newclear Posted January 5, 2012

Ok, so I went to check out the demo games of the mccodes v1, v2 and redux.. And this is what I found..lol

When visiting the v1 demo:

This Account Has Been Suspended

When visiting the v2 demo:

Warning: require(class/class_db_.php) [function.require]: failed to open stream: No such file or directory in /home/samplev2/public_html/login.php on line 6
Warning: require(class/class_db_.php) [function.require]: failed to open stream: No such file or directory in /home/samplev2/public_html/login.php on line 6
Fatal error: require() [function.require]: Failed opening required 'class/class_db_.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/samplev2/public_html/login.php on line 6

When visiting the redux version:

SSH Secure [root # SA3D HacKeD By SA3D HaCk3D KurDish HaCkerS ./SA3D

So, what is up with that? lol

Nickson Posted January 5, 2012

Still? Whow, that's quite bad... since this first attack happened almost a month ago xD Good job mcc!

Neon Posted January 5, 2012

It's clear the product is dead from support and what not. If your demo site remains in the "hacked" state for 2ish weeks now you have no company or support anymore. Tis sad.

EDIT: I see at least the defacement is gone. I stand corrected.

Edited January 5, 2012 by Neon

ColdBlooded Posted January 19, 2012

All demos have been repaired.

samplev1.mccodes.com
samplev2.mccodes.com
redux.mccodes.com

rulerofzu Posted January 19, 2012

Took close to two months to simply take it down and then upload a fixed set of files.

Neon you are correct McCodes as an engine should be considered dead. Obviously the McCode owners/staff have no interest in it as they couldn't be bothered to fix their own demos. Notice they did fix immediately the main site for purchasing the engine.

It's a scam. Let's face it if you bought a script from anywhere which had issues and was given no support and it didn't work correctly as in v1, v2 and redux then you would want a refund or want it fixed. The fact they do not do either of those means they are scamming those who purchase.

ColdBlooded Posted January 19, 2012

You are right that we didn't work well in the past in terms of customer satisfaction, but we promise to react to each issue/dispute from now on. MCcodes sells operational and secured engine version 1, 2 and Redux on mccodes.com. There are patches which can be downloaded from your client section.

chicka Posted January 19, 2012

> You are right that we didn't work well in the past in terms of customer satisfaction, but we promise to react to each issue/dispute from now on. MCcodes sells operational and secured engine version 1, 2 and Redux on mccodes.com. There are patches which can be downloaded from your client section.

When a company or a product has as bad of a reputation as mccodes does, all the promises in the world ain't gonna make it better. I'm Gon' keep this real, Mccodes is dead, took a month or more to fix your hacked site (Looks very Very bad for your business), Security on all your versions was very very poor, Your lack of support made mccodes go downhill. Now you're planning on releasing v3? Well with people like Alain releasing their own engine for a very good price, The support we all know he's gonna offer, and with a reputation like he's got, why would anyone wanna purchase another "broken out of the box" game from mccodes?

Dominion Posted January 19, 2012

> I wouldn't be at all surprised if this particular bug manifests itself in MonoDistrict given you and Paul's lackadaisical approach to security.

To be honest that's kind of harsh. From what I have seen you take security to a level that most people on this site would never even think of. (Even if it is the level it should be that's irrelevant for my point. ;) ) Take a step back for a moment, and consider that for a quick fix, and to avoid the common hacks that a small mccodes game would encounter, a simple regex check on the situation you pointed out was sufficient. Even more so when you consider the larger problems involving more known files. Some of which have been pointed out in the above thread.

As for mccodes being dead, frankly this much time to fix a demo is very disappointing. Knowing it was through idleness since you fixed your own sites does not help my view of it.

Dominion Posted January 19, 2012

> Paul actually freely admitted that he did not even consider looking at that particular file, and Dabomstew has pointed out that neither he nor ColdBlooded is a security expert/consultant. Thus lackadaisical, which by definition is among other things "carelessly lazy". These problems could have easily been prevented when the code was initially written, by thinking about how the particular script in question is called and from where.

Worrying... Would have thought he checked every file.

> A regex is, quite simply, not the answer. If you don't understand why then so be it; there is nothing to worry about.

As I said in our pm conversation, and half said above there are more pressing issues than this one. It's been unnoticed by a lot of people for years, and to my knowledge never been used to attack a site. As for how you would prevent it beyond a quick fix feel free to pm me, or openly discuss the problem although perhaps not here... Being challenged on methods is certainly the most fun way to learn.

P.S. “more pressing” to someone looking at mccodes as an option. Mccodes.com sell a product and should obviously consider it all pressing. Maybe consider looking through every file, and bring in 3rd party opinions if you don’t consider yourselves experts. Maybe someone without prior knowledge of the mccodes engine. Sorry, again harsh I know, but honest. Points are valid so it does not matter to me. :p

> I would also point out that this is not the place to discuss it, again for what should be obvious reasons.

Of course. You should however know it’s also constructive to have an open, albeit more generalized, discussion on security problems. You don’t always need to explain how to use it to attack a system when explaining a fix, at least for some things.

Edited January 19, 2012 by Dominion

SHAD Posted January 20, 2012

Could someone please PM me about this problem and what it actually is; I have to say it has me a tad worried and this thread is just feeding anxiety.

Neon Posted January 20, 2012

What's there to talk about? The site got hacked.

The code in my opinion looks like it was made in 1990. It's old and out of date. It doesn't seem to follow any php model I know, and mixes php and html non-stop. I even see places where queries are taking place with direct $_GET and $_POST responses, which is just a no no for security. (However, maybe $db->query() runs checks on that query, but either way the code is not good).

6 years ago I believe that's when this domain was created and McCodes started. I played lots of games that were made off this engine and it was great. I never knew the "backend" of how mccodes operated, just that it was used a lot back in the day. However, times have changed. A few years in college allows me to see the truth to this engine. It's 6 years later and people are still buying an out of date bad thing.

My personal opinion. Don't buy it. Don't run it. Get as far away as possible from it.