MakeWebGames


Posted

authenticate.php

wow MCC people are silly really

I don't have the stock authenticate, but simply add this under the query which grabs the user's information. Please don't forget to add user_level to the SELECT columns part...

 

 if ( !in_array($mem['user_level'], array('2','3','5')) )  {
  echo '
    Website is under construction, please try again later.
  ';
    die;
 }
Posted

Added protection

 

If anyone out there can help me secure my site please leave a message here with what you can do for me
Some people here will say this doesn't work and some will actually try it out and may even like to use it. It's all up to you and whoever decides to give it a shot.

1.) Take the below code and paste it into a .php file called whatever you want. Here I will use thefile.php.

<?php
function replace_meta_chars($string)
{   
return @eregi_replace("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])|([uNION])|([sELECT])|([DROP])|([WHERE])|([EMPTY])|([FLUSH])|([iNSERT])","",$string);
}
while(list($keyx,$valuex) = each($_REQUEST))
{
if(eregi("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])",$valuex))
{
print "<table width=100% border=0 cellpadding=0 cellspacing=0>
<tr>
	<td width=100% align=center>Attack Attempt</td>
</tr>
<tr>
<td width=100% align=center>

<font color=maroon size='3'><b>!!! WARNING !!!</b></font>

<i><b>Malicious Code Detected! The staff has been notified.

Currently, we only allow the characters of ' / ' and ' ? '.</b></i>
</td>
</tr>
</table>

<< <a href='explore.php'>Explore</a>";
event_add(1,"<a href='viewuser.php?u=$userid'><u>{$ir['username']}</u></a> has been flagged for malicious code.

<b><u>Char Details</u></b>


<b>Chars Used:</b> $valuex",$c);
$h->endpage();
exit();
} 
}
reset ($_REQUEST);   while(list($keyx,$valuex) = each($_REQUEST))
{
${$keyx} = replace_meta_chars($valuex); 
} 
?>

 

2.) Place the following on the very top of whatever page you plan to use it on.

require "thefile.php";

 

EXAMPLE:

<?php
$atkpage=1;
include "globals.php";
require "thefile.php";
print "YOUR PAGE CONTENT";
$h->endpage();
?>

 

If you plan to use it on all pages, then place it in either your globals or header file. I don't remember where I saw this code, but it is free to use and a lot of games are using it right now, as some of you may have seen already while trying to hack.

To allow/disallow characters, just remove or add them in the above script... example below of what to look for.

return
@eregi_replace("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])|([uNION])|([sELECT])|([DROP])|([WHERE])|([EMPTY])|([FLUSH])|([iNSERT])","",$string);

if(eregi("([<])|([>])|([*])|([|])|([;])|([`])|([-])|([\])|([{])|([}])|([+])",$valuex))

 

For a little more added protection. Stick the following in your globals.php file.

function anti_inject($campo)
{
foreach($campo as $key => $val)
{
   	$val = mysql_real_escape_string($val);
   	// store it back into the array
   	$campo[$key] = $val;
}
return $campo; // Returns the cleaned array
}

//the next two lines make sure all post and get vars are filtered through this function
$_POST = anti_inject($_POST);
$_GET = anti_inject($_GET);

 

Enjoy!

Posted

ugh, I'm pretty sure that's the code that many people have problems with, I believe you get the 'warning' on a lot of pages you're not meant to.

Also 'eregi' is deprecated, so you may need to change that to 'preg_replace'.

But if you want to have the feeling of your site being 'un-hackable' go ahead lol.

Posted

@Drizzah:

That post only showed me two things - you don't know regular expressions and you don't test your code :P

Have you tried using the regular expression that you put in the code? I don't think you have because you'd have seen quite a HUGE difference before/after the function.

It strips out every character you listed in there. For example, you listed 'UNION' as one of the character sets to replace... That means your regular expression will remove all u, n, i, and o characters. With the rest of the characters you put in there, MOST of any text going through will be removed. Sure, it will keep your request variables 'safe', but it also completely mangles regular text.

To everybody else: Do NOT use that code, or (as you will find out) all your request variables will be abused :P
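To make Zeggy's point concrete, here is an added example (not code from the thread or from MCCodes) that runs the keyword part of replace_meta_chars() as a PCRE pattern next to a word-boundary version, and also runs the punctuation "detection" pattern. eregi_replace() and eregi() were removed in PHP 7, so porting the patterns to preg_replace()/preg_match() with the /i flag is an assumption; the constant and function names and the sample strings are mine.

```php
<?php
// Added example, not code from the thread or from MCCodes.
// The eregi_replace()/eregi() patterns from the post are run through
// preg_replace()/preg_match() with the /i flag (assumed port; the ereg
// family was removed in PHP 7).

// The keyword part of the filter, exactly as written in the post: every
// [ ... ] is a bracket expression, so [uNION] matches any single
// u, n, i or o, not the word "union".
const BRACKET_PATTERN = '/([uNION])|([sELECT])|([DROP])|([WHERE])|([EMPTY])|([FLUSH])|([iNSERT])/i';

// What the post evidently intended: whole keywords only (still a poor
// idea for free text, as later replies point out).
const KEYWORD_PATTERN = '/\b(union|select|drop|where|empty|flush|insert)\b/i';

// The "detection" half of the filter: the punctuation classes that send the
// player to the "Attack Attempt" page. [-] is in the list, so any hyphen
// ("e-mail", "well-known") trips it.
const DETECT_PATTERN = '/[<>*|;`\-\\\\{}+]/';

function stripWithBrackets(string $s): string
{
    return preg_replace(BRACKET_PATTERN, '', $s);
}

function stripKeywords(string $s): string
{
    return preg_replace(KEYWORD_PATTERN, '', $s);
}

function looksLikeAttack(string $s): bool
{
    return preg_match(DETECT_PATTERN, $s) === 1;
}

// Constructed sample inputs: ordinary text a player might type, plus one
// string of the kind the filter is meant to catch.
$samples = [
    'Unlikely',
    'Attack Attempt',
    'my e-mail is someone@example.com',
    '0 union all select login_name from users',
];

foreach ($samples as $s) {
    printf("%-45s brackets: %-20s keywords: %-45s flagged: %s\n",
        $s,
        stripWithBrackets($s),
        stripKeywords($s),
        looksLikeAttack($s) ? 'yes' : 'no');
}
```

Run it from the command line and compare the "brackets" column with the input: because the seven bracket expressions between them cover most of the alphabet, ordinary words come out with only a handful of letters left, while the word-boundary version leaves normal text alone. The "flagged" column shows the other problem Zed mentioned: anything containing a hyphen is reported as an attack.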

Posted
Zed - ugh, I'm pretty sure that's the code that many people have problems with, I believe you get the 'warning' on a lot of pages you're not meant to.

Also 'eregi' is deprecated, so you may need to change that to 'preg_replace'.

But if you want to have the feeling of your site being 'un-hackable' go ahead lol.

Only when trying to use it on the shoutbox mod so far. As for eregi, you may be right, as I have heard that from a few people already. I also heard that if it is working for you when testing it out, that is all that matters, and if it doesn't, then make the change.

 

Zeggy - That post only showed me two things - you don't know regular expressions and you don't test your code
I absolutely agree with you on not knowing regular expressions, but I do test whatever code I use.

 

Zeggy - It strips out every character you listed in there. For example, you listed 'UNION' as one of the character sets to replace... That means your regular expression will remove all u, n, i, and o characters. With the rest of the characters you put in there, MOST of any text going through will be removed. Sure, it will keep your request variables 'safe', but it also completely mangles regular text.
I don't know why anything else is being stripped out on you except what it is supposed to be stripping. I have tested this code on most pages on MCv2 except for the gang pages as of now and have not had any trouble yet. I did however have trouble when using it with the shoutbox and the fix was quite simple. The problem was only to do with when you click a smiley to add to shout, because of the characters it was using. I just replaced them with what I wanted to use instead of the normal code most sites use in a shoutbox, mailbox, forum and things such as those.

Maybe I am misunderstanding what you are trying to say. Do you mean that if I was to type 'Unlikely' on any form and click submit, it would strip the 'U' from the word? If so, it does not. It only strips what it is told to strip. As for a lot of the characters in the code, nobody should be using them unless trying to hack your forms. If certain words or characters in the code happen to give you trouble on a certain page, you could always make a new file for that page and edit what is allowed.

This of course is all my opinion. I am not a hacker, wanna-b hacker or a programmer of any languages. Like I said in my first message. Some will say this or that.... I placed it here to help those who may want to try it out.

Posted

In a regular expression, [ and ] mean any character found inside those square brackets. So, if you have [uNION] it will indeed match any U or N or I etc... Certainly NOT what you want.

Also a "catch all" filter like what you are trying to do is not smart and would block people from using words like select and union in a correct context.

It's much smarter to use the mysql escape function and make sure your numbers are true numbers before saving them into a DB. That leaves the HTML to be stripped, and a quick and dirty solution is str_replace(array("&","<",">"),array("&amp;","&lt;","&gt;"),$source);

That will simply show ALL the text, even if it's HTML and not show it as HTML. Problem solved.
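Here is the escape-on-output approach alain describes, as an added example that is not from his post or from MCCodes: the three-entity str_replace() next to htmlspecialchars(), which does the same replacement and also handles quotes, plus a small render function showing where the escaping belongs. The function names and sample strings are mine.

```php
<?php
// Added example, not from alain's post or from MCCodes: escape when
// printing HTML instead of stripping characters on input. Sample strings
// below are constructed.

// The three-entity replacement from the post. '&' must be first in the
// list: if '<' were replaced first, the '&' inside the new '&lt;' would be
// turned into '&amp;lt;' by the later '&' replacement.
function escapeManual(string $text): string
{
    return str_replace(['&', '<', '>'], ['&amp;', '&lt;', '&gt;'], $text);
}

// The built-in does the same and also encodes ' and " (ENT_QUOTES), so the
// result is safe inside an attribute such as value="..." as well as in
// element text. ENT_SUBSTITUTE stops invalid UTF-8 from making the
// function return an empty string.
function escapeHtml(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Rendering a shout: the message is stored unchanged (the query side is
// protected separately, by mysql_real_escape_string() or a bound
// parameter) and escaped only at the point where it becomes HTML.
function renderShout(string $username, string $message): string
{
    return '<div class="shout"><b>' . escapeHtml($username) . '</b>: '
         . escapeHtml($message) . '</div>';
}

$samples = [
    'Tom & Jerry <3',
    '<b>not bold</b>',
    '" onmouseover="alert(1)',
];

foreach ($samples as $s) {
    echo "raw:     $s\n";
    echo "manual:  " . escapeManual($s) . "\n";
    echo "builtin: " . escapeHtml($s) . "\n\n";
}

echo renderShout('alain', 'use <b>htmlspecialchars</b>, not a blacklist'), "\n";
```

The third sample is the reason to prefer the built-in: the manual version leaves the double quote alone, which is fine between tags but not inside an attribute value, whereas htmlspecialchars() with ENT_QUOTES encodes it in both places.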

Posted

So you all know, I have looked the code over and noticed that I was actually using it wrong. Now that I am using it right, it is doing exactly what you all are saying. I agree totally about not using it now and do see why a few people here complain about certain games using it, lol. Thanks for the info everyone!

Posted
I saw the hack of UID=1's passcode with a decoder; they show it as follows:

Code:

this is the login name of id [1]

 

Code:

?reply=0+union+all+select+login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name,login_name+from+users+where+userid=1 ******************

this is the password of [1], but it will give you a long code

 

Code:

?reply=0+union+all+select+userpass,userpass,userpass,userpass,userpass%2Cuserpass,userpass,userpass,userpass,userpass,userpass,userpass,userpass+from+users+where+userid=1 **************

and the password cracker needs to go to " http://www.md5decrypter.com " to decrypt the passcode,

I want to know, can that code you wrote for adding at global.php prevent that kind of injection?

Thanks,

Posted

You can simply do:

$_GET["reply"]+=0;

in the page where you use it, and that will make sure it's a number and not some odd string. Seems too easy, but it's really not more complex than that.

Guest Drizzle
Posted

another way is $_GET['reply'] = isset($_GET['reply']) && is_numeric($_GET['reply']) && ctype_digit($_GET['reply']) && abs(@intval($_GET['reply'])) ? $_GET['reply'] : FALSE;

Basically, this makes sure $_GET['reply'] is set, is a number, is a number again, is a positive number, and uses the ?. Basically, if it's true, it will be $_GET['reply']; if it's not, it returns false.

but like alain said, $_GET['reply']+=0; will do the trick also. But see, the reason I suspect DISTORTED is decio is because after we exposed Hitman_25 as decio, he stopped posting, and then out of the blue, DISTORTED claims he got hacked by decio. Now, in my opinion, that's odd. Not accusing, just putting it out there. Oh, and the reason I also know hitman 25 is decio is because I've had an MSN conversation with him about security, just to see if he was really decio or not. Anyway, I asked him if he's decio and he starts getting mad. lmao. Anyway yea, either one of those should do the trick
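The two one-liners above side by side, as an added example that is not from either post or from MCCodes, together with a filter_var() version and a bound-parameter query. The function names, the constructed request arrays and the hypothetical "replies" table with an integer "id" column are my assumptions; fetchReply() assumes a mysqli connection with mysqlnd (for get_result()).

```php
<?php
// Added example, not from the thread or from MCCodes: validating ?reply=
// as an integer before it goes anywhere near a query. Request arrays below
// are constructed; fetchReply() assumes a hypothetical "replies" table.

// Returns the id as an int, or null when the value is missing, is not a
// string, or is not a non-negative integer. filter_var() rejects
// "0 union all select ...", "17abc", "1e3" and "" with no notices thrown.
function readReplyId(array $request): ?int
{
    if (!isset($request['reply']) || !is_string($request['reply'])) {
        return null;   // also covers ?reply[]=1, which arrives as an array
    }
    $id = filter_var($request['reply'], FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// alain's version, for comparison. "0 union all ..." becomes 0 because PHP
// keeps the leading numeric part, but it raises a notice/warning, and on
// PHP 8 a string with no leading number at all ("abc") makes the
// arithmetic throw a TypeError rather than yielding 0.
function coerceReplyId(array $request): int
{
    $value = $request['reply'] ?? '0';
    $value += 0;
    return (int) $value;
}

// Drizzle's chain, for comparison. Note that abs(intval("0")) is 0, which
// is falsy, so a legitimate reply=0 is rejected along with the bad input.
function drizzleReplyId(array $request)
{
    return isset($request['reply']) && is_numeric($request['reply'])
        && ctype_digit($request['reply']) && abs(@intval($request['reply']))
        ? $request['reply'] : false;
}

// Even a validated int is better passed as a bound parameter than
// interpolated into the SQL string.
function fetchReply(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, body FROM replies WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed inputs as PHP sees them after URL decoding ('+' is a space).
$requests = [
    ['reply' => '17'],
    ['reply' => '0'],
    ['reply' => '0 union all select login_name from users where userid=1'],
    ['reply' => '17abc'],
    [],
];

foreach ($requests as $r) {
    printf("%-62s filter_var: %-5s drizzle: %s\n",
        var_export($r['reply'] ?? '(missing)', true),
        var_export(readReplyId($r), true),
        var_export(drizzleReplyId($r), true));
}
```

coerceReplyId() is deliberately left out of the loop because the third and fourth inputs make it emit a warning; run it by hand on those values to see the "0" and "17" it returns. The filter_var() version is the one to keep: it accepts "0", returns a real int, and never emits a notice, so it can sit at the top of a page in place of the `+=0` line.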

Guest Drizzle
Posted

Well here's a few more suggestions:

[1.] Learn how to code

[2.] Don't use 1-page fixes. Or if you're going to do something like that, create a function or two, and then apply it to all variables.

[3.] Secure each and every page. Have decio test his IQ of a grain of sand against your security. If he can't, congratulations, you're 25% of the way there.

[4.] If you don't feel like having to do any of this, why not pay someone? CrimGame, MagicTallGuy, and a few others are sure to get the job done for you. I don't know how much they charge, but then again I've never asked for any security work.

[5.] If you're going on the long road, search php.net. Sit at your computer for 5 days with a 12 pack of Monster energy (or whatever gives you a lot of energy, could be soda, that 5 hour energy stuff, whatever), with a notebook and pencil, and a pencil sharpener. Write down each and every function and paragraph. If you don't finish, continue until you do.

[6.] Well, I'm guessing it's about week 3 now, and you're finally done copying php.net. Now, read everything you wrote down. Then read it 2 more times. After that, try your skills on a script. If you do well, congratulations, you progressed a lot. If you didn't, hell, I'd be pissed too if I were you, sitting there for weeks writing and reading only to have a bunch of errors or something. :/

[7.] Well, I'm guessing it's been 5 mins that you could've been spending learning PHP, but you read all that I have to say. Now go from 1 to 7, or if you're taking the short road, skip from 1 to 4. But I highly suggest 5 and 6.

Posted

OK. Ignore my other post, I was "tired", lol. So let me point out some ways that could help secure your game.

1: When you have your domain, never give to anyone, anyone.

2: Set up a sub-domain, and install Mccodes.

3: Pay someone to secure your game. MagicTallGuy - CrimGame/Zero-effect - Pudda. My suggestion of who I would pay for security.

4: I Would ask them to secure my sub-domain, and copy all the codes from your sub-domain, into your Mccodes on your computer.

Why secure the sub-domain?

Now, domains like mine, chaotic-impulse.com, are (quite) known around some forums, and of course hackers will try and hack them. So of course, securing a random subdomain gives a less likely chance of getting hacked. It might take time replacing all the codes, but hey! It's secured. Or he could secure the codes from his computer: you pay whoever, you get the MCCodes. Upload, secured! That's how I think it goes, lol.

5: Create your items/crimes/shops etc... Open the game.

6: When wanting a new mod, pay someone to secure it, blah blah.

7: Enjoy your game life.

Ohh, and for a better chance of securing the game, in phpMyAdmin change the table/database names. And remember to replace them in all the codes; that would give even less chance of the game being hacked.

Ps. Use the domain like this. hey.heyapple.hey.heyapple.what.het.whayareyouannoying.idontknow.lol.lmoa.html.css.google.flamingo.cupid.grape.orange.rasheedsaeedisawesome.chaotic-impulse.com

Cheers, and thanks for reading

Rasheed Saeed (Renkia)

Guest Drizzle
Posted

Ahh.. I wouldn't ask Pudda. He's an asshole, along with crazy-t and others who sit in a Yahoo convo all day and make fun of everyone on MWG. Trust me, I've been in there, they are ridiculous. However, I never recall Zero doing anything besides calling people noobs, and haven't recalled MTG doing anything either, so I'd still suggest those two.

Posted

I don't call people noobs, I call them nooblets, and I do a lot, thank you very much. I'm also friends with Jordan, Alan and Adam, who have not been assholes to me, so I think maybe they're just assholes to people who deserve it. LOL @ Yahoo convos, I thought it was Skype...

Posted

Drizzle:

In my case Jordan - Pudda is a very nice person who helps a lot of noobies and gives them hints & tips. And to be honest, you have no proof they make fun of everyone. Crazy-T, I never knew Crazy-T until yesterday, and in my case he's just sad. Why? Posing as Djhanna (really Djhanna), hacking Tyr's forum over the 2 common names, deleting everyone's posts, that some people have written S.A.'s in. So to be honest, I wouldn't really want to get to know him; I don't really like hackers, no matter what. Now Zero, I've never really spoken to the guy; I do now and then on MSN while he's kicking my ass at Connect 4, lol. I haven't seen many insults from Crimgame saying "noobs", blah whatever. Only on some funny posts he calls people noobs.

I'm not taking sides, or arse licking, but I think they only behave like that to you because of your attitude.

Anyways

Thanks, for reading

Renkia (Rasheed Saeed)

Posted

Oh, I can be insulting at times, but damn, ain't we all. I don't, however, give examples often, because I want people to learn, not be spoon fed, and I think people dislike that. I would say that is their problem.

Posted

Topic Locked

And to the copycat: be inventive instead of simply copying an existing site for 99%.

MWG or its staff had nothing to do with the DDoS or deletion of the copycat. But it does seem we have some hardcore fans that took action. And action aside, kinda stupid to give people admin rights without even asking them to be admin.

You might also look at the Acceptable Use Policy of byethost.
