Admin hack? wtf?

[DELETE-ME-NOW-]

My game has just been hacked, as a guy just made himself admin, and deleted all users. X( :cursing:

What are the ways to stop this? And how to i stop this from happening again?

[Dominion]

well the most basic answer i can give is secure your site ...

any idea how he did it the forums are well known for this kind of hack as is the ip hack (i think thats what it does anyway you can change you own user?) more info or do you have none ?

[DELETE-ME-NOW-]

I think it may have been a mysql injection

[Equinox]

Find out exactly how and we can help, just post the file

[Dominion]

sql injection ? do you know the file it was from did you rename your staff files ?

over the last few days i have been playing around with my test site for v2 and i have to say there are a lot more holes then most people seem to think (or at least post) however i do not have the updated copy so i can not comment on that

[DELETE-ME-NOW-]

Not sure if this has anything to do with it, but a new newspapper advertisment appeared saying:

Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 15 in /home2/***/public_html/class/class_db_mysql.php on line 94.

That may be the problem

[rulerofzu]

Didnt you post at streetsyndicate that you can hack it like a piece of shit? Could be a case of someone reading it and then hacking your game.

 

You will need to go through your game file by file and make sure each and every one is secure.

[DELETE-ME-NOW-]

Didnt you post at streetsyndicate that you can hack it like a piece of shit? Could be a case of someone reading it and then hacking your game.

 

You will need to go through your game file by file and make sure each and every one is secure.

The first bit, i have no idea what you are talking about.

[Dominion]

same name does not mean it was him as someone picked to show us in chat today lol but he did spell hack wrong so...

from there chat

 

Kieranrobo This month at 6:24:08 am: I can hakc this game like a piece of shit. Admin, dont use MCcodes...

Kieranrobo This month at 6:23:45 am: f

[DELETE-ME-NOW-]

lmao. I can garentee you that i didnt say that.

[Dominion]

does not really matter no way we can show you did/did not so you think it was via your newspaper i assume its not paid if not post it up if it is ummmm can't help you sorry about that but i can say secure input and output if you need help chats always open :P (people seem to forget its there)

[rulerofzu]

I remember a post in the shoutbox with the same name kieranrobo.

Perhaps someone using the same name.

[Paul Evans]

Normally to get security for MCC scripts it costs but you could use the search option for known exploits just use keywords like 'Exploit', 'injection', 'hack', 'cmarket' or contact someone to help you like myself but it can cost you about 150-250 USD for someone to secure your site.

[Dominion]

sounds about right on the money side and on the side of looking around learning php will help in the long run anyway

[DELETE-ME-NOW-]

<?php
include "globals.php";

print "<h3>Gangsta Nations Newspaper</h3>";
print "
<table width=90% cellspacing=1 class='table'>
<tr>
<td class=h><center>[url='job.php']<font color='red'>YOUR JOB</font>[/url]</td>
<td class=h><center>[url='gym.php']<font color='red'>LOCAL GYM</font>[/url]</td>
<td class=h><center>[url='halloffame.php']<font color='red'>HALL OF FAME</font>[/url]</td>
<td class=h><center>[url='gangcentral.php']<font color='red'>LOCAL GANGS</font>[/url]</td>
<td class=h><center>[url='index.php']<font color='red'>MY HOUSE</font>[/url]</td>
</tr>
<tr>
<td class=h><center>[url='userlist.php']<font color='red'>LOCAL RESIDENTS</font>[/url]</td>
<td class=h><center>[url='stats.php']<font color='red'>CITY STATS</font>[/url]</td>
<td class=h><center>[url='usersonline.php']<font color='red'>PEOPLE AWAKE</font>[/url]</td>
<td class=h><center>[url='gangwars.php']<font color='red'>CURRENT WARS</font>[/url]</td>
<td class=h><center>[url='estate.php']<font color='red'>HOUSES FOR SALE</font>[/url]</td>
</tr>
<tr>
<td colspan=6>";

print "

<table width=90% cellspacing=1 class='table'><center><h3>Player Advertisements</h3><center> | [url='newspaper.php?action=add'][b]Buy An Advertisement ($10,000)[/b][/url]";
if($ir['user_level'] > 1)
{
print " | <a href=newspaper.php?action=all>[b]DELETE ALL[/b]</a>";
}
$anpdata=$db->query("SELECT * FROM npaper");
$q=$db->query("SELECT user_level FROM users WHERE userid=$userid");
$r=$db->fetch_row($q);
print "<marquee speed=2 direction=up onmouseover='this.stop()' onmouseout='this.start()' class='textbox'>";

while($npdata=$db->fetch_row($anpdata))
{
$us=$db->query("SELECT username FROM users WHERE userid={$npdata['npADDER']}");
$us=$db->fetch_single($us);
$time=date('F j',$npdata['npTIME']);
print "
<hr>
[b]Ad By: [url='viewuser.php?u={$npdata[']<font color=red>{$us}</font> [{$npdata['npADDER']}][/url] | Added On: {$time}[/b]";
if($r['user_level'] != 1)
{
print " | <a href=newspaper.php?action=npID&npID={$npdata['npID']}>[b]DELETE[/b]</a>";
}
print "

[i]<u>{$npdata['npTITLE']}[/i]</u>

[i]{$npdata['npBODY']}[/i]


";
}
print "<hr /></marquee>
</table>";
$q=$db->query("SELECT user_level FROM users WHERE userid=$userid");
$r=$db->fetch_row($q);
if($r['user_level'] != 1)
{
if($_GET['action'] == "all")
{
if($r['user_level'] != 1)
{
$db->query("TRUNCATE TABLE npaper");
print "Newspaper Ads All Cleared!
<META HTTP-EQUIV=Refresh CONTENT='1;url=newspaper.php'>";
}
}
else if($_GET['action'] == "npID")
{
if($r['user_level'] != 1)
{
$db->query("DELETE FROM npaper WHERE npID={$_GET['npID']}");
print "News Paper Ad ID {$_GET['npID']} deleted!
<META HTTP-EQUIV=Refresh CONTENT='1;url=newspaper.php'>";
}
}
}
if($_GET['action'] == "add")
{
print "<h3>Add Advertisement ($10,000)</h3>
<form action='newspaper.php?action=added' method='post'>
Ad Title: 
<input type='text' name='npTITLE' class='textbox'>

Ad Body: 
<textarea rows=5 cols=18 name='npBODY' class='textbox'></textarea>

<input class='textbox' type='submit' value='Place Ad ($10,000)' />
</form>
<font color=red>[b]WARNING:[/b] Only plain text will work
Do not advertise other games
Follow the rules.";
}

if($_GET['action'] == "added")
{
if($ir['money']>9999)
{
print "Congratulations, you bought an ad for \$10,000!
";
$db->query("UPDATE users SET money=money-10000 WHERE userid=$userid");
$title=str_replace(array("\n"),array("
"),strip_tags($_POST['npTITLE']));
$body=str_replace(array("\n"),array("
"),strip_tags($_POST['npBODY']));
$q=$db->query("INSERT INTO `npaper` VALUES (NULL, '$userid', '$title', '$body', unix_timestamp())");
print "Advertisement was successfully added!
<META HTTP-EQUIV=Refresh CONTENT='5;url=newspaper.php'>";
}
else
{
print "You do not have enough money to place an advertisement.

[url='newspaper.php']>Back[/url]";
}
}
print"</td></tr>
<tr>
<td td colspan=6>

<center>$content</td>
</tr>
</table>";
$h->endpage();
?>

 

Remeber, im not certain that the hack was caused by here

[Haunted Dawg]

It's most probably from the header.php file, post that up then we start looking at other cause's.

[sniko]

Or.........The meta refresh display picture.....

[Paul Evans]

Could be one of many problems hence the paying of a expert and/or look through the forum.

[Dominion]

the thing about paying someone or at least what i found was if you have just paid $300 for v2 (i know its only $100 now) i did not want to pay $200 more just to get it fixed up its the main thing that got my ass in gear and got me to google to learn php and i have to say its easy to learn if you already know html and a few different languages as i did

[Paul Evans]

You do have a very good point Dominion but you go set yourself back a few month (6 if learning properly) and still need to get someone to check it over which is why it's best to just get someone to maybe review it then refer someone for the code. Then simply look over the code and learn from that php.net is your friend.

[Dominion]

6? i paid for mccodes years ago only signed up to ce after i felt i was ready to face the "omg noob" part of the members area lol been learning website development for a few years now so long i can't find my email to say i have a vailed mccodes copy (its there will just take time lol) and i did not start on websites i was editing games back in 05 when civ4 came out that site still has mods from me but your right if you have the money paying someone is fast and you can learn from it i found learning myself to be better but i do admit i should have spent a lot more time on the php part since my skills there are not 1/2 as good as they should be but i get by :)

[Joshua]

usually an Admin hack is done via 3 simple ways

A picture / meta / iframe hack that is relatively easy.

The old school IP sploofer, meaning if you didnt secure your header/register/global_func or globals? cant remember which, they will auto admin with a short line of code

Or a mysql_injection via anywhere that is updating the users for the most part.

i.e if you have a script such as...50 / 50 and they bet 10000 cash

 

if the variable isnt secured they could simply do something as dumb as

10000', user_level='2

And they just made themselves admin.

Secure your site.

I don't really do it much anymore, bigger fish to fry, but there are a few roaming the boards that will, such as Paul / CrimeGame I know does a good job.