Bitcoin Forum
November 18, 2024, 08:27:59 PM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 [26] 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 »
  Print  
Author Topic: [ANN] | freshmarket.co.in - Closed. Refunds till 10/02/14  (Read 41800 times)
r3wt
Hero Member
*****
Offline Offline

Activity: 686
Merit: 504


always the student, never the master.


View Profile
February 05, 2014, 09:52:06 AM
 #501

I'm really sorry to say this, but it seems that our security system wasn't enough.
Just now i received a message from someone that he has hacked our exchange, and if we want to stop this, we have to pay 10 BTC. Obviously, we are not going to pay our users' money, and we temporarily closed the exchange. We have made an secutity audit to see what's missing, and found ~1200 LTC stolen (nearly 40% of all LTC),  nearly ~50% of LEAFcoins, and ~20% NYANcoins. All other currencies remained nearly unchanged.
Just now we deciding what refund can we make (dev team has nearly 200 LTC on their own, and i can give up some too). We will make a message after we have an agreement. We will 100% refund all other (not-leaf, nyan or LTC) currencies, and try to refund as much ltc as we can.
As i see, it was sql-injection, but it doesn't helped him much - all passwords are stored as hashed ones. So he just brute-forced all low-security passwords to steal their money. So if you haven't got email auth - it is possible that your account was just jacked.

I also have possible ideas about openex malware in source code, but without proofs i can't do anything.

i told you to upgrade to our latest code, you wouldn't listen.

also there is not malware in the source. you clearly have no idea what you are talking about, and its not sql injection either, unless its something arbirtrary you and your "devs" added to your source.Now before you try and blame me, i want you to open our github readme and read the very first sentence, aloud to yourself.
"THIS IS BETA SOFTWARE. USE AT YOUR OWN RISK"

It was never our intension for a handful of greedy people to clone our repo and start up fly by night exchanges, but hey they did and now you are paying the price for it. you need to check auth.log to make sure it wasn't ssh. or chech your mysql configuration. its possible you had mysql listening on something other than localhost and they bruteforced your db.

finally check your ufw configuration or whatever other firewall you use.

other than that the only possible entry for sql injection was newticket.php, and you said you fixed it when i tweeted you about it. in the end, it is very likely the attacker was simply bruteforcing accounts then draining the accounts. similar thing was happening at openex, probably same hacker, so we reacted by upping the security.

i think i even mentioned to you about the need to tighten down bruteforce protection on all the forms. this is the risk you run cloning my repo while we are still in beta. this is the exact reason openex doesn't allow withdrawals without admin approval, and ip bans on 3 strikes on all forms where  apassword is required. it is imperative to stay ahead of the game, and cloning my repo in beta is the equivalent of jumping off a cliff with a backpack.

the point is, not that you are stupid. but this is a cat and mouse game and you cna't be running one of these things if you are prepared to fight with the hackers to defend your site. they are smart and if they cna't find a crack to exploit, they will make one.
>you need to check auth.log to make sure it wasn't ssh
No logins on ssh, it's certificate-proven and listening to only one port from only one ip-adress.
>other than that the only possible entry for sql injection was newticket.php,
Fixed it.
>bruteforcing accounts then draining the accounts
We have fail2ban to unable bruteforce.

Man, we used all security features i know, and i want to hear from hacker how this was done.
Also, i still don't see what i have to do to to prove this cryptsy account belongs to me.
1. all ssh is only on one port. you cant have sshdaemon running on multiple ports
2.fail2ban is for ssh, i'm talking about account logins from your site. i made an emergency update last night to patch the login page, withdraw page and account preferences pages to tiighten down the security.
3.thats clearly what the hacker just said he did. draining your accounts.
4.did you even setup a firewall at all?
5.did you have mysql listening on anything other than localhost, ie an outward faceing mysql connection. was this sql port firewalled?
ex: way to properly secure mysql server port
Code:
ufw allow from 127.0.0.1 to 127.0.0.1 port 3306 proto tcp

if your db server is on external device, then you can tunnel it with haproxy or similar proxy software. this protects your mysql server from getting hacked.

i can't stress enough, you ahve to have a firewall rule for every single service on the server, otherwise you are a sitting duck.

also, login to your mysql server. select permissions from the options. its towards the end on the right at the top of phpmyadmin. if any of the users are allowed anywhere other than localhost, it is a security vulnerability.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
def_ender (OP)
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
February 05, 2014, 09:56:12 AM
 #502

R3wt,
>4
EC2 AWS Amazon security groups preferencies
>5
Base is available only from server.

I'm still waiting for hacker move.
r3wt
Hero Member
*****
Offline Offline

Activity: 686
Merit: 504


always the student, never the master.


View Profile
February 05, 2014, 10:02:40 AM
 #503

R3wt,
>4
EC2 AWS Amazon security groups preferencies
>5
Base is available only from server.

I'm still waiting for hacker move.

AWS is about the last place in the world you should host an exchange. FFS man!

My negative trust rating is reflective of a personal vendetta by someone on default trust.
DarkHunter04
Member
**
Offline Offline

Activity: 126
Merit: 11


View Profile
February 05, 2014, 10:03:02 AM
 #504

Get we our LTC/other coins back? Or are they stolen? :/
def_ender (OP)
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
February 05, 2014, 10:04:50 AM
 #505

Get we our LTC/other coins back? Or are they stolen? :/
As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.
Mika67
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
February 05, 2014, 10:06:26 AM
Last edit: February 06, 2014, 11:07:36 AM by Mika67
 #506

Get we our LTC/other coins back? Or are they stolen? :/

Partly solved!!

DarkHunter04
Member
**
Offline Offline

Activity: 126
Merit: 11


View Profile
February 05, 2014, 10:07:38 AM
 #507

Get we our LTC/other coins back? Or are they stolen? :/
As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.
Oh nice Smiley ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him
def_ender (OP)
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
February 05, 2014, 10:14:38 AM
 #508

Get we our LTC/other coins back? Or are they stolen? :/
As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.
Oh nice Smiley ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him
Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.
DarkHunter04
Member
**
Offline Offline

Activity: 126
Merit: 11


View Profile
February 05, 2014, 10:18:44 AM
 #509

Get we our LTC/other coins back? Or are they stolen? :/
As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.
Oh nice Smiley ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him
Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.
Very nice good job Smiley just 75% .. but better than nothing.
Stupid hackers, stupid retards, they should do good things .. but no theyre stupid : Cheesy
herbitcoins
Member
**
Offline Offline

Activity: 78
Merit: 10


View Profile
February 05, 2014, 10:22:28 AM
 #510

Get we our LTC/other coins back? Or are they stolen? :/
As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.
Oh nice Smiley ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him
Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.

Anyway, it is not clear ! Who lost what ? which users ? Injection ? brute or not?

My password is strong as hell , full of number and alphanum so ....

Any Adress to trace?
Mika67
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
February 05, 2014, 10:23:49 AM
 #511

Get we our LTC/other coins back? Or are they stolen? :/
As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.
Oh nice Smiley ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him
Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.

If you have sponsors and IF for any reason these sponsors should have UTC > I'll accept utc instead of my (framed/lost) Ltc

Wink
filipej
Newbie
*
Offline Offline

Activity: 15
Merit: 0


View Profile
February 05, 2014, 10:24:29 AM
 #512

If you give money I will continue exchange  in frashmarket but please raise your level of safety.
flex65
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
February 05, 2014, 10:25:04 AM
 #513

36.64902892 Litecoins from my address were sent here:
http://ltc.block-explorer.com/tx/5050b8d57c7e1ef560ba19fcb48b4721b91d108dccd00db224507f2d44d17920

send me, please
Mika67
Newbie
*
Offline Offline

Activity: 31
Merit: 0


View Profile
February 05, 2014, 10:36:28 AM
Last edit: February 06, 2014, 11:12:01 AM by Mika67
 #514

36.64902892 Litecoins from my address were sent here:
http://ltc.block-explorer.com/tx/5050b8d57c7e1ef560ba19fcb48b4721b91d108dccd00db224507f2d44d17920

send me, please

rze
Full Member
***
Offline Offline

Activity: 194
Merit: 100


View Profile
February 05, 2014, 10:40:07 AM
 #515

How soon will a refund?
iliya08
Newbie
*
Offline Offline

Activity: 3
Merit: 0


View Profile
February 05, 2014, 10:41:52 AM
 #516

i also lost 640000 batcoins
def_ender (OP)
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
February 05, 2014, 10:44:57 AM
 #517

i also lost 640000 batcoins
Please, guys, read messages. I'm really tired now, and can't repeat them.
Only currency lost is LTC and LEAF now. Other currencies will be refunded fully.
DarkHunter04
Member
**
Offline Offline

Activity: 126
Merit: 11


View Profile
February 05, 2014, 10:45:45 AM
 #518

Changed 6000 Nyancoins to LTC (~6,5)
TransactionID: abaee040e052ad1ae20e143270dad813d5020338a013ed443153fd36ed3fbbae
and 8440887bccf794099752634cb9020c585d01590225921ac26cad3cefcb66a934

But i think you can see it in your history how much LTC exactly - and I had ~ 100k Nutcoins last night, before I go to bed
def_ender (OP)
Full Member
***
Offline Offline

Activity: 140
Merit: 100


View Profile
February 05, 2014, 10:49:54 AM
 #519

5/02: thanks to the unknown hacker, we're closing. Please email at support@freshmarket.co.in for partial refund of LTC/leaf/nyan and full refund of other currencies. You need to email from mail y used for registraion, with amount of coins and adress to withdraw for every currency

Also, i have to say, that site now is still in BETA, so use it on your own risk.
That's the OP-post quote. Please, don't make me repeat more.
flex65
Full Member
***
Offline Offline

Activity: 224
Merit: 100


View Profile
February 05, 2014, 10:50:38 AM
 #520

Quote
Please, guys, read messages. I'm really tired now, and can't repeat them.
Only currency lost is LTC and LEAF now. Other currencies will be refunded fully.

How will you return LTC?Huh
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 [26] 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 »
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!