New Admin Mode Hack?

[luistorres]

What i am doing wrong?

If i connect with IP and it isnt listed on HOTUK i get DC.

BUT there is people getting access to admin mode, how they doing it?

And what is wrong in my hotuk?

 

[quantumfusion]

there is something known as cross server exploitation. Only few servers are not vulnerable to it , they are CELESPT,SGPt, RPT, PYEPT

 

[SiK]

Theres no need for:
*ADMIN_IP
*ADMINISTRATOR_LOGIN

and if one of your red'd out fields is *DEBUG_IP with a variable of 127.0.0.1, thats how.

 

[luistorres]

there is something known as cross server exploitation. Only few servers are not vulnerable to it , they are CELESPT,SGPt, RPT, PYEPT

Oh nice to know it.. Thank you to remind me i am not from leet crew and i still gonna suffer. :clap_1:

SiK, thank you for answer but that isnt the problem. I know about IP 127.* and already removed it months ago.

I gonna comment those "admin" lines you have said. Thank you again.

Forgot to add these lines, i dont know if they are relevant:

*ENABLE_PARTYITEM
*PERMIT_EXP 0
*EVENT_EXPUP 0
*ENABLE_SERVER_EXP 0

My server is running ok with these options. What is your configuration for these option?

 

[limpamesa]

Try this part in your hotuk.ini
//*LOGIN_SERVER_IP
//*SERVER_LOGIN_IP
//*SYSTEM_IP


//*DEBUG_IP 222.22.222.222 222.22.222.222 222.22.222.222
//*XXBUG_IP 222.22.222.222 222.22.222.222 222.22.222.222
//*ADMINISTRATOR_IP 222.22.222.222
//*ADMIN_IP 222.22.222.222
//*GMSSS_IP 222.22.222.222
//*ADMIN_LOGIN "notneeded"

//true accs in database:
*DEBUG_ID gm1 gm2 gm3 gm4 gm5

*ADMIN_NAME "somepassword"

*ADMIN_COMMAND "passgmlvl1"
*ADMIN_COMMAND "passgmlvl2"
*ADMIN_COMMAND "passgmlvl3"

 

[SiK]

What pray tell is *GMSSS_IP and *XXBUG_IP, and he already knows how to set it up to grant GM powers, that wasn't the issue at hand.

 

[limpamesa]

What pray tell is *GMSSS_IP and *XXBUG_IP, and he already knows how to set it up to grant GM powers, that wasn't the issue at hand.

Well, I just put the right commands that really is important to prevent anyone to log as gm.

*DEBUG_ID accgm1 accgm2 accgm3 accgm4 accgm5

*ADMIN_NAME "somepassword"

*ADMIN_COMMAND "passgmlvl1"
*ADMIN_COMMAND "passgmlvl2"
*ADMIN_COMMAND "passgmlvl3"

All others is usulless.

and about GMSSS_IP and XXBUG_IP never mind. I forgot to translate to defauld commands because in my server I have changed all comands like /@get, /monster, etc... So even if some hacker can by pass it, they cant make itens and you can change hotuk.ini to whatever name you want and hex gameserver to improve security... but its not the point, sry.