ignore button engaged
man, that was easy
Topic: bitfloor needs your help! - page 40. (Read 177459 times)
ignore button engaged
I think what Bilaal here is trying to imply is that he thinks there was no hacker at all and it was a inside job (another mybitcoin/zhoutong situation). Which is the only way a non-public facing system could be compromised.
Quote
No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
there are no proof that hacker hack his site maybe some other problem he faced but hacker didnot hack his website no record of hacker or hacking
Still irrelevant. Maybe try understanding the question. It still won't help though since the question isn't directed to you and you don't know the answer. A system, holding an unencrypted copy of the keys was hacked. He claims this system was not public facing, yet he also claims that the attacker connected from a specific IP. If the system was not public facing, how did the attacker connect to it?
Quote
No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
there are no proof that hacker hack his site maybe some other problem he faced but hacker didnot hack his website no record of hacker or hacking
So did you hack fastcash4bitcoins yet? No? Then STFU script kiddo. The server is properly configured not to display errors, and that what I do when someone tries to exploits the normal operation of the site - display a generic error page and log the attacker's information.
Shtylman, thanks for coming clean rather then pulling an MtGox and leaving everyone in the dark for weeks.
I have a question for you, I'll PM it.
I have a question for you, I'll PM it.
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
fastcash4bitcoins.com lOl javascript 1njection lOL
Quote
All this shows is that you managed to create a server-side error and he doesn't have any custom error pages.
As a matter of fact, the server side error generated was probably because of your attempt at Javascript injection (caught harmlessly by ASP.NET)
So what exactly are you trying to show with this?
Quote
No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
there are no proof that hacker hack his site maybe some other problem he faced but hacker didnot hack his website no record of hacker or hacking
Are you even reading what you're replying to?
And stop with the bold, there's no reason to bold everything you say since it's nonsense anyway.
fucks sake 1nject0r
at least turn off the bold
at least turn off the bold
Quote
No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
there are no proof that hacker hack his site maybe some other problem he faced but hacker didnot hack his website no record of hacker or hacking
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing.
So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access.
But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not?
hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP
No shit sherlock, but that's is irrelevant to my question. He claims "this box was not public facing", then provides an ip that the attacker connected from. So which is it? How did the attacker connect to a box that was not accessible?
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
fastcash4bitcoins.com lOl javascript 1njection lOL
Quote
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
Secure your website first then bark in front of us u fucking k1d u really cant compare us
so grew up and secure all bitcoins site then bark here 1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
He's amusing. He's like what we would see if Phinn went into the "h4x0ring" business instead of fruitlessly doxing in all the wrong places.
1nject0r,
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
The grown ups are talking please STFU! The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing.
So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access.
But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not?
hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP
I never store keys on a webserver for a project involving customer funds. If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).
I don't wish to go into too many details on this thread about it, but this box was not public facing.
So someone with physical access got in. If that's the case you should absolutely file a police report. $250,000 is way past misdemeanor level and there are a limited number of people with physical access.
But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access. So which was it? Was it accessible from the internet, or was it not?
Bitfloor lost about 25k BTC, or ~250k USD... It's somewhat hard to get these funds now. Even if it was sold, the evaluation is less than 25k USD (2k * 12 months).
Its pretty much bankruptcy for bitfloor.
Its pretty much bankruptcy for bitfloor.
Could you secure some investor funds to pay back losses to customers now, and payback the investor after your business picks back up?
This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.
Perhaps a GLBSE offering could help make up the difference. But first you need to develop and publish a better security model and have the community scrutinize it.
check your ssl certificate next time and i am thinking tht u are using vps instead of shared right ?
Jump to: