Topic: Openex hacked but coins recovered - page 7. (Read 14287 times)

on the same token though, i can scrutinize the code i write to a great degree of certainty, where as with a framework i have to worry about my code and that of the framework.

You're re-inventing the wheel though, really. 1000s of devs have colabed on frameworks for good reasons, don't write them off because you want to write it all yourself!

Being able to code in a framework isn't newb, it's considered more pro imo.

thank you for the inspirational quotes and kind words. we are not giving up. #NeverYield

Encouraging people to keep trying when their failures will ultimately cost other people money is incredibly irresponsible.

I honeslty feel like it would dimish the accomplishment. when you write your own stuff, you have a more intimate knowledge of it than you would with a framework.

it certainly doesn't mean frameworks aren't useful. i just don't use them(yet). i don't have much experience so that will probably change. for now i'm reading as much as i can and applying it to everything i do.

"Edison failed 10, 000 times before he made the electric light. Do not be discouraged if you fail a few times.”
– Napoleon Hill
 

“I’ve missed more than 9000 shots in my career. I’ve lost almost 300 games. 26 times, I’ve been trusted to take the game winning shot and missed. I’ve failed over and over and over again in my life. And that is why I succeed.”

– Michael Jordan

“I was set free because my greatest fear had been realized, and I still had a daughter who I adored, and I had an old typewriter and a big idea. And so rock bottom became a solid foundation on which I rebuilt my life.”

– J.K. Rowling

Many of Life's failures are People that didn't realize how close they were to success when they gave up

– Thomas Edison

If you want the Rainbow, you gotta put up with the rain

– Dolly Parton


And finally a chinese proverb my dad used to say.

Fall seven times
Stand up eight



Keep trying matey, You have put so much time and effort in You'll make it sooner or later!

Remember when ever you fail, you always learn what not to do next time!

What I was really getting at is why not use a framework, it gives a fair amount of security if used correctly.

Right. I can see you've put a lot of work into it. I just don't like seeing queries in the views *shudder*

it basically is. the pages do some work the system folder does some work which is not shared in the github, but the majority of it is handled through the objects in our various class files and the functions in the models folder.

we have our models and controllers in /models

our "view" is in /pages

while its not quite conformant yet, we tend to refactor the code into classes where possible and slowly remove them from the view.

I don't understand why it's not done MVC

I cancelled several Dimecoins sell orders and all those coins dosn't refund to my account... do you know what happen?

And, another thing, please... remove minimum withdraw limit in order to get all my founds... I know that they are small amounts but a lot of small amount make a big one....

Thanks

to the casual observer, yes it appears pretty insecure. once you try to hack it, then you see the genius of the design. other than the queries, i'd say its pretty secure.

Jesus your PHP looks pretty risky too bro. Correct me if im wrong.

https://github.com/r3wt/openex/tree/master/pages

I don't own any catcoin.  I was developing a "catcoin" a while ago, but the current one was suddenly "pre-announced" about a week before I was going to release mine.  The username was registered a while ago.  Also, I doubt it needs to even be said that I wouldn't be registering an account on your exchange any time soon.

You really don't need a crash course, and I'd be doing you and your users a disservice by providing one.  You need about 10 years of real world experience running servers that won't end up losing a bunch of peoples' money if they end up breached.  Otherwise, you need someone with a lot of experience securing a project like yours working for you full time, and you need them to be able to go over and help you secure your entire app, not just the sysadmin-type stuff.

This is something that should be tested thoroughly in an isolated environment before it ends up anywhere near the internet being used by actual people.  When I said what I said about it not being a good idea for someone without the experience to try to do something like this and skip every step in the middle, I wasn't kidding, and I wasn't saying it just to be a dick or crush your dreams.  You can't cut corners with something like this.

Start over, create a virtual machine and set it up as a server with your app on it.  Encrypt the filesystem on the VM.  Distribute that VM image to people and offer a bounty to anyone who can breach it.  Start over, do that again.  Repeat.  Once you feel confident with what you have, bring in a pro and see if they agree.  Test some more... etc.

Rushing into this is sure to end in tears for you and, more importantly, your users, every time.  There's nothing more dangerous than a cocky young web app developer who has absolutely no idea what they're getting into, and is playing with peoples' money.

i would appreciate if you would enlighten us all a bit. give a crash course. i'll pay you for your time. i might even list catcoin if this works out good.

I constantly see people saying "I installed fail2ban" as if that step instantly provides bulletproof security.  It doesn't.  It's just one layer of basic protection, and a thin one at that.

As someone mentioned Fail2Ban   i use a similar program to protect my servers from brute force attacks - its called RDPGuard - when i downloaded it, it came with a 30 day trial. might be worth adding extra protection (It should work along side Fail2Ban I believe)

You could also blacklist all IP addresses from connecting to the server and whitelist your own IP (or other secure IPs)  I tend to do this for servers that have very little reason for anyone to ever log on to.


Sorry if these suggestions are a bit "nooby" but its often simple things that can throw a spanner in the works for an attacker. (especially if the attacker is just some kid trying his/her luck! normally they don't have enough knowledge to even change the dictionaries used for their attacks.)

It's really a good thing that you see it this way. Nobody is free from errors and the importance is clearly: learning from them. And just to make it clear: my posts really are not about ranting or attacking someone blindly (because that's not productive). I just think it's important to know certain things when running a server.

+1

Passwords shouldn't be used for ssh logins.

But I would have taken it a longer step. The coin daemon shouldn't run at the exchange webserver at all, but instead be talked to via an security layer checking what type of RPC commands that are sent, and validate/discard them based on internal security routines. (Depends on the setup)

"Jan 12 08:26:23 server sshd[154626]: Accepted password for root from 66.87.92.21 port 33172 ssh2"

Please, for your own sake, never ever even boot a server with a ssh config simular to this: "PermitRootLogin yes"

i clearly underestimated the role of a sysadmin.