
Just had a hacker on my test server ..


Guest Gimp


(On Mangos 3.0.9 rev. 7909)

Normally I wouldn't report this but I found it unusual, it wasn't just some noob using WEH.

My test server is set up very blizzlike, and I noticed a player at lvl 80 in my Minimanager. There's no way he could have gotten to that level, so obviously he hacked with GM commands, so I banned him and deleted his account. The unusual part was that Minimanager didn't show a GM/BT sign next to his account name; in fact his account was set to "player", not moderator or game master. I checked back through the GM logs and he was using GM commands to give himself items and delete and spawn NPCs.


I believe he's getting in one of 2 ways, he just got back in under a slightly different ip address tonight:

1. SQL injection through the registration page, I'm using Reggacc. I'm not sure how secure it is. Would I be better off using minimanager for registrations?

2. I'm using a vote rewards system developed by a member over at the Trinity forums. In order for it to work I have to have remote access enabled on the database, and it's currently set to ip 0.0.0.0, so any ip can access it.


2. I'm using a vote rewards system developed by a member over at the Trinity forums. In order for it to work I have to have remote access enabled on the database, and it's currently set to ip 0.0.0.0, so any ip can access it.

The hacker probably used SQL injection on that system.


Well, I think I found out how he was getting in (I hope so). I talked to him in-game and he said he guessed (probably brute-forced) the phpMyAdmin password. It was a 7- or 8-character pass with numbers and letters. He had full access to the DB but luckily he didn't do any major damage. :(

I replaced the pass with a MUCH longer and more complex password.


uh ... an 8-char brute force on an MD5 hash (local, no network) could take almost half a year on my old 2.6GHz Celeron, so I really doubt he used that. My cracking tool (I believe it was John the Ripper) was able to do a few million iterations per second (IIRC), while your man would be unlikely to get 10000+ / second.


uh ... an 8-char brute force on an MD5 hash (local, no network) could take almost half a year on my old 2.6GHz Celeron, so I really doubt he used that. My cracking tool (I believe it was John the Ripper) was able to do a few million iterations per second (IIRC), while your man would be unlikely to get 10000+ / second.

Even after the password change he's in again!

OMFG I can't stop him from getting in :o


Tested this on default phpMA installs across a variety of Debian-based distros, and they do not work.

By the way, I am 100% positive the "hacker" got in using the mangos/mangos user/pw combination on PMA or with the mysql CLI client. Most people forget to restrict access to users from outside.
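The check the reply above describes, as an added example that is not part of the thread: audit which MySQL accounts may log in from outside the box, then pin them to localhost. Account and database names (mangos, characters, realmd, the vote account and its address) are assumed for illustration; the server's bind-address is a separate my.cnf setting and is not covered here.

```sql
-- Added example (not from the thread): find accounts that accept remote logins.
-- An account such as 'mangos'@'%' with the install-guide default password is
-- exactly the combination the reply above describes.
SELECT user, host
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
ORDER BY user, host;

-- What such an account is allowed to do (account name is hypothetical).
SHOW GRANTS FOR 'mangos'@'%';

-- Replace the wildcard-host account with one pinned to localhost and a fresh
-- password. DROP USER removes the account's grants together with the account.
DROP USER 'mangos'@'%';
CREATE USER 'mangos'@'localhost' IDENTIFIED BY 'REPLACE_WITH_LONG_RANDOM_PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON mangos.*     TO 'mangos'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON characters.* TO 'mangos'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON realmd.*     TO 'mangos'@'localhost';

-- If a vote-reward script on another machine genuinely needs remote access,
-- grant it only from that machine's address (constructed example address)
-- and only on the table it touches, never a wildcard host.
CREATE USER 'vote'@'203.0.113.10' IDENTIFIED BY 'REPLACE_WITH_ANOTHER_PASSWORD';
GRANT SELECT, UPDATE ON characters.characters TO 'vote'@'203.0.113.10';

FLUSH PRIVILEGES;

-- Re-run the audit: only the deliberately permitted remote account should remain.
SELECT user, host
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1');
```

Run the first query before and after the changes; any row you did not create on purpose is an account worth dropping.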


Tested this on default phpMA installs across a variety of Debian-based distros, and they do not work.

By the way, I am 100% positive the "hacker" got in using the mangos/mangos user/pw combination on PMA or with the mysql CLI client. Most people forget to restrict access to users from outside.

Our mysql is set to only allow connections from localhost. Our user/pass combo was username + 8 character pass. Even after we replaced the password with a VERY long and complex pass, they got in just the same. Ever since we got rid of phpmyadmin, the attacks have stopped.

I have a feeling they were using some kind of phpMA exploit to bypass it completely.

They also tried breaking into our SSH according to the logs but weren't successful.


Our mysql is set to only allow connections from localhost. Our user/pass combo was username + 8 character pass. Even after we replaced the password with a VERY long and complex pass, they got in just the same. Ever since we got rid of phpmyadmin, the attacks have stopped.

I have a feeling they were using some kind of phpMA exploit to bypass it completely.

They also tried breaking into our SSH according to the logs but weren't successful.

Is he on the same LAN (in some countries there are huge LAN networks offered by ISPs) as your server? Because there are tools out there that let you easily sniff traffic on a LAN and retrieve passwords from unencrypted connections.


Is he on the same LAN (in some countries there are huge LAN networks offered by ISPs) as your server? Because there are tools out there that let you easily sniff traffic on a LAN and retrieve passwords from unencrypted connections.

I don't think so, the hackers (two of them) were from Germany.

Anyway, I recommend that everyone not use phpMyAdmin.


I don't think so, the hackers (two of them) were from Germany.

Anyway, I recommend that everyone not use phpMyAdmin.

So, this means that you are hosting your server open to the internet. =/ Just use a .htaccess file to restrict the whole folder where phpMyAdmin is located to localhost or internal IPs only. Or use password protection, also via .htaccess.

