MakeWebGames

Spudinski
Members
Posts: 1,731
Days Won: 5

Everything posted by Spudinski

  1. Everything looks fine, even though it could have been coded better. How many users do you have at the moment, and how does your "warriorusers" look? (format)
  2. I've got a question about the directory structure.

     I see no use in having a lang and template directory separate from each other. This will cause problems, as sentence structures do not remain the same in all languages. I'd suggest a per-template language, much like a CMS. Also then, the config directory is in www root? That's not good security practice, I'd suggest it be lowered to below the root. Same applies to shared libraries. Maybe,

     Lastly, when will the module guidelines be published? I'd like to see what is possible, and contribute if I have the time.
  3. Question

     I'm against add_slashes. It ruins the input data, which could be almost impossible to regenerate. The best practice is still using regular expressions.
  4. I know there are loads of books about cryptography, but I feel I would waste my time in reading a summary of a broad aspect.

     Mostly to use/do with authentication procedures, and the transfer of data over WAN.

     My main focus area is on UNIX operating systems (Solaris & AIX specifically), but I would like to have the knowledge on Windows as well. My reason for wanting to learn Assembly is purely educational, as I see it being a vital skill in the arsenal of a security professional no matter which field you are in.
  5. So as some would know my programming knowledge is manageable, neither brilliant nor inferior. I'm quite content with where I am for what I know: I know how to program. I've read quite a few books that detail how Unix works, from the boot manager all the way through to kernel timing and more. I'm still practicing everything I've learned, since I'm not the best when it comes to why something works the way it does, but rather what it actually does. What I'm getting at is: I think I have a good and well-rounded knowledge base on the technologies I need, but what I have yet to learn are the often overlooked parts of security. And that's cryptography. :( So can anyone suggest books on the following topics?

     History of Cryptography (early stages, how it came into being, etc.)
     Practical applications of it (where, what, how)
     Modern and prospects of it (current, up-to-date methods and techniques of using it)

     And the last of the line is somewhat unrelated, but it's something I know I will need. That's: Assembly. Can anyone also recommend books on that?

     PS. I like real books, not the Learn x in 10 days. Also I'm very analytic, I need an in-depth explanation within the books. Thank you. S.
  6. More at Naked Security
  7. Any other errors? The script is looking for something that isn't there, in this case, the $db variable that isn't being initialized as an object. It might be a missing $_CONFIG['driver'] variable. I've taken the courtesy of introducing it to the script you posted above; let us know if it works.

     <?php
     session_start();
     if(!file_exists("license.php")) {
         die("License Not Found !!");
     }
     require "license.php";
     include "language.php";
     if (filesize("config.php") <= 150) {
         header("Location: install.php");
         exit; // stop here so the rest of the script never runs without a usable config
     }
     // $_CONFIG is expected to be populated by config.php (not shown in this excerpt)
     global $_CONFIG;
     define("MONO_ON", 1);
     // here's the edit
     // load the database class for the driver named in config.php; fall back to the
     // MySQL class if that file is missing, and stop if neither can be found
     if (file_exists('class/class_db_' . $_CONFIG['driver'] . '.php')) {
         require('class/class_db_' . $_CONFIG['driver'] . '.php');
     } elseif (file_exists('class/class_db_mysql.php')) {
         require('class/class_db_mysql.php');
     } else {
         exit('Configuration file could NOT be loaded!');
     }
     // end edit
     $db=new database;
     $db->configure($_CONFIG['hostname'], $_CONFIG['username'], $_CONFIG['password'], $_CONFIG['database'], $_CONFIG['persistent']);
     $db->connect();
     $c=$db->connection_id;
     // load every row of the settings table into $set, keyed by conf_name
     $set=array();
     $settq=$db->query("SELECT * FROM settings");
     while($r=$db->fetch_row($settq)) {
         $set[$r['conf_name']]=$r['conf_value'];
     }
     // member counts used by the header/stats display
     $q=$db->query("SELECT userid FROM users");
     $membs=$db->num_rows($q);
     $q=$db->query("SELECT userid FROM users WHERE bankmoney>-1");
     $banks=$db->num_rows($q);
     $q=$db->query("SELECT userid FROM users WHERE gender='Male'");
     $male=$db->num_rows($q);
     $q=$db->query("SELECT userid FROM users WHERE gender='Female'");
     $fem=$db->num_rows($q);
     $total=0;
     // Users Online , Counts Users Online In Last 15 minutes
     $q=$db->query("SELECT * FROM users WHERE laston>unix_timestamp()-15*60 ORDER BY laston DESC");
     $online=$db->num_rows($q);
     ?>
  8. It's advised to create a separate mysql user for each database to limit a possible security breach. And yes, Danny is correct. The script is failing to execute said commands due to a lack of connectivity to the mysql service. Replacing the authentication values within the "config.php" file to accommodate your database user will rectify the problem. The origin of the problem is most likely due to the switch over from R, you probably created a new database with separate authentication parameters. This error would not have occurred if only a database was added, as the said function does not need connectivity to a specific database, but only to the mysql service.
  9. It actually does. Hex - ASCII - JS - JAVA - C Edit: I figured it out with very poor SEO.
  10. They are in The Netherlands, DMCA doesn't count there. Edit: Also, their copyright bill was created in the 1800s. When digital information was still just a speck of dust in the eyes of some mathematicians.
  11. The challenge defeats its purpose.
  12. Im back!

     You were gone? :\
  13. It's - mostly - common policy, because they are intensive. Optimize your scripts to run every hour, or eliminate them all.
  14. It's pretty, that's for sure. But as for its usefulness - it's not very good. When I research a function for possible usage to perform a certain task, I need in-depth information on it. And yes, that includes its bugs. That's something only the website will be able to give. In short, it's a nice summary of what parameters the function takes.
  15. I admire your admiration, though it's not likely that they will do anything. They require a court summons before they will even touch R.
  16. Not as yet. You can manually edit the map, with the file map.dat, or something along those lines. The installer file will create a default map though, I don't know if it's random or not. I'd suggest you search Devana 2 to find out if the creator is planning on releasing it in the next version. Ps. Development seems slow.
  17. I've got another one. 0 1 2 3 4 5 6 7 8 9 Subtract 9 from 6, 10 from 9, 50 from 40 and leave 6 alone. Now, NO cheating guys.
  18. Just a hint, from experience... It's never a good idea to just replace files. MCCodes may not be built well enough to detect unlinked dependencies, but in the long run something could go wrong. On another note... From what I see, it's a simple callback to ravan[]info, so in theory you should be able to: a) modify your hosts file for ravan[]info to point to localhost & create a spoofing file, which returns a static and valid output of what ravan[]info would. b) would require a bit more research into the technique used by R, but from what I can see it is creating a file /tmp/LIC_KEY.cdk with data "codelock|expiry|checkback|checksum|extras". I'd suggest B, although I might be wrong.
  19. So no need to learn JS then?
  20. It's possible to write a script, although the default iptables is capable of this. You'd set it to only allow x requests per second from a port, IP or subnet.
  21. Yea, it's called a buffer overflow exploit. Most FTP servers have a long history of this. It's very easy to reproduce, but very hard to actually find/create it.
  22. It makes no sense to block output ports, which is probably why your programs are lagging. And SSH and FTP shouldn't be blocked, in or out.
  23. The term for it is called spoofing, but it's rather easy to set up a firewall rule to check for it. In addition, OpenSSHd would not be able to be configured without a password/key. And what I think you're talking about is discarding echo ICMP packets, which would result in remote places not being able to tell if you're online by using the traditional ping.
  24. The fact is that someone was able to gain enough privileges to write somewhere (they already have read and execute privs); there's nothing that says they didn't use a vulnerable setuid program to gain access to other places.
  25. I have a strong suspicion that they keep archived passwords as well, either from access logs or another form. See, my alias was hacked a day after this thread was made, and the only place that has held the credentials within the past two years is this site. It's weird actually, because my present password on MWG is a randomly generated one, and my password on my mail account would take longer than a day to successfully have been bruted.