DELETE-ME-NOW- Posted August 15, 2010
My game has just been hacked, as a guy just made himself admin, and deleted all users. X( :cursing: What are the ways to stop this? And how do I stop this from happening again?

Dominion Posted August 15, 2010
Well, the most basic answer I can give is secure your site ... any idea how he did it? The forums are well known for this kind of hack, as is the IP hack (I think that's what it does anyway, you can change your own user?). More info, or do you have none?

DELETE-ME-NOW- Posted August 15, 2010 (Author)
I think it may have been a mysql injection.

Equinox Posted August 15, 2010
Find out exactly how and we can help, just post the file.

Dominion Posted August 15, 2010
SQL injection? Do you know the file it was from? Did you rename your staff files? Over the last few days I have been playing around with my test site for v2 and I have to say there are a lot more holes than most people seem to think (or at least post). However, I do not have the updated copy so I cannot comment on that.

DELETE-ME-NOW- Posted August 15, 2010 (Author)
Not sure if this has anything to do with it, but a new newspaper advertisement appeared saying:
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 15 in /home2/***/public_html/class/class_db_mysql.php on line 94.
That may be the problem.

rulerofzu Posted August 15, 2010
Didn't you post at streetsyndicate that you can hack it like a piece of shit? Could be a case of someone reading it and then hacking your game. You will need to go through your game file by file and make sure each and every one is secure.

DELETE-ME-NOW- Posted August 15, 2010 (Author)
> Didn't you post at streetsyndicate that you can hack it like a piece of shit? Could be a case of someone reading it and then hacking your game. You will need to go through your game file by file and make sure each and every one is secure.
The first bit, I have no idea what you are talking about.

Dominion Posted August 15, 2010
Same name does not mean it was him, as someone picked to show us in chat today lol, but he did spell hack wrong so... From their chat:
Kieranrobo This month at 6:24:08 am: I can hakc this game like a piece of shit. Admin, dont use MCcodes...
Kieranrobo This month at 6:23:45 am: f

DELETE-ME-NOW- Posted August 15, 2010 (Author)
lmao. I can guarantee you that I didn't say that.

Dominion Posted August 15, 2010
Does not really matter, no way we can show you did/did not. So you think it was via your newspaper? I assume it's not paid; if not, post it up. If it is, ummmm, can't help you, sorry about that, but I can say secure input and output. If you need help, chat's always open :P (people seem to forget it's there)

rulerofzu Posted August 15, 2010
I remember a post in the shoutbox with the same name kieranrobo. Perhaps someone using the same name.

Paul Evans Posted August 15, 2010
Normally to get security for MCC scripts it costs, but you could use the search option for known exploits, just use keywords like 'Exploit', 'injection', 'hack', 'cmarket', or contact someone to help you like myself, but it can cost you about 150-250 USD for someone to secure your site.

Dominion Posted August 15, 2010
Sounds about right on the money side, and on the side of looking around, learning PHP will help in the long run anyway.

DELETE-ME-NOW- Posted August 15, 2010 (Author)

```php
<?php
include "globals.php";
print "<h3>Gangsta Nations Newspaper</h3>";
print "
<table width=90% cellspacing=1 class='table'>
<tr>
<td class=h><center>[url='job.php']<font color='red'>YOUR JOB</font>[/url]</td>
<td class=h><center>[url='gym.php']<font color='red'>LOCAL GYM</font>[/url]</td>
<td class=h><center>[url='halloffame.php']<font color='red'>HALL OF FAME</font>[/url]</td>
<td class=h><center>[url='gangcentral.php']<font color='red'>LOCAL GANGS</font>[/url]</td>
<td class=h><center>[url='index.php']<font color='red'>MY HOUSE</font>[/url]</td>
</tr>
<tr>
<td class=h><center>[url='userlist.php']<font color='red'>LOCAL RESIDENTS</font>[/url]</td>
<td class=h><center>[url='stats.php']<font color='red'>CITY STATS</font>[/url]</td>
<td class=h><center>[url='usersonline.php']<font color='red'>PEOPLE AWAKE</font>[/url]</td>
<td class=h><center>[url='gangwars.php']<font color='red'>CURRENT WARS</font>[/url]</td>
<td class=h><center>[url='estate.php']<font color='red'>HOUSES FOR SALE</font>[/url]</td>
</tr>
<tr>
<td colspan=6>";
print "
<table width=90% cellspacing=1 class='table'><center><h3>Player Advertisements</h3><center> | [url='newspaper.php?action=add'][b]Buy An Advertisement ($10,000)[/b][/url]";
if($ir['user_level'] > 1)
{
    print " | <a href=newspaper.php?action=all>[b]DELETE ALL[/b]</a>";
}
$anpdata=$db->query("SELECT * FROM npaper");
$q=$db->query("SELECT user_level FROM users WHERE userid=$userid");
$r=$db->fetch_row($q);
print "<marquee speed=2 direction=up onmouseover='this.stop()' onmouseout='this.start()' class='textbox'>";
while($npdata=$db->fetch_row($anpdata))
{
    $us=$db->query("SELECT username FROM users WHERE userid={$npdata['npADDER']}");
    $us=$db->fetch_single($us);
    $time=date('F j',$npdata['npTIME']);
    print "
<hr>
[b]Ad By: [url='viewuser.php?u={$npdata[']<font color=red>{$us}</font> [{$npdata['npADDER']}][/url] | Added On: {$time}[/b]";
    if($r['user_level'] != 1)
    {
        print "
 | <a href=newspaper.php?action=npID&npID={$npdata['npID']}>[b]DELETE[/b]</a>";
    }
    print "
[i]<u>{$npdata['npTITLE']}[/i]</u>
[i]{$npdata['npBODY']}[/i]
";
}
print "<hr /></marquee>
</table>";
$q=$db->query("SELECT user_level FROM users WHERE userid=$userid");
$r=$db->fetch_row($q);
if($r['user_level'] != 1)
{
    if($_GET['action'] == "all")
    {
        if($r['user_level'] != 1)
        {
            $db->query("TRUNCATE TABLE npaper");
            print "Newspaper Ads All Cleared! <META HTTP-EQUIV=Refresh CONTENT='1;url=newspaper.php'>";
        }
    }
    else if($_GET['action'] == "npID")
    {
        if($r['user_level'] != 1)
        {
            $db->query("DELETE FROM npaper WHERE npID={$_GET['npID']}");
            print "News Paper Ad ID {$_GET['npID']} deleted! <META HTTP-EQUIV=Refresh CONTENT='1;url=newspaper.php'>";
        }
    }
}
if($_GET['action'] == "add")
{
    print "<h3>Add Advertisement ($10,000)</h3>
<form action='newspaper.php?action=added' method='post'>
Ad Title: <input type='text' name='npTITLE' class='textbox'>
Ad Body: <textarea rows=5 cols=18 name='npBODY' class='textbox'></textarea>
<input class='textbox' type='submit' value='Place Ad ($10,000)' />
</form>
<font color=red>[b]WARNING:[/b] Only plain text will work Do not advertise other games Follow the rules.";
}
if($_GET['action'] == "added")
{
    if($ir['money']>9999)
    {
        print "Congratulations, you bought an ad for \$10,000! ";
        $db->query("UPDATE users SET money=money-10000 WHERE userid=$userid");
        $title=str_replace(array("\n"),array(" "),strip_tags($_POST['npTITLE']));
        $body=str_replace(array("\n"),array(" "),strip_tags($_POST['npBODY']));
        $q=$db->query("INSERT INTO `npaper` VALUES (NULL, '$userid', '$title', '$body', unix_timestamp())");
        print "Advertisement was successfully added! <META HTTP-EQUIV=Refresh CONTENT='5;url=newspaper.php'>";
    }
    else
    {
        print "You do not have enough money to place an advertisement.
[url='newspaper.php']>Back[/url]";
    }
}
print"</td></tr>
<tr>
<td td colspan=6>
<center>$content</td>
</tr>
</table>";
$h->endpage();
?>
```

Remember, I'm not certain that the hack was caused by here.

Haunted Dawg Posted August 15, 2010
It's most probably from the header.php file, post that up then we start looking at other causes.

sniko Posted August 15, 2010
Or.........The meta refresh display picture.....

Paul Evans Posted August 15, 2010
Could be one of many problems, hence the paying of an expert and/or look through the forum.

Dominion Posted August 15, 2010
The thing about paying someone, or at least what I found, was if you have just paid $300 for v2 (I know it's only $100 now) I did not want to pay $200 more just to get it fixed up. It's the main thing that got my ass in gear and got me to Google to learn PHP, and I have to say it's easy to learn if you already know HTML and a few different languages as I did.

Paul Evans Posted August 15, 2010
You do have a very good point Dominion, but you go set yourself back a few months (6 if learning properly) and still need to get someone to check it over, which is why it's best to just get someone to maybe review it then refer someone for the code. Then simply look over the code and learn from that; php.net is your friend.

Dominion Posted August 15, 2010
6? I paid for mccodes years ago, only signed up to ce after I felt I was ready to face the "omg noob" part of the members area lol. Been learning website development for a few years now, so long I can't find my email to say I have a valid mccodes copy (it's there, will just take time lol), and I did not start on websites, I was editing games back in 05 when civ4 came out; that site still has mods from me. But you're right, if you have the money paying someone is fast and you can learn from it. I found learning myself to be better, but I do admit I should have spent a lot more time on the PHP part since my skills there are not 1/2 as good as they should be, but I get by :)

Joshua Posted August 16, 2010
Usually an admin hack is done via 3 simple ways:
A picture / meta / iframe hack that is relatively easy.
The old school IP spoofer, meaning if you didn't secure your header/register/global_func or globals? can't remember which, they will auto admin with a short line of code.
Or a mysql_injection via anywhere that is updating the users for the most part. i.e. if you have a script such as... 50 / 50 and they bet 10000 cash, if the variable isn't secured they could simply do something as dumb as
10000', user_level='2
And they just made themselves admin.
Secure your site. I don't really do it much anymore, bigger fish to fry, but there are a few roaming the boards that will, such as Paul / CrimeGame I know does a good job.

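The `10000', user_level='2` case in Joshua's post and the request values that the posted newspaper.php places directly into its `DELETE` and `INSERT` queries are the same flaw, shown here next to a hardened form. This is an added example, not part of any post and not MCCodes code: it uses PDO with an in-memory SQLite database in place of the game's `$db` class so it runs offline, and the table layout and the function names (`bet_unsafe`, `bet_safe`, `delete_ad`, `add_ad`) are assumptions.

```php
<?php
// Added example: tables, rows and function names are constructed for illustration.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec("CREATE TABLE users (userid INTEGER PRIMARY KEY, money INTEGER, user_level INTEGER)");
$pdo->exec("CREATE TABLE npaper (npID INTEGER PRIMARY KEY, npADDER INTEGER, npTITLE TEXT, npBODY TEXT)");
function reset_user(PDO $pdo): void {
    $pdo->exec("DELETE FROM users");
    $pdo->exec("INSERT INTO users VALUES (1, 50000, 1)"); // one ordinary member
}
function user_level(PDO $pdo): int {
    return (int) $pdo->query("SELECT user_level FROM users WHERE userid = 1")->fetchColumn();
}
// Unsafe pattern: the request value becomes part of the SQL text.
function bet_unsafe(PDO $pdo, int $userid, string $bet): void {
    $pdo->exec("UPDATE users SET money = money - '{$bet}' WHERE userid = {$userid}");
}
// Hardened: only a positive whole number is accepted, and it is bound as data.
function bet_safe(PDO $pdo, int $userid, string $bet): bool {
    if (!ctype_digit($bet) || (int) $bet < 1) {
        return false;
    }
    $st = $pdo->prepare("UPDATE users SET money = money - ? WHERE userid = ? AND money >= ?");
    $st->execute([(int) $bet, $userid, (int) $bet]);
    return $st->rowCount() === 1;
}
// Same rule for the npID that the posted newspaper.php puts into its DELETE.
function delete_ad(PDO $pdo, string $npID): bool {
    $id = filter_var($npID, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    $st = $pdo->prepare("DELETE FROM npaper WHERE npID = ?");
    $st->execute([$id]);
    return $st->rowCount() === 1;
}
// Ad text is bound as data instead of being quoted into the INSERT.
function add_ad(PDO $pdo, int $userid, string $title, string $body): void {
    $st = $pdo->prepare("INSERT INTO npaper (npADDER, npTITLE, npBODY) VALUES (?, ?, ?)");
    $st->execute([$userid, strip_tags($title), strip_tags($body)]);
}

$payload = "10000', user_level='2"; // the value quoted in the thread
reset_user($pdo);
bet_unsafe($pdo, 1, $payload);
echo "concatenated: user_level = ", user_level($pdo), "\n";
reset_user($pdo);
$accepted = bet_safe($pdo, 1, $payload);
echo "validated and bound: accepted = ", var_export($accepted, true), ", user_level = ", user_level($pdo), "\n";
add_ad($pdo, 1, "Bob's guns", "It's cheap");
echo "delete_ad('abc') = ", var_export(delete_ad($pdo, "abc"), true), "\n";
```

Run with the PHP command-line interpreter; it needs the `pdo_sqlite` extension and touches no real database.
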