
Gimp

Posts posted by Gimp

  1. It would be really nice to get patch feedback finally after almost a month of development ;)

    Could you write a small tutorial on how to patch Mangos with this in your first post on page 1? If it was a .patch file it wouldn't be a problem, but the downloads are in .txt. Are we supposed to rename them .patch?

    A git would be nice because we could use the git pull command.

  2. I don't know who started this "mangos is emulator / isn't emulator" thing, but the wikipedia states

    so the question is whether MaNGOS tries to "emulate" some other <unspecified here> service or if it takes a completely independent way.

    Well considering that definition fits Mangos to a T, I'd say Mangos is an emulator, as it tries to emulate a World of Warcraft Blizzard server.

  3. use ssh + the mysql cli for db access. configure your iptables correctly and turn your server into a bastion host (default all chains to DROP, only exceptions (e.g. mangos, http) are ACCEPT or FORWARD)

    that way you'll be secured. (as long as your password is not '1234' ;))

    Ya but the problem with SSH is that it's a pain in the ass to modify things in the DB, especially since our Linux is command line only.
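
A way to check the firewall policy described in the quoted advice above, as an added example that is not part of either poster's message: it reads saved `iptables -S` output and reports any built-in chain that does not default to DROP and any inbound ACCEPT on a port outside an allowlist. The sample ruleset is constructed, and the allowlist (22 for SSH, 80 for HTTP, 8085 as the assumed mangosd world port) is an assumption.

```shell
#!/bin/sh
# Added example: check saved `iptables -S` output against the policy in the
# post above (every built-in chain defaults to DROP, ACCEPT only by exception).

# Constructed sample. On a real host: iptables -S > rules.txt
SAMPLE_RULES='-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 3306 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8085 -j ACCEPT'

# audit_rules RULES ALLOWED_PORTS (comma-separated, assumed allowlist)
# Prints one finding per line and nothing when the ruleset matches the policy.
audit_rules() {
    printf '%s\n' "$1" | awk -v allowed="$2" '
        BEGIN { n = split(allowed, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Policy lines look like: -P INPUT DROP
        $1 == "-P" && $3 != "DROP" {
            print "policy " $2 " is " $3 ", expected DROP"
        }
        # Inbound rules: pick out the destination port and the jump target
        $1 == "-A" && $2 == "INPUT" {
            port = ""; accept = 0
            for (i = 3; i < NF; i++) {
                if ($i == "--dport") port = $(i + 1)
                if ($i == "-j" && $(i + 1) == "ACCEPT") accept = 1
            }
            if (accept && port != "" && !(port in ok))
                print "port " port " accepted but not in allowlist"
        }'
}

audit_rules "$SAMPLE_RULES" "22,80,8085"
```

On the constructed sample it reports the ACCEPT policies on INPUT and OUTPUT and the open MySQL port 3306; rules using `multiport` are not parsed.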

  4. Is he on the same LAN network (in some countries there are huge LAN networks offered by ISPs) as your server? Because there are tools out there that let you easily sniff traffic on LAN and retrieve passwords from unencrypted connections.

    I don't think so, the hackers (two of them) were from Germany.

    Anyways I recommend everyone not to use phpmyadmin.

  5. Tested this on default phpMA installs across a variety of Debian-based distros, and they do not work.

    By the way, I am 100% positive the "hacker" got in using mangos/mangos user/pw combination on pma or with mysql CLI client. Most of the people forget to restrict access to users from outside.

    Our mysql is set to only allow connections from localhost. Our user/pass combo was username + 8 character pass. Even after we replaced the password with a VERY long and complex pass, they got in just the same. Ever since we got rid of phpmyadmin, the attacks have stopped.

    I have a feeling they were using some kind of phpMA exploit to bypass it completely.

    They also tried breaking into our SSH according to the logs but weren't successful.

  6. uh ... 8-char bruteforce on an MD5 hash (local, no network) could take almost half a year on my old 2.6GHz Celeron, so I really doubt he used that, my cracking tool (I believe it was John the Ripper) was able to do few millions of iterations per second (IIRC) while your man would unlikely get 10000+ / second.

    Even after the password change he's in again!

    OMFG I can't stop him from getting in :o

  7. Well I think I found out how he was getting in (I hope so). I talked to him in game and he said he guessed (probably brute forced) the phpmyadmin password. It was a 7 or 8 character pass with numbers and letters. He had full access to the db but luckily he didn't do any major damage. :(

    I replaced the pass with a MUCH longer and more complex password.

  8. I believe he's getting in one of 2 ways, he just got back in under a slightly different ip address tonight:

    1. SQL injection through the registration page, I'm using Reggacc. I'm not sure how secure it is. Would I be better off using minimanager for registrations?

    2. I'm using a vote rewards system developed by a member over at the Trinity forums. In order for it to work I have to have remote access enabled on the database, and it's currently set to ip 0.0.0.0, so any ip can access it.
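
A check for the database exposure described in item 2 above, as an added example that is not part of the post: it flags a `bind-address` that listens on every interface and MySQL accounts whose host is a wildcard, while leaving an account pinned to one remote address alone. The config text and account list are constructed samples, and the account names are hypothetical.

```shell
#!/bin/sh
# Added example: flag MySQL settings that expose the database to any host.

# Constructed sample of a my.cnf section.
SAMPLE_CNF='[mysqld]
port = 3306
bind-address = 0.0.0.0'

# Constructed sample of "user host" pairs, whitespace-separated, as printed by
#   mysql -N -B -e "SELECT user, host FROM mysql.user"
# Account names are hypothetical; 203.0.113.10 is a documentation address.
SAMPLE_USERS='root localhost
mangos %
vote 203.0.113.10'

# audit_mysql CNF_TEXT USER_HOST_LIST
# Prints one finding per line and nothing when neither weakness is present.
audit_mysql() {
    # Split "key = value" lines on the equals sign and surrounding blanks
    printf '%s\n' "$1" | awk -F'[ \t]*=[ \t]*' '
        $1 ~ /^[ \t]*bind[-_]address$/ {
            if ($2 == "0.0.0.0" || $2 == "::" || $2 == "*")
                print "bind-address " $2 " listens on every interface"
        }'
    # A percent sign in the host column is a wildcard match on client address
    printf '%s\n' "$2" | awk '
        NF == 2 && $2 ~ /%/ {
            print "account " $1 "@" $2 " has a wildcard host"
        }'
}

audit_mysql "$SAMPLE_CNF" "$SAMPLE_USERS"
```

A remote consumer such as the vote script can keep working with an account limited to its own address, which is why the `vote` entry in the sample is not reported.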

  9. (On Mangos 3.0.9 rev. 7909)

    Normally I wouldn't report this but I found it unusual, it wasn't just some noob using WEH.

    My test server is set up very blizzlike, and I noticed a player at lvl 80 in my Minimanager. There's no way he could have gotten to that level so obviously he hacked with gm commands, so I banned him and deleted his account. The unusual part was that Minimanager didn't show a GM/BT sign next to his account name, in fact his account was set to "player", not moderator or game master. I checked back the gm logs and he was using gm commands to give himself items and delete and spawn npcs.

  10. I think we should allow it. But there needs to be built in limitations such as:

    Allow accounts to specify a macro with name "accounts.allow" that contains a list of account names that are allowed to log in characters from this account.

    OR

    Or always allow player bot logins from accounts matching current account name plus a fixed suffix such as "_EXTRA1", "_EXTRA2", "_EXTRA3", ... This option would probably be the easiest and completely controllable by account creators.

    Anyone else have an opinion?

    I'm fully aware of the issue of having 40 bots following your character around causing potential crashes, and I agree that limitations need to be put in place to prevent that. I don't want to load a ton of bots and have them chase me around, but instead plop them down in one place and have them stay there. The only reason I'm suggesting a way to load multiple accounts from one admin character is to make it easier to test server stability. Being able to load up 60 bots instead of finding 60 real testers could help Mangos development.

    As for security issues I don't think it's any more of an issue than the security of normal player accounts. Aren't the account passwords encrypted? If they are or not it doesn't matter, a hacker would have to break into the db remotely to read them.

    Here's an idea:

    Have a field in a config file where you can name up to 5 extra accounts/passwords, much like databases, allowing you to load the characters from those accounts. Have a master "on/off" switch (0/1) for enabling bots from extra accounts. If it's enabled, bots will cease to have any AI and they will no longer follow you. All they'll do is stand in one place after you spawn them, therefore not causing any potential system crashes.

  11. I'm having a problem with reggacc restarting with each server restarter scan.

    Here's my restarter code:

    #!/bin/sh
    ### Set your default mangos Root Directory
    mangosdir="/opt/mangos7797/bin"
    
    ### Set your mangos Binary Name
    mangosbin="mangos-worldd"
    
    ### Set your mangos Pid File
    mangospid="mangosd.pid"
    
    ########## you probably don't need to change anything below here ##########
    
    cd "$mangosdir" || exit 1
    
    # is there a pid file?
    if test -r "$mangospid"
    then
      # there is a pid file -- is it current?
      pid=$(cat "$mangospid")
      # SIGCHLD is ignored by default, so this only tests that the process exists
      if kill -CHLD "$pid" >/dev/null 2>&1
      then
        echo "mangosd is currently running...."
        exit 0
      fi
      echo ""
      echo "Stale $mangospid file, erasing..."
      echo "Attempting to Restart mangosd"
      rm -f "$mangospid"
      "./$mangosbin"
    else
      echo "$mangospid appears to be missing. Attempting to Restart mangosd"
      "./$mangosbin"
    fi

    And my crontab settings:

    "*/2 * * * * /opt/restarter.sh"

    Every 2 minutes when crontab runs the script, for some reason the server uptime on the reggacc page resets to 0 (even though Mangos doesn't restart) :mellow:
