3s3s / opentrade

OpenTrade - Open Source Cryptocurrency Exchange
MIT License

Hacked #362

Open Xerxes7777 opened 4 years ago

Xerxes7777 commented 4 years ago

There is a serious problem here. I was very careful and closed all open unused ports. I was hacked and the hacker stole some BTC. The hacker or hackers attacked by signing up and somehow took control of open orders. They bought a small amount of the alternative coins. They then cancelled all open orders. They placed a really high buy price for the altcoin, somehow accessing other users' BTC wallets in the exchange. They changed the minimum wallet reserve fee for the blockchain to a very small amount and they changed the minimum blockchain confirmations for the coin to be available to 1. They immediately transferred the BTC out quickly. The hacker's sign-up user id was never granted any administrative role. They did all of this through a back door? No other explanation. All access to the server was through a secure trusted VPN on my site. The wallet server was kept separate from the OpenTrade server. I gave up after a year of problem solving getting it to work with all the incomplete instructions. I got it to work, then got hacked.

cryptowhizzard commented 4 years ago

Posting this here is not going to help. You responded to one of my threads in May, but as you could see there, there are only people hanging around here with a big E-penis and high levels of testosterone telling how good they are.

I already figured out what happened back then. Consider adding some contact options in your profile so one can safely contact you to help you out.

Xerxes7777 commented 4 years ago

I appreciate the help, but exposing my email is not a great idea for me; it creates hassle. Point me to your email on your profile and I will contact you.

> Posting this here is not going to help. You responded to one of my threads in May, but as you could see there, there are only people hanging around here with a big E-penis and high levels of testosterone telling how good they are.
>
> I already figured out what happened back then. Consider adding some contact options in your profile so one can safely contact you to help you out.

cryptowhizzard commented 4 years ago

You can find me @ moondex.

https://discord.gg/AA9Sjym

3s3s commented 4 years ago

Just stay tuned if you don't want to lose money. I'm not doing this out of idleness: https://github.com/3s3s/opentrade/commits/master/server/modules/api

Xerxes7777 commented 4 years ago

Well, I have already lost my money on this. My fault for trusting the program. So if you know the vulnerability, what is it? The API module??

Further, any update and change should include: 1) the ability to suspend or terminate users who signed up; 2) the administration function that looks up the last trade has a little "x" beside the reported last trade. When you press this, the trade is actually deleted from the database, leading to negative and screwed-up user wallet balances, as if the trades they made never happened. The exchange should have a permanent record of all the users' trades, and this should not be easily deleted; it serves no purpose except trouble. It leads to users who have bought coin and transferred coin out of the exchange wallet (negative balance), and then all of the transferred coin they brought to the account goes back to the original, giving the user the ability to double spend their transferred money, that is, the BTC in the exchange. The "last trade" function of admin should have a function for going back and forth through trades with user id etc. for admin information purposes.

> Just stay tuned if you don't want to lose money. I'm not doing this out of idleness: https://github.com/3s3s/opentrade/commits/master/server/modules/api

Xerxes7777 commented 3 years ago

Does anyone know how to disable the API? I suspect this is the way the hackers got into the system.

cryptowhizzard commented 3 years ago

Yes.

Xerxes7777 commented 3 years ago

Please explain: how do you turn off the API?

3s3s commented 3 years ago

The simplest way is just removing this folder: opentrade/server/modules/api/

cryptowhizzard commented 3 years ago

A better way would be to isolate the server and put a WAF in front, preventing SQL injections and other rogue stuff. They come free of charge these days.

Xerxes7777 commented 3 years ago

> The simplest way is just removing this folder: opentrade/server/modules/api/

I tried this method already. It causes an error when cd ~/opentrade/server and [sudo] forever start main.js are run. Note that utilities.js in ~/opentrade/server refers heavily to API functions.

Xerxes7777 commented 3 years ago

> A better way would be to isolate the server and put a WAF in front, preventing SQL injections and other rogue stuff. They come free of charge these days.

If you have done this, please instruct me how to do it.

cryptowhizzard commented 3 years ago

> > A better way would be to isolate the server and put a WAF in front, preventing SQL injections and other rogue stuff. They come free of charge these days.
>
> If you have done this, please instruct me how to do it.

You can't ask me this. It should be part of your default skills as a server administrator. I asked you to contact me but you want to communicate here, so here you go.

Go Google and study WAF (web application firewall). Try Cloudflare (includes a WAF) and put it in front of your server. Isolate your web server with UFW (again, Google to study how that works) and only allow SSH from your IP, and Cloudflare IPs for web traffic.

Sorry to put it this way, but if you don't understand the above you should not be running OpenTrade or any other application that requires security.
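The isolation described in the comment above, as an added example that is not part of this thread or of the OpenTrade project: a POSIX shell function that emits the UFW rule set for allowing SSH only from one admin address and HTTP/HTTPS only from the WAF's edge ranges, with everything else hitting the default deny. The admin address and the ranges in the block are constructed placeholders from documentation netblocks, not real hosts; the current Cloudflare ranges are published at https://www.cloudflare.com/ips-v4 and must be substituted before use.

```shell
#!/bin/sh
# Added example, not OpenTrade code: print the ufw commands that expose SSH only
# to the admin's address and web ports only to the WAF's edge ranges. The rules
# are printed for review first; the reviewed output is then run as root.

ADMIN_IP="203.0.113.10"          # constructed placeholder (TEST-NET-3), not a real admin host
CF_RANGES="198.51.100.0/24
192.0.2.0/24"                    # constructed placeholders; replace with the published edge list

# Accept only a dotted-quad address or CIDR, so a typo can never turn into an
# "allow from anywhere" rule.
valid_cidr() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    oldifs=$IFS; IFS='./'
    set -- $1
    IFS=$oldifs
    for octet in "$1" "$2" "$3" "$4"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# build_ufw_rules ADMIN_IP "RANGE RANGE ..."  -> one ufw command per line on stdout
build_ufw_rules() {
    admin=$1; ranges=$2
    valid_cidr "$admin" || { echo "bad admin address: $admin" >&2; return 1; }
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw allow from $admin to any port 22 proto tcp"
    for r in $ranges; do
        valid_cidr "$r" || { echo "bad range: $r" >&2; return 1; }
        echo "ufw allow from $r to any port 80 proto tcp"
        echo "ufw allow from $r to any port 443 proto tcp"
    done
    echo "ufw --force enable"
}

# Review the output; when it looks right: build_ufw_rules "$ADMIN_IP" "$CF_RANGES" | sudo sh
build_ufw_rules "$ADMIN_IP" "$CF_RANGES"
```

Because the origin then answers only the WAF's ranges, a request that skips the WAF never reaches the Node process at all; the wallet host should stay off the public interface entirely, as the original post says it already was.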

Xerxes7777 commented 3 years ago

> > > A better way would be to isolate the server and put a WAF in front, preventing SQL injections and other rogue stuff. They come free of charge these days.
> >
> > If you have done this, please instruct me how to do it.
>
> You can't ask me this. It should be part of your default skills as a server administrator. I asked you to contact me but you want to communicate here, so here you go.
>
> Go Google and study WAF (web application firewall). Try Cloudflare (includes a WAF) and put it in front of your server. Isolate your web server with UFW (again, Google to study how that works) and only allow SSH from your IP, and Cloudflare IPs for web traffic.
>
> Sorry to put it this way, but if you don't understand the above you should not be running OpenTrade or any other application that requires security.

Well, thank you for your instruction. Yes, you are right. I don't have formal training in this; what I have is self-taught. I am not trying to get rich running the exchange platform. I am running this on the side to support an altcoin blockchain. I got hacked and lost some BTC, but I even paid my users out of my own money. I learn as I go along. I don't have the luxury to quit my job and learn it the regular way. Sorry for not contacting you; I was being very careful after I was hacked, since more than likely the hackers are part of, or access, this OpenTrade GitHub, since they had good knowledge and knew the hack. I will update my profile with my email now; please see if you can email me.

ShorelineCrypto commented 3 years ago

> > > > A better way would be to isolate the server and put a WAF in front, preventing SQL injections and other rogue stuff. They come free of charge these days.
> > >
> > > If you have done this, please instruct me how to do it.
> >
> > You can't ask me this. It should be part of your default skills as a server administrator. I asked you to contact me but you want to communicate here, so here you go. Go Google and study WAF (web application firewall). Try Cloudflare (includes a WAF) and put it in front of your server. Isolate your web server with UFW (again, Google to study how that works) and only allow SSH from your IP, and Cloudflare IPs for web traffic. Sorry to put it this way, but if you don't understand the above you should not be running OpenTrade or any other application that requires security.
>
> Well, thank you for your instruction. Yes, you are right. I don't have formal training in this; what I have is self-taught. I am not trying to get rich running the exchange platform. I am running this on the side to support an altcoin blockchain. I got hacked and lost some BTC, but I even paid my users out of my own money. I learn as I go along. I don't have the luxury to quit my job and learn it the regular way. Sorry for not contacting you; I was being very careful after I was hacked, since more than likely the hackers are part of, or access, this OpenTrade GitHub, since they had good knowledge and knew the hack. I will update my profile with my email now; please see if you can email me.

Was your OpenTrade server patched with all the commits in the history on the API file before the hack? It is a bit concerning that a new hack happened on this software. It sounds like another SQL injection, where a hacker created a fake balance in the account, probably through SQL, then bought and sold and used the exchange's BTC to steal money.

ShorelineCrypto commented 3 years ago

My read on the hack history from the OP is that the hacker first got into the order book through SQL injection. Then they cancelled the orders and obtained all the BTC from the cancelled orders, then withdrew and stole the BTC from the exchange.

Xerxes7777 commented 3 years ago

> Was your OpenTrade server patched with all the commits in the history on the API file before the hack?

Which patch for the API?? I downloaded the latest code from this site under the code menu on or about April 3, 2020. I was not aware of any patch or patch update to apply. Could you please clarify? Thanks.

Xerxes7777 commented 3 years ago

> My read on the hack history from the OP is that the hacker first got into the order book through SQL injection. Then they cancelled the orders and obtained all the BTC from the cancelled orders, then withdrew and stole the BTC from the exchange.

Most likely it is SQL injection, but how is it done? Is it through the API functionality?

I am restating the hack sequence based on what I could observe and find out, stated a little differently. Note the hack changed the minimum confirmations for withdrawal from the exchange wallet and the minimum amount reserved for each wallet too:

1) The hacker waits for the admin to sign on after creating an account. Then somehow, most likely using an API function or another vulnerability, they control the admin functions.

2) They change the minimum coin confirmations or reserve to the lowest value, to allow quickly stealing the BTC once they have control of it via the exchange wallet.

3) They buy a small amount of altcoin cheaply, cancel all active orders to buy the altcoin, put their own altcoin sell order at a ridiculously high price, sell the altcoin, and get BTC deposited to their own exchange wallet.

4) They withdraw the BTC quickly out of the exchange before it can be stopped.

ShorelineCrypto commented 3 years ago

> > Was your OpenTrade server patched with all the commits in the history on the API file before the hack?
>
> Which patch for the API?? I downloaded the latest code from this site under the code menu on or about April 3, 2020. I was not aware of any patch or patch update to apply. Could you please clarify? Thanks.

There are many security update commits after April 3, 2020. For example, this commit on May 27, 2020 specifically says it is to PREVENT SQL INJECTION: https://github.com/3s3s/opentrade/commit/05ccb05a67ccc705701af5e67e5c061556b9d2ea

ShorelineCrypto commented 3 years ago

> > My read on the hack history from the OP is that the hacker first got into the order book through SQL injection. Then they cancelled the orders and obtained all the BTC from the cancelled orders, then withdrew and stole the BTC from the exchange.
>
> Most likely it is SQL injection, but how is it done? Is it through the API functionality?
>
> I am restating the hack sequence based on what I could observe and find out, stated a little differently. Note the hack changed the minimum confirmations for withdrawal from the exchange wallet and the minimum amount reserved for each wallet too:
>
> 1) The hacker waits for the admin to sign on after creating an account. Then somehow, most likely using an API function or another vulnerability, they control the admin functions.
>
> 2) They change the minimum coin confirmations or reserve to the lowest value, to allow quickly stealing the BTC once they have control of it via the exchange wallet.
>
> 3) They buy a small amount of altcoin cheaply, cancel all active orders to buy the altcoin, put their own altcoin sell order at a ridiculously high price, sell the altcoin, and get BTC deposited to their own exchange wallet.
>
> 4) They withdraw the BTC quickly out of the exchange before it can be stopped.

I am not convinced that the hacker had control of the admin account. Most likely not. Admin has a coupon feature that can create USD dollars out of thin air. An SQL injection hack can change the internal database. The minimum withdrawal amounts on BTC or altcoins are just records in the database that SQL injection can change through the v1 API code without control of the admin account. SQL injection essentially can change a lot of things, but of course it is limited to what it can change through the v1 API loophole.