MakeWebGames

Everything posted by Joshua

  1. n/m figured it out.
  2. Ok so I'm trying to write up a tut on how to use a salt with sha1 on a password system for new game owners.

     Here's what I have and there is 1 small problem.

     Register.php

         $salt = 'testrun';
         $password = $_POST['password'];
         $salted_hash = hash("sha512", ($salt . $password));
         $db->query("INSERT INTO users (username, login_name, userpass, level, donatordays, member_status, energy, maxenergy, will, maxwill, brave, maxbrave, hp, maxhp, location, gender, signedup, email, lastip, lastip_signup) VALUES( '{$username}', '{$username}', '{$salted_hash}', 1, 0, 1, 12, 12, 100, 100, 5, 5, 100, 100, 1, '{$_POST['gender']}', unix_timestamp(), '{$_POST['email']}', '$IP', '$IP')");
         $i=$db->insert_id();

     Authenticate.php

         $salt = 'testrun';
         $password = $_POST['password'];
         $salted_hash = hash("sha512", ($salt . $password));
         $uq=$db->query(sprintf("SELECT `userid` FROM `users` WHERE `login_name`='%s' AND `userpass`='%s'", $_POST['username'], $salted_hash));

     These 2 work fine. I can create a user, it hashes the password and I can login. The problem lies in Preferences on password change, it keeps telling me the password doesn't match up with the one in the database. Here's what I have

     preferances.php bit

         function PassChange()
         {
             global $ir, $db, $c;
             $salt = 'testrun';
             $password = $_POST['password'];
             $salted_hash = hash("sha512", ($salt . $password));
             $Info = $db->fetch_row($db->query(sprintf("SELECT `userid`, `userpass`, `login_name` FROM `users` WHERE `userid`='%d'", $ir['userid'])));
             if (isset($_POST['OldPass'], $_POST['NewPass1']))
             {
                 if ($_POST['NewPass1'] == '')
                 {
                     echo 'Error! You Entered No Password ';
                 }
                 else if ($salted_hash != $Info['userpass'])
                 {
                     echo 'Error! The Current Password Is Inncorrect! ';
                 }
                 else
                 {
                     $db->query(sprintf("UPDATE `users` SET `userpass`='%s' WHERE `userid`='%d'", $salted_hash, $ir['userid']));
                     echo 'Your Password Has Been Updated! 
         Your New Password Is: [i]'.$_POST['NewPass1'].'[/i]

     Can anyone see why it may not be reading the password the same as the Reg/Authenticate bit?
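
Added example, not code from the original post: the comparison and update from the post's PassChange(), written so that `OldPass` is hashed for the check and `NewPass1` is hashed for the update. It assumes the preferences form submits only `OldPass` and `NewPass1` (the fields the post's isset() tests); `pass_change`, `salted_hash` and the sample passwords are hypothetical.

```php
<?php
// Added example: same fixed-salt SHA-512 scheme as the post, kept for comparison.
const SALT = 'testrun';

function salted_hash(string $password): string
{
    return hash('sha512', SALT . $password);
}

/**
 * Hypothetical helper. $storedHash is the user's current users.userpass value.
 * Returns [message, newHash]; newHash is null when nothing should be written.
 */
function pass_change(array $post, string $storedHash): array
{
    $old = $post['OldPass'] ?? null;
    $new = $post['NewPass1'] ?? null;
    if (!is_string($old) || !is_string($new)) {
        return ['Error! Form incomplete', null];
    }
    if ($new === '') {
        return ['Error! You Entered No Password', null];
    }
    // Compare against the hash of OldPass (the field the form sends), in
    // constant time. Hashing a field the form never sends cannot match.
    if (!hash_equals($storedHash, salted_hash($old))) {
        return ['Error! The Current Password Is Incorrect!', null];
    }
    // Store the hash of the NEW password; do not echo the password back.
    return ['Your Password Has Been Updated!', salted_hash($new)];
}

// Constructed sample: a user who registered with the password "hunter2".
$stored = salted_hash('hunter2');

[$msg, $hash] = pass_change(['OldPass' => 'wrong', 'NewPass1' => 'n3w-pass'], $stored);
echo $msg, ' / write: ', var_export($hash !== null, true), "\n";

[$msg, $hash] = pass_change(['OldPass' => 'hunter2', 'NewPass1' => 'n3w-pass'], $stored);
echo $msg, ' / write: ', var_export($hash === salted_hash('n3w-pass'), true), "\n";
```

PHP's password_hash() and password_verify() generate and check a random per-password salt and are the usual replacement for a fixed salt with a fast hash.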
  3. We've officially hijacked Jon's post :P
  4. Well at least you've got your computer tightened up and can move on. Did your brother ever manage to trace the IP? Don't forget, my offer for Free Assistance still stands as well (:
  5. We are already checking into that (;   IP theft is the same as Normal Theft, classified under Identification Theft.   I can only go off of what I know, as of right now, McFarlin has more info than I do ^_-
  6. Agreed ^
  7. Now you've gone and lost me.   If I were to do something as malicious as attack a game, or a cpanel none the less, rest assured a proxy would be used. That's just common knowledge.   Turns out, this person attacked his Cpanel through his own computer.
  8. I believe 3 that I know of, but I know the culprit of the other 2 >,< This person isn't good enough to do what was done to McFarlin tho.
  9. Understandable   BUT IT WASNT ME lol :)
  10. The problem with that being said, is Dynamic IP or not, It was My IP. I've already checked, and changed my current IP to avoid any further damage. A cpanel bruteforce was discovered on McFarlin's computer and has been removed. Hopefully anything else found that did not belong was removed as well.   ------   Eternal it matters not if you like me or dislike me, I said what I said in regards to you following other people's posts about you. I have had no personal experience with you other than the garbage over Decio which has been more than resolved. -----------   The person who hacked McFarlin did not do a great job in setting me up, as even an idiot would know to use some form of proxy when hacking websites. Why in the world would I use my real IP? seriously :p My clients, and my friends, know full well that I was not involved in these malicious attacks. Just goes to show you can spend tons of time building up a reputation for your clients only to have a hacking teenager damage it in the blink of an eye.
  11. I've already discovered who that IP belonged to, even tho it was through a Proxy. I assure you, he has zero hacking skills =) Self Admitted as well, so I'm 100% sure. :)
  12. I've had several users on my game win it..well not several, just 3 It works 100% so far as I know, anyone else having any problems with this?
  13. $_GET['NUMBER'] = isset($_GET['NUMBER']) && !empty($_GET['NUMBER']) && ctype_digit($_GET['NUMBER'])

      I was using that when abs(@intval failed. The guy was/is a damn good hacker. I'll show you in msn the hack he was using, it was fkin nuts that I couldn't stop it lol I even tried a few if statements but nothing was stopping it as it was in the URL
  14. consider a hack I had to deal with on BludCarts site last night using the Jailbail bit a user was adding onto it jail.php?action=bail&ID=-1" /><java junk   I tried using Abs(@intval on the query then tried the ISSET bit as well as a few other things. The Variable was secured but the java bit continued to work. The only way I ended up stopping it fully was with an .htaccess rewrite. Granted, most of the mwg hackers are copy/pasters but this doesn't ignore the fact that some games get popular and there is always some malicious hacker out there just wanting to ruin your site because he can. Best to be safe from them.
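
Added example, not code from the original post: one way the behaviour described above can arise is that the cast value goes into the query while the raw `$_GET['ID']` is echoed elsewhere on the page. That cause is an assumption, as are the function names and the page fragment. The sketch rejects non-numeric IDs outright and HTML-encodes whatever is written into markup.

```php
<?php
// Added example. The ID parameter and jail.php?action=bail come from the URL
// in the post; parse_id(), h() and render_bail_link() are hypothetical.

/** Accept only a plain positive decimal integer; reject everything else. */
function parse_id($raw): ?int
{
    if (!is_string($raw) || $raw === '' || !ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    $id = (int) $raw;
    return $id > 0 ? $id : null;
}

/** Encode a value for use inside an HTML attribute or text node. */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_bail_link(array $get): string
{
    $id = parse_id($get['ID'] ?? null);
    if ($id === null) {
        // Refuse the request instead of repairing the value and carrying on.
        return '<p>Invalid prisoner ID.</p>';
    }
    // Only the validated integer reaches the markup, and it is still encoded.
    return '<a href="jail.php?action=bail&amp;ID=' . h((string) $id) . '">Bail</a>';
}

// Constructed input shaped like the request in the post (harmless tag).
$hostile = ['action' => 'bail', 'ID' => '-1" /><b>x</b>'];

// abs(intval()) quietly turns the hostile string into a usable integer, so the
// query is safe, but code that echoes the raw $_GET['ID'] still emits the markup.
echo abs(intval($hostile['ID'])), "\n";
echo render_bail_link($hostile), "\n";
echo render_bail_link(['ID' => '42']), "\n";
```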
  15. Now there I will opt to disagree with you. All $_GET and $_POSTS should be secured to stop certain script kiddies from "/><java crap here > script </java> If nothing else :P just because it can't be sql injected doesn't mean there aren't other backdoors =P   NO! er YES er..darn ..typo FtL.
  16. Stupid Question #2. DO they have an ID ? If it's not inserting their userID your register may not be updating all the info needed >,<
  17. Zero while you have a valid point, I just tend to know about how long it takes me per average site and what it generally creates for me 100.00 is a base quote while some sites tend to be more or less. It all depends on the types of scripts, the amount of scripts and how secure someone wants their site to be

      This could include but not limit to
        • Protection from SQL injections
        • Protection from RFI hacks
        • Protection from LFI hacks
        • Protection from CSRF Hacks
        • Protection from Session Hi-Jacks
        • Protection from XSS hacks
        • Protection from members using other types of hacks to gain Admin Access.

      SQL/XSS protection tends to take the longest as it involves securing ALL $_GET and $_POST variables in all scripts. At least that is by far the best way to do it, no 3 liners here. Anyone who claims 3 liners or an "include" will secure your site are just hustling you for money and giving you a false sense of security.

      Hope that sheds some light.
  18. Dave he cannot post a Screenshot up of something that does not exist.

      The issue is being resolved. As an update, He was hacked and his game was re-directed to mine. To make it even more fun, my own IP was being used. As a lot of people had my IP as I do a lot of work for all sorts of different mccodes owners, this bit isn't hard to do. However, I can't deny the evidence against me. So I revert to, those who know me know of what I do and how I do it. They also Know that I do not maliciously destroy their sites. We have pseudo gotten to the bottom of something or another with McFarlin. As it turns out he had a Cpanel BruteForce installed on his computer that managed to apparently access his cpanel. The other sites I can't speak for other than there was 1 person on my game that was hacking games and re-directing them to my site using their REF code. That person is IP banned and in federal jail should they ever use a proxy.

      McFarlin has been offered my security services for free simply because my IP was used in the attack and he was going to purchase security from me in the future. Which only further points that I was not involved, here is a list of reasons why it was not me, or should prove it wasn't.

      1. McFarlin has purchased and was going to be purchasing Several mods off myself.
      2. McFarlin was debating on having me secure his files in the future.
      3. I've hacked his game with an IP spoof one time, per HIS request to "Test" it for him. Nothing malicious was done. This was merely a security measure.
      4. One would think if I was smart enough to hack a Cpanel I would be smart enough to use a proxy, simple enough to find on google.com
      5. Furthermore, Why would anyone hack someone who was about to pay them a bit of money for their services? That just shoots that right out the window.
      6. Earlier while chatting with him in MSN to resolve this issue, A cpanel Brute force program was found running on his computer. Not to mention his facebook was being hacked as we were talking. ( I was unaware he had a facebook and even if I knew I wouldn't know the email or name of it much less be able to "hack" it)

      That's what I have. Other than the list above, and the Referrals from my clients who will no doubt post here in my defense I can do nothing more but try and assist McFarlin in getting to the bottom of this.

      Hope this doesn't sway anyone from purchasing any of my mods in the future.

      Good Day.
  19. I normally charge around 100.00 depending on how many mods / scripts that need securing. MTG does an Excellent job for around 2-300.00 I believe. Dno What Zero charges, but he's damn good too.
  20. There is also no need to use strip_slashes with MRES =P Kind of has counter effects. But you're learning and it's not too bad =)
  21. McFarlin I am in no way shape or form pointing any of the blame at you. The only thing I wish you had done differently is get with myself first, but I understand why you posted here.   I know you have put a lot of work into your site and that's why I always offered to help you with basic stuff free of charge. I only wish I had secured your site free of charge so this would not have happened >,<   I'm not 100% who the culprit or culprits are, but rest assured, I will find you.   Believe that.
  22. I'm not 100% sure how or what they are doing. I am contacting my ISP provider to get LOGS as concrete proof what time I disconnected last night. I'm on dial up, so my computer usually isn't on-line much, and proving that my ISP wasn't connected at the time of the attacks is step one.   It would be different if it was one game, but as it turns out it was 3-4 games all last night.   As a side note, None of these sites had strong security, I've just sold them mods and was planning on securing them in the future. Well two of them that is. So whoever it is knows My current game, My IP and their sites. The chance of a virus on this computer is high as the virus program on this computer is garbage, and being on Dial up I can't download a better one. Random disconnects every 3-4 hours kill that option ><
  23. Side Note-- If anyone could inform me who I need to contact about my IP theft so I can clear my name and catch the culprit I'd be grateful.
  24. Just gets more fun.   There was more than 1 game this was done to, My IP was used.