Authd gold being compromised

0, 1, 1, 2, 3, 5, 8, 13,
Joined
Sep 8, 2011
Messages
601
Reaction score
168
A few days ago we began to receive attacks on our server.
It started with one IP attacking repeatedly by trying to POST gold through our vote script; they were blocked with htaccess.
This IP was evident in its intentions with all POST logs showing in Apache logs, and was able to be blocked successfully.
However, the problem persists, with authd logs showing two accounts are pushing gold through at a phenomenal rate... how, I don't know.
The Apache access logs show no IP POST..???
The vote script has been disabled but still it persists.
How are they doing this... I've spent 2 days trying all sorts of ideas but I cannot stop this intrusion.
The offending accounts 6016 and 5200 have been deleted from PW database and the vote script disabled but still it persists.
Still the authd logs show these two accounts pushing gold through.
Even when the server is down these 2 accounts are active... however, obviously the gold is not being pushed through, but the logs still show evidence of something trying to push this through.

Code:
gauthd: 22 Oct 2012 07:39:41,401  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12897
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:41,404  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12897
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:41,404  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:39:46,400  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10131,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:46,402  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9632
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:46,405  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9632
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:46,406  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
gauthd: 22 Oct 2012 07:39:51,401  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-586,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:51,404  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12898
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:51,406  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12898
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:51,407  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:39:56,403  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10130,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:56,405  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12899
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:56,407  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12899
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:39:56,408  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:01,404  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10129,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:01,406  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9633
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:01,409  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9633
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:01,410  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
gauthd: 22 Oct 2012 07:40:06,406  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-584,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:06,408  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12900
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:06,411  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12900
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:06,411  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:11,407  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10128,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:11,409  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12901
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:11,412  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12901
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:11,413  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:16,408  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10127,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:16,410  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9634
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:16,413  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9634
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:16,414  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1
gauthd: 22 Oct 2012 07:40:21,410  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=5200,zoneid=1,sn=-583,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:21,412  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12902
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:21,414  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12902
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:21,415  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
Prepare procedure call:{call recordoffline(?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:24,300  INFO GAuthServer:? - UserLogout::User 6192 logout successfully.
gauthd: 22 Oct 2012 07:40:26,411  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10126,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:26,413  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12903
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:26,416  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12903
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:26,417  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:31,413  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10125,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,415  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12904
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,417  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12904
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,418  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
Prepare procedure call:{call recordoffline(?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:31,601  INFO GAuthServer:? - UserLogout::User 6096 logout successfully.
gauthd: 22 Oct 2012 07:40:36,414  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10124,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:36,416  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12905
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:36,419  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=6016,zoneid=1,sn=12905
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:36,420  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=6016,zoneid=1
gauthd: 22 Oct 2012 07:40:41,415  INFO GAuthServer:? - UseCashTimerTask: status=0,userid=6016,zoneid=1,sn=-10123,ret=0
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:41,418  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=5200,zoneid=1,sn=9635
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:41,420  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=5200,zoneid=1,sn=9635
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 07:40:41,421  INFO GAuthServer:? - SendUseCash_Re: retcode=0,userid=5200,zoneid=1

Just a snippet, but as you can see these two accounts are pushing tons of gold through.
Apache access logs show no logs/IP for offending accounts... very odd.
I'd like to be able to at least block these entries and at the most put a stop to it... but first I must understand how this is happening.
So that is my question... how is this able to be pushed through?

Edit: I'm fairly sure this attack is executed by a script of some sort as it is continuous.
When the server is down this behaviour persists; however, authd logs show only
Code:
"gauthd: 22 Oct 2012 07:39:41,401  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=6016,zoneid=1,sn=12897"
without the
Code:
"Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}"
Which says to me it is a script of some sort that is hammering away at the server.
The sad thing is it is lagging out the genuine users who vote.
If I could understand how this is being executed then maybe it is able to be stopped.
I have so many questions... is it a script? Do they know my database password perhaps?
Is it an SQL injection? How are they POSTing without Apache showing this?
Any suggestions or help to illuminate would be greatly appreciated.
 
Last edited:
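Added example, not part of the original thread: one way to flag accounts in a gauthd log whose `AddCash_Re` events repeat every few seconds with consecutive `sn` values, the pattern visible in the excerpt above. The sample lines, the user IDs 1001/1002 and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Line layout taken from the gauthd excerpt in the post above.
LINE_RE = re.compile(
    r"gauthd: (?P<ts>\d{1,2} \w{3} \d{4} \d{2}:\d{2}:\d{2}),(?P<ms>\d{3})\s+INFO\s+"
    r"GAuthServer:\? - (?P<event>\w+)(?: Client)?: (?P<fields>.*)$"
)

# Constructed sample (user IDs 1001/1002 and sn values are made up).
SAMPLE = """\
gauthd: 22 Oct 2012 10:00:01,400  INFO GAuthServer:? - GetAddCashSN Client: retcode=0,userid=1001,zoneid=1,sn=501
Prepare procedure call:{call usecash(?,?,?,?,?,?,?,?)}
gauthd: 22 Oct 2012 10:00:01,400  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=1001,zoneid=1,sn=501
gauthd: 22 Oct 2012 10:00:11,400  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=1001,zoneid=1,sn=502
gauthd: 22 Oct 2012 10:00:12,000  INFO GAuthServer:? - UserLogout::User 1003 logout successfully.
gauthd: 22 Oct 2012 10:00:16,400  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=1001,zoneid=1,sn=503
gauthd: 22 Oct 2012 10:00:20,400  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=1002,zoneid=1,sn=77
gauthd: 22 Oct 2012 10:00:26,400  INFO GAuthServer:? - AddCash_Re: retcode=0,userid=1001,zoneid=1,sn=504
""".splitlines()

def parse_events(lines):
    """Yield (timestamp, event, fields) for each gauthd key=value line."""
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # "Prepare procedure call" and UserLogout lines
        ts = datetime.strptime(m["ts"], "%d %b %Y %H:%M:%S")
        ts = ts.replace(microsecond=int(m["ms"]) * 1000)
        pairs = (kv.split("=", 1) for kv in m["fields"].split(",") if "=" in kv)
        yield ts, m["event"], dict(pairs)

def find_cash_loops(lines, min_events=3, max_gap_s=60.0):
    """Flag accounts whose AddCash_Re events repeat with consecutive sn and short gaps."""
    per_user = defaultdict(list)
    for ts, event, f in parse_events(lines):
        if event == "AddCash_Re" and "userid" in f and "sn" in f:
            per_user[f["userid"]].append((ts, int(f["sn"])))
    flagged = {}
    for uid, evs in per_user.items():
        evs.sort()
        pairs = list(zip(evs, evs[1:]))
        gaps = [(b[0] - a[0]).total_seconds() for a, b in pairs]
        if (len(evs) >= max(min_events, 2) and max(gaps) <= max_gap_s
                and all(b[1] - a[1] == 1 for a, b in pairs)):
            flagged[uid] = {"events": len(evs), "max_gap_s": max(gaps),
                            "sn_range": (evs[0][1], evs[-1][1])}
    return flagged

if __name__ == "__main__":
    for uid, info in find_cash_loops(SAMPLE).items():
        print(uid, info)
```

An account flagged here with no matching request in the web server log suggests the repeats come from work already queued on the database side, which is consistent with what resolved the problem later in this thread.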
Joined
Jun 7, 2009
Messages
543
Reaction score
222
I don't have much knowledge about scripts but if you feel your database password might be compromised then change it now, better to be safe than sorry, then work on finding out the problem. Wish I could be more help. Only other suggestion is blocking the IPs that they are running the scripts from.
 
0, 1, 1, 2, 3, 5, 8, 13,
Joined
Sep 8, 2011
Messages
601
Reaction score
168
That's the problem... there are no IPs being shown... if only... then it would be easy to do.
I've been toying with the idea of changing the password... but it's a bit of work to do, which is cool... but may also not be needed.
I really need to understand how this is happening so I can stop it from re-occurring.
Thanks for the advice btw, I agree.
 
Newbie Spellweaver
Joined
May 12, 2012
Messages
48
Reaction score
6
Try Empty usercashnow, start server but not for gamers logging in, then wait a few hours
 
0, 1, 1, 2, 3, 5, 8, 13,
Joined
Sep 8, 2011
Messages
601
Reaction score
168
ty tgtk2012, I will try this now :)
If it works you know I will have questions lol.
Let you know in about 3 hours or so how it goes.

Late Edit- Didn't want to double post.
This worked straight from the onset... immediately after emptying usercashnow I could tell from the logs that the problem had stopped.
Followed the process through and so far it's working great again, and so from this whole experience I know what to do in the future, but all this still leaves me wondering why usercashnow was the key to the problem.
I'm thinking that even though these accounts were deleted there was still a record until they became inactive, which meant usercashnow was so blocked up from being hammered that it kept these accounts in an active state!!??
Still, finally, there is the question of what was done and how for this to occur in the first place... disturbing to the mind when you don't know how to block this to deter future problems.
 
Last edited:
Newbie Spellweaver
Joined
Oct 5, 2012
Messages
16
Reaction score
2
I have the same problem but it's on a 1.3.6 server, so can I apply the same fix? Also, sorry for being such a noob, but can I get a detailed explanation on how to "run TRUNCATE usercashnow; on mysql" or "empty usercashnow"? Please and thank you. Sorry, I'm new to PW developing, only 1 month.
 
Robb
Loyal Member
Joined
Jan 22, 2009
Messages
1,224
Reaction score
466
Remember to check all input data on everything!
You can also get apache2 modules which do this automatically
 
Elite Diviner
Joined
Mar 12, 2009
Messages
472
Reaction score
59
Time for me to flame around again: Why are you here? Learn basics first!

This can be done via mysqld, navicat, phpmyadmin, adminer....

I guess phpmyadmin has a very nice interface rather than console :D ... I choose phpmyadmin!



go to mysql
and run

use pw;
TRUNCATE usercashnow;

exit

It is a VERY easy task with phpmyadmin... so let me suggest: phpmyadmin is the best choice...
 
Joined
Dec 26, 2010
Messages
483
Reaction score
17
Yes, you are right, gunse.
I had trouble with this case and was stuck for some hours until I found this thread.
The cubi couldn't be entered and now the cubi is working.
 