Bitcoin Forum
Topic: HELP NEEDED!! (0.5 btc bounty)  (Read 1603 times)
#1 - fffeee (OP), Member - June 01, 2012, 01:02:25 PM

Someone tries to cash me out.. There is a bug on my site and someone did try to steal my coins. He was able to order coins every 20 seconds via different proxies and with many different BTC addresses. If anyone can help me or will find this error, I would be very thankful. There is also a bounty on it (0.5)!

Edit: www.fiveminutecoin.com

#2 - Bitsky, Hero Member - June 01, 2012, 01:28:28 PM

Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets sent out.

#3 - BinaryMage, Hero Member - June 01, 2012, 03:01:35 PM

I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

#4 - fffeee (OP), Member - June 01, 2012, 03:13:02 PM

> I'm not clear what you're asking here. Are you giving us permission to pentest your website?
>
> (And BTW, it returns a 404 right now.)

I know this because I'm uploading the new version right now.. ;)

> Are you checking if the 300 seconds passed in your backend?
> Because if not, then it's simple to create an automated tool.
> You just need to look at the request that gets sent out.

Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
I use an IP blacklist now.. maybe it works!?!

#5 - fffeee (OP), Member - June 01, 2012, 03:45:53 PM

> (quoting post #4 above, and a reply to it by another poster:)
>
> I bet the guy was using Tor, so an IP blacklist will not work on that, cause the user can change the IP and there are so many nodes, so look into blocking the whole Tor network; I know there's a way to do that.

ok.. I'm gonna implement that too.. thanks for your suggestion! :)

#6 - Bitsky, Hero Member - June 01, 2012, 03:54:47 PM

> Yes, of course I do check it on the backend.. so I don't know how this could even be possible!?
> I use an IP blacklist now.. maybe it works!?!

If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captchas.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.

#7 - fffeee (OP), Member - June 01, 2012, 04:47:14 PM

> (quoting Bitsky's post #6 above)

I'll keep that in mind and maybe I'm gonna implement this tomorrow if the site works fine again..

#8 - fffeee (OP), Member - June 01, 2012, 06:16:47 PM

> (quoting post #5 above, and a further reply to it by another poster:)
>
> Also make sure your scripts can only be accessed from other scripts; it sounds like you just allowed anyone to execute it. You need to use a .htaccess file to make sure only scripts and your site can execute those files individually.

Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..

#9 - Nachtwind, Hero Member - June 01, 2012, 06:37:51 PM

> (quoting fffeee's post #8 above)
>
> Can you tell me where to find some information about detecting Tor exit nodes? I tried it with Google but there is no useful info..

Code:
<?php
// Looks the client up in the Tor DNS exit list: the query name is the reversed
// client IP, the port the client connected to, and the reversed server IP. An
// answer of 127.0.0.2 means "Tor exit that may reach this server:port".
function IsTorExitPoint() {
    $name = ReverseIPOctets($_SERVER['REMOTE_ADDR']) . "."
          . $_SERVER['SERVER_PORT'] . "."
          . ReverseIPOctets($_SERVER['SERVER_ADDR'])
          . ".ip-port.exitlist.torproject.org";
    // gethostbyname() returns the name itself when the lookup fails,
    // so only an exact 127.0.0.2 answer counts as listed.
    return gethostbyname($name) === "127.0.0.2";
}

function ReverseIPOctets($inputip) {
    $ipoc = explode(".", $inputip);
    if (count($ipoc) !== 4) {
        return $inputip; // IPv6 or garbage: the DNS lookup will simply fail
    }
    return implode(".", array_reverse($ipoc)); // 1.2.3.4 -> 4.3.2.1
}

Does that one work for you?
#10 - Bitsky, Hero Member - June 01, 2012, 06:41:28 PM

Or he could just use RBLs provided by SORBS, Spamhaus and EFnet.

#11 - Vernon715, Full Member - June 04, 2012, 12:25:52 AM

> Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..

I think you can find a list if you download the tor software.

#12 - randomproof, Member - June 05, 2012, 07:59:58 PM

I've noticed that the timer was purely in JavaScript, so it was easy to override that with a Firefox extension that allows the user to execute any JavaScript.

#13 - Vernon715, Full Member - June 05, 2012, 11:30:50 PM

That is a pretty big hole... Is there a way to move the timer out of java?

#14 - 01BTC10, Hero Member (VIP) - June 05, 2012, 11:36:40 PM

Script to block Tor exit nodes: https://unixd0rk.livejournal.com/128269.html

You can get a CSV of Tor exit nodes here: http://torstatus.blutmagie.de/
#15 - nimda, Hero Member - June 05, 2012, 11:57:45 PM

Two vulnerabilities:
1. The user can change the countdown value via a Firefox extension or Chrome's developer console.
2. The user can request a CAPTCHA, then send a POST request directly to the server.
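Both of nimda's points (and randomproof's observation in #12) come down to the same fix: the countdown must be measured on the server, from the moment it handed out the CAPTCHA token, and each token accepted once. The sketch below is an added illustration, not code from the thread or from fiveminutecoin.com; the class, method names and the 0.005 BTC payout figure borrowed from Bitsky's post are assumptions for the demo.

```python
import os

WAIT_SECONDS = 300      # the 5-minute countdown, enforced by the server clock
REWARD_WAITED = 0.005   # payout after the wait (figure quoted in the thread)

class FaucetServer:
    """Hypothetical server-side claim logic for a faucet (not the site's code).

    The browser timer is only cosmetic: the server records when it issued the
    CAPTCHA token, refuses any claim before WAIT_SECONDS have passed, accepts
    each token once, and keeps a cooldown per address and per client IP.
    """

    def __init__(self):
        self.issued = {}      # token -> (btc_address it was issued for, issue time)
        self.last_claim = {}  # ("addr", address) or ("ip", ip) -> last payout time

    def issue_token(self, btc_address, now):
        # Unpredictable token; the issue time lives only in server state.
        token = os.urandom(16).hex()
        self.issued[token] = (btc_address, now)
        return token

    def claim(self, token, btc_address, client_ip, now):
        """Return (accepted, reward or rejection reason)."""
        record = self.issued.get(token)
        if record is None:
            return False, "unknown or already used token"
        token_addr, issued_at = record
        if token_addr != btc_address:
            del self.issued[token]    # replayed against another address: burn it
            return False, "token issued for a different address"
        if now - issued_at < WAIT_SECONDS:
            return False, "countdown not elapsed on server"
        # A fresh address from the same IP, or the same address through a new
        # proxy, still has to wait out the cooldown.
        for key in (("addr", btc_address), ("ip", client_ip)):
            last = self.last_claim.get(key)
            if last is not None and now - last < WAIT_SECONDS:
                return False, "cooldown active for " + key[0]
        del self.issued[token]        # single use
        for key in (("addr", btc_address), ("ip", client_ip)):
            self.last_claim[key] = now
        return True, REWARD_WAITED
```

An early POST with a valid token is simply refused and the token stays valid, so a legitimate user who waits out the countdown is never penalised.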
#16 - fffeee (OP), Member - June 06, 2012, 10:31:18 AM

Thank you for this.. I'm gonna fix it ;)

#17 - drawoc, Full Member - June 06, 2012, 08:20:14 PM

You can get a list of IP addresses for a ton of Tor exit nodes like this:
Code:
# -f makes curl fail on an HTTP error instead of feeding an error page into the list
curl -fsS http://exitlist.torproject.org/exit-addresses | grep -o -e "ExitAddress [^ ]*" | sed "s/ExitAddress //" > ipban.txt

If you run this in a bash terminal, it'll download a list of Tor exit nodes from the Tor project, format it in a nice, easy to use format, and save it to a file named ipban.txt.
You might want to set up, e.g., a cron job to run this and update the file every once in a while.

Then, you just need to make your script deny anyone with one of these IP addresses. Then, nobody can access your site over Tor.

This is what that command gives me at the moment:
http://pastebin.com/0iM6GrkM

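To consume drawoc's list from application code rather than a grep pipeline, here is an added Python example (not from the thread or the Tor project) that parses the exit-addresses layout (ExitNode / Published / LastStatus / ExitAddress records), drops entries not seen within a freshness window so a stale file does not ban addresses forever, and checks a client address against the result. The sample file content, the fingerprints, the addresses and the 24-hour default window are constructed for the demo.

```python
from datetime import datetime
from ipaddress import ip_address

TIME_FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample in the layout of the exit-addresses file: each ExitNode
# record has Published, LastStatus and one or more ExitAddress lines
# ("ExitAddress <ip> <timestamp>"). Fingerprints and addresses are made up.
SAMPLE_EXIT_ADDRESSES = """\
ExitNode 0000000000000000000000000000000000000001
Published 2012-06-06 10:00:00
LastStatus 2012-06-06 11:00:00
ExitAddress 198.51.100.7 2012-06-06 11:05:00
ExitAddress 198.51.100.8 2012-06-06 11:06:00
ExitNode 0000000000000000000000000000000000000002
Published 2012-05-01 10:00:00
LastStatus 2012-05-01 11:00:00
ExitAddress 203.0.113.9 2012-05-01 11:05:00
this line is garbage and must be ignored
"""

def parse_exit_addresses(text, now=None, max_age_seconds=86400):
    """Return the set of exit IPs. When `now` (a TIME_FMT string) is given,
    keep only addresses seen within max_age_seconds of it."""
    exits = set()
    ref = datetime.strptime(now, TIME_FMT) if now else None
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] != "ExitAddress":
            continue   # ExitNode/Published/LastStatus lines, like the grep in the post
        try:
            ip = ip_address(parts[1])                  # validates and normalises
            seen = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
        except ValueError:
            continue   # malformed entry: skip rather than ban a bogus string
        if ref is not None and (ref - seen).total_seconds() > max_age_seconds:
            continue
        exits.add(str(ip))
    return exits

def is_tor_exit(remote_addr, exits):
    """Check a client address (e.g. REMOTE_ADDR) against the parsed set."""
    try:
        return str(ip_address(remote_addr)) in exits
    except ValueError:
        return False   # not a valid IP at all: reject it upstream, but it is not an exit
```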