I need the help of kind individuals and generous faucet owners who have build security around their faucet to help me out with any available and working security measure that could be implemented to secure faucets from hack and bot activities.
On 1st of July 2016, it was just like a dream to me when I checked my balance and it was reading 456 satoshi whereas the night before i went to bed it was 4 337 968 satoshi: https://postimg.org/image/f99gg063r
Though I wish to continue, but I really worried at the moment. There is something I tried to understand in this whole issue. 2 weeks before this very hack, I experienced such attempt, 5, 600 000 satoshi disapeared from my balance, but immediately I reported the issue to faucet box not up to 5 minutes the balance was returned, and faucetbox did not return a mail to this effect till today.
When the second one happened, I was already sleeping but once I noticed it and mailed them, the same scenario happened agained. After 3 minutes of sending the mail to faucetbox, when I checked my faucet site, I discovered the balance was returned again. Then I logged into faucetbox account area, to confirm the balance, unfortunately it didn't reflect. I returned back to my faucet site, the balance returned to 456. I was on a confused state. Another mail to faucetbox returned a reply:
"Hello,
We cancel this payout and returned coins to you.
Kind regards
Marcin"
I returned another mail with explanation of what I noticed and informed him that the balance is back to 456 satoshi.
This was his reply againn on the second of July 2016
"Hello,
We're really sorry, but there's nothing we can do now. The 0.04340155 BTC which was claimed by 18aewAbuAoHwQ3icyng6ykYj1NfUH6bQnJ was payout before you send us a message.
It looks like someone have access to your faucet's admin panel or know your api key. Why don't you have ACL enabled? Have you set up Send Limits? If you're using our Faucet Script you can also disable admin panel i config.php.
Kind regards
Marcin"
He gave me some security tips and I tried all, but I am not comfortable with the response because my hosting company told me they saw some vulnerability in funcaptcha.php.
Hi there, After thorough analyzing the logs, our technicians didn't find any vulnerability or any suspicious activity on server from the given dates. But instead, vulnerability was found on the codes (in file /libs/funcaptcha.php => function => getIP( )). Please consider to check this from your end.
Best regards Michael
public function getIP() { if (isset($_SERVER["HTTP_X_FORWARDED_FOR"])) { return $_SERVER["HTTP_X_FORWARDED_FOR"]; } else if (isset($_SERVER["REMOTE_ADDR"])) { return $_SERVER["REMOTE_ADDR"]; } else if (isset($_SERVER["HTTP_CLIENT_IP"])) { return $_SERVER["HTTP_CLIENT_IP"]; }
Greetings, Thank you for contacting email support services. HTTP_X_FORWARDED_FOR should never be used as a means to validate the user’s IP and if the coder outputs this data then there would be a problem of attacker being able to fake their IP but the "safe" data becomes a XSS injection point. So filtration of all user supplied data including User-agent etc is needed. PHP code with just $_SERVER[‘HTTP_X_FORWARDED_FOR’] shouldn't be blindly trusted. You may try to do a Google search for "XSS injection point" for more information about this vulnerability. Please do not hesitate to contact us again via our chat or email support services as we are more than willing to assist you with any concern you may have regarding your account with us.
Best regards
I'm not a coder, I don't know much of this. This info was forwarded to faucetbox but uptil date they have not returned a mail with any detail.
This gives me so much worries, as I don't know what to hold on or even trust. I think of switching to another script.
I will appreciate if there are kind hearted faucet owners here that could help me with any security advice, general advice about switching to another script that is more secure if any, or just anything that could help me move on with this.
Thank you
