
Topic: SCAMMER TradeFortress P-T'ed my site without permission, no damage afaik. CLOSED - page 3. (Read 5468 times)

sr. member
Activity: 294
Merit: 250
Let's Start a Cryptolution!!
Why are you getting hacked so much?
Social engineering or are you just coding that poorly and not debugging properly before you launch?
The site was hacked once due to shitty programmers.
I'm not a programmer, the exploited code was written by the coder I paid who delivered his final project in April at the site launch and is refusing to give updates or help anymore with the site since he already got paid.
This might also be a reason scammer TradeFortress tried to hack and steal the site's coins:
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. The link of the hack picture was posted by tradefortress.
It's more like hundreds of BTC, but same difference.

Ah, I see, that sucks. No way you can contact him? Or is he not responding at all, email or Skype or anything?
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
I PM'ed this but MPT asked to post it here instead:
Hey,
You asked to fix the following code:
Code:
while ($xyz = $mnop->fetch()) {
    echo '
Message: '.$xyz['stuff'].'
';
}
I'm not sure I get your exact problem. Usually with SQL injection you're scared of plainly using the input of a user. This can be secured against by (where $name is the input):
Code:
// Undo magic-quotes escaping if the server already applied it
if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);
}
// Escape the value for use inside a quoted SQL string literal
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");
Your question seems to be different though as there is no input except for what you retrieve from the database ($xyz['stuff']). Do you mean the content of your database is potentially not trustworthy? If so, I'd recommend not fixing it there but on every place where user code can potentially alter the database using a mechanism such as I proposed in the above code-block.
If I misunderstood and you mean something else altogether, please clarify :)
Regards
Looks like stripslashes doesn't block opening a line of code, does it?
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
Why are you getting hacked so much?
Social engineering or are you just coding that poorly and not debugging properly before you launch?
The site was hacked once due to shitty programmers.
I'm not a programmer, the exploited code was written by the coder I paid who delivered his final project in April at the site launch and is refusing to give updates or help anymore with the site since he already got paid.
This might also be a reason scammer TradeFortress tried to hack and steal the site's coins:
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. The link of the hack picture was posted by tradefortress.
It's more like hundreds of BTC, but same difference.
legendary
Activity: 2324
Merit: 1125
I PM'ed this but MPT asked to post it here instead:

Hey,

You asked to fix the following code:

Code:
while ($xyz = $mnop->fetch()) {
    echo '
Message: '.$xyz['stuff'].'
';
}

I'm not sure I get your exact problem. Usually with SQL injection you're scared of plainly using the input of a user. This can be secured against by (where $name is the input):

Code:
// Undo magic-quotes escaping if the server already applied it
if (get_magic_quotes_gpc()) {
    $name = stripslashes($name);
}
// Escape the value for use inside a quoted SQL string literal
$name = mysql_real_escape_string($name);
mysql_query("SELECT * FROM users WHERE name='{$name}'");

Your question seems to be different though as there is no input except for what you retrieve from the database ($xyz['stuff']). Do you mean the content of your database is potentially not trustworthy? If so, I'd recommend not fixing it there but on every place where user code can potentially alter the database using a mechanism such as I proposed in the above code-block.

If I misunderstood and you mean something else altogether, please clarify :)

Regards
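
The request in this thread (show the fetched message as plain text, never as markup) is an output-encoding problem: the value has to be HTML-encoded at the point it is echoed, which SQL escaping on input does not do. The following is an added example, not code from the site or from any poster; it assumes `$mnop` is a PDOStatement, and `h()`, `render_messages()` and the `messages` table are hypothetical names.

```php
<?php
// Added example, not the site's code. Assumption: $mnop is a PDOStatement
// (suggested by ->fetch()) and 'stuff' holds user-submitted text.

// Keep PHPSESSID out of reach of document.cookie as a second layer.
ini_set('session.cookie_httponly', '1');
ini_set('session.use_only_cookies', '1');

/** Encode a stored value for an HTML text or quoted-attribute context. */
function h(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render each row so the browser shows the message as literal text. */
function render_messages(PDOStatement $mnop): string
{
    $out = '';
    while ($xyz = $mnop->fetch(PDO::FETCH_ASSOC)) {
        $out .= '<p>Message: ' . h($xyz['stuff']) . "</p>\n";
    }
    return $out;
}

// Constructed sample rows in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE messages (stuff TEXT)');

// Bound parameters handle the SQL side; they do not make the text HTML-safe.
$ins = $db->prepare('INSERT INTO messages (stuff) VALUES (:stuff)');
$samples = [
    'how does this work',
    '<b>bold</b> & "quoted"',
    '<script>/* constructed markup */</script>',
];
foreach ($samples as $msg) {
    $ins->execute([':stuff' => $msg]);
}

echo render_messages($db->query('SELECT stuff FROM messages'));
```

Encoding belongs at every place a stored value is written into HTML, including the admin panel view, since that is where a privileged session is exposed.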
sr. member
Activity: 294
Merit: 250
Let's Start a Cryptolution!!
Why are you getting hacked so much?

Social engineering or are you just coding that poorly and not debugging properly before you launch?
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
Here are his messages on the site that led to the PHPSESSID HACK
Jun 1, 09:17:41 foobar
Message: So what do I do now? Do I get moneypak codes ? Do I get bitcoin? do I get balance to my debit card? what is your service
Jun 1, 09:16:29 foobar
Message:
Jun 1, 09:02:38 foobar
Message: foo
Jun 1, 09:02:29 foobar
Message: how does this work
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. The link of the hack picture was posted by tradefortress.
Understood. I wish you good luck in your further pursuits if they are honorable and fair. I don't even want to get between the conflict (or dispute, whatever you call it) with you and TradeFortress.
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
I handle 10's of thousands of dollars for my clients as the hacked info will reveal. The link of the hack picture was posted by tradefortress.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
Who made the other accusation? Links will help counter troll mprep
Dude, what's your problem? You seem to be full of hatred to everyone. And that's just my opinion that I'm not forcing on to you. I tell what I think and I don't give a damn if you like or care about it or not. You should sit down, relax and stop attacking everyone who's not with you. If I wanted to fight against you, I would've made a separate thread.
full member
Activity: 140
Merit: 100
Troll of the Fourth Reich.
As it goes, I need to block code from being executed and instead print the contents of the mysql block:
Fix this code:
while ($xyz = $mnop->fetch()) {
    echo '
Message: '.$xyz['stuff'].'
';
}

Pay is $100 in BTC for complete functional substitution blocking code execution from the msg fetched and instead display it as plaintext, no code allowed.

END OF REQUEST, BEGIN INFO:

Post *YOUR* code if I'm really using it dumbass, you gave me shit, I paid another programmer to actually code the site since your code was non-functional.
You ARE a scammer unless you can post your functional code, which you obviously can't b/c it doesn't exist.
Which programmer did you pay? [Either I didn't code that part of your site or my code really is shit], security vulnerability:

[I can't see the code, but did get read/write access to the db, but don't know how the new storage system is named so can't do the bitcoin redirection I attempted]
Scammer/Hacker wannabe attempted to divert deposits from the site, using an apparently custom address for the attempted theft:
Fortunately, he knew so little of the code, he only managed to rewrite his personal deposit address to: 1KentoeyU1VuoD4oCBsnTm3yTXksGRiWww
Account info: Created: 2013-06-01 09:01:04, accessed from: 58.111.143.105
User "foobar" : [email protected]
Password Hash was destroyed unfortunately in a hurried attempt to block the hacker.

People may presume the possibility that Scammer/Hacker accessed all the account info generally visible about user account.
Fortunately, none of the info required is too bad and this piece of shit might not invade the privacy of these users (lawsuits are valid against him if he does so).

UPDATE: It appears only limited, session information was stolen, could use help minimizing this damage in the future:
Code used:
Maybe you shouldn't have hacked him first.
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
Who made the other accusation? Links will help counter troll mprep
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
Man this is a heavy accusation. Second accusation I've seen against TF since last month.
Yeah, I noticed too. It's kind of beginning to annoy me. He seems to have some kind of serious hatred for TradeFortress.
hero member
Activity: 602
Merit: 500
R.I.P Silk Road 1.0
Man this is a heavy accusation. Second accusation I've seen against TF since last month.
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax. :-\
Who do I give root access to my site to back the accusations?
Seems pretty clear cut, the scammer/hacker publicly posted some stolen info (the admin panel view).
You clearly are in rage (and in a lot of psychological pain I suppose). Relax because you're trying to tear down a building with a stick.
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax. :-\
Who do I give root access to my site to back the accusations?
Seems pretty clear cut, the scammer/hacker publicly posted some stolen info (the admin panel view).
global moderator
Activity: 3794
Merit: 2612
In a world of peaches, don't ask for apple sauce
Dude, it doesn't seem that you have the reputation (or trust) to back your accusations. Take a deep breath and relax. :-\
sr. member
Activity: 472
Merit: 250
Never spend your money before you have it.
UPDATE 6/3 SOLVED, no more entries will be reviewed.

As it goes, I need to block code from being executed and instead print the contents of the mysql block:
Fix this code:
while ($xyz = $mnop->fetch()) {
    echo '
Message: '.$xyz['stuff'].'
';
}

Pay is $100 in BTC for complete functional substitution blocking code execution from the msg fetched and instead display it as plaintext, no code allowed.
SOLVED

END OF REQUEST, BEGIN INFO:

Post *YOUR* code if I'm really using it dumbass, you gave me shit, I paid another programmer to actually code the site since your code was non-functional.
You ARE a scammer unless you can post your functional code, which you obviously can't b/c it doesn't exist.
[...]

[...]
Scammer/Hacker wannabe TF hijacked an admin session via a sql injection directing the admin cookie to his site (code at bottom of post).
His Account info: Created: 2013-06-01 09:01:04, accessed from: 58.111.143.105
User "foobar" : [email protected]

There were a few minutes that Scammer/Hacker TF had access to the admin panel.
Fortunately, none of the info there is too bad and this piece of shit might not invade the privacy of the users.

UPDATE: It appears only limited, session information was stolen:
Code used: