Topic: HELP NEEDED!! (0.5 btc bounty) (Read 1603 times)

Quote from: fffeee on June 01, 2012, 10:45:53 AM

Quote from: BinaryMage on June 01, 2012, 10:01:35 AM

I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink

Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

I bet the guy was using tor so ip blacklist will not work on that, cause the user can change the ip and there is so many nodes, so look into blocking the whole tor network, I know there a way to do that.

ok.. I`m gonna implement that too.. thanks for your suggestion!

Also make sure your scripts can only be accessed from other scripts like it sounds like you just allowed anyone to execute it, you need to use .htaccess file to make sure only scripts and your site can execute those files individually

Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..

Code:

function IsTorExitPoint(){
if (gethostbyname(ReverseIPOctets($_SERVER['REMOTE_ADDR']).".".$_SERVER['SERVER_PORT'].".".ReverseIPOctets($_SERVER['SERVER_ADDR']).".ip-port.exitlist.torproject.org")=="127.0.0.2") {
return true;
} else {
return false;
} 
}
function ReverseIPOctets($inputip){
$ipoc = explode(".",$inputip);
return $ipoc[3].".".$ipoc[2].".".$ipoc[1].".".$ipoc[0];
}

Does that one work for you?

fffeee

member

Activity: 70

Merit: 10

Quote from: fffeee on June 01, 2012, 10:45:53 AM

Quote from: BinaryMage on June 01, 2012, 10:01:35 AM

I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink

Quote from: Bitsky on June 01, 2012, 10:54:47 AM

Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

I bet the guy was using tor so ip blacklist will not work on that, cause the user can change the ip and there is so many nodes, so look into blocking the whole tor network, I know there a way to do that.

ok.. I`m gonna implement that too.. thanks for your suggestion!

Also make sure your scripts can only be accessed from other scripts like it sounds like you just allowed anyone to execute it, you need to use .htaccess file to make sure only scripts and your site can execute those files individually

Can you tell me where to find some information about detecting tor exit nodes? I tried it with google but there is no useful info..

fffeee

member

Activity: 70

Merit: 10

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captches.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.

I`ll keep that in mind and maybe I`m gonna implement this tomorrow if the site works fine again..

Bitsky

hero member

Activity: 576

Merit: 514

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

If I understand your site correctly, I can request 0.0025btc instantly without having to wait the 5 minutes. If I wait, I can get 0.005btc instead.
I'd start with a little math:
Captcha solving costs something between $1-$2 per 1000 captches.
1000 successful requests mean 2.5btc when you don't bother to wait.
Assuming ~$5/btc, you make $12.50 while paying $2, resulting in a $10.50 profit.

You can always try to change the captcha, although I think that won't be much of a success since solvers offer a professional service dealing with them.
Probably a good idea is to look around for a good real-time blacklist of proxies and block them.
Or, instead of blocking, accept the request but don't send it out. That costs whoever does that money.

fffeee

member

Activity: 70

Merit: 10

Quote from: BinaryMage on June 01, 2012, 10:01:35 AM

I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink

Quote from: BinaryMage on June 01, 2012, 10:01:35 AM

Are you checking if the 300 seconds passed in your backend?
Because if not, then it's simple to create an automated tool.
You just need to look at the request that gets send out.

Yes,of course I do check it on the backend.. so I dont know how this could even be possible!?
I use a ip blacklist now.. maybe it works!?!

I bet the guy was using tor so ip blacklist will not work on that, cause the user can change the ip and there is so many nodes, so look into blocking the whole tor network, I know there a way to do that.

ok.. I`m gonna implement that too.. thanks for your suggestion!

fffeee

member

Activity: 70

Merit: 10

I'm not clear what you're asking here. Are you giving us permission to pentest your website?

(And BTW, it returns a 404 right now.)

I know this because I`m uploading the new Version right now.. Wink