Warning: One or more bitcointalk.org users have reported that they strongly believe that the creator of this topic is a scammer. (Login to see the detailed trust ratings.) While the bitcointalk.org administration does not verify such claims, you should proceed with extreme caution.
Author Topic: OpenEx to be shut down[Hacked]  (Read 14838 times)
r3wt (OP)
March 19, 2014, 06:11:18 PM
 #121

An update on the situation.

found account attempting to withdraw a small sum of btc. checking the account showed the following information (balance of 16+ btc, but deposit of only .05). this means the vuln was probably the tx id bug, just a dormant account the hacker planned to drain at a later date in time. there still was a separate attack of the withdrawal queue with fictitious withdrawals that occurred the day i announced closing the exchange. it looks like that was an isolated incident now, but i'm still not 100% sure yet:

http://pastebin.com/vzZN6eQu

videos, screenshots, whatever you like i will post them. it is not worth my time to argue with ignorant trolls. i'll just prove you wrong instead, which is what i do. i prove people wrong. have a great day. #HONESTY #HARDWORK #NEVERYIELD


My negative trust rating is reflective of a personal vendetta by someone on default trust.
smeagol
March 19, 2014, 07:48:11 PM
 #122


Yes, we sent you a portion of what you are owed. this means you are still owed .42

in case you aren't aware, we were hacked, so it's impossible for us to pay out everyone's withdrawals at this time, but we make an effort not to cheat anyone
Has anyone heard from the OP lately? Thanks

Yes, i'm still here. if you need to contact me directly, send me an email at admin@openex.pw for a way to contact me directly via Skype.

This is really sad, there seems to have been a lot of work put into OpenEX. It's like every day there is an exchange hacked.

So far only these 3 seem to be secure enough to not be hacked:

-Bitstamp
-Cryptsy
-MCxNow

yeah there was. the accusations being thrown about me in this thread are ridiculous, and not rooted in fact at all.

@r3wt, may I see the source code?  PM me please

What are your intentions for the source code?

i would like to see the engine so i can write my own exchange software
r3wt (OP)
March 19, 2014, 07:55:53 PM
 #123


Yes, we sent you a portion of what you are owed. this means you are still owed .42

in case you aren't aware, we were hacked, so it's impossible for us to pay out everyone's withdrawals at this time, but we make an effort not to cheat anyone
Has anyone heard from the OP lately? Thanks

Yes, i'm still here. if you need to contact me directly, send me an email at admin@openex.pw for a way to contact me directly via Skype.

This is really sad, there seems to have been a lot of work put into OpenEX. It's like every day there is an exchange hacked.

So far only these 3 seem to be secure enough to not be hacked:

-Bitstamp
-Cryptsy
-MCxNow

yeah there was. the accusations being thrown about me in this thread are ridiculous, and not rooted in fact at all.

@r3wt, may I see the source code?  PM me please

What are your intentions for the source code?

i would like to see the engine so i can write my own exchange software

it's nothing special about 12 lines of code really. here, i'll get it for you.


Code:
<?php
/**(c)2013-14 Justin Gillett, OpenEx.pw -- All Rights Reserved.**/
// Note: the mysql_* functions used here exist only in PHP 5.x (removed in PHP 7.0).
require_once("../models/config.php");
include("../models/class.trade.php");

// Select the trades whose `From` and `Type` columns differ
$sell = mysql_query("SELECT * FROM trades WHERE `From`<>`Type` LIMIT 1000000000000");
$num = mysql_num_rows($sell);
echo $num;
for ($i = 0; $i < $num; $i++) {
    $id = mysql_result($sell, $i, "Id");
    if ($id != 0) {
        // the actual trade execution
        $trade = new Trade($id);
        $trade->GetEquivalentTrade();
        $trade->ExecuteTrade();
    }
}

to run it, simply use a shell script (this example runs on 1 second intervals @ roughly 280 mb/s):

Code:
#!/bin/bash
# Request the trade-matching script once per second
while :
do
    sleep 1
    wget http://127.0.0.1/path/to/system/cronjob1.php -O Temp --delete-after
done

My negative trust rating is reflective of a personal vendetta by someone on default trust.
hoju2k
March 20, 2014, 01:57:23 AM
 #124

r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it



Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at admin@openex.pw"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.
r3wt (OP)
March 20, 2014, 02:52:14 AM
 #125

r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it



Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at admin@openex.pw"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.

Damnit, no i forgot again. have you tried to login again? you've been unbanned a long time

My negative trust rating is reflective of a personal vendetta by someone on default trust.
hoju2k
March 20, 2014, 06:57:30 AM
 #126

Yes, I can login now, but the ETB are still missing.
r3wt (OP)
March 20, 2014, 09:02:08 AM
 #127

ATTENTION:

my cellphone quit working, and i cannot login to my normal email account (the one used for support) which is protected by 2fa. so in the meantime, if you need to contact me about anything support related, please use the following email address


admin @ openex.pw


My negative trust rating is reflective of a personal vendetta by someone on default trust.
dbt1033
March 20, 2014, 09:43:15 AM
 #128



And



I know firsthand how horrible it can be to lose your coins.  You guys can put 2 and 2 together on your own.  r3wt said himself that he was once a bottomfeeder and "knows" a scam when he sees one. 

I wish the best to all of you.

I've been trading at Atomic-Trade recently.  They have an extended SSL certificate.  Coinbase doesn't even have one.

The owner is actually a nice/honest guy too, and he has regular security audits done to ensure his customer's safety.  Here is the most recent one:



It's time for exchanges to take a security-first approach to ensure this doesn't keep happening.
dbt1033
March 20, 2014, 09:47:01 AM
 #129

And by the way, r3wt has plenty of btc to pay you all out of his own pocket. 

He's just not that kind of guy.
coiner8
March 20, 2014, 12:38:38 PM
 #130

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.
r3wt (OP)
March 20, 2014, 12:40:29 PM
 #131

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

My negative trust rating is reflective of a personal vendetta by someone on default trust.
milly6
March 20, 2014, 11:35:54 PM
 #132

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

r3wt... theft is theft

Eyes open, No Fear. Be Safe! Trinity: Currency Without Bias
hoju2k
March 21, 2014, 12:05:09 AM
 #133

r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it



Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at admin@openex.pw"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.

Damnit, no i forgot again. have you tried to login again? you've been unbanned a long time

EBT received, thank you.
triplef
March 21, 2014, 01:20:46 AM
 #134

WTF did you run an exchange on open source you got from github?

FUCK SAKES......

anyone / everyone could have hacked you, they had all the keys.


dbt1033
March 21, 2014, 02:11:46 AM
 #135

Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.
dbt1033
March 21, 2014, 02:19:51 AM
 #136

Here's what really bugs me.  Hydroponica said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin Hydroponica has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.


Hey, Hey, watch it....

Hydroponica is an honest scammer.


~BCX~



I agree.  As honest as scammers get!
r3wt (OP)
March 21, 2014, 02:59:43 AM
 #137

Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

justin gillet wrote that particular part. why don't you ask him.

here's the code in question:

Code:
if(isset($_POST["fchk"])) {
    if(isUserAdmin($id00)) {
        if($_POST["Transaction_Id"] != NULL && $_POST["Coin"] != NULL) {
            $tid = mysql_real_escape_string(trim($_POST["Transaction_Id"]));
            $coin = mysql_real_escape_string(trim($_POST["Coin"]));
            $sql = mysql_query("SELECT * FROM Wallets WHERE `Acronymn`='$coin'");
            $id = @mysql_result($sql,0,"Id");

            $sql2 = @mysql_query("SELECT * FROM deposits WHERE `Transaction_Id`='$tid' AND `Coin`='$coin'");
            $id2 = @mysql_result($sql2,0,"id");
            $paid = @mysql_result($sql2,0,"Paid");
            $wallet = new Wallet($id);
            $trans = @$wallet->gettransaction($tid);
            echo '<pre>';
            print_r($trans);
            echo '</pre>';
            if($trans != null) {
                if(is_array($trans)) {
                    if(in_array("Invalid or non-wallet transaction id", $trans,true)) {

                        echo "non wallet transaction id or invalid tx";
                    }else{
                        $account = $trans["details"][0]["account"];
                        $category = $trans["details"][0]["category"];
                        $confirms = $trans["confirmations"];
                        $amount = $trans["amount"];
                        if($id2 != NULL) {
                            if($paid == 0) {
                                if($category == "receive" && $confirms > 3 && $account != "")
                                {
                                    mysql_query("UPDATE deposits SET `Paid`='1' WHERE `id`='$id2'");
                                    AddMoney($amount, $account, $coin);
                                    echo $amount." ".$coin." was credited to your account";
                                }
                            }else{
                                echo $amount." ".$coin." was already credited to the account.";
                            }
                        }else{
                            if($category == "receive" && $account != "") {
                                if($confirms > 5) {
                                    mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','1','$account');");
                                    AddMoney($amount, $account, $coin);
                                    echo $amount." ".$coin." was successfully credited to the account";
                                }else{
                                    mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','0','$account');");
                                    echo "This Deposit is unconfirmed. Current confirmations:" . $confirms .". Required : 6.";
                                }
                            }else{
                                echo "transaction is not a deposit or account is invalid.";
                            }
                        }
                    }
                }else{
                    echo "Contact the admin. Error Code: 35-1a";
                    /* ERROR CODE INFORMATION

                    Error Code 35-1a
                    the result wasn't an array. so its probably invalid. inform customer to disregard.
                    */
                }
            }
        }
    }
}
} // closes an enclosing block that is not part of the posted snippet


Any idea why it wouldn't strip the zeros (since they are obviously in the database)?

My negative trust rating is reflective of a personal vendetta by someone on default trust.
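
The duplicate check dbt1033 asks about in #135, as an added example (not OpenEx code and not written by anyone in this thread): the submitted txid is reduced to one canonical form, must match the `txid` field the wallet reports, and a UNIQUE constraint rejects a second credit. `canonical_txid()`, `credit_deposit()`, the `balances` table and the in-memory SQLite data are assumptions; the thread never shows `AddMoney()`, so a plain UPDATE stands in for it.

```php
<?php
// Added example, not OpenEx code. Column names follow the posted snippet;
// canonical_txid(), credit_deposit() and the balances table are hypothetical.

function canonical_txid(string $raw): ?string {
    $t = strtolower(trim($raw));
    // A txid is exactly 32 bytes of hex: padded, prefixed or truncated input is rejected
    return preg_match('/\A[0-9a-f]{64}\z/', $t) === 1 ? $t : null;
}

function credit_deposit(PDO $db, string $coin, string $submitted, array $tx, int $minConf = 6): string {
    $txid = canonical_txid($submitted);
    if ($txid === null) return 'rejected: malformed txid';
    // Key the ledger on the id the wallet reports, and require it to match the request
    if (canonical_txid((string)($tx['txid'] ?? '')) !== $txid) return 'rejected: txid mismatch';
    $d = $tx['details'][0] ?? [];
    if (($d['category'] ?? '') !== 'receive' || ($d['account'] ?? '') === '') return 'rejected: not a deposit';
    if ((int)($tx['confirmations'] ?? 0) < $minConf) return 'pending';
    $sat = (int) round($tx['amount'] * 1e8);   // integer units, no float balances
    $db->beginTransaction();
    try {
        // UNIQUE (Coin, Transaction_Id) makes a second credit fail inside the transaction
        $db->prepare('INSERT INTO deposits (Transaction_Id, Amount, Coin, Paid, Account) VALUES (?,?,?,1,?)')
           ->execute([$txid, $sat, $coin, $d['account']]);
        $db->prepare('UPDATE balances SET Amount = Amount + ? WHERE Account = ? AND Coin = ?')
           ->execute([$sat, $d['account'], $coin]);
        $db->commit();
        return 'credited';
    } catch (PDOException $e) {
        $db->rollBack();
        if (($e->errorInfo[0] ?? '') === '23000') return 'rejected: already credited';
        throw $e;
    }
}

// Constructed demo data: in-memory SQLite stands in for the exchange database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE deposits (Transaction_Id TEXT, Amount INTEGER, Coin TEXT, Paid INTEGER,
           Account TEXT, UNIQUE (Coin, Transaction_Id))');
$db->exec('CREATE TABLE balances (Account TEXT, Coin TEXT, Amount INTEGER)');
$db->exec("INSERT INTO balances VALUES ('alice', 'BTC', 0)");

$id = str_repeat('ab', 32);   // constructed 64-hex-character txid
$tx = ['txid' => $id, 'amount' => 0.05, 'confirmations' => 7,
       'details' => [['account' => 'alice', 'category' => 'receive']]];
foreach ([$id, strtoupper($id), $id . '00', '00' . $id] as $submitted) {
    echo credit_deposit($db, 'BTC', $submitted, $tx), "\n";
}
echo $db->query("SELECT Amount FROM balances WHERE Account = 'alice'")->fetchColumn(), "\n";
```

In the posted snippet the deposits lookup compares the raw submitted string while the wallet resolves the transaction itself, so the two can disagree about whether a deposit has been seen before; here both use the same canonical key and the database enforces uniqueness.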
dbt1033
March 21, 2014, 03:25:20 AM
 #138

Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

justin gillet wrote that particular part. why don't you ask him.

here's the code in question:

Code:
if(isset($_POST["fchk"])) {
    if(isUserAdmin($id00)) {
        if($_POST["Transaction_Id"] != NULL && $_POST["Coin"] != NULL) {
            $tid = mysql_real_escape_string(trim($_POST["Transaction_Id"]));
            $coin = mysql_real_escape_string(trim($_POST["Coin"]));
            $sql = mysql_query("SELECT * FROM Wallets WHERE `Acronymn`='$coin'");
            $id = @mysql_result($sql,0,"Id");

            $sql2 = @mysql_query("SELECT * FROM deposits WHERE `Transaction_Id`='$tid' AND `Coin`='$coin'");
            $id2 = @mysql_result($sql2,0,"id");
            $paid = @mysql_result($sql2,0,"Paid");
            $wallet = new Wallet($id);
            $trans = @$wallet->gettransaction($tid);
            echo '<pre>';
            print_r($trans);
            echo '</pre>';
            if($trans != null) {
                if(is_array($trans)) {
                    if(in_array("Invalid or non-wallet transaction id", $trans,true)) {

                        echo "non wallet transaction id or invalid tx";
                    }else{
                        $account = $trans["details"][0]["account"];
                        $category = $trans["details"][0]["category"];
                        $confirms = $trans["confirmations"];
                        $amount = $trans["amount"];
                        if($id2 != NULL) {
                            if($paid == 0) {
                                if($category == "receive" && $confirms > 3 && $account != "")
                                {
                                    mysql_query("UPDATE deposits SET `Paid`='1' WHERE `id`='$id2'");
                                    AddMoney($amount, $account, $coin);
                                    echo $amount." ".$coin." was credited to your account";
                                }
                            }else{
                                echo $amount." ".$coin." was already credited to the account.";
                            }
                        }else{
                            if($category == "receive" && $account != "") {
                                if($confirms > 5) {
                                    mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','1','$account');");
                                    AddMoney($amount, $account, $coin);
                                    echo $amount." ".$coin." was successfully credited to the account";
                                }else{
                                    mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','0','$account');");
                                    echo "This Deposit is unconfirmed. Current confirmations:" . $confirms .". Required : 6.";
                                }
                            }else{
                                echo "transaction is not a deposit or account is invalid.";
                            }
                        }
                    }
                }else{
                    echo "Contact the admin. Error Code: 35-1a";
                    /* ERROR CODE INFORMATION

                    Error Code 35-1a
                    the result wasn't an array. so its probably invalid. inform customer to disregard.
                    */
                }
            }
        }
    }
}
} // closes an enclosing block that is not part of the posted snippet


Any idea why it wouldn't strip the zeros (since they are obviously in the database)?

That's not my problem.
MysticalPotato
March 21, 2014, 05:39:08 AM
 #139

r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

I'm confused, r3wt.

Your original OP:


"Politeness induces morality. Serenity of manners requires serenity of mind.” - Julia Ward Howe

Signature space available for a worthy cause
r3wt (OP)
March 21, 2014, 05:52:44 AM
 #140

looks like some trolls trying really hard to discredit me.

My negative trust rating is reflective of a personal vendetta by someone on default trust.