Bitcoin Forum
Author Topic: HELP NEEDED!! (0.5 btc bounty)  (Read 1349 times)
fffeee
Member
June 01, 2012, 01:02:25 PM
#1

Someone tries to cash me out.. There is a bug on my site and someone did try to steal my coins. He was able to order coins every 20 seconds via different proxies and with many different BTC addresses. If anyone can help me or will find this error, I would be very thankful. There is also a bounty on it (0.5)!

Edit: www.fiveminutecoin.com

Bitsky
Hero Member
June 01, 2012, 01:28:28 PM
#2

Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.

BinaryMage
Hero Member
June 01, 2012, 03:01:35 PM
#3

I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

fffeee
Member
June 01, 2012, 03:13:02 PM
#4

Quote from: BinaryMage on June 01, 2012, 03:01:35 PM
> I'm not clear what you're asking here. Are you giving us permission to pentest your website?
>
> (And BTW, it returns a 404 right now.)

I know this because I'm uploading the new version right now.. ;)

Quote from: Bitsky on June 01, 2012, 01:28:28 PM
> Are you checking if the 300 seconds passed in your backend?
> Because if not, then it's simple to create an automated tool.
> You just need to look at the request that gets sent out.

Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!

gweedo
Legendary
June 01, 2012, 03:43:59 PM
#5

I bet the guy was using Tor, so an IP blacklist will not work on that, 'cause the user can change the IP and there are so many nodes. So look into blocking the whole Tor network; I know there's a way to do that.

fffeee
Member
June 01, 2012, 03:45:53 PM
#6

ok.. I'm gonna implement that too.. thanks for your suggestion! :)

gweedo
Legendary
June 01, 2012, 03:53:12 PM
#7

Also make sure your scripts can only be accessed from other scripts. It sounds like you just allowed anyone to execute them; you need to use a .htaccess file to make sure only scripts and your site can execute those files individually.

Bitsky
Hero Member
June 01, 2012, 03:54:47 PM
#8

Quote from: fffeee on June 01, 2012, 03:13:02 PM
> Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
> I use an IP blacklist now.. maybe it works!?!

If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captchas.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.

fffeee
Member
June 01, 2012, 04:47:14 PM
#9

I'll keep that in mind and maybe I'm gonna implement this tomorrow if the site works fine again..

fffeee
Member
June 01, 2012, 06:16:47 PM
#10

Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..

Nachtwind
Hero Member
June 01, 2012, 06:37:51 PM
#11

Code:
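// Returns true if the client address is a Tor exit node that can reach this
// server, according to the DNS exit list at ip-port.exitlist.torproject.org.
function IsTorExitPoint() {
    $client = ReverseIPOctets($_SERVER['REMOTE_ADDR']);
    $server = ReverseIPOctets($_SERVER['SERVER_ADDR']);
    if ($client === null || $server === null) {
        return false; // not IPv4: the query format below only handles IPv4
    }
    $query = $client . "." . $_SERVER['SERVER_PORT'] . "." . $server
           . ".ip-port.exitlist.torproject.org";
    // gethostbyname() returns the query name unchanged when nothing resolves
    return gethostbyname($query) === "127.0.0.2";
}

// "1.2.3.4" -> "4.3.2.1"; null if the input is not a dotted-quad IPv4 address
function ReverseIPOctets($inputip) {
    if (filter_var($inputip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    return implode(".", array_reverse(explode(".", $inputip)));
}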

Does that one work for you?

Bitsky
Hero Member
June 01, 2012, 06:41:28 PM
#12

Or he could just use rbls provided by sorbs, spamhaus and efnet.

Vernon715
Full Member
June 04, 2012, 12:25:52 AM
#13


Quote from: fffeee on June 01, 2012, 06:16:47 PM
> Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..

I think you can find a list if you download the tor software.

randomproof
Member
June 05, 2012, 07:59:58 PM
#14

I've noticed that the timer was purely in JavaScript, so it was easy to override that with a Firefox extension that allows the user to execute any JavaScript.

Vernon715
Full Member
June 05, 2012, 11:30:50 PM
#15

That is a pretty big hole... Is there a way to move the timer out of java?

01BTC10
VIP
Hero Member
June 05, 2012, 11:36:40 PM
#16

Script to block Tor exit nodes: https://unixd0rk.livejournal.com/128269.html

You can get a CSV of Tor exit nodes here: http://torstatus.blutmagie.de/

nimda
Hero Member
June 05, 2012, 11:57:45 PM
#17

Two vulnerabilities:
1. The user can change the countdown value via a Firefox extension or Chrome's developer console
2. The user can request a CAPTCHA, then send a POST request directly to the server.

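The two issues nimda lists, handled on the server, as an added example that is not part of the thread or the site's own code: the wait is measured from the time the server issued the CAPTCHA, and each challenge can be redeemed only once. The function names, the in-memory `$store` and the sample values are assumptions; the two amounts are the ones Bitsky describes in post #8.

```php
<?php
// Added example. All names are hypothetical; the array $store stands in for a
// database or session table, and the payout amounts follow Bitsky's post #8.
const WAIT_SECONDS = 300;

// Called when the page with the CAPTCHA is served: the server records the time.
function issueChallenge(array &$store, string $captchaAnswer, int $now): string {
    $token = bin2hex(random_bytes(16));
    $store[$token] = ['answer' => $captchaAnswer, 'issued' => $now];
    return $token;
}

// Called on the POST. Nothing the browser reports about elapsed time is used.
function claim(array &$store, string $token, string $answer, int $now): array {
    if (!isset($store[$token])) {
        return ['ok' => false, 'reason' => 'unknown or already used challenge'];
    }
    $challenge = $store[$token];
    unset($store[$token]);                  // single use, even on a wrong answer
    if (!hash_equals($challenge['answer'], $answer)) {
        return ['ok' => false, 'reason' => 'wrong captcha'];
    }
    $elapsed = $now - $challenge['issued']; // server clock at both ends
    $amount  = $elapsed >= WAIT_SECONDS ? '0.005' : '0.0025';
    return ['ok' => true, 'amount' => $amount, 'elapsed' => $elapsed];
}

// Constructed walk-through with a fixed, made-up timestamp
$store = [];
$t0  = 1338500000;
$tok = issueChallenge($store, 'x7kq', $t0);
var_dump(claim($store, $tok, 'x7kq', $t0 + 20));   // POST 20 s after the page was served
var_dump(claim($store, $tok, 'x7kq', $t0 + 400));  // the same token sent a second time
$tok2 = issueChallenge($store, 'm2pd', $t0);
var_dump(claim($store, $tok2, 'm2pd', $t0 + 300)); // fresh challenge, full wait
```

Because the payout tier is derived from the stored issue time, changing the countdown in the browser or posting directly to the server has no effect on the amount.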

fffeee
Member
June 06, 2012, 10:31:18 AM
#18

Thank you for this.. I'm gonna fix it ;)

drawoc
Full Member
June 06, 2012, 08:20:14 PM
#19

You can get a list of ip addresses for a ton of tor exit nodes like this:
Code:
curl http://exitlist.torproject.org/exit-addresses | grep -o -e "ExitAddress [^ ]*" | sed "s/ExitAddress //" > ipban.txt

If you run this in a bash terminal, it'll download a list of tor exit nodes from the tor project, format it in a nice, easy to use format, and save it to a file named ipban.txt.
You might want to set up, e.g., a cron job to run this and update the file every once in a while.

Then, you just need to make your script deny anyone with one of these ip addresses. Then, nobody can access your site over tor.

This is what that command gives me at the moment:
http://pastebin.com/0iM6GrkM

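One way to do the "deny" step drawoc describes, as an added example that is not from the thread: load the one-address-per-line ipban.txt written by the curl command above, match the client address exactly, and treat a list the cron job has stopped refreshing as unusable. The function names, the 6-hour freshness limit and the sample addresses are assumptions.

```php
<?php
// Added example. Function names and the freshness limit are hypothetical.
// Reads the one-address-per-line file produced by the curl command above.
function loadExitSet(string $path, int $maxAgeSeconds, int $now): ?array {
    if (!is_readable($path) || $now - filemtime($path) > $maxAgeSeconds) {
        return null;                 // missing or stale list
    }
    $lines = file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    if ($lines === false) {
        return null;
    }
    $set = [];
    foreach ($lines as $line) {
        $ip = trim($line);
        if (filter_var($ip, FILTER_VALIDATE_IP) !== false) {
            $set[$ip] = true;        // array keys give exact-match lookups
        }
    }
    return $set;
}

// A null set (missing or stale file) matches nothing here, so the caller
// should log that case to get the cron job fixed.
function isListedExit(?array $set, string $remoteAddr): bool {
    return $set !== null && isset($set[$remoteAddr]);
}

// Constructed sample file using documentation addresses (RFC 5737)
$path = tempnam(sys_get_temp_dir(), 'ipban');
file_put_contents($path, "192.0.2.10\n198.51.100.7\nnot-an-ip\n");
$set = loadExitSet($path, 6 * 3600, time());
var_dump(isListedExit($set, '192.0.2.10')); // an address that is in the file
var_dump(isListedExit($set, '192.0.2.1'));  // only a prefix of a listed address
unlink($path);
```

In a request handler the second argument would be `$_SERVER['REMOTE_ADDR']`.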