How did he do it?

Today we had a modder/hacker.
He used several mods/hacks, some of which were superjump and gm like powers.
He was able to ban and boot players, use system announcement and even somehow make non-existent weapons of immense power.
I did ban him in the end..by ip ...from firewall (ip tables).
Here is a screenshot of just a couple of things to show you his ability.

Attachment 111274
Attachment 111275
I have secured the machine to the best of my knowledge and i know he cannot access anything database orientated...but i suspect he may be using some kind of sql injection or exploit.
I know he had admin like control because he banned me lmao.
My question is appealing to your knowledge of such issues..how did he do it?
What is this exploit?
Thankfully the guy wasnt a nutter but more interested in his own ego being massaged with his magic tricks...giving me time to finish up searching and banning his ip range (Moldava)
Any thoughts would be appreciated.
Edit: im adding here that he was very insistent that it was phpmyadmin he loved and that he had access to it.
>> I dont know how as its locked to localhost...to which i dont believe he had GUI access but perhaps he was referring to his ability to inject via..

look your pm

Do you use PW CN 1.4.5 files or PWI 1.4.5 files?
If CN then you may be vunerable to some things.

http://forum.ragezone.com/f751/tutor...er-1-a-856783/
this release is PW CN or PWI?

thats PWCN

oh and how can I fix those problem?

to ADMZePekeno i can't send pm to you it's say you have exceeded their stored private messages quota and cannot accept further messages until they clear some space.

All things should have closure...so for me i used a firewall customised to my needs.
A port scan revealed my problem and so they were closed.
I did find a flaw in my port 8080 settings with jetty as well that was showing iweb..set jetty to localhost only and firewall to block all except local just to be sure.
Also in debian sytem cofiguration files i adjusted some settings to help with syn attacks.
Im still taking hits at port 8080 but at least they are being dropped silently now.
Learning more about ip tables now with security being first priority.
Ty all for your help.

well
okay .-.

Quote:

---

Originally Posted by argonaut

All things should have closure...so for me i used a firewall customised to my needs.
A port scan revealed my problem and so they were closed.
I did find a flaw in my port 8080 settings with jetty as well that was showing iweb..set jetty to localhost only and firewall to block all except local just to be sure.
Also in debian sytem cofiguration files i adjusted some settings to help with syn attacks.
Im still taking hits at port 8080 but at least they are being dropped silently now.
Learning more about ip tables now with security being first priority.
Ty all for your help.

---

every interface to administrative thing should be placed either on private network or localhost, you still can access this interface using tunnel if you need to remote your box. You have to double triple check on your java (jetty, tomcat, etc) config also, do not bind to external interface.

I have warned developers previously that the CN release (i.e the only public 1.4.5 released) has several large issues that allow players(with the knowledge) to use GM abilities, only PWI v62 files and other PWI files are currently safe from this vulnerability, hence why several of us use PWI files as opposed to the Chinese variant.

If your using cn files such as the v63 files and have a live server, best of luck to you as without serious patches to your daemons, you are at risk.

Quote:

---

Originally Posted by michae5k

I have warned developers previously that the CN release (i.e the only public 1.4.5 released) has several large issues that allow players(with the knowledge) to use GM abilities, only PWI v62 files and other PWI files are currently safe from this vulnerability, hence why several of us use PWI files as opposed to the Chinese variant.

If your using cn files such as the v63 files and have a live server, best of luck to you as without serious patches to your daemons, you are at risk.

---

i am not agree if only v62 safe from vulnerabilities, i am pretty sure that v63 that we self-generated (do not use from its original package and i already warn everyone) also secure, especially that we can convert from official release v66-v69 to v63 as well...

Plus you have to have enough knowledge how to run Linux in detail, you know how to bind the application into network device in secure way, know how to secure your server, your port, your database, etc...

That's why the public release only and only (100% secure) on your LAN and never try to bind your server on internet, all risk is in your hand. :D so Good Luck...

no he's saying the GS and other features have exploits

it has nothing to do with the elements.data

hmm i don't think his server has only 29000 port open public :), post what nmap says...

what client is native to these files? it's not world2, it's not w2i... is there another one I'm missing somewhere?

In the same way that V63 may be unsafe
the V62 also, just needs someone with good skills that will be doing

v62 is mostly the same, but China takes better care in v62 files

but I'm still wordring exactly what client these files are for. it's not W2I, so it's not a chinese client from what I can find

Quote:

---

Originally Posted by gunse

hmm i don't think his server has only 29000 port open public :), post what nmap says...

---

Without going into too much detail, the issue is not out-game but exploited via the client, therefore if you are using the CN release, anyone with a client (perhaps even client-less?) could in theory exploit the vulnerability.


The issue is not with port blah blah blah, but as i said the issue is with specific daemons within the game server.

Quote:

---

Originally Posted by michae5k

Without going into too much detail, the issue is not out-game but exploited via the client, therefore if you are using the CN release, anyone with a client (perhaps even client-less?) could in theory exploit the vulnerability.


The issue is not with port blah blah blah, but as i said the issue is with specific daemons within the game server.

---

Quote:

---

specific daemons within the game server

---

what do you mean? what daemon from game server? say it :D AFAIK there are 2 way to hack your server, firstly from inside and secondly from client, so which one? what do you think?

Quote:

---

Originally Posted by argonaut

Today we had a modder/hacker.
He used several mods/hacks, some of which were superjump and gm like powers.
He was able to ban and boot players, use system announcement and even somehow make non-existent weapons of immense power.
I did ban him in the end..by ip ...from firewall (ip tables).
Here is a screenshot of just a couple of things to show you his ability.

Attachment 111274
Attachment 111275
I have secured the machine to the best of my knowledge and i know he cannot access anything database orientated...but i suspect he may be using some kind of sql injection or exploit.
I know he had admin like control because he banned me lmao.
My question is appealing to your knowledge of such issues..how did he do it?
What is this exploit?
Thankfully the guy wasnt a nutter but more interested in his own ego being massaged with his magic tricks...giving me time to finish up searching and banning his ip range (Moldava)
Any thoughts would be appreciated.
Edit: im adding here that he was very insistent that it was phpmyadmin he loved and that he had access to it.
>> I dont know how as its locked to localhost...to which i dont believe he had GUI access but perhaps he was referring to his ability to inject via..

---

it is easy to create this modified weapon, no need to be GM, coz everyone can access this protocol from outside if you are not aware with your configs files :D that's why i ask your nmap result from your server :D

pwAdmin can mess with your database if you not protected it with good

Quote:

---

Originally Posted by michae5k

Without going into too much detail, the issue is not out-game but exploited via the client, therefore if you are using the CN release, anyone with a client (perhaps even client-less?) could in theory exploit the vulnerability.


The issue is not with port blah blah blah, but as i said the issue is with specific daemons within the game server.

---

I have much respect for you michae5k, but here is my issue with you and my only issue with you. If you are some super know it all when it come to what the problem is, than you need to either A) remember not everyone here is a professional, and B) not everyone know everything about everything.

The solution from which Ragezone was built upon?

Teach people. Tell them what is wrong with it exactly, not guesses or a "General Idea now go figure it out", or contribute to a fix's. Stop acting like just because you have pwi files it doesn't matter how many people get hacked and it doesnt concern you. because if thats the case, this 1 little flaw that you refuse to teach people on, will backfire. You have contributed a lot but not enough to sit there and act like you are king and god almighty. Either put out the info or shut up about it and let someone who wants to make a difference here do something about it. A comment that gets no one anywhere is a useless post.

Aside from that, I will look into this issue personally myself, and I will run several tests, over and over again, and see what I can't find out. I make no promises but at least I will give it a try.

God I wish ragezone would go back to the good ole days.


BTW ty gunse for being the only person here (and you to hrace) that is trying to help this gentleman out. You guys get a big +1 from me

Argo pm me with your skype i know how to fix this issue. Ill let michae5k tell everyone how to fix it since he knows its a deamon issue.

Quote:

---

Originally Posted by sxymxd84

I have much respect for you michae5k, but here is my issue with you and my only issue with you. If you are some super know it all when it come to what the problem is, than you need to either A) remember not everyone here is a professional, and B) not everyone know everything about everything.

The solution from which Ragezone was built upon?

Teach people. Tell them what is wrong with it exactly, not guesses or a "General Idea now go figure it out", or contribute to a fix's. Stop acting like just because you have pwi files it doesn't matter how many people get hacked and it doesnt concern you. because if thats the case, this 1 little flaw that you refuse to teach people on, will backfire. You have contributed a lot but not enough to sit there and act like you are king and god almighty. Either put out the info or shut up about it and let someone who wants to make a difference here do something about it. A comment that gets no one anywhere is a useless post.

Aside from that, I will look into this issue personally myself, and I will run several tests, over and over again, and see what I can't find out. I make no promises but at least I will give it a try.

God I wish ragezone would go back to the good ole days.


BTW ty gunse for being the only person here (and you to hrace) that is trying to help this gentleman out. You guys get a big +1 from me

---

Lol i must admit this made me laugh.
Firstly, the internet is not the best medium for conveying expression or emotion.
I do not suffer from a god complex which may surprise you.

now down to business, my issue surround these exploits (such as duping etc) is the fact that saying in black and white "do this do that, thats how hackers do it" or sometimes even mentioning the solution does help afew, yet i can assure you that the majority or people who read these pages will either use these exploits to put down the "competition" or for personal advancement within the server they play.
If you look back at the duping threads, you will see that early on, NOONE mentioned anything about the techniques used or a direct solution(one didn't exist at the time), this was to limit the attention drawn to the exploit.


So whats the tactic now? firstly as with most first leaked files(non-repacked) the configuration files leave alot open, thusly anyone who is not aware of what needs to be corrected etc may leave them selves open to being hacked or exploited via simple methods such as pwAdmin manipulation, exploiting open game ports etc etc.

The daemon related issue? whilst i personally do not know the whole extent of the vulnerability, several developers (firstly Russian devs i believe) found an exploit in which players can manipulate auth abilities to prove GM like powers. the files they found the exploit on is indeed the v63 cn files.

I am aware of several devs that are selling fixes to the issue, but as pwi files were not affected (pwi files are of a slightly lower version, v62 as opposed to the v63 varient) i personally have not had to dwell on the situation.

This is in no way a dig at those without pwi files, but instead a "i know something is wrong, but i cant provide support as i can not duplicating the exploit" kind of message.


so once again my apologizes for conveying some form of asshole-ness lol but i simply would rather not draw more attention to what could be a delicate issue.

:P thats what pm's are for. and had this of been said than we coulda avoided this. Ill fix argo tho so no probs there

So no hard feelings :P
As for this subject, i would treat it in the same manner as duping, if solutions are available, feel free to share them, however try to avoid discussing the details of how the exploits are carried out, otherwise many servers can be at a great disadvantage.

Furthermore any types of 'hacking' or 'cheats' aren't allowed on RZ by rules anyway. So if anyone should be brazen enough to post this you can be assured myself or one of my superiors will remove it anyway :wink:

To be specific, it would violate:

#20 HERE

and

#5 HERE

So yea, anyone who posts such info ("material") will not only get such info deleted, and infracted, but may also likely earn a vacation from RZ :wink:

And the problem is none of us are 100% sure about this, its mostly just rumors and theories.

so to some of us with closed servers (IE development and LAN-locked) passing some of these on for testing might be worth doing?

and everyone, i'm so sorry for being rush and using "forbidden" words and with humble to ask forgiveness...
ty...

lol gunse no need to apologize, your doing just fine ^^