Thanks Air Bourne. That works nice, and would stop people from getting automatic level 1. Don't know if it helps against the cross server exploit though, it should due to diff server hotuk though.
Printable View
Thanks Air Bourne. That works nice, and would stop people from getting automatic level 1. Don't know if it helps against the cross server exploit though, it should due to diff server hotuk though.
####NOTE: MY SUGGESTIONS ARE FOR BOTH CROSS-SERVER LINKING AND FOR HOTUK MISUSE.####
There are several things you can do in this situation. Firstly, if the person doing the cross-exploiting is a novice, then change the port of your server. This would require the attacker to do some work, which they may or may not want to bother doing.
Secondly, you can try CHANGING the commands so that even if they do manage to get on your server with the hotuk working, they will be UNABLE to use any valid commands (for the most part). This means that only your staff members will know the commands (and it will require re-memorizing them). You could simply alter the prefix even.
Another option is using the program I released called PT PROTECTOR. You can have it trigger a ban on any staff member who does not have your IP address or the IP address of a different staff member. This works only if you have static IP addresses that do not change. Alternatively, you could have it ban every username that uses an admin command that is NOT one of your staff members. This is less effective though because with cross-server connecting you can use any name you want. Simply have PT protector watch the admin logs and add admin commands to the "error log" catcher in PT Protector (even though this isn't an error). Making it very general helps, i.e. have it ban any weird IP or name that causes the word "AdminLv" to show up. One problem with this though is that it only bans accounts and not IPs (didn't get around to implementing that one yet), but the source code is designed so that you can EASILY implement banning IP addresses via "BlackUser". In fact, 99% of the code to do it I've already written within the program. You'd use the function I labeled "SaveFileFromTB" and integrate it into the procedure I some reason labeled as "porky". This area is commented a bit so that it's easy to tell what each line does. You could add the code after the "If Check4.Value = 1 Then: Beep" piece so that IP exceptions and username exceptions are dealt with first and the IP itself is already parsed using the variable "IP" so...yeah...Pretty easy.
Also, a correctly configured server Hotuk is suppose to help prevent cross-server connecting. Specify ALL IP addresses using all the functions you can. It's been awhile since I've dabbled in this stuff so I don't remember the specific functions to ensure are being used, but here are some--
Note: I do not recall the flags for all of these commands. Assume that some of them do NOT require any flags, or that some require more than one.Code:*DEBUG_ID 127.0.0.1
*DEBUG_IP 127.0.0.1
*ADMIN_IP 127.0.0.1
*ADMINISTRATOR_IP 127.0.0.1
*GAME_SERVER Name ip ip ip
*SERVER_LINK_IP
*AREA_SERVER ip
*TT_DATA_SERVER ip
*LOGIN_SERVER_IP
*SYSTEM_IP
*CL_PROTECT
*DISCONNECT_CLSAFE_CODE
*LAN_SERVER ip
*CONNECT_SERVER ip
Obviously a lot of those aren't needed. Specify as much as you can in your hotuk.
Removing the hotuk from the game.exe's released is also easy. You can null it out through a hex editor (ctrl+f "hotuk", 00's) or even rename it. This doesn't prevent someone from using a different exe (or even an older one of yours) so a CRC check would be recommended.
ALSO, Quantumfusion made a program to help prevent cross-server linking. A trial version was floating around, but it was CRACKED. You can find it on the net. How does it work -- is something you may be wondering. Well, it simply connects to your SQL database and checks one of the tables (I honestly do not remember which one, it's been so long...) and then blocks the IP using a firewall OCX or DLL (included, don't remember which it was). The program was called Excalibur and there was an alternate one by him called Ultimate Defense (or something like that). I don't support stealing these, but as I said...they are on the net.
YET another option, which would require lengthy programming, would be to make a local proxy for your server so that it can inspect everything easily. This CAN be done with a packet sniffer (the inspecting part), but then your left without the ability to manipulate the packets to their fullest extent (doing so without a local proxy is a BITCH!). You can watch all commands this way -- so woot. Simply say "no" to bad IP's or usernames that try to use admin commands.
ANOTHER method, though this one is aimed at server linking (and people using other clients to connect to your server), would be to change the encryption of your client. I've never done this before, but Shagpub certainly has (making PTV connect to KPT). I believe RPT did it and so did UPT.
Anyway, my post has official reached the size of one of bobsobol's posts :P: So that's enough out of me!
Awesome. This should go into a tutorial.
I have connected the current PTV client to KPT ET 2.2. I wouldn't call it encryption... but I can guide that too... don't know if that wouldn't make it too easy for hackers though. What do the regulars say?
Sooner or later my Mod-PT server will have that externalised in a DLL so you can add a real encryption to your servers, right now I just have DLLs for EPT, jPT, KPT & PTV... and some are more successful than others.
That sounds like it'd be an awesome guide. It may sacrifice some security, but overall it would be beneficial for when working with other clients and having them connect elsewhere. I'll probably move this thread when it becomes inactive and direct it to the tutorials area.
External DLL's would be great. Looking forward to it!
WOW how much i missed while i was sleeping,
1. i am happy to notice that i didnt got hacked in the night
2. i am going to secure my pt when i get back from school
good job guys really thanks, ill update you how its going.