OpenEx to be shut down[Hacked]

[smeagol]

Yes, we sent you a portion of what you are owed. this means you are still owed .42

in case you aren't aware, we were hacked, so its impossible for us to payout everyones withdrawals at this time, but we make an effort not to cheat anyone

Has anyone heard from the OP lately? Thanks

Yes, i'm still here. if you need to contact me directly, send me an email at admin@openex.pw for a way to contact me directly via Skype.

This is really sad, there seems to have been alot of work put into OpenEX. It's like every day there is an exchange hacked.

So far only these 3 seem to be secure enough to not be hacked:

-Bistamp
-Cryptsy
-MCxNow

yeah there was. the accusations being thrown about me in this thread are ridiculous, and not rooted in fact at all.

@r3wt, may I see the source code?  PM me please

What are your intentions for the source code?

i would like to see the engine so i can write my own exchange software

[r3wt]

Yes, we sent you a portion of what you are owed. this means you are still owed .42

in case you aren't aware, we were hacked, so its impossible for us to payout everyones withdrawals at this time, but we make an effort not to cheat anyone

Has anyone heard from the OP lately? Thanks

Yes, i'm still here. if you need to contact me directly, send me an email at admin@openex.pw for a way to contact me directly via Skype.

This is really sad, there seems to have been alot of work put into OpenEX. It's like every day there is an exchange hacked.

So far only these 3 seem to be secure enough to not be hacked:

-Bistamp
-Cryptsy
-MCxNow

yeah there was. the accusations being thrown about me in this thread are ridiculous, and not rooted in fact at all.

@r3wt, may I see the source code?  PM me please

What are your intentions for the source code?

i would like to see the engine so i can write my own exchange software

its nothing special about 12 lines of code really. here' ill get it for you.

Code:

/**(c)2013-14 Justin Gillett, OpenEx.pw -- All Rights Reserved.**/
require_once("../models/config.php");
include("../models/class.trade.php");
$sell = mysql_query("SELECT * FROM trades WHERE `From`<>`Type` LIMIT 1000000000000");
$num = mysql_num_rows($sell);
echo $num;
for ($i = 0; $i < $num; $i++) {
   $id = mysql_result($sell,$i,"Id");
   if($id != 0)
   {
                //the actual trade execution
		$trade = new Trade($id);
		$trade->GetEquivalentTrade();
		$trade->ExecuteTrade();
   }
}

to run it, simply use a shell script(this example runs on 1 second intervals @ roughly 280 mb/s):

Code:

#!/bin/bash
while :

do
sleep 1
 wget http://127.0.0.1/path/to/system/cronjob1.php -O Temp --delete-after

done

[hoju2k]

r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it

Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at admin@openex.pw"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.

[r3wt]

r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it

Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at admin@openex.pw"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.

Damnit, no i forgot again. have you tried to login again? you've been unbanned a long time

[hoju2k]

Yes, I can login now, but the ETB are still missing.

[r3wt]

ATTENTION:

my cellphone quit working, and i cannot login to my normal email account(the one used for support) which is protected by 2fa. so in the meantime,if you need to contact with me about anything support related, please use the following email address


admin @ openex.pw

[dbt1033]

And



I know firsthand how horrible it can be to lose your coins.  You guys can put 2 and 2 together on your own.  r3wt said himself that he was once a bottomfeeder and "knows" a scam when he sees one. 

I wish the best to all of you.

I've been trading at Atomic-Trade recently.  They have an extended SSL certificate.  Coinbase doesn't even have one.

The owner is actually a nice/honest guy too, and he has regular security audits done to ensure his customer's safety.  Here is the most recent one:



It's time for exchanges to take a security-first approach to ensure this doesn't keep happening.

[dbt1033]

And by the way, r3wt has plenty of btc to pay you all out of his own pocket. 

He's just not that kind of guy.

[coiner8]

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

[r3wt]

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

[milly6]

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

r3wt... theft is theft 

[hoju2k]

r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it

Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at admin@openex.pw"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.

Damnit, no i forgot again. have you tried to login again? you've been unbanned a long time

EBT received, thank you.

[triplef]

WTF did you run an exchange on open source you got from github ?

FUCK SAKES......

anyone / everyone could of hacked you, they had all the keys.

[dbt1033]

Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastbin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

[dbt1033]

Here's what really bugs me.  Hydroponica said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastbin Hydroponica has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

Hey, Hey, watch it....

Hydroponica is an honest scammer.


~BCX~

I agree.  As honest as scammers get!

[r3wt]

Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastbin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

justin gillet wrote that particular part. why don't you ask him.

here's the code in question:

Code:

if(isset($_POST["fchk"])) {
		if(isUserAdmin($id00)) {
			if($_POST["Transaction_Id"] != NULL && $_POST["Coin"] != NULL) {
				$tid = mysql_real_escape_string(trim($_POST["Transaction_Id"]));
				$coin = mysql_real_escape_string(trim($_POST["Coin"]));
				$sql = mysql_query("SELECT * FROM Wallets WHERE `Acronymn`='$coin'");
				$id = @mysql_result($sql,0,"Id");
				
				$sql2 = @mysql_query("SELECT * FROM deposits WHERE `Transaction_Id`='$tid' AND `Coin`='$coin'");
				$id2 = @mysql_result($sql2,0,"id");
				$paid = @mysql_result($sql2,0,"Paid");
				$wallet = new Wallet($id);
				$trans = @$wallet->gettransaction($tid);
				echo '<pre>';
				print_r($trans);
				echo '</pre>';
				if($trans != null) {
					if(is_array($trans)) {
						if(in_array("Invalid or non-wallet transaction id", $trans,true)) {
							
							echo "non wallet transaction id or invalid tx";
						}else{
							$account = $trans["details"][0]["account"];
							$category = $trans["details"][0]["category"];
							$confirms = $trans["confirmations"];
							$amount = $trans["amount"];
							if($id2 != NULL) {
								if($paid == 0) {
									if($category == "receive" && $confirms > 3 && $account != "")
									{
										mysql_query("UPDATE deposits SET `Paid`='1' WHERE `id`='$id2'");
										AddMoney($amount, $account, $coin);
										echo $amount." ".$coin." was credited to your account";
									}
								}else{
									echo $amount." ".$coin." was already credited to the account.";
								}
							}else{
								if($category == "receive" && $account != "") {
									if($confirms > 5) {
										mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','1','$account');");
										AddMoney($amount, $account, $coin);
										echo $amount." ".$coin." was successfully credited to the account";
									}else{
										mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','0','$account');");
										echo "This Deposit is unconfirmed. Current confirmations:" . $confirms .". Required : 6.";
									}
								}else{
									echo "transaction is not a deposit or account is invalid.";
								}
							}	
						}
					}else{
						echo "Contact the admin. Error Code: 35-1a"; 
						/* ERROR CODE INFORMATION 
							
							Error Code 35-la
							the result wasn't an array. so its probably invalid. inform customer to disregard.
						 */
					}
				}
			}	
		}	
	}
}

Any idea why it wouldn't strip the zeros(since they are obviously in the database?)

[dbt1033]

Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastbin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

justin gillet wrote that particular part. why don't you ask him.

here's the code in question:

Code:

if(isset($_POST["fchk"])) {
		if(isUserAdmin($id00)) {
			if($_POST["Transaction_Id"] != NULL && $_POST["Coin"] != NULL) {
				$tid = mysql_real_escape_string(trim($_POST["Transaction_Id"]));
				$coin = mysql_real_escape_string(trim($_POST["Coin"]));
				$sql = mysql_query("SELECT * FROM Wallets WHERE `Acronymn`='$coin'");
				$id = @mysql_result($sql,0,"Id");
				
				$sql2 = @mysql_query("SELECT * FROM deposits WHERE `Transaction_Id`='$tid' AND `Coin`='$coin'");
				$id2 = @mysql_result($sql2,0,"id");
				$paid = @mysql_result($sql2,0,"Paid");
				$wallet = new Wallet($id);
				$trans = @$wallet->gettransaction($tid);
				echo '<pre>';
				print_r($trans);
				echo '</pre>';
				if($trans != null) {
					if(is_array($trans)) {
						if(in_array("Invalid or non-wallet transaction id", $trans,true)) {
							
							echo "non wallet transaction id or invalid tx";
						}else{
							$account = $trans["details"][0]["account"];
							$category = $trans["details"][0]["category"];
							$confirms = $trans["confirmations"];
							$amount = $trans["amount"];
							if($id2 != NULL) {
								if($paid == 0) {
									if($category == "receive" && $confirms > 3 && $account != "")
									{
										mysql_query("UPDATE deposits SET `Paid`='1' WHERE `id`='$id2'");
										AddMoney($amount, $account, $coin);
										echo $amount." ".$coin." was credited to your account";
									}
								}else{
									echo $amount." ".$coin." was already credited to the account.";
								}
							}else{
								if($category == "receive" && $account != "") {
									if($confirms > 5) {
										mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','1','$account');");
										AddMoney($amount, $account, $coin);
										echo $amount." ".$coin." was successfully credited to the account";
									}else{
										mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','0','$account');");
										echo "This Deposit is unconfirmed. Current confirmations:" . $confirms .". Required : 6.";
									}
								}else{
									echo "transaction is not a deposit or account is invalid.";
								}
							}	
						}
					}else{
						echo "Contact the admin. Error Code: 35-1a"; 
						/* ERROR CODE INFORMATION 
							
							Error Code 35-la
							the result wasn't an array. so its probably invalid. inform customer to disregard.
						 */
					}
				}
			}	
		}	
	}
}

Any idea why it wouldn't strip the zeros(since they are obviously in the database?)

That's not my problem.

[MysticalPotato]

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

I'm confused, r3wt.

Your original OP:

[r3wt]

looks like some trolls trying really hard to discredit me.

[r3wt]

looks like some trolls trying really hard to discredit me.

If you made both of those post in which one claim coins were stolen and the other denies it, then which ever one you own up to, the other proves you to be a liar.  How is that being a troll? Sounds like solid and legitimate question to me.

First of all, I'm sorry for the attitude i have been giving people. this is a very stressful people for everyone involved with OpenEx, customers included. We are working on sorting out exactly how much coin left the exchange which was not supposed to. This is where the confusion lies. We are not going anywhere, and we fully plan on paying all customers which have been wronged. Once again, i apologize for this entire mess. It appears that less coin than originally we thought has been stolen, but there has been coin stolen. It just wasn't as cut and dry as a straight up server break in or RPC vulnerability.

We will post an update on 3/27/14.