3s3s / opentrade

OpenTrade - Open Source Cryptocurrency Exchange
MIT License

Hacked? #348

Open cryptowhizzard opened 4 years ago

cryptowhizzard commented 4 years ago

Hello,

I reported by mail to the dev that my version (paid) of opentrade was hacked.

It seems there is little response or interest. Is this project still alive?

Xerxes7777 commented 4 years ago

I am not the developer. Could you please explain what happened, so others know? Have you port scanned your IP to make sure only the port that is open is open?

cryptowhizzard commented 4 years ago

I have preserved all log files so it can be traced, and the impact was limited. However, before I put things out in the open I wanted to give the developer access to the machine and log files so he could see.

It seems despite the readme file here with procedure and mail address that there is no response.

wwwcase commented 4 years ago

Close ports 40745 (account server) and 40545 (dbase server) for external connections??? And for bitcoins RPC ports ???

wwwcase commented 4 years ago

Hahaha

```
nmap -p 40745 trade.multicoins.org

Starting Nmap 6.40 ( http://nmap.org ) at 2020-05-18 16:52 MSK
Nmap scan report for trade.multicoins.org (144.76.71.116)
Host is up (0.070s latency).
rDNS record for 144.76.71.116: multicoins.org
PORT      STATE SERVICE
40745/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds

telnet trade.multicoins.org 40745

Trying 144.76.71.116...
Connected to trade.multicoins.org.
Escape character is '^]'.
```

cryptowhizzard commented 4 years ago

Those ports have always been closed. That trade.multicoins.org has them open says nothing about my setup here.

longnetwork commented 4 years ago

On the VPS, all ports are open by default, but it is better in the source code to bind port listening only to the local interface.

Xerxes7777 commented 4 years ago

Use the Zenmap application to do a complete port scan on your IP address to see what is open. Use a firewall. For version two of OpenTrade, ports 80, 22, and 443 need to be open. Close everything else. If you want, run Zenmap again to verify the port is closed. Use the slow comprehensive scan of Zenmap to do the port scan. On the IP address where you have the full node coin wallet running, assuming it is different from your OpenTrade, you need to open the port to accept RPC communication. It is a good idea to keep your full node coin wallet running on a different IP than your OpenTrade. Keep the IP of your full node wallet secret. I am still not clear what was hacked.
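An added example, not part of any comment in this thread and not OpenTrade's own code: a Node.js check of the advice above (only 22, 80 and 443 reachable from outside; internal services such as 40745 and 40545 bound to the local interface), run over constructed `ss -ltn` output. The sample lines, the function names and the use of 8332 as a wallet RPC port are assumptions.

```javascript
'use strict';
// Added example, not OpenTrade code. Ports come from this thread: 22, 80 and
// 443 may face the internet; 40745 (account server) and 40545 (dbase server)
// should not. SAMPLE_SS is constructed text in the format of `ss -ltn`.
const PUBLIC_PORTS = new Set([22, 80, 443]);

const SAMPLE_SS = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      511    0.0.0.0:443         0.0.0.0:*
LISTEN 0      511    127.0.0.1:40545     0.0.0.0:*
LISTEN 0      511    *:40745             *:*
LISTEN 0      128    [::]:80             [::]:*
LISTEN 0      128    [::1]:8332          [::]:*`;

// Split "addr:port" on the last colon so IPv6 literals such as [::1] survive.
function parseLocal(field) {
  const idx = field.lastIndexOf(':');
  if (idx < 0) return null;
  const port = Number(field.slice(idx + 1));
  if (!Number.isInteger(port) || port < 1) return null;
  // Drop the IPv6 brackets and any %interface scope suffix.
  const addr = field.slice(0, idx).replace(/^\[|\]$/g, '').replace(/%.*$/, '');
  return { addr, port };
}

function isLoopback(addr) {
  return addr === '::1' || addr === '::ffff:127.0.0.1' || /^127\./.test(addr);
}

// Return every listener that other hosts can reach on a port that is not
// in the allow-list. Loopback-only listeners are never reported.
function exposedListeners(ssOutput, allowed = PUBLIC_PORTS) {
  const findings = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 5) continue; // header or noise
    const local = parseLocal(cols[3]);
    if (!local || isLoopback(local.addr) || allowed.has(local.port)) continue;
    findings.push(local);
  }
  return findings;
}

console.log(exposedListeners(SAMPLE_SS));
```

On a live host the same function can be fed the real output of `ss -ltn`; an empty result means every non-public service is bound to loopback, which holds even if the firewall is misconfigured later.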

wwwcase commented 4 years ago

The first line of protection from the admin of the dedicated server in the data center:

1) In constants.js:

```js
//exports.MASTER_PASSWORD = PRIVATE.MASTER_PASSWORD || exports.password_private_suffix;
exports.MASTER_PASSWORD = 'o5+FTudgun2J03Zsy57CGDc7nZqbGn9kATxlYo71Jk8=';
```

2) In login.js, profile.js, wallet.js change all occurrences:

```js
//(utils.HashPassword(req.body['password']) == utils.HashPassword(g_constants.MASTER_PASSWORD)));
(utils.HashPassword(req.body['password']) == g_constants.MASTER_PASSWORD))
```

3) Create a password master hash with this script on the local computer for exports.MASTER_PASSWORD = '...':

```js
'use strict';
const g_crypto = require('crypto');

let password_private_suffix = 'fuckyouinthesnout'; // the dedicated server admin sees this

var Hash = function(str) {
    return g_crypto.createHash("sha256").update(str).digest('base64');
};

var HashPassword = function(strPassword) {
    return Hash(strPassword + password_private_suffix);
};

console.log( HashPassword('suckdickadminbitch') ); // only you know
```

wwwcase commented 4 years ago

The second barrier of protection is based on the separation of the exchange and the wallet daemons into different data centers and the calculation of the password for the wallets on the fly.

wwwcase commented 4 years ago

Hi DigitalOcean! Recent security tests completed! Sorry to use you - but you deserve it! Dumb, very dumb ..)