needs to even be said that I wouldn't be registering an account on your exchange any time soon.

You really don't need a crash course, and I'd be doing you and your users a disservice by providing one.  You need about 10 years of real world experience running servers that won't end up losing a bunch of peoples' money if they end up breached.  Otherwise, you need someone with a lot of experience securing a project like yours working for you full time, and you need them to be able to go over and help you secure your entire app, not just the sysadmin-type stuff.

This is something that should be tested thoroughly in an isolated environment before it ends up anywhere near the internet being used by actual people.  When I said what I said about it not being a good idea for someone without the experience to try to do something like this and skip every step in the middle, I wasn't kidding, and I wasn't saying it just to be a dick or crush your dreams.  You can't cut corners with something like this.

Start over, create a virtual machine and set it up as a server with your app on it.  Encrypt the filesystem on the VM.  Distribute that VM image to people and offer a bounty to anyone who can breach it.  Start over, do that again.  Repeat.  Once you feel confident with what you have, bring in a pro and see if they agree.  Test some more... etc.

Rushing into this is sure to end in tears for you and, more importantly, your users, every time.  There's nothing more dangerous than a cocky young web app developer who has absolutely no idea what they're getting into, and is playing with peoples' money.
hypes (Full Member; Activity: 168; Merit: 100)
January 14, 2014, 02:26:04 PM, #129

Jesus, your PHP looks pretty risky too, bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages


r3wt (OP) (Hero Member; Activity: 686; Merit: 504; "always the student, never the master.")
January 14, 2014, 02:29:15 PM, #130

Jesus, your PHP looks pretty risky too, bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



To the casual observer, yes, it appears pretty insecure. Once you try to hack it, then you see the genius of the design. Other than the queries, I'd say it's pretty secure.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
vingaard (Legendary; Activity: 1246; Merit: 1011)
January 14, 2014, 02:30:05 PM, #131

I cancelled several Dimecoin sell orders and all those coins didn't refund to my account... do you know what happened?

And, another thing, please... remove the minimum withdrawal limit so I can get all my funds... I know that they are small amounts, but a lot of small amounts make a big one....

Thanks
hypes (Full Member; Activity: 168; Merit: 100)
January 14, 2014, 02:32:02 PM, #132

Jesus, your PHP looks pretty risky too, bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



To the casual observer, yes, it appears pretty insecure. Once you try to hack it, then you see the genius of the design. Other than the queries, I'd say it's pretty secure.

I don't understand why it's not done MVC

r3wt (OP) (Hero Member; Activity: 686; Merit: 504; "always the student, never the master.")
January 14, 2014, 02:35:08 PM, #133

Jesus, your PHP looks pretty risky too, bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



To the casual observer, yes, it appears pretty insecure. Once you try to hack it, then you see the genius of the design. Other than the queries, I'd say it's pretty secure.

I don't understand why it's not done MVC

It basically is. The pages do some work, and the system folder does some work (which is not shared on GitHub), but the majority of it is handled through the objects in our various class files and the functions in the models folder.

we have our models and controllers in /models

our "view" is in /pages

While it's not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
hypes (Full Member; Activity: 168; Merit: 100)
January 14, 2014, 02:40:37 PM, #134

Jesus, your PHP looks pretty risky too, bro. Correct me if I'm wrong.

https://github.com/r3wt/openex/tree/master/pages



To the casual observer, yes, it appears pretty insecure. Once you try to hack it, then you see the genius of the design. Other than the queries, I'd say it's pretty secure.

I don't understand why it's not done MVC

It basically is. The pages do some work, and the system folder does some work (which is not shared on GitHub), but the majority of it is handled through the objects in our various class files and the functions in the models folder.

we have our models and controllers in /models

our "view" is in /pages

While it's not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.

Right. I can see you've put a lot of work into it. I just don't like seeing queries in the views *shudder*

hypes (Full Member; Activity: 168; Merit: 100)
January 14, 2014, 02:43:18 PM, #135

What I was really getting at is: why not use a framework? It gives a fair amount of security if used correctly.

lonesoul (Sr. Member; Activity: 308; Merit: 250)
January 14, 2014, 02:49:29 PM, #136

Sorry to hear this happened, r3wt :(

Yeah, me too. Back to the drawing board once more.



“Edison failed 10,000 times before he made the electric light. Do not be discouraged if you fail a few times.”
– Napoleon Hill


“I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.”

– Michael Jordan

“I was set free because my greatest fear had been realized, and I still had a daughter who I adored, and I had an old typewriter and a big idea. And so rock bottom became a solid foundation on which I rebuilt my life.”

– J.K. Rowling

“Many of life's failures are people who didn't realize how close they were to success when they gave up.”

– Thomas Edison

“If you want the rainbow, you gotta put up with the rain.”

– Dolly Parton


And finally, a Chinese proverb my dad used to say:

Fall seven times,
Stand up eight.



Keep trying, matey. You have put so much time and effort in; you'll make it sooner or later!

Remember: whenever you fail, you always learn what not to do next time!



Please click this link-> https://mcxnow.com/?r=Stuartnorth       (The link is a referral link, it costs you nothing, but provides a little bonus for me if you click through to the site. Please help feed my baby. Thanks :-) )
r3wt (OP) (Hero Member; Activity: 686; Merit: 504; "always the student, never the master.")
January 14, 2014, 02:51:48 PM, #137

What I was really getting at is: why not use a framework? It gives a fair amount of security if used correctly.

I honestly feel like it would diminish the accomplishment. When you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

It certainly doesn't mean frameworks aren't useful. I just don't use them (yet). I don't have much experience, so that will probably change. For now I'm reading as much as I can and applying it to everything I do.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
CatCoin (Newbie; Activity: 38; Merit: 0)
January 14, 2014, 02:53:10 PM, #138

Encouraging people to keep trying when their failures will ultimately cost other people money is incredibly irresponsible.
r3wt (OP) (Hero Member; Activity: 686; Merit: 504; "always the student, never the master.")
January 14, 2014, 02:53:54 PM, #139

Sorry to hear this happened, r3wt :(

Yeah, me too. Back to the drawing board once more.



“Edison failed 10,000 times before he made the electric light. Do not be discouraged if you fail a few times.”
– Napoleon Hill


“I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.”

– Michael Jordan

“I was set free because my greatest fear had been realized, and I still had a daughter who I adored, and I had an old typewriter and a big idea. And so rock bottom became a solid foundation on which I rebuilt my life.”

– J.K. Rowling

“Many of life's failures are people who didn't realize how close they were to success when they gave up.”

– Thomas Edison

“If you want the rainbow, you gotta put up with the rain.”

– Dolly Parton


And finally, a Chinese proverb my dad used to say:

Fall seven times,
Stand up eight.



Keep trying, matey. You have put so much time and effort in; you'll make it sooner or later!

Remember: whenever you fail, you always learn what not to do next time!




thank you for the inspirational quotes and kind words. we are not giving up. #NeverYield

My negative trust rating is reflective of a personal vendetta by someone on default trust.
hypes (Full Member; Activity: 168; Merit: 100)
January 14, 2014, 02:57:34 PM, #140

What I was really getting at is: why not use a framework? It gives a fair amount of security if used correctly.

I honestly feel like it would diminish the accomplishment. When you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

It certainly doesn't mean frameworks aren't useful. I just don't use them (yet). I don't have much experience, so that will probably change. For now I'm reading as much as I can and applying it to everything I do.

You're reinventing the wheel, though, really. Thousands of devs have collaborated on frameworks for good reasons; don't write them off because you want to write it all yourself!

Being able to code in a framework isn't newb, it's considered more pro imo.

