Topic: bitfloor needs your help! - page 40. (Read 177467 times)

hero member
Activity: 742
Merit: 500
September 04, 2012, 01:18:56 PM
#50
ignore button engaged

man, that was easy
legendary
Activity: 3374
Merit: 4738
diamond-handed zealot
September 04, 2012, 01:16:50 PM
#49
ignore button engaged
hero member
Activity: 952
Merit: 1009
September 04, 2012, 01:15:34 PM
#48
I think what Bilaal here is trying to imply is that he thinks there was no hacker at all and it was an inside job (another mybitcoin/zhoutong situation). Which is the only way a non-public facing system could be compromised.
legendary
Activity: 1904
Merit: 1002
September 04, 2012, 01:12:57 PM
#47
Quote

No shit sherlock, but that's irrelevant to my question.  He claims "this box was not public facing", then provides an ip that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?


there are no proof that hacker hack his site maybe some other problem he faced but hacker did not hack his website no record of hacker or hacking

Still irrelevant.  Maybe try understanding the question.  It still won't help though since the question isn't directed to you and you don't know the answer.  A system, holding an unencrypted copy of the keys was hacked.  He claims this system was not public facing, yet he also claims that the attacker connected from a specific IP.  If the system was not public facing, how did the attacker connect to it?
hero member
Activity: 574
Merit: 500
September 04, 2012, 01:12:02 PM
#46
Quote

No shit sherlock, but that's irrelevant to my question.  He claims "this box was not public facing", then provides an ip that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?


there are no proof that hacker hack his site maybe some other problem he faced but hacker did not hack his website no record of hacker or hacking

So did you hack fastcash4bitcoins yet? No? Then STFU script kiddo. The server is properly configured not to display errors, and that's what I do when someone tries to exploit the normal operation of the site - display a generic error page and log the attacker's information.
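
The error-handling setup this post describes, and that the runtime error quoted in post #39 refers to, sketched as an added ASP.NET `web.config` fragment. It is not the site's actual configuration, and the `~/Error.aspx` path is a hypothetical placeholder.

```xml
<configuration>
  <system.web>
    <!-- Weak setting, shown for contrast only: mode="Off" sends stack traces
         and source excerpts to every remote client.
    <customErrors mode="Off" />
    -->

    <!-- RemoteOnly: remote clients get the generic page, while requests made
         from the server itself still see full details for debugging.
         ResponseRewrite serves the error page without a redirect. -->
    <customErrors mode="RemoteOnly"
                  defaultRedirect="~/Error.aspx"
                  redirectMode="ResponseRewrite" />

    <!-- Debug builds put more detail into error output; keep this false
         in production. -->
    <compilation debug="false" />

    <!-- Request validation rejects markup-like input before page code runs,
         which is what turns a script-injection attempt into a server error. -->
    <pages validateRequest="true" />
  </system.web>
</configuration>
```

Logging the failed request is done in code rather than in this file, for example in the `Application_Error` handler of `Global.asax`.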
legendary
Activity: 1022
Merit: 1001
I'd fight Gandhi.
September 04, 2012, 01:11:34 PM
#45
Shtylman, thanks for coming clean rather than pulling an MtGox and leaving everyone in the dark for weeks.

I have a question for you, I'll PM it.
sr. member
Activity: 431
Merit: 251
September 04, 2012, 01:11:27 PM
#44
1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.


fastcash4bitcoins.com lOl javascript 1njection lOL

Quote


All this shows is that you managed to create a server-side error and he doesn't have any custom error pages.  

As a matter of fact, the server side error generated was probably because of your attempt at Javascript injection (caught harmlessly by ASP.NET)

So what exactly are you trying to show with this?
legendary
Activity: 1652
Merit: 1128
September 04, 2012, 01:08:38 PM
#43
Quote

No shit sherlock, but that's irrelevant to my question.  He claims "this box was not public facing", then provides an ip that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?


there are no proof that hacker hack his site maybe some other problem he faced but hacker did not hack his website no record of hacker or hacking

Are you even reading what you're replying to?

And stop with the bold, there's no reason to bold everything you say since it's nonsense anyway.
legendary
Activity: 3374
Merit: 4738
diamond-handed zealot
September 04, 2012, 01:07:07 PM
#42
fucks sake 1nject0r

at least turn off the bold
newbie
Activity: 28
Merit: 0
September 04, 2012, 01:04:00 PM
#41
Quote

No shit sherlock, but that's irrelevant to my question.  He claims "this box was not public facing", then provides an ip that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?


there are no proof that hacker hack his site maybe some other problem he faced but hacker did not hack his website no record of hacker or hacking
legendary
Activity: 1904
Merit: 1002
September 04, 2012, 01:01:25 PM
#40
I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP

No shit sherlock, but that's irrelevant to my question.  He claims "this box was not public facing", then provides an ip that the attacker connected from.  So which is it?  How did the attacker connect to a box that was not accessible?
newbie
Activity: 28
Merit: 0
September 04, 2012, 01:00:58 PM
#39
1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.


fastcash4bitcoins.com lOl javascript 1njection lOL

Quote
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.

Details: To enable the details of this specific error message to be viewable on remote machines, please create a tag within a "web.config" configuration file located in the root directory of the current web application. This tag should then have its "mode" attribute set to "Off".

Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's configuration tag to point to a custom error page URL.
newbie
Activity: 28
Merit: 0
September 04, 2012, 12:55:40 PM
#38
1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

Secure your website first then bark in front of us u fucking k1d u really cant compare us Cheesy so grew up and secure all bitcoins site then bark here
hero member
Activity: 952
Merit: 1009
September 04, 2012, 12:54:54 PM
#37
1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.

He's amusing. He's like what we would see if Phinn went into the "h4x0ring" business instead of fruitlessly doxing in all the wrong places.  Grin
donator
Activity: 1218
Merit: 1079
Gerald Davis
September 04, 2012, 12:52:27 PM
#36
1nject0r,

The grown ups are talking please STFU!  The nonsensical ramblings of a 2bit warez seller are not welcome or needed.
newbie
Activity: 28
Merit: 0
September 04, 2012, 12:50:55 PM
#35
I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?

hackers were using vpn not real those are proxy not the ip we can track the ip address which he listed here then we can see is this vpn if yes what was the ISP
legendary
Activity: 1904
Merit: 1002
September 04, 2012, 12:48:54 PM
#34
I never store keys on a webserver for a project involving customer funds.  If all monies belong to the site operator that's their business, but if there are customer accounts I refuse to write code for someone who isn't willing to put the keys on a separate, heavily locked down server (preferably with no public ip).

I don't wish to go into too many details on this thread about it, but this box was not public facing.

So someone with physical access got in.  If that's the case you should absolutely file a police report.  $250,000 is way past misdemeanor level and there are a limited number of people with physical access.

But wait, you listed the IP address the attacker connected from in the other thread so maybe it wasn't physical access.  So which was it?  Was it accessible from the internet, or was it not?
hero member
Activity: 574
Merit: 500
September 04, 2012, 12:47:48 PM
#33
Bitfloor lost about 25k BTC, or ~250k USD... It's somewhat hard to get these funds now. Even if it was sold, the evaluation is less than 25k USD (2k * 12 months).

It's pretty much bankruptcy for bitfloor.
legendary
Activity: 1904
Merit: 1002
September 04, 2012, 12:45:42 PM
#32
Could you secure some investor funds to pay back losses to customers now, and pay back the investor after your business picks back up?

This would be a possibility if investors interested in helping continue operations show interest. It is certainly something I am thinking about.

Perhaps a GLBSE offering could help make up the difference.  But first you need to develop and publish a better security model and have the community scrutinize it.
newbie
Activity: 28
Merit: 0
September 04, 2012, 12:45:29 PM
#31
check your ssl certificate next time and i am thinking that u are using vps instead of shared right?