[ANN] | freshmarket.co.in - Closed. Refunds till 10/02/14

[r3wt]

I'm really sorry to say this, but it seems that our security system wasn't enough.
Just now i received a message from someone that he has hacked our exchange, and if we want to stop this, we have to pay 10 BTC. Obviously, we are not going to pay our users' money, and we temporarily closed the exchange. We have made an secutity audit to see what's missing, and found ~1200 LTC stolen (nearly 40% of all LTC),  nearly ~50% of LEAFcoins, and ~20% NYANcoins. All other currencies remained nearly unchanged.
Just now we deciding what refund can we make (dev team has nearly 200 LTC on their own, and i can give up some too). We will make a message after we have an agreement. We will 100% refund all other (not-leaf, nyan or LTC) currencies, and try to refund as much ltc as we can.
As i see, it was sql-injection, but it doesn't helped him much - all passwords are stored as hashed ones. So he just brute-forced all low-security passwords to steal their money. So if you haven't got email auth - it is possible that your account was just jacked.

I also have possible ideas about openex malware in source code, but without proofs i can't do anything.

i told you to upgrade to our latest code, you wouldn't listen.

also there is not malware in the source. you clearly have no idea what you are talking about, and its not sql injection either, unless its something arbirtrary you and your "devs" added to your source.Now before you try and blame me, i want you to open our github readme and read the very first sentence, aloud to yourself.
"THIS IS BETA SOFTWARE. USE AT YOUR OWN RISK"

It was never our intension for a handful of greedy people to clone our repo and start up fly by night exchanges, but hey they did and now you are paying the price for it. you need to check auth.log to make sure it wasn't ssh. or chech your mysql configuration. its possible you had mysql listening on something other than localhost and they bruteforced your db.

finally check your ufw configuration or whatever other firewall you use.

other than that the only possible entry for sql injection was newticket.php, and you said you fixed it when i tweeted you about it. in the end, it is very likely the attacker was simply bruteforcing accounts then draining the accounts. similar thing was happening at openex, probably same hacker, so we reacted by upping the security.

i think i even mentioned to you about the need to tighten down bruteforce protection on all the forms. this is the risk you run cloning my repo while we are still in beta. this is the exact reason openex doesn't allow withdrawals without admin approval, and ip bans on 3 strikes on all forms where  apassword is required. it is imperative to stay ahead of the game, and cloning my repo in beta is the equivalent of jumping off a cliff with a backpack.

the point is, not that you are stupid. but this is a cat and mouse game and you cna't be running one of these things if you are prepared to fight with the hackers to defend your site. they are smart and if they cna't find a crack to exploit, they will make one.

>you need to check auth.log to make sure it wasn't ssh
No logins on ssh, it's certificate-proven and listening to only one port from only one ip-adress.
>other than that the only possible entry for sql injection was newticket.php,
Fixed it.
>bruteforcing accounts then draining the accounts
We have fail2ban to unable bruteforce.

Man, we used all security features i know, and i want to hear from hacker how this was done.
Also, i still don't see what i have to do to to prove this cryptsy account belongs to me.

1. all ssh is only on one port. you cant have sshdaemon running on multiple ports
2.fail2ban is for ssh, i'm talking about account logins from your site. i made an emergency update last night to patch the login page, withdraw page and account preferences pages to tiighten down the security.
3.thats clearly what the hacker just said he did. draining your accounts.
4.did you even setup a firewall at all?
5.did you have mysql listening on anything other than localhost, ie an outward faceing mysql connection. was this sql port firewalled?
ex: way to properly secure mysql server port

Code:

ufw allow from 127.0.0.1 to 127.0.0.1 port 3306 proto tcp

if your db server is on external device, then you can tunnel it with haproxy or similar proxy software. this protects your mysql server from getting hacked.

i can't stress enough, you ahve to have a firewall rule for every single service on the server, otherwise you are a sitting duck.

also, login to your mysql server. select permissions from the options. its towards the end on the right at the top of phpmyadmin. if any of the users are allowed anywhere other than localhost, it is a security vulnerability.

[1714866591]

1714866591

[1714866591]

1714866591

[1714866591]

1714866591

[def_ender]

R3wt,
>4
EC2 AWS Amazon security groups preferencies
>5
Base is available only from server.

I'm still waiting for hacker move.

[r3wt]

R3wt,
>4
EC2 AWS Amazon security groups preferencies
>5
Base is available only from server.

I'm still waiting for hacker move.

AWS is about the last place in the world you should host an exchange. FFS man!

[DarkHunter04]

Get we our LTC/other coins back? Or are they stolen? :/

[def_ender]

Get we our LTC/other coins back? Or are they stolen? :/

As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.

[Mika67]

Get we our LTC/other coins back? Or are they stolen? :/

Partly solved!!

[DarkHunter04]

Get we our LTC/other coins back? Or are they stolen? :/

As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.

Oh nice ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him

[def_ender]

Get we our LTC/other coins back? Or are they stolen? :/

As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.

Oh nice ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him

Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.

[DarkHunter04]

Get we our LTC/other coins back? Or are they stolen? :/

As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.

Oh nice ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him

Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.

Very nice good job just 75% .. but better than nothing.
Stupid hackers, stupid retards, they should do good things .. but no theyre stupid :

[herbitcoins]

Get we our LTC/other coins back? Or are they stolen? :/

As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.

Oh nice ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him

Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.

Anyway, it is not clear ! Who lost what ? which users ? Injection ? brute or not?

My password is strong as hell , full of number and alphanum so ....

Any Adress to trace?

[Mika67]

Get we our LTC/other coins back? Or are they stolen? :/

As i said, you can get all currencies esle leaf/ltc in full (we found some sponsor of NYAN so we will fully refund it too). Leaf and ltc will be partially refunded.

Oh nice ok and when?

Didnt read your posts, because I think its just an troll and you should ignore him

Just now we have ~75% of all money needed and looking for sponsors to help us refund customers money.
We will start refunds in a few hours, i will make a message.

If you have sponsors and IF for any reason these sponsors should have UTC > I'll accept utc instead of my (framed/lost) Ltc

[filipej]

If you give money I will continue exchange  in frashmarket but please raise your level of safety.

[flex65]

36.64902892 Litecoins from my address were sent here:
http://ltc.block-explorer.com/tx/5050b8d57c7e1ef560ba19fcb48b4721b91d108dccd00db224507f2d44d17920

send me, please

[Mika67]

36.64902892 Litecoins from my address were sent here:
http://ltc.block-explorer.com/tx/5050b8d57c7e1ef560ba19fcb48b4721b91d108dccd00db224507f2d44d17920

send me, please

[rze]

How soon will a refund?

[iliya08]

i also lost 640000 batcoins

[def_ender]

i also lost 640000 batcoins

Please, guys, read messages. I'm really tired now, and can't repeat them.
Only currency lost is LTC and LEAF now. Other currencies will be refunded fully.

[DarkHunter04]

Changed 6000 Nyancoins to LTC (~6,5)
TransactionID: abaee040e052ad1ae20e143270dad813d5020338a013ed443153fd36ed3fbbae
and 8440887bccf794099752634cb9020c585d01590225921ac26cad3cefcb66a934

But i think you can see it in your history how much LTC exactly - and I had ~ 100k Nutcoins last night, before I go to bed

[def_ender]

5/02: thanks to the unknown hacker, we're closing. Please email at support@freshmarket.co.in for partial refund of LTC/leaf/nyan and full refund of other currencies. You need to email from mail y used for registraion, with amount of coins and adress to withdraw for every currency

Also, i have to say, that site now is still in BETA, so use it on your own risk.

That's the OP-post quote. Please, don't make me repeat more.

[flex65]

Please, guys, read messages. I'm really tired now, and can't repeat them.
Only currency lost is LTC and LEAF now. Other currencies will be refunded fully.

How will you return LTC?