dbt1033 (Legendary; Activity: 1274; Merit: 1000)
March 21, 2014, 07:05:16 AM (Last edit: March 21, 2014, 08:57:06 AM by dbt1033)
looks like some trolls trying really hard to discredit me.
If you made both of those posts, in which one claims coins were stolen and the other denies it, then whichever one you own up to, the other proves you to be a liar. How is that being a troll? Sounds like a solid and legitimate question to me.
First of all, I'm sorry for the attitude I have been giving people. This is a very stressful people for everyone involved with OpenEx, customers included. We are working on sorting out exactly how much coin left the exchange which was not supposed to. This is where the confusion lies. We are not going anywhere, and we fully plan on paying all customers which have been wronged. Once again, I apologize for this entire mess. It appears that less coin than originally we thought has been stolen, but there has been coin stolen. It just wasn't as cut and dry as a straight up server break in or RPC vulnerability. We will post an update on 3/27/14.
Wait so is the coin stolen or not? Because you posted this yesterday, clearly stating that it was not. Yet your most recent post indicates otherwise. Either way, you are a liar.

dbt1033 (Legendary; Activity: 1274; Merit: 1000)
March 21, 2014, 07:09:08 AM
looks like some trolls trying really hard to discredit me.
You have discredited yourself. No one has to try. You make it easy.

coiner8 (Member; Activity: 65; Merit: 10)
March 21, 2014, 03:34:45 PM
looks like some trolls trying really hard to discredit me.
If you made both of those posts, in which one claims coins were stolen and the other denies it, then whichever one you own up to, the other proves you to be a liar. How is that being a troll? Sounds like a solid and legitimate question to me.
First of all, I'm sorry for the attitude I have been giving people. This is a very stressful people for everyone involved with OpenEx, customers included. We are working on sorting out exactly how much coin left the exchange which was not supposed to. This is where the confusion lies. We are not going anywhere, and we fully plan on paying all customers which have been wronged. Once again, I apologize for this entire mess. It appears that less coin than originally we thought has been stolen, but there has been coin stolen. It just wasn't as cut and dry as a straight up server break in or RPC vulnerability. We will post an update on 3/27/14.
Wait so is the coin stolen or not? Because you posted this yesterday, clearly stating that it was not. Yet your most recent post indicates otherwise. Either way, you are a liar.
34 BTC
Called out on it, cannot provide any evidence.
Some amount, I'm not sure how much.
Called out on it, cannot provide any evidence.
Less than one bitcoin.
Pretty sure tomorrow he'll say nothing was lost. If we hadn't kept up the pressure he would have just walked away with everyone's funds. Amazing.
Edit: Oh, and this thread was started 11 days ago. 11 days to figure out whether any BTC was stolen? What a joke. This guy is the most incompetent scammer I've ever seen. Can't even make his thefts look believable. Everyone please give him a negative trust review on here.

milly6 (Legendary; Activity: 1632; Merit: 1010)
March 21, 2014, 03:46:31 PM
I am working with r3wt to find out exactly how much BTC was stolen. Yes, we are still unsure of the exact amount and no amount of trolling is going to change this, the only thing we can do at this point is keep plugging away at working on the site.
ATTENTION: If you have an account at OpenEX which had coins in it, PLEASE log in and attempt a withdrawal of any coins which are in your account. There are still many coins in wallets.

g4c
March 21, 2014, 03:58:35 PM
Well, finally found it. SQL injection from trade pages. Someone else who had been running the script on their site with Cloudflare installed found many of these in their Cloudflare logs.
page=trade&market=27+%252F*%252130000and%2528select+1+from%2528select+count%2528*%2529%252Cconcat%2528%2528select+%2528md5%25281165272%2529%2529+from+%2560information_schema%2560.tables+limit+0%252C1%2529%252Cfloor%2528rand%25280%2529*2%2529%2529x+from+%2560information_schema%2560.tables+group+by+x%2529a%2529+and+1%253D1*%252F
You didn't use prepared statements and PDO. SERIOUSLY! It's 2014 dude!!
CORTEX7 Multi exchange Bitcoin trading client for Win, Mac, Nix, Android.
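
Added example, not part of the original thread and not OpenEx code: a Python triage of the logged query string quoted in the post above, showing that it is still percent-encoded after the normal decode and what it contains once fully decoded. The pattern names, `INT_PARAMS`, and the assumption that `market` is a numeric id are this example's own.

```python
import re
from urllib.parse import parse_qsl, unquote

# Query string exactly as quoted in the post above (from the Cloudflare logs).
LOGGED = (
    "page=trade&market=27+%252F*%252130000and%2528select+1+from%2528select+count"
    "%2528*%2529%252Cconcat%2528%2528select+%2528md5%25281165272%2529%2529+from+"
    "%2560information_schema%2560.tables+limit+0%252C1%2529%252Cfloor%2528rand"
    "%25280%2529*2%2529%2529x+from+%2560information_schema%2560.tables+group+by+"
    "x%2529a%2529+and+1%253D1*%252F"
)
BENIGN = "page=trade&market=27"  # constructed sample of a normal request

INT_PARAMS = {"market"}  # assumption: the market parameter is a numeric id
SIGNS = {
    "mysql_versioned_comment": re.compile(r"/\*!\d*"),
    "information_schema": re.compile(r"information_schema", re.I),
    "subselect": re.compile(r"\(\s*select\b", re.I),
    "rand_group_by": re.compile(r"floor\(rand\(0\)\*2\).*group\s+by", re.I | re.S),
}

def fully_decode(value, max_rounds=5):
    """Percent-decode until stable; return (text, number of extra rounds needed)."""
    extra = 0
    for _ in range(max_rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value, extra = nxt, extra + 1
    return value, extra

def triage(query_string):
    """Return {param: {"decoded": str, "findings": [..]}} for suspicious parameters."""
    report = {}
    # parse_qsl performs the one decode a web server would normally apply.
    for name, value in parse_qsl(query_string, keep_blank_values=True):
        decoded, extra = fully_decode(value)
        findings = [label for label, rx in SIGNS.items() if rx.search(decoded)]
        if extra:
            findings.append("still_encoded_after_first_decode")
        if name in INT_PARAMS and not decoded.strip().isdigit():
            findings.append("expected_integer")
        if findings:
            report[name] = {"decoded": decoded, "findings": sorted(findings)}
    return report

if __name__ == "__main__":
    for qs in (BENIGN, LOGGED):
        print(triage(qs))
```

Log matching of this kind finds the probing after the fact; the fix named in the thread, PDO prepared statements, is what keeps the decoded text from being run as SQL.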

g4c
March 21, 2014, 04:10:27 PM
Wasn't the code just the UI, not the trade engine?
The injection query was entered in the UI form. A form is a form. The problem happened because the backend PHP code just took that malicious query and ran it. The database code was written unsafely, the door was left wide open, I'm surprised it didn't get taken sooner. It should have been coded using PDO prepared statements. If they used old school straight SQL queries then I would think that many other doors and windows were open. I'll bet the sessions weren't safe from fixation etc.

sumantso (Legendary; Activity: 1050; Merit: 1000)
March 21, 2014, 04:21:17 PM
Wanted to mention here that my withdrawals have gone through and I haven't lost anything.

milly6 (Legendary; Activity: 1632; Merit: 1010)
March 21, 2014, 04:22:12 PM
Wasn't the code just the UI, not the trade engine?
The injection query was entered in the UI form. A form is a form. The problem happened because the backend PHP code just took that malicious query and ran it. The database code was written unsafely, the door was left wide open, I'm surprised it didn't get taken sooner. It should have been coded using PDO prepared statements. If they used old school straight SQL queries then I would think that many other doors and windows were open. I'll bet the sessions weren't safe from fixation etc.
Live and learn.

sumantso (Legendary; Activity: 1050; Merit: 1000)
March 21, 2014, 04:22:49 PM
This is the worst time for you to try and sell those shares. I think the exchange is finished anyway. Even if they come back I doubt anybody will trust it.

g4c
March 21, 2014, 06:27:19 PM
Wasn't the code just the UI, not the trade engine?
The injection query was entered in the UI form. A form is a form. The problem happened because the backend PHP code just took that malicious query and ran it. The database code was written unsafely, the door was left wide open, I'm surprised it didn't get taken sooner. It should have been coded using PDO prepared statements. If they used old school straight SQL queries then I would think that many other doors and windows were open. I'll bet the sessions weren't safe from fixation etc.
Live and learn.
Yes and in a way it was a relatively cheap lesson, this dev WILL produce a harder system next time. My condolences to the dev. Don't be dissuaded, come back harder, what you've learned is worth more than your loss. And my hat off to you for trying to make all accounts as whole as possible. A true gentleman!

g4c
March 21, 2014, 06:42:08 PM (Last edit: March 21, 2014, 07:20:35 PM by g4c)
...This guy is the most incompetent scammer I've ever seen. Can't even make his thefts look believable. Everyone please give him a negative trust review on here.
IMHO I think you made an incorrect call here. If it were a scam then you wouldn't be in discourse with him, the line would be dead. Scammers don't hang around expending energy to placate their marks. We have seen (since your post) that @sumantso has withdrawn and regained his coin.

silverj (Newbie; Activity: 32; Merit: 0)
March 21, 2014, 07:51:07 PM
Wasn't the code just the UI, not the trade engine?
The injection query was entered in the UI form. A form is a form. The problem happened because the backend PHP code just took that malicious query and ran it. The database code was written unsafely, the door was left wide open, I'm surprised it didn't get taken sooner. It should have been coded using PDO prepared statements. If they used old school straight SQL queries then I would think that many other doors and windows were open. I'll bet the sessions weren't safe from fixation etc.
Live and learn.
Yes and in a way it was a relatively cheap lesson, this dev WILL produce a harder system next time. My condolences to the dev. Don't be dissuaded, come back harder, what you've learned is worth more than your loss. And my hat off to you for trying to make all accounts as whole as possible. A true gentleman!
Isn't this at least the second time? If so, please don't open it again, you're only putting more people's coins at risk.

dbt1033 (Legendary; Activity: 1274; Merit: 1000)
March 22, 2014, 02:31:29 AM
I thought this was funny too: Someone tried to warn r3wt 4 days before it was hacked. r3wt acted like his normal self:

unbalanced (Newbie; Activity: 45; Merit: 0)
March 23, 2014, 04:00:49 PM
Wanted to mention here that my withdrawals have gone through and I haven't lost anything.
Mine too. My ATC ( therealaltcoin.org ) withdrawal went through quickly back when we were first told to withdraw funds. My BTC withdrawal, made at the same time, at first didn't go through. It eventually showed up on the 18th -- I just noticed it today. I don't think r3wt is a scammer, and I appreciate getting my money out, but I would not trust funds to this site or his future sites because of the way this one was compromised. For ATC-BTC trading (and Litecoin and Namecoin), I've switched to and recommend x-bt.com which has been solid so far and seems to have better technology/skills behind it. Discussion on IRC at #altcoin and #x-bt.

Nxtblg (Legendary; Activity: 924; Merit: 1000)
March 23, 2014, 05:20:44 PM
If you didn't insure your business...
As far as I know, there's no-one offering insurance for cyber exchanges. But now that you mention it...any security whizzes here are looking at a real business opportunity. Long-term, of course, because the real money won't be made unless the mega-exchanges sign on for "Good Housekeeping Seal Of Approval" PR purposes...

r3wt (OP)
March 25, 2014, 03:51:12 PM
THIS IS A FINAL NOTICE: WITHDRAW YOUR COINS IMMEDIATELY (BEFORE 3/27/14 11pm UTC) OR YOU WILL FORFEIT THEM. Take note of any debt repayment codes credited to you in the "funds owed" tab of your account page. These will be redeemable when the new exchange is launched.
Thanks, Garrett
My negative trust rating is reflective of a personal vendetta by someone on default trust.

Thusith (Member; Activity: 91; Merit: 10)
March 25, 2014, 04:47:44 PM
Do not trade your coins in the small exchange like OpenEx.

CrazyLoaf
March 26, 2014, 11:26:20 PM (Last edit: March 01, 2017, 02:33:07 AM by CrazyLoaf)
null

felment (Member; Activity: 70; Merit: 10)
March 27, 2014, 12:33:25 AM
If you got your coins back they must have come out of the owner's pocket. I have dealt with worse exchanges.