emu
January 14, 2014, 10:32:43 PM
atm I'm waiting for 10k SKC, they are said to be pending, let's see
|
if you want your SKC in good hands: SXVBoZJWahdVNZsYqjdF3V25hSWDvNaoDn
|
XCASH
January 14, 2014, 10:42:38 PM
The openEx website currently says
"Please withdraw all coins by 1/15/2014".
After that it's anyone's guess what will happen to them.
|
r3wt (OP)
January 14, 2014, 11:45:44 PM
to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.
There is nothing genius about the code, and nothing genius about you.
other than the queries, i'd say it's pretty secure.
Your opinion means nothing and is apparently given out without any thought. That code is some of the worst I've seen in years. WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money? Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough. Don't even think about relaunching with anything but a play site.
let's have an example there bud.
Oh I don't know, the topic of this thread you fucking idiot comes to mind. Also whatever double cancel bug you had that allowed people to give themselves coins. And then of course there's always this one: https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.'); I'm sure you have no idea why that's a problem though. I don't understand why anyone in this thread is cutting you slack at all. What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open. Your code is the quality of what I made in middle school, and your attitude fits that age range as well. I'm done with this thread, but a warning for anyone reading it: Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk! His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible. When his next site gets hacked, don't say I didn't tell you so.
hey cock server, the application is extremely secure. it was the server that was compromised. also i didn't write any of the trade engine code, if you want to talk shit, perhaps you want to talk to justin?
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
Zeke_Vermillion
January 15, 2014, 12:07:03 AM
r3wt, thanks for processing my withdrawal request. just putting that on record.
|
Slingshot
January 15, 2014, 02:29:50 AM
to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.
There is nothing genius about the code, and nothing genius about you.
other than the queries, i'd say it's pretty secure.
Your opinion means nothing and is apparently given out without any thought. That code is some of the worst I've seen in years. WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money? Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough. Don't even think about relaunching with anything but a play site.
let's have an example there bud.
Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk! His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible. When his next site gets hacked, don't say I didn't tell you so.
+1 Innocent yet foolish Delusions of Grandeur rings a loud bell. Caveat emptor - let the buyer beware
|
Millicent
January 15, 2014, 04:54:39 AM
I was hoping things would go well for this exchange since it was open source. but having it open source before security auditing may have given some clue about its insecurity unfortunately. hope you will have better luck next time or at least hire someone reputable to help with security.
also, I was wondering if username/passwords were stolen, or any other coins? was the hack only affecting btc wallet?
0.14203175btc @ 1PFo41TnkogkD1DJWxFwMWc5ShMn1tJxhN
whoever it was only in the server for 6 minutes before i found out.
How long do you think it would take this to ruin your life? 6 seconds?
root@openex #rm -rf /
Whatever you do, don't try to use this server again. Format and reinstall whatever your OS of choice is... Are you using hard iron or in the cloud? For what you are trying to do I suggest hard iron with a separate firewall (at least 1) located at a secure datacenter with backup. Start a thread asking about preferred methods of security and lay out a plan. As it's been said before this is no joke and you got WAAAAAAAAAAAAAAAAy lucky. Plenty of people have offered help, take them up on it. Find a trusted admin that you can share their insight with and make a plan. Don't rush to bring this back. Get it right and implement features slowly and methodically. Good luck with your venture
|
BTC ~ 1CX9TMGCv73XLcvckz5RsnHgsHA5fJrL2q
|
CatCoin
January 15, 2014, 06:21:32 AM
hey cock server, the application is extremely secure.
Based on what? The fact that you couldn't think of any ways in which it wasn't secure? Look at your track record and total lack of experience, then consider thinking twice before making statements you can't back up. You have the technical knowledge of a best buy employee.
it was the server that was compromised. also i didn't write any of the trade engine code
Then how is it, exactly, that you can claim it's secure? You look worse every time you continue to try to act like you have this under control. It's painfully obvious that you are completely clueless.
|
hypes
January 15, 2014, 09:54:46 AM
to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design.
There is nothing genius about the code, and nothing genius about you.
other than the queries, i'd say it's pretty secure.
Your opinion means nothing and is apparently given out without any thought. That code is some of the worst I've seen in years. WTF makes total amateurs think they can launch an exchange that's responsible for handling people's money? Based on that code you're about 5 years of programming experience away from being able to, possibly, code securely enough. Don't even think about relaunching with anything but a play site.
let's have an example there bud.
Oh I don't know, the topic of this thread you fucking idiot comes to mind. Also whatever double cancel bug you had that allowed people to give themselves coins. And then of course there's always this one: https://openex.pw/index.php?page=trade&market='';alert('You%20are%20an%20idiot.'); I'm sure you have no idea why that's a problem though. I don't understand why anyone in this thread is cutting you slack at all. What you did is the equivalent of opening a bank, taking people's deposits, and then leaving the doors unlocked and the vault wide open. Your code is the quality of what I made in middle school, and your attitude fits that age range as well. I'm done with this thread, but a warning for anyone reading it: Do not, do not, DO NOT use any site built by r3wt that puts any of your property at risk! His understanding of web security is nonexistent, his code is crap, and his attitude is reckless and irresponsible. When his next site gets hacked, don't say I didn't tell you so.
I'm glad it isn't just me who thought it's iffy. This guy's already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.
|
bzyzny
January 15, 2014, 01:32:57 PM
I'm glad it isn't just me who thought it's iffy. This guy's already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.
We all underestimated just how "open" OpenEx.PW was, I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the site's functionality as intended, ppl were getting double credits and such.
|
r3wt (OP)
January 15, 2014, 02:56:35 PM
I'm glad it isn't just me who thought it's iffy. This guy's already demonstrated XSS. I cba to look at the php again but it does look really open to SQL Injection.
We all underestimated just how "open" OpenEx.PW was, I don't think r3wt meant it so literally. My question is, regardless of his ability to code, didn't he TEST it before launching? Some of these bugs were painfully obvious. Just from using the site's functionality as intended, ppl were getting double credits and such.
yes we tested. attacker was in and out of the server fucking with the trade engine code. it took us a while to catch on that someone was changing our code besides us.
lessons learned:
hire a server admin
don't use mysql functions and real escape string. i found a tutorial on devshed that teaches how to use pdo. i've been practicing all morning and i can't believe it's so easy.
we'll be back as soon as we've addressed the issues with the server and fixed the flaws in the application.
though your intent was to humiliate, i thank you for being blatantly honest. you're helping make openex better though you're trying to fud it to death.
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
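An added example, not part of any post in this thread and not OpenEx code: the two application-level issues raised above (queries built with the mysql functions and real-escape-string rather than PDO, and the `market` parameter reflected into the page) handled in a hypothetical trade-page handler. The `markets` table, `findMarket` and `renderTradePage` are assumptions, as is the premise that `market` is a numeric id.

```php
<?php
declare(strict_types=1);
// Added illustration, not OpenEx code. Table, column and function names are hypothetical.

// Constructed sample data in an in-memory SQLite database (requires pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE markets (id INTEGER PRIMARY KEY, pair TEXT NOT NULL)');
$pdo->exec("INSERT INTO markets (id, pair) VALUES (1, 'SKC/BTC'), (2, 'LTC/BTC')");

/** Look up the market named by a request parameter; null if it is not a known market. */
function findMarket(PDO $pdo, ?string $raw): ?array
{
    // Validate first: a market id is 1-9 digits. Escaping alone would pass a value
    // such as "1 OR 1=1" unchanged, because it contains nothing to escape.
    if ($raw === null || preg_match('/\A[0-9]{1,9}\z/', $raw) !== 1) {
        return null;
    }
    // Bind the value as a parameter so it never becomes part of the SQL text.
    $stmt = $pdo->prepare('SELECT id, pair FROM markets WHERE id = :id');
    $stmt->bindValue(':id', (int) $raw, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Render a trade-page fragment, encoding the data for each output context. */
function renderTradePage(?array $market): string
{
    if ($market === null) {
        return '<p>Unknown market.</p>';
    }
    // HTML context: encode &, <, > and both quote characters.
    $html = '<h1>' . htmlspecialchars($market['pair'], ENT_QUOTES, 'UTF-8') . '</h1>';
    // JavaScript context: JSON with the HEX flags, so no quote, <, > or & can end
    // the literal or the enclosing <script> element.
    $flags = JSON_THROW_ON_ERROR | JSON_HEX_TAG | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_AMP;
    $js = json_encode(['id' => (int) $market['id'], 'pair' => $market['pair']], $flags);
    return $html . '<script>var market = ' . $js . ';</script>';
}

// Constructed inputs: a valid id, the decoded value from the URL quoted in the
// thread, and a quote-free value that escaping functions leave untouched.
foreach (['2', "'';alert('You are an idiot.');", '1 OR 1=1'] as $input) {
    echo renderTradePage(findMarket($pdo, $input)), PHP_EOL;
}
```

Only the first input resolves to a market; the other two fail validation and never reach the query or the page output.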
|
surfer43
January 15, 2014, 04:47:40 PM
Can you send me my 50 SKC? address in sig
|
kev7112001
January 15, 2014, 06:34:14 PM
this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol
|
MCXNOW MODERATOR
|
r3wt (OP)
January 15, 2014, 06:48:27 PM
this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol
bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program
|
My negative trust rating is reflective of a personal vendetta by someone on default trust.
|
bzyzny
January 15, 2014, 07:52:10 PM Last edit: January 15, 2014, 09:50:31 PM by bzyzny
R3wt, I'm glad that you have learned a lot from this, and I hope your exchange is successful in the future. It's unfortunate that you had to learn at such great expense, but those are the lessons most taken to heart. Some people may be bashing you harder than u deserve, but it's true you were not ready to launch a site which handles money. I was not referring to that 6min hack though, but the order cancel, txid-000, and other bugs that were allegedly there prior to the hack. Did u not test for such scenarios as what would happen if a person tried to sell to themselves? Or if copy/paste txid from wallet which includes the -000. All I'm saying is that it was not necessary to try to find these bugs, they occurred from using the site as a normal customer would. Perhaps next time you should have a more thorough testing period.
|
kev7112001
January 15, 2014, 08:03:54 PM
this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol
bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program
wow you are crap hope your shit goes down again u and your premined coins lol
|
MCXNOW MODERATOR
|
Nullu
January 15, 2014, 08:06:24 PM
this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol
bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program
wow you are crap hope your shit goes down again u and your premined coins lol
Your friend's advice isn't worth 4 dollars. Let alone 400. Get a grip.
|
BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF
|
kev7112001
January 15, 2014, 08:07:13 PM
what noob you have no idea what you're talking about
|
MCXNOW MODERATOR
|
kev7112001
January 15, 2014, 08:08:01 PM
this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol
bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program
wow you are crap hope your shit goes down again u and your premined coins lol
Your friend's advice isn't worth 4 dollars. Let alone 400. Get a grip.
u must be a part of his premine scam lol
|
MCXNOW MODERATOR
|
kev7112001
January 15, 2014, 08:09:34 PM
at least i don't try to open an exchange with no coding skills and lose people's coins
|
MCXNOW MODERATOR
|
Nullu
January 15, 2014, 08:09:46 PM
what noob you have no idea what you're talking about
Something doesn't go your way, so you trash talk people? If you want to have any credibility on this forum, you might want to consider acting with a little sense of decorum. Just some advice from a "noob".
this guy is horrible he asked for a reward my friend helps him by PMing him on what to do it works and he says he figured it out himself bullshit second this guy has made premined coins for people so what a scam artist gascoin lol
bullshit. your friend was trying to get me to give him 400 dollars for basically pming me and telling me to use some recovery program
wow you are crap hope your shit goes down again u and your premined coins lol
Your friend's advice isn't worth 4 dollars. Let alone 400. Get a grip.
u must be a part of his premine scam lol
I don't even know him. But your wild accusations are just fantastic.
|
BTC - 14kYyhhWZwSJFHAjNTtyhRVSu157nE92gF