Topic: OpenEx to be shut down[Hacked] - page 3. (Read 14875 times)

legendary
Activity: 1030
Merit: 1000
March 21, 2014, 12:06:42 PM
g4c
member
Activity: 98
Merit: 10
March 21, 2014, 11:58:35 AM
well, finally found it. sql injection from trade pages. someone else who had been running the script on their site with cloudflare installed found many of these in their cloudflare logs.

page=trade&market=27+%252F*%252130000and%2528select+1+from%2528select+count%2528*%2529%252Cconcat%2528%2528select+%2528md5%25281165272%2529%2529+from+%2560information_schema%2560.tables+limit+0%252C1%2529%252Cfloor%2528rand%25280%2529*2%2529%2529x+from+%2560information_schema%2560.tables+group+by+x%2529a%2529+and+1%253D1*%252F



you didn't use prepared statements and PDO. SERIOUSLY! It's 2014 dude!!
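What the reply above asks for, as an added example that is not part of the thread and not OpenEx code: `market` is accepted only as a positive integer and is bound through a PDO prepared statement, while a bounded decode loop shows an analyst what a double-encoded log entry actually carried. The `Markets` table and both query strings are constructed; the second abbreviates the shape of the logged request.

```php
<?php
// Added example, not OpenEx code. Table name and query strings are constructed.

// Log triage: undo layered percent-encoding so the real value is visible.
function fullyDecode(string $s, int $maxRounds = 5): string {
    for ($i = 0; $i < $maxRounds && ($d = rawurldecode($s)) !== $s; $i++) {
        $s = $d;
    }
    return $s;
}

// Application side: `market` must be a positive integer, nothing else.
function marketId(string $query): ?int {
    parse_str($query, $params);          // decodes one layer, as PHP does for $_GET
    $raw = $params['market'] ?? null;
    if (!is_string($raw)) return null;   // missing, or sent as market[]=
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function marketName(PDO $db, string $query): string {
    $id = marketId($query);
    if ($id === null) {
        parse_str($query, $p);
        $shown = is_string($p['market'] ?? null) ? fullyDecode($p['market']) : '(not a string)';
        return 'rejected market=' . $shown;   // in production this goes to a log
    }
    // Even validated input is bound as a parameter, never concatenated into SQL.
    $stmt = $db->prepare('SELECT Name FROM Markets WHERE Id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? 'no such market' : $name;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE Markets (Id INTEGER PRIMARY KEY, Name TEXT)');
$db->exec("INSERT INTO Markets VALUES (27, 'BTC/LTC')");

foreach (['page=trade&market=27',
          'page=trade&market=27+%252F*%2521and+1%253D1*%252F'] as $q) {
    echo marketName($db, $q), "\n";
}
```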
legendary
Activity: 1632
Merit: 1010
March 21, 2014, 11:46:31 AM



I am working with r3wt to find out exactly how much BTC was stolen. Yes, we are still unsure of the exact amount and no amount of trolling is going to change this, the only thing we can do at this point is keep plugging away at working on the site.
ATTENTION:
If you have an account at OpenEX which had coins in it, PLEASE Login and attempt a withdrawal of any coins which are in your account. There are still many coins in wallets.
member
Activity: 65
Merit: 10
March 21, 2014, 11:34:45 AM
looks like some trolls trying really hard to discredit me.


If you made both of those posts, in which one claims coins were stolen and the other denies it, then whichever one you own up to, the other proves you to be a liar. How is that being a troll? Sounds like a solid and legitimate question to me.

First of all, I'm sorry for the attitude i have been giving people. this is a very stressful people for everyone involved with OpenEx, customers included. We are working on sorting out exactly how much coin left the exchange which was not supposed to. This is where the confusion lies. We are not going anywhere, and we fully plan on paying all customers which have been wronged. Once again, i apologize for this entire mess. It appears that less coin than originally we thought has been stolen, but there has been coin stolen. It just wasn't as cut and dry as a straight up server break in or RPC vulnerability.

We will post an update on 3/27/14.

Wait so is the coin stolen or not?  Because you posted this yesterday, clearly stating that it was not.  Yet your most recent post indicates otherwise.  

Either way, you are a liar.



34 BTC
Called out on it, cannot provide any evidence.

Some amount, I'm not sure how much.
Called out on it, cannot provide any evidence.

Less than one bitcoin.

Pretty sure tomorrow he'll say nothing was lost.  If we hadn't kept up the pressure he would have just walked away with everyone's funds.  Amazing.

Edit: Oh, and this thread was started 11 days ago.  11 days to figure out whether any BTC was stolen?  What a joke.  This guy is the most incompetent scammer I've ever seen.  Can't even make his thefts look believable.  Everyone please give him a negative trust review on here.
legendary
Activity: 1274
Merit: 1000
March 21, 2014, 03:09:08 AM
looks like some trolls trying really hard to discredit me.

You have discredited yourself.

No one has to try.  You make it easy.
legendary
Activity: 1274
Merit: 1000
March 21, 2014, 03:05:16 AM
looks like some trolls trying really hard to discredit me.


If you made both of those posts, in which one claims coins were stolen and the other denies it, then whichever one you own up to, the other proves you to be a liar. How is that being a troll? Sounds like a solid and legitimate question to me.

First of all, I'm sorry for the attitude i have been giving people. this is a very stressful people for everyone involved with OpenEx, customers included. We are working on sorting out exactly how much coin left the exchange which was not supposed to. This is where the confusion lies. We are not going anywhere, and we fully plan on paying all customers which have been wronged. Once again, i apologize for this entire mess. It appears that less coin than originally we thought has been stolen, but there has been coin stolen. It just wasn't as cut and dry as a straight up server break in or RPC vulnerability.

We will post an update on 3/27/14.

Wait so is the coin stolen or not?  Because you posted this yesterday, clearly stating that it was not.  Yet your most recent post indicates otherwise.  

Either way, you are a liar.

hero member
Activity: 686
Merit: 504
always the student, never the master.
March 21, 2014, 02:20:32 AM
looks like some trolls trying really hard to discredit me.


If you made both of those posts, in which one claims coins were stolen and the other denies it, then whichever one you own up to, the other proves you to be a liar. How is that being a troll? Sounds like a solid and legitimate question to me.

First of all, I'm sorry for the attitude i have been giving people. this is a very stressful people for everyone involved with OpenEx, customers included. We are working on sorting out exactly how much coin left the exchange which was not supposed to. This is where the confusion lies. We are not going anywhere, and we fully plan on paying all customers which have been wronged. Once again, i apologize for this entire mess. It appears that less coin than originally we thought has been stolen, but there has been coin stolen. It just wasn't as cut and dry as a straight up server break in or RPC vulnerability.

We will post an update on 3/27/14.
hero member
Activity: 686
Merit: 504
always the student, never the master.
March 21, 2014, 01:52:44 AM
looks like some trolls trying really hard to discredit me.
member
Activity: 91
Merit: 10
Stop the potato genocide!
March 21, 2014, 01:39:08 AM
r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

I'm confused, r3wt.

Your original OP:

legendary
Activity: 1274
Merit: 1000
March 20, 2014, 11:25:20 PM
hero member
Activity: 686
Merit: 504
always the student, never the master.
March 20, 2014, 10:59:43 PM
Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.

justin gillet wrote that particular part. why don't you ask him.

here's the code in question:

Code:
if(isset($_POST["fchk"])) {
    if(isUserAdmin($id00)) {
        if($_POST["Transaction_Id"] != NULL && $_POST["Coin"] != NULL) {
            $tid = mysql_real_escape_string(trim($_POST["Transaction_Id"]));
            $coin = mysql_real_escape_string(trim($_POST["Coin"]));
            $sql = mysql_query("SELECT * FROM Wallets WHERE `Acronymn`='$coin'");
            $id = @mysql_result($sql,0,"Id");

            $sql2 = @mysql_query("SELECT * FROM deposits WHERE `Transaction_Id`='$tid' AND `Coin`='$coin'");
            $id2 = @mysql_result($sql2,0,"id");
            $paid = @mysql_result($sql2,0,"Paid");
            $wallet = new Wallet($id);
            $trans = @$wallet->gettransaction($tid);
            echo '
';
            print_r($trans);
            echo '
';
            if($trans != null) {
                if(is_array($trans)) {
                    if(in_array("Invalid or non-wallet transaction id", $trans,true)) {

                        echo "non wallet transaction id or invalid tx";
                    }else{
                        $account = $trans["details"][0]["account"];
                        $category = $trans["details"][0]["category"];
                        $confirms = $trans["confirmations"];
                        $amount = $trans["amount"];
                        if($id2 != NULL) {
                            if($paid == 0) {
                                if($category == "receive" && $confirms > 3 && $account != "")
                                {
                                    mysql_query("UPDATE deposits SET `Paid`='1' WHERE `id`='$id2'");
                                    AddMoney($amount, $account, $coin);
                                    echo $amount." ".$coin." was credited to your account";
                                }
                            }else{
                                echo $amount." ".$coin." was already credited to the account.";
                            }
                        }else{
                            if($category == "receive" && $account != "") {
                                if($confirms > 5) {
                                    mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','1','$account');");
                                    AddMoney($amount, $account, $coin);
                                    echo $amount." ".$coin." was successfully credited to the account";
                                }else{
                                    mysql_query("INSERT INTO  deposits (`Transaction_Id`,`Amount`,`Coin`,`Paid`,`Account`) VALUES ('$tid','$amount','$coin','0','$account');");
                                    echo "This Deposit is unconfirmed. Current confirmations:" . $confirms .". Required : 6.";
                                }
                            }else{
                                echo "transaction is not a deposit or account is invalid.";
                            }
                        }
                    }
                }else{
                    echo "Contact the admin. Error Code: 35-1a";
                    /* ERROR CODE INFORMATION

                    Error Code 35-la
                    the result wasn't an array. so its probably invalid. inform customer to disregard.
                    */
                }
            }
        }
    }
}
}


Any idea why it wouldn't strip the zeros(since they are obviously in the database?)
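A sketch of the duplicate check asked about in this post, as an added example that is not part of the thread or of OpenEx's code: the transaction id is reduced to one canonical form before any lookup, and a UNIQUE key on `(Transaction_Id, Coin)` makes a second credit for the same id fail inside the same database transaction as the balance update. The `balances` table, integer amounts, the stubbed wallet lookup (assumed to ignore characters past a valid id) and the sample id are constructed for illustration.

```php
<?php
// Added example, not OpenEx code. deposits columns follow the posted snippet;
// the balances table, wallet stub and txid below are constructed.
function canonicalTxid(string $raw): ?string {
    $t = strtolower(trim($raw));
    // Exactly 64 hex characters; padded, truncated or non-hex ids are refused.
    return preg_match('/\A[0-9a-f]{64}\z/', $t) === 1 ? $t : null;
}

function creditDeposit(PDO $db, callable $lookup, string $rawTxid, string $coin): string {
    $txid = canonicalTxid($rawTxid);
    if ($txid === null) return 'rejected: malformed txid';
    $tx = $lookup($txid);
    if ($tx === null) return 'rejected: unknown transaction';
    $db->beginTransaction();
    try {
        // The UNIQUE key turns this insert into the duplicate check.
        $db->prepare('INSERT INTO deposits (Transaction_Id, Coin, Amount, Account, Paid)
                      VALUES (?, ?, ?, ?, 1)')
           ->execute([$txid, $coin, $tx['amount'], $tx['account']]);
        $db->prepare('UPDATE balances SET Amount = Amount + ? WHERE Account = ? AND Coin = ?')
           ->execute([$tx['amount'], $tx['account'], $coin]);
        $db->commit();
        return 'credited';
    } catch (PDOException $e) {
        $db->rollBack();
        if ((string)$e->getCode() === '23000') return 'already credited';
        throw $e;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE deposits (Transaction_Id TEXT, Coin TEXT, Amount INTEGER,
           Account TEXT, Paid INTEGER, UNIQUE (Transaction_Id, Coin))');
$db->exec('CREATE TABLE balances (Account TEXT, Coin TEXT, Amount INTEGER)');
$db->exec("INSERT INTO balances VALUES ('alice', 'BTC', 0)");

$known = str_repeat('ab', 32);   // constructed 64-character hex id
// Wallet stub, assumed lenient: it ignores anything after the first 64 characters.
$lookup = fn(string $id) => substr($id, 0, 64) === $known
    ? ['amount' => 5000000, 'account' => 'alice'] : null;

foreach ([$known, $known, $known . '00', strtoupper($known)] as $id) {
    echo creditDeposit($db, $lookup, $id, 'BTC'), "\n";
}
echo $db->query('SELECT Amount FROM balances')->fetchColumn(), "\n";
```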
legendary
Activity: 1274
Merit: 1000
March 20, 2014, 10:19:51 PM
Here's what really bugs me.  Hydroponica said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin Hydroponica has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.


Hey, Hey, watch it....

Hydroponica is an honest scammer.


~BCX~



I agree.  As honest as scammers get!
legendary
Activity: 1274
Merit: 1000
March 20, 2014, 10:11:46 PM
Here's what really bugs me.  r3wt said that whoever stole the btc basically just added 0's to the txid's, allowing for multiple withdrawals.  His system apparently strips the zeros.

Why did it not check for duplicate txid's AFTER the 0's were stripped?  This wouldn't take much.

Also, the withdrawal portion is missing from the pastebin r3wt has provided.

Here is a link http://pastebin.com/vzZN6eQu

Looks like an inside job to me.
full member
Activity: 338
Merit: 100
https://eloncity.io/
March 20, 2014, 09:20:46 PM
WTF did you run an exchange on open source you got from github ?

FUCK SAKES......

anyone / everyone could have hacked you, they had all the keys.

full member
Activity: 126
Merit: 100
March 20, 2014, 08:05:09 PM
r3wt: Could you help me please? I withdrew 128486.197386680 EBT couple of days ago, never appeared on my wallet. Filled a ticket but got no response. User hoju2k2.
Thank you.

yes i will look into it



Any news on this? Now I can't even access the website "ip address is banned. You can appeal this decision by contacting an administrator at [email protected]"

as i said i will look into it. i'm in the process of removing that ban since it only seems to catch legitimate users anyway.

Hi, did you have the time to look at it? Thanks.

Damnit, no i forgot again. have you tried to login again? you've been unbanned a long time

EBT received, thank you.
legendary
Activity: 1632
Merit: 1010
March 20, 2014, 07:35:54 PM
r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.

r3wt... theft is theft  Huh
hero member
Activity: 686
Merit: 504
always the student, never the master.
March 20, 2014, 08:40:29 AM
r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.

there wasn't a theft of 34 btc, nor did i ever claim it. just a 34 btc discrepancy. fuck off.
member
Activity: 65
Merit: 10
March 20, 2014, 08:38:38 AM
r3wt has yet to show ANY proof whatsoever that there was a theft.  He claims 34 BTC were taken.  So, where are the transactions in the blockchain?  Not some internal accounting, not a copy+paste on pastebin, actual verifiable transactions.  If there was a theft, there are transactions.  Period.
legendary
Activity: 1274
Merit: 1000
March 20, 2014, 05:47:01 AM
And by the way, r3wt has plenty of btc to pay you all out of his own pocket. 

He's just not that kind of guy.
legendary
Activity: 1274
Merit: 1000
March 20, 2014, 05:43:15 AM


And



I know firsthand how horrible it can be to lose your coins.  You guys can put 2 and 2 together on your own.  r3wt said himself that he was once a bottomfeeder and "knows" a scam when he sees one. 

I wish the best to all of you.

I've been trading at Atomic-Trade recently.  They have an extended SSL certificate.  Coinbase doesn't even have one.

The owner is actually a nice/honest guy too, and he has regular security audits done to ensure his customer's safety.  Here is the most recent one:



It's time for exchanges to take a security-first approach to ensure this doesn't keep happening.