Topic: XAPO Script - Hacked - page 2. (Read 6073 times)

full member
Activity: 238
Merit: 100
August 05, 2016, 08:30:18 AM

What was your faucet and I will see if it is possible for me to access and duplicate what you are saying?

https://faucet.today
legendary
Activity: 1059
Merit: 1020
August 05, 2016, 08:16:19 AM
The solution of blocking all proxies is still not a good solution at all. It blocks almost all proxies. With an advanced proxy it is possible to bypass the proxy detection.
member
Activity: 132
Merit: 10
August 05, 2016, 08:08:49 AM

Let me see if, on one of the Xapo sites like you say, I can actually use F5 and reclaim without a Captcha. BRB on this one.

I have 2 Xapo wallet sites open (MoonBitco.in and Whalebitco.in) and one non-Xapo site open (Claim BTC); I will run the F5 command in 2 minutes.

Ok, I ran the F5 command on all 3 sites and they gave me the same result (Incorrect Captcha).

Are we dealing with a weakness in the F5 command for @Gifted's script? As I thought we had solved this previously and it was addressed by @Gifted.

I am old and senile and I tend to forget what I just said so I may be wrong.

I have only tested this at my faucet .. maybe I am the only one with this phenomenon?

What was your faucet and I will see if it is possible for me to access and duplicate what you are saying?
full member
Activity: 238
Merit: 100
August 05, 2016, 07:43:16 AM

Let me see if, on one of the Xapo sites like you say, I can actually use F5 and reclaim without a Captcha. BRB on this one.

I have 2 Xapo wallet sites open (MoonBitco.in and Whalebitco.in) and one non-Xapo site open (Claim BTC); I will run the F5 command in 2 minutes.

Ok, I ran the F5 command on all 3 sites and they gave me the same result (Incorrect Captcha).

Are we dealing with a weakness in the F5 command for @Gifted's script? As I thought we had solved this previously and it was addressed by @Gifted.

I am old and senile and I tend to forget what I just said so I may be wrong.

I have only tested this at my faucet .. maybe I am the only one with this phenomenon?
member
Activity: 132
Merit: 10
August 05, 2016, 07:22:59 AM
It's me again .. there is still one thing I don't like ... I will try to explain as well as I can in English ...

Example:

Your Xapo faucet has a cooldown (timer) of 15 minutes until the next claim is allowed.

OK here we go - a visitor enters your faucet, solves the Captcha and claims .. he stays on your really cool site .. and after 15 minutes he can press F5 (Refresh) in the browser .. a small window pops up and asks if you want to send the form again (don't know how it is called in English - see screenshot in German)

If you answer with Yes .. the browser window reloads/refreshes .. and you have automatically claimed - without entering the Captcha again...

Now if a black-hat has found a way to disable the timer (ok, we don't allow right-clicks and so on now) he only has to press F5, press Enter, all the time .. and is happy ..

I am not a hero in web design nor PHP .. but maybe a solution is to set the cookie lifetime to 5 mins? or has it something to do with the session? .. any ideas?

Let me see if, on one of the Xapo sites like you say, I can actually use F5 and reclaim without a Captcha. BRB on this one.

I have 2 Xapo wallet sites open (MoonBitco.in and Whalebitco.in) and one non-Xapo site open (Claim BTC); I will run the F5 command in 2 minutes.

Ok, I ran the F5 command on all 3 sites and they gave me the same result (Incorrect Captcha).

Are we dealing with a weakness in the F5 command for @Gifted's script? As I thought we had solved this previously and it was addressed by @Gifted.

I am old and senile and I tend to forget what I just said so I may be wrong.
full member
Activity: 238
Merit: 100
August 05, 2016, 07:08:08 AM

Blocking Browsers is not the answer to your problem.

yes I am with you .. I just asked because I would like to know if there is a more comfortable way than banning a specific user-agent in htaccess ...
full member
Activity: 238
Merit: 100
August 05, 2016, 07:01:21 AM
It's me again .. there is still one thing I don't like ... I will try to explain as well as I can in English ...

Example:

Your Xapo faucet has a cooldown (timer) of 15 minutes until the next claim is allowed.

OK here we go - a visitor enters your faucet, solves the Captcha and claims .. he stays on your really cool site .. and after 15 minutes he can press F5 (Refresh) in the browser .. a small window pops up and asks if you want to send the form again (don't know how it is called in English - see screenshot in German)

If you answer with Yes .. the browser window reloads/refreshes .. and you have automatically claimed - without entering the Captcha again...

Now if a black-hat has found a way to disable the timer (ok, we don't allow right-clicks and so on now) he only has to press F5, press Enter, all the time .. and is happy ..

I am not a hero in web design nor PHP .. but maybe a solution is to set the cookie lifetime to 5 mins? or has it something to do with the session? .. any ideas?
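One way to close the F5 re-submit hole described above, as an added example and not code from the thread's faucet script: the claim form carries a single-use token that the POST consumes, every POST is answered with a redirect, and the 15-minute cooldown is checked against the stored claim time rather than the browser's timer. The function names and the `$session` array are my own; in the script they would be fed `$_SESSION`, `$_POST`, the Solve Media result and `claimed_at` from the users table.

```php
<?php
// Added example, not code from the faucet script. Assumed names:
// handle_claim_post(), issue_claim_token(), and a $session array standing in
// for $_SESSION so the functions can be exercised without a web server.

const COOLDOWN_SECONDS = 15 * 60;   // the 15-minute timer from the thread

// On the GET that renders the form: create a fresh single-use token and put
// it in the session; the template places it in a hidden <input>.
function issue_claim_token(array &$session): string
{
    $token = bin2hex(random_bytes(16));
    $session['claim_token'] = $token;       // replaces any older token
    return $token;
}

// On POST: consume the token before anything else. When the browser resends
// the same form ("send again?" -> Yes), the token is already gone.
function consume_claim_token(array &$session, ?string $submitted): bool
{
    $expected = $session['claim_token'] ?? null;
    unset($session['claim_token']);          // single use, even on failure
    return is_string($expected) && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// The cooldown is enforced from claimed_at in the database, so a visitor who
// disables the page's JavaScript timer gains nothing.
function claim_allowed(?int $lastClaimedAt, int $now): bool
{
    return $lastClaimedAt === null || ($now - $lastClaimedAt) >= COOLDOWN_SECONDS;
}

function handle_claim_post(array &$session, array $post, ?int $lastClaimedAt, bool $captchaOk): array
{
    if (!consume_claim_token($session, $post['claim_token'] ?? null)) {
        return ['ok' => false, 'reason' => 'duplicate or missing form token'];
    }
    if (!$captchaOk) {                       // result of the Solve Media check
        return ['ok' => false, 'reason' => 'wrong captcha'];
    }
    if (!claim_allowed($lastClaimedAt, time())) {
        return ['ok' => false, 'reason' => 'cooldown not over'];
    }
    // pay out and UPDATE users SET claimed_at = <now> here
    return ['ok' => true, 'reason' => 'claimed'];
}

// Post/Redirect/Get: answer every POST with a redirect, so what the visitor
// refreshes with F5 is a GET and the browser never offers to resend the form.
function finish_post(string $selfUrl): void
{
    header('Location: ' . $selfUrl, true, 303);
    exit;
}
```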
member
Activity: 132
Merit: 10
August 05, 2016, 06:37:35 AM


Yeap, I got a lot of bot attacks coming from Firefox, so I blocked it, sorry..

80%+ of Firefox accesses were bots.. don't know if it was the extensions (SQL injection, proxies) or the bots use this platform

Yeap, I tried to find something to block extensions.. however I think it can't be done..
You can easily find proxy/SQL injection extensions on Firefox.. and Chrome too, however I haven't blocked Chrome (yet hahah)
I was thinking about making a custom browser with which users can visit faucets.. you know? without extensions, with a good faucet list/rotator.. well, I don't have the knowledge to do this (and the other question is the ad clicks, maybe it gets a lower click rate)

Can you tell me/us please how you block a browser .. thanx in advance

Blocking browsers is not the answer to your problem. All that shows is how many users that visit your site use that particular browser. I would think we need to look deeper into the way the browser is used once on your site. Cross-reference blacklist IPs against visitors and incorporate a lockout of those IPs. Anyone trying to use a bot is going to try and use a fresh list of accepted proxies to access your site.

Say, for example, I use my mobile phone as a hotspot or wifi hotspot. I am using the IP 205.197.242.169 and I ran a cross-reference against blacklist IPs. When I did that I tested my IP against a new tool called WebRTC and found that it was leaking my actual IP address. For more information on how these thieves are stealing personal information read this post> http://whatismyipaddress.com/webrtc-test

And upon reading this article or post one may be able to use WebRTC to find the actual IP behind the attacks and single them out. WebRTC is available for Chrome, Firefox, Opera and many more as it is the new and bestest thing going.

Happy Defending !!!! 
full member
Activity: 238
Merit: 100
August 05, 2016, 06:04:42 AM


Yeap, I got a lot of bot attacks coming from Firefox, so I blocked it, sorry..

80%+ of Firefox accesses were bots.. don't know if it was the extensions (SQL injection, proxies) or the bots use this platform

Yeap, I tried to find something to block extensions.. however I think it can't be done..
You can easily find proxy/SQL injection extensions on Firefox.. and Chrome too, however I haven't blocked Chrome (yet hahah)
I was thinking about making a custom browser with which users can visit faucets.. you know? without extensions, with a good faucet list/rotator.. well, I don't have the knowledge to do this (and the other question is the ad clicks, maybe it gets a lower click rate)

Can you tell me/us please how you block a browser .. thanx in advance
full member
Activity: 238
Merit: 100
August 05, 2016, 05:55:19 AM
k - I opened my faucet again https://faucet.today .. if something goes wrong I will send you the bill gifted
legendary
Activity: 2604
Merit: 2234
Crypto Swap Exchange
August 05, 2016, 05:07:50 AM
-snip-

Like a glove! (I think).. My IP is blacklisted on a lot of services so I can't test at all.. and I can't renew lol
Thank you alfaboy!
I think it's working http://www.bitcoinamerica.com.br/faucet
anyone give me feedback please
No problemo

Anyway, your website says "Browser not supported". I'm using Firefox. Have you also blocked Chrome?
If this is about the plug-ins/add-ons, then we should think of another way to block just the plug-ins/add-ons and not the browser.


now this message comes and I can't access -.- ?
I am using Firefox ??


Code:
Browser not supported!

Yeap, I got a lot of bot attacks coming from Firefox, so I blocked it, sorry..

80%+ of Firefox accesses were bots.. don't know if it was the extensions (SQL injection, proxies) or the bots use this platform

Yeap, I tried to find something to block extensions.. however I think it can't be done..
You can easily find proxy/SQL injection extensions on Firefox.. and Chrome too, however I haven't blocked Chrome (yet hahah)
I was thinking about making a custom browser with which users can visit faucets.. you know? without extensions, with a good faucet list/rotator.. well, I don't have the knowledge to do this (and the other question is the ad clicks, maybe it gets a lower click rate)
hero member
Activity: 546
Merit: 500
August 05, 2016, 04:54:05 AM
-snip-

Like a glove! (I think).. My IP is blacklisted on a lot of services so I can't test at all.. and I can't renew lol
Thank you alfaboy!
I think it's working http://www.bitcoinamerica.com.br/faucet
anyone give me feedback please
No problemo

Anyway, your website says "Browser not supported". I'm using Firefox. Have you also blocked Chrome?
If this is about the plug-ins/add-ons, then we should think of another way to block just the plug-ins/add-ons and not the browser.
hero member
Activity: 546
Merit: 500
August 04, 2016, 10:24:49 PM
IMHO, we should totally block out bad ISPs and not show anything to users with bad ISPs, since they give bad traffic to the network ads.
hero member
Activity: 504
Merit: 501
August 04, 2016, 09:35:07 PM
I have the same thing, but I still let them go to the page, just not claim.


Security Patch V1.2 :



Go to index.php in the main root and find this:

Code:
// Ask Solve Media to verify the submitted captcha for this visitor's IP.
$response = @file('http://verify.solvemedia.com/papi/verify?privatekey=' . $settings['solvemedia_verification_key'] . '&challenge=' . rawurlencode($captchaChallange) . '&response=' . rawurlencode($captchaResponse) . '&remoteip=' . $ip);

// The first line of the reply is 'false' when the captcha did not check out.
if (!isset($response[0]) || trim($response[0]) === 'false') {
    $view['main']['result_html'] = '

Wrong captcha!

';
    $message                     = "Wrong captcha";
}

// Look up the most recent claim for this username or IP.
$q = $sql->prepare("select * from users where LOWER(username) = LOWER(?) or ip = ? order by claimed_at desc");
$q->execute(array($username, $ip));
$row = $q->fetch();

Put this code right underneath the one you find above:

Code:
// We do not allow proxies here.
// Connect back to the visitor's address on port 80 (1 second timeout); if
// something answers, the address is treated as a proxy. Note that anything
// accepting connections on port 80 at that address, proxy or not, is caught.
$probe = @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 1);
if ($probe) {
    fclose($probe);
    $view['main']['result_html'] = '

Bots not allowed !! If you are not a bot and not on a proxy, i still cant help you !

';
    $message                     = "Proxy";
    goto error;   // the error: label is the one the rest of index.php already uses
}
// end proxy check

This will stop proxies if they try to claim and throw a message as you can see in the picture



legendary
Activity: 2604
Merit: 2234
Crypto Swap Exchange
August 04, 2016, 09:03:45 PM
I'm testing your scripts here Gifted http://www.bitcoinamerica.com.br/faucet
less the adblock one (got some bug here)
Thanks for all!
says I'm on a proxy and I'm not

Yeap, other users tell me the same thing, I'm trying to fix it..
With this code I'm blocking everyone
Code:
<?php
// Blanket check: any forwarded-for header, empty user agent or Via header ends the request.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT'] == '') || ($_SERVER['HTTP_VIA'] != '')) {
    die("Proxy servers not allowed.");
}

// Header names that proxies commonly add to a request.
$proxy_headers = array(
    'HTTP_VIA',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_FORWARDED_FOR_IP',
    'VIA',
    'X_FORWARDED_FOR',
    'FORWARDED_FOR',
    'X_FORWARDED',
    'FORWARDED',
    'CLIENT_IP',
    'FORWARDED_FOR_IP',
    'HTTP_PROXY_CONNECTION'
);
foreach ($proxy_headers as $x) {
    if (isset($_SERVER[$x])) die("You are using a proxy.");
    exit;   // not inside the if above, so the first iteration ends the script for every visitor
}
?>

and with the other script, any proxy can enter the faucet.. well.. I go to sleep and try again tomorrow

I'll try to help.

That proxy header list from that code, try to put that in your .htaccess file, then instead of that PHP code, try this and put it at the top of your template public_html/yourfaucet/style/template/index.php:

Like this:
Code:
<?php
// Connect back to the visitor's address on port 80; if something answers, treat it as a proxy.
$probe = @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr);
if ($probe) {
    fclose($probe);
    echo "It appears that you are using a PROXY, please BE FAIR! ";
    exit;
}
?>




Then test it in boomproxy, then after accessing your site in boomproxy click the clear cookies link and see if proxy blocking is successful. It should result like this:



Hope that helps even a little.


Like a glove! (I think).. My IP is blacklisted on a lot of services so I can't test at all.. and I can't renew lol
Thank you alfaboy!
I think it's working http://www.bitcoinamerica.com.br/faucet
anyone give me feedback please
hero member
Activity: 546
Merit: 500
August 04, 2016, 08:39:44 PM
I'm testing your scripts here Gifted http://www.bitcoinamerica.com.br/faucet
less the adblock one (got some bug here)
Thanks for all!
says I'm on a proxy and I'm not

Yeap, other users tell me the same thing, I'm trying to fix it..
With this code I'm blocking everyone
Code:
<?php
// Blanket check: any forwarded-for header, empty user agent or Via header ends the request.
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) || ($_SERVER['HTTP_USER_AGENT'] == '') || ($_SERVER['HTTP_VIA'] != '')) {
    die("Proxy servers not allowed.");
}

// Header names that proxies commonly add to a request.
$proxy_headers = array(
    'HTTP_VIA',
    'HTTP_X_FORWARDED_FOR',
    'HTTP_FORWARDED_FOR',
    'HTTP_X_FORWARDED',
    'HTTP_FORWARDED',
    'HTTP_CLIENT_IP',
    'HTTP_FORWARDED_FOR_IP',
    'VIA',
    'X_FORWARDED_FOR',
    'FORWARDED_FOR',
    'X_FORWARDED',
    'FORWARDED',
    'CLIENT_IP',
    'FORWARDED_FOR_IP',
    'HTTP_PROXY_CONNECTION'
);
foreach ($proxy_headers as $x) {
    if (isset($_SERVER[$x])) die("You are using a proxy.");
    exit;   // not inside the if above, so the first iteration ends the script for every visitor
}
?>

and with the other script, any proxy can enter the faucet.. well.. I go to sleep and try again tomorrow

I'll try to help.

That proxy header list from that code, try to put that in your .htaccess file, then instead of that PHP code, try this and put it at the top of your template public_html/yourfaucet/style/template/index.php:

Like this:
Code:
<?php
// Connect back to the visitor's address on port 80; if something answers, treat it as a proxy.
$probe = @fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr);
if ($probe) {
    fclose($probe);
    echo "It appears that you are using a PROXY, please BE FAIR! ";
    exit;
}
?>




Then test it in boomproxy, then after accessing your site in boomproxy click the clear cookies link and see if proxy blocking is successful. It should result like this:



Hope that helps even a little.
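A header-based version of the proxy check, as an added example that is neither Gifted's nor alfaboy's code: it walks the same header list as the code quoted above, but ignores those headers when the TCP peer is one of the faucet's own front ends (a load balancer or CDN sets X-Forwarded-For on every request, so a check like the one quoted above would then block every visitor), and it does not need the connect-back on port 80, which flags any visitor whose address happens to answer there. The `$trustedProxies` list and the sample requests are constructed for the example; as the thread notes, a proxy that sends none of these headers still passes.

```php
<?php
// Added example (not the thread's code). Assumption: $trustedProxies holds the
// addresses of your own reverse proxies / CDN nodes; sample requests are constructed.

// Request headers the thread's script checks, as PHP exposes them in $_SERVER.
const PROXY_HEADERS = [
    'HTTP_VIA', 'HTTP_X_FORWARDED_FOR', 'HTTP_FORWARDED_FOR', 'HTTP_X_FORWARDED',
    'HTTP_FORWARDED', 'HTTP_CLIENT_IP', 'HTTP_FORWARDED_FOR_IP', 'HTTP_PROXY_CONNECTION',
];

// Names of proxy headers present in the request. When the TCP peer is one of
// our own front ends, the headers came from us, not from the visitor, so they
// are not evidence of anything.
function proxy_evidence(array $server, array $trustedProxies): array
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true)) {
        return [];
    }
    $found = [];
    foreach (PROXY_HEADERS as $name) {
        if (isset($server[$name]) && trim((string) $server[$name]) !== '') {
            $found[] = $name;
        }
    }
    return $found;   // empty array: nothing seen; absence proves nothing
}

// Address to store in the users table: the peer, unless a trusted front end
// reported the real client in X-Forwarded-For (first entry is the client).
function client_ip(array $server, array $trustedProxies): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    if ($xff !== '' && in_array($peer, $trustedProxies, true)) {
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }
    return $peer;
}

// Constructed sample requests (documentation addresses, not real visitors).
$trusted  = ['10.0.0.2'];                                   // our CDN node
$direct   = ['REMOTE_ADDR' => '203.0.113.5'];               // plain visitor
$viaProxy = ['REMOTE_ADDR' => '198.51.100.9', 'HTTP_VIA' => '1.1 someproxy'];
$viaCdn   = ['REMOTE_ADDR' => '10.0.0.2', 'HTTP_X_FORWARDED_FOR' => '203.0.113.5'];

foreach (['direct' => $direct, 'viaProxy' => $viaProxy, 'viaCdn' => $viaCdn] as $label => $req) {
    $hits = proxy_evidence($req, $trusted);
    printf("%-8s ip=%-12s %s\n", $label, client_ip($req, $trusted),
        $hits ? 'blocked: ' . implode(',', $hits) : 'allowed');
}
```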
hero member
Activity: 504
Merit: 501
August 04, 2016, 07:03:09 PM
@Gifted,

I do apologize for pushing so hard. And I apologize for my impatience, as I understand your position and wanting to help others protect their sites and incomes from this script. I can not only be an idiot but also a pushy idiot.

My Apologies.....

ardodd
no, it was a good idea ...so don't worry
member
Activity: 132
Merit: 10
August 04, 2016, 06:57:19 PM
@Gifted,

I do apologize for pushing so hard. And I apologize for my impatience, as I understand your position and wanting to help others protect their sites and incomes from this script. I can not only be an idiot but also a pushy idiot.

My Apologies.....

ardodd
hero member
Activity: 504
Merit: 501
August 04, 2016, 06:08:00 PM
The patch is in PHP, server side; they can't have access, and this needs to be fixed right away. I can see your point, but a lot of people downloaded my script and they need to know now. I started a security patch thread already

Yes sir, you are 100% correct about them needing to know right now to close these backdoors. Do you have a problem with hosting a private membership section for those that do use your code for their website? One that would allow them access to a secure site where only they can have access to your details.

Most people may not worry about where or how they got the script to use on a faucet. Like I use an S2Membership plugin on WordPress that only allows members if I approve them. And it is hard to get into since I verify that they are who they say they are. And yours could be adapted to verifying that they use your script and it came from you if they wish to get details from the updates.

More like private support for your script since you modified it and made it secure now.
I'm just giving immediate patches at the moment; the rest of the updates will be in the download when I'm finished
member
Activity: 132
Merit: 10
August 04, 2016, 05:36:12 PM
The patch is in PHP, server side; they can't have access, and this needs to be fixed right away. I can see your point, but a lot of people downloaded my script and they need to know now. I started a security patch thread already

Yes sir, you are 100% correct about them needing to know right now to close these backdoors. Do you have a problem with hosting a private membership section for those that do use your code for their website? One that would allow them access to a secure site where only they can have access to your details.

Most people may not worry about where or how they got the script to use on a faucet. Like I use an S2Membership plugin on WordPress that only allows members if I approve them. And it is hard to get into since I verify that they are who they say they are. And yours could be adapted to verifying that they use your script and it came from you if they wish to get details from the updates.

More like private support for your script since you modified it and made it secure now.