
Just had a hacker on my test server ..



Posted

(On Mangos 3.0.9 rev. 7909)

Normally I wouldn't report this but I found it unusual, it wasn't just some noob using WEH.

My test server is set up very blizzlike, and I noticed a player at lvl 80 in my Minimanager. There's no way he could have gotten to that level, so obviously he hacked with GM commands, so I banned him and deleted his account. The unusual part was that Minimanager didn't show a GM/BT sign next to his account name; in fact his account was set to "player", not moderator or game master. I checked back the GM logs and he was using GM commands to give himself items and delete and spawn NPCs.

Posted

Make sure the SQL server is not accessible from outside (without password),

and better firewall it completely.

If you are using some kind of web forms, they may be insecure too and allow SQL injections.

It's much less likely that the hacking was done via the server itself.

Posted

I believe he's getting in one of 2 ways, he just got back in under a slightly different ip address tonight:

1. SQL injection through the registration page, I'm using Reggacc. I'm not sure how secure it is. Would I be better off using minimanager for registrations?

2. I'm using a vote rewards system developed by a member over at the Trinity forums. In order for it to work I have to have remote access enabled on the database, and it's currently set to ip 0.0.0.0, so any ip can access it.

Posted
2. I'm using a vote rewards system developed by a member over at the Trinity forums. In order for it to work I have to have remote access enabled on the database, and it's currently set to ip 0.0.0.0, so any ip can access it.

The hacker probably used SQL injection on that system.

Posted

Well I think I found out how he was getting in (I hope so). I talked to him in game and he said he guessed (probably brute forced) the phpmyadmin password. It was a 7 or 8 character pass with numbers and letters. He had full access to the db but luckily he didn't do any major damage. :(

I replaced the pass with a MUCH longer and more complex password.

Posted

uh ... 8-char bruteforce on an MD5 hash (local, no network) could take almost half a year on my old 2.6GHz Celeron, so I really doubt he used that. My cracking tool (I believe it was John the Ripper) was able to do a few million iterations per second (IIRC), while your man would unlikely get 10000+ / second.

Posted
uh ... 8-char bruteforce on an MD5 hash (local, no network) could take almost half a year on my old 2.6GHz Celeron, so I really doubt he used that. My cracking tool (I believe it was John the Ripper) was able to do a few million iterations per second (IIRC), while your man would unlikely get 10000+ / second.

Even after the password change he's in again!

OMFG I can't stop him from getting in :o

Posted
tested this on default phpMA installs across a variety of Debian-based distros, and they do not work.

By the way, I am 100% positive the "hacker" got in using the mangos/mangos user/pw combination on pma or with the mysql CLI client. Most people forget to restrict access to users from outside.

Our mysql is set to only allow connections from localhost. Our user/pass combo was username + 8 character pass. Even after we replaced the password with a VERY long and complex pass, they got in just the same. Ever since we got rid of phpmyadmin, the attacks have stopped.

I have a feeling they were using some kind of phpMA exploit to bypass it completely.

They also tried breaking into our SSH according to the logs but weren't successful.

Posted
Our mysql is set to only allow connections from localhost. Our user/pass combo was username + 8 character pass. Even after we replaced the password with a VERY long and complex pass, they got in just the same. Ever since we got rid of phpmyadmin, the attacks have stopped.

I have a feeling they were using some kind of phpMA exploit to bypass it completely.

They also tried breaking into our SSH according to the logs but weren't successful.

Is he on the same LAN (in some countries there are huge LAN networks offered by ISPs) as your server? Because there are tools out there that let you easily sniff traffic on a LAN and retrieve passwords from unencrypted connections.

Posted
Is he on the same LAN (in some countries there are huge LAN networks offered by ISPs) as your server? Because there are tools out there that let you easily sniff traffic on a LAN and retrieve passwords from unencrypted connections.

I don't think so, the hackers (two of them) were from Germany.

Anyways I recommend everyone not to use phpmyadmin.

Posted
I don't think so, the hackers (two of them) were from Germany.

Anyways I recommend everyone not to use phpmyadmin.

So, this means that you are hosting your server open to the internet. =/ Just use an .htaccess file to restrict the whole folder where phpMyAdmin is located to localhost or internal IPs only. Or use password protection, also using .htaccess.
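The restriction this post suggests, written out as an added example (it is not from the original post or from phpMyAdmin's documentation). It is in Apache 2.2 syntax, which is what most servers of that generation ran; on Apache 2.4 the `Order`/`Deny`/`Allow` lines become `Require ip ...`. It assumes the phpMyAdmin directory has `AllowOverride` enabled; the 192.168.1.0/24 range and the htpasswd path are placeholders to replace with your own.

```apache
# Added example: .htaccess placed in the phpMyAdmin directory.
# Apache 2.2 access control: deny everyone, then allow loopback and one
# internal range. Requests from the public internet never reach PHP at all.
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
# Placeholder LAN range; replace with the network you actually administer from.
Allow from 192.168.1.0/24

# A second, independent login in front of phpMyAdmin's own MySQL login.
# Create the file with:  htpasswd -c /etc/apache2/.pma_htpasswd admin
# and keep it outside the web root so it cannot be downloaded.
AuthType Basic
AuthName "Restricted"
AuthUserFile /etc/apache2/.pma_htpasswd
Require valid-user

# Both conditions must hold: an allowed source IP AND a valid login.
Satisfy All
```

Basic auth sends the username and password in the clear over plain HTTP, which is exactly the sniffing scenario raised earlier in the thread, so serve the directory over HTTPS or restrict it to loopback and reach it through an SSH tunnel. Use an htpasswd login that is different from the MySQL password, so that guessing one does not hand over the other, and check the Apache access log for requests to this path that were answered with 401 or 403: they show who is probing for it.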

Posted

You can use PDO in your PHP to secure yourself from SQL Injections.

If you are using MySQL, set it so that nobody can access the database from local machines.

He probably meant disabling access from remote machines.
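One way to apply the PDO advice above to the registration form discussed earlier in the thread, as an added example that is not code from the original posts, Reggacc, Minimanager or Mangos. The `realmd` database and the `account` table with `username`, `sha_pass_hash` and `gmlevel` columns are assumptions about a Mangos realmd schema of that era (check them against your own); `reg_user` and the `REG_DB_PASS` environment variable are hypothetical:

```php
<?php
// Added example, not code from Reggacc, Minimanager or Mangos: a registration
// handler that uses PDO prepared statements so form input never becomes SQL.
// Assumed schema: a realmd `account` table with `username`, `sha_pass_hash`
// and `gmlevel` columns (the Mangos layout of that era); check against yours.

function connect(): PDO {
    // Talk to MySQL over loopback only. The server itself should also be bound
    // to 127.0.0.1 (or firewalled) so these credentials are the only way in,
    // not a 0.0.0.0 listener reachable from anywhere.
    return new PDO(
        'mysql:host=127.0.0.1;dbname=realmd;charset=utf8',
        'reg_user',                     // assumed: a dedicated account allowed only to INSERT into `account`
        (string) getenv('REG_DB_PASS'), // secret kept out of the web root and out of the source
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, not client-side quoting
        ]
    );
}

// Mangos realmd stores SHA1("USERNAME:PASSWORD") with both parts upper-cased.
function mangos_hash(string $user, string $pass): string {
    return sha1(strtoupper($user) . ':' . strtoupper($pass));
}

// UNSAFE, kept only to make the difference visible: the username is pasted
// into the SQL text, so a quote character typed into the form rewrites the
// statement. This is the shape of query a registration page gets injected through.
function register_unsafe(PDO $pdo, string $user, string $pass): void {
    $hash = mangos_hash($user, $pass);
    $pdo->exec("INSERT INTO account (username, sha_pass_hash) VALUES ('$user', '$hash')");
}

// SAFE: the SQL text is fixed at prepare time; values travel as parameters
// and are never interpreted as SQL, whatever characters they contain.
function register(PDO $pdo, string $user, string $pass): bool {
    // Validate first with a conservative allow-list (a policy choice, not a
    // Mangos limit); a minimum password length blunts the guessing this thread
    // worries about.
    if (!preg_match('/^[A-Za-z0-9]{3,16}$/', $user) || strlen($pass) < 10) {
        return false;
    }
    $stmt = $pdo->prepare(
        'INSERT INTO account (username, sha_pass_hash, gmlevel) VALUES (:u, :h, 0)'
    );
    try {
        // gmlevel is fixed to 0 on the server side; nothing the client sends can raise it.
        $stmt->execute([':u' => strtoupper($user), ':h' => mangos_hash($user, $pass)]);
    } catch (PDOException $e) {
        // Duplicate username or DB error: log it, never echo SQL errors to the browser.
        error_log('registration failed: ' . $e->getMessage());
        return false;
    }
    return true;
}

// Typical use from the form handler:
// $ok = register(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
```

The prepared statement fixes the injection, but it does not fix the other problem the thread circles around: the web code still holds a database credential. Give that credential its own MySQL user, restricted to `'reg_user'@'localhost'` and to the one table it needs, rather than reusing the `mangos` account, so that a leak of the web configuration does not hand over the whole realm database.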
