MakeWebGames

[mccode] Game Monitor [$200.00]


oxidati0n


I know what you're thinking: what the hell is it and why is it expensive?

It is a script which will fix it all, it will add on a tiny bit more of CPU (not much at all, less than 1% more) and will basically put your site in a fixed mode, everything will be fixed so if the site is SQL injected rest assured either you will be notified, little damage will be caused or they will be disabled to run that page.

It will come with a daily monitor such as if the Crons have worked, if there's been an increase in Server Load and if there's any spammers.

Estimated Installation Time: 3 hours, 30 minutes

Required: cPanel 10-11 or Plesk or Ensim or DirectAdmin, Linux Server and reasonable speed server.

We can install it on V1.1 for $300 due to the fact it's not got any custom interface of functions.

So total pricing:

MCcodes V1 - $300.00 USD

MCcodes V2 - $200.00 USD

Add-ons available:

Site Optimization - +$100.00 USD

SEO (Search Engine Optimization) - +$150.00 USD

[SEO - Search Engine Optimization, key features to make your site have a pagerank. PR 5 sites are worth $90k alone]

Payments can be paid by:

Offline Credit/Debit Card Processing ($3 fee)

PayPal

MoneyBookers

AlertPay

Payoneer Cards

Wire Transfer

NoChex

:) Thanks.


Re: Game Monitor [$200]

Any screen shots of this? And how can we be assured that your services are still loyal?

After seeing you dump your ptc's we need something to assure that it works.

After your mods have been sold I've come to find many people ask me to fix them.

A lot has happened in your absence and I wouldn't buy anything from you unless I'm assured it will work.

If you take this reply as a bad way then fine, but if you take it as something else cool because all I know is I'm not trying to be mean here at all.


Guest Anonymous

Re: Game Monitor [$200]

 

> It is a script which will fix it all, it will add on a tiny bit more of CPU (not much at all, less than 1% more) and will basically put your site in a fixed mode, everything will be fixed so if the site is SQL injected rest assured either you will be notified, little damage will be caused or they will be disabled to run that page.

A script -- Well there is #1 problem. Is this a PHP script? If so, at what permission level is it running on? What version of php? If it's running with elevated privileges - exactly what are they - What services does it require (server architecture etc).

Anti-SQL injection... Well that's simple to prevent. And there is nothing that I have ever seen that sits at a higher level than my basic code that is capable. Perhaps, you'd care to provide more information. As I am not aware of any hooks to the mysql/mysqli functions, I fail to see how this can be done. Perhaps you've written a new C client for php... But that in itself would raise far too many questions to be viable, plus I doubt it would be ratified by PHP themselves for exactly that reason.

 

> It will come with a daily monitor such as if the Crons have worked, if there's been an increase in Server Load and if there's any spammers.

Well using the standard cron system on any unix system you automatically have that functionality - so nothing new there. As for checking the load looking for spammers - interesting trick. Pointless, after all a swift look in /var/log/httpd/ ... (i.e. standard web-server logs) will provide much of this information. So what extra facilities do you provide outside of what any half competent machine has already built in?

 

> Estimated Installation Time: 3 hours, 30 minutes

I assume that's with the obligatory coffee breaks and swift trip to Asda. Come on, I can build a server, compile the kernel, install apache, php, mysql and a few extra toys in half that time...

 

> Required: cPanel 10-11 or Plesk or Ensim or DirectAdmin, Linux Server and reasonable speed server.

Probably be a lot faster at ssh level. But then there's security to consider.

Well overall, personally I feel this "product" is suspect. A lot of what is supposedly done is already available in your systems, so be wary.

I would like to propose that the OP supply mdshare with a copy so that it can be authenticated fully and tested on the rack system (27+ machines running different OS's specifically for this kind of problem).


Re: Game Monitor [$200]

Nice of you to ask Nyna, I've not met you before but anyways.

I think you know how poorly coded MonoCountry codes were.

MCcodes is a very unreliable script to use, all the "less popular" games get hacked once they get big because they don't know the vulnerabilities of the script. This script keeps them updated basically, and it is in fact made in PHP using some new features enabled in PHP 4.7> and MySQL 5 which can strengthen the script security. I forgot to mention that those two are required.

Here's just one example, and one of the many things I do. (I know it's basic, but every little helps):

Say you're going to run a MySQL query to update a user's money, with no security at all.

$amount = "10000000000000"; //if they posted that much, like i said without security.. even with some security it can be tortured.

mysql_query("UPDATE users SET money='$amount' WHERE userid=$userid");

Simply run this to lower the damage.

mysql_query("UPDATE `users` SET `money` = '".(int) $amount."' WHERE `userid` = '$userid' LIMIT 1;");

Not only does this make the hacker unfamiliar with ` is enabled or not, but it also makes the hacker unfamiliar that it will only affect one field, and in reality that is what it's going to affect. Like I said, this is one of the things.

Basically toning up your site and offering a site report so if any problem persists (except PHP errors of course) it will report to you. I can make it report PHP errors, but I would need a list of all of your PHP files in order to do so.

The reason it's going to take so long as it isn't going to have the same structure with every site, and will be installed to fit in with the site.

I know I've got a previous bad reputation, but that was only for having bad mods and now I've improved and even made my own script I feel I've got more potential when site development is being involved. and No, w3schools didn't do it. It was pure PHP for dummies book reading and experimenting with WAMP Server.

killah - Yeah, I was pretty bad but I wasn't the worst at the time. I was loyal enough to sell my own work, which a large majority of people didn't. No offence taken, I'm glad you've spoken up so I can improve on my work. I've improved my skills a lot since I last came here, so I guess CE was where I began, and it's what I'm good at. I won't always be here, this is where I go sometimes.


Guest Anonymous

Re: Game Monitor [$200]

As a demo of protecting against SQL injection that's rather poor.

It actually will still fail in several cases partially due to PHP's rather poor number handling.

It also IMHO makes the code less readable, which in turn makes it simpler to make mistakes.

A better solution is...

 

<?php
// $userid is assumed to be the already-validated integer id of the current user
$amount = isset($_GET['amount']) && is_string($_GET['amount']) && preg_match("`^\d+$`ims", $_GET['amount']) ? @intval($_GET['amount']) : 0;
// amount we can now guarantee is an integer

$sql = sprintf("UPDATE `users` SET `money` = `money` + %u WHERE (`userid` = %u)", $amount, $userid);
// we now have a perfectly valid SQL statement - separated out from the actual query for legibility.

if (mysql_query($sql)) { /* ... */ }
?>

 

Of course that is an ideal scenario. Obviously the time taken during installation is in going through all the source files and checking each SQL statement. And therein lies a problem. My source will be made available to the public shortly after hell has frozen over. ie. No way.

So basically you appear to have a service rather than a product. This service involves you editing the client's sources and fixing possible problems. That's fine. But we all know that people add "mods" that have vulnerabilities, they reload their entire system, they get other people in to write bits.

There are in fact many better ways of protecting a system - ideally build security in from scratch, but failing that there are suitable server-side alternatives.

Suhosin - part of the hardened PHP project is a start.

Running your server in a jail is another very good system.

Using the MySQLi extension and prepared statements.

These are all free, extremely well supported, require little user intervention assuming you follow the basic guidelines for preventing SQL attacks and are proven to work on a number of platforms.

References:

http://www.hardened-php.net/suhosin.127.html

http://en.wikipedia.org/wiki/FreeBSD_jail

http://uk2.php.net/manual/en/ref.mysqli.php

http://dev.mysql.com/doc/refman/5.0/en/sqlps.html


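The MySQLi prepared-statement route recommended in the post above, paired with strict validation of the posted amount, as an added example that is not part of the original thread. The table and column names follow the posts; `parse_amount()`, `credit_money()`, `MAX_AMOUNT` and the connection details are hypothetical, and the code assumes PHP 7.1 or later with the mysqli and ctype extensions.

```php
<?php
// Added example, not code from the thread. Table/column names follow the
// posts above; parse_amount(), credit_money() and MAX_AMOUNT are hypothetical.

const MAX_AMOUNT = 1000000000; // assumed per-request ceiling; choose your game's own

// Accept only a plain run of ASCII digits within range; null means "reject".
function parse_amount($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw) || strlen($raw) > 10) {
        return null;            // arrays, "", "-500", "1e9", "10 OR 1=1", "5\n"
    }
    $n = (int) $raw;            // at most 10 digits, so no overflow on 64-bit PHP
    return ($n >= 1 && $n <= MAX_AMOUNT) ? $n : null;
}

// The values travel as bound parameters and never become part of the SQL text.
function credit_money(mysqli $db, int $userid, int $amount): bool
{
    $stmt = $db->prepare('UPDATE `users` SET `money` = `money` + ? WHERE `userid` = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ii', $amount, $userid);
    $ok = $stmt->execute() && $stmt->affected_rows === 1; // exactly one user row changed
    $stmt->close();
    return $ok;
}

// Constructed inputs showing where a bare (int) cast and the strict parser differ.
$samples = ['250', '10000000000000', '-500', '1e9', '10 OR 1=1', "5\n", ''];
foreach ($samples as $raw) {
    printf("%-18s cast=%-16d strict=%s\n",
        json_encode($raw), (int) $raw, var_export(parse_amount($raw), true));
}

// Usage with a live connection (credentials are placeholders):
// $db = new mysqli('localhost', 'game_user', 'secret', 'game');
// $amount = parse_amount($_POST['amount'] ?? null);
// if ($amount !== null) { credit_money($db, (int) $_SESSION['userid'], $amount); }
```

The loop runs without a database and prints, for each constructed input, what a bare cast lets through next to what the strict parser accepts; negative, oversized and trailing-garbage values survive the cast but are rejected by the parser.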
Re: Game Monitor [$200]

 

> So I see that you are saying this runs security basically... But what exactly makes it worth $200-$300+?

it doesn't run, it's oxi that manually checks all your files and alters them as he finds security issues.

so you pay his time, if it's too expensive just check on CE, all mccode security issues are posted with solutions


Re: Game Monitor [$200]

 

> > So I see that you are saying this runs security basically... But what exactly makes it worth $200-$300+?

> it doesn't run, it's oxi that manually checks all your files and alters them as he finds security issues.

> so you pay his time, if it's too expensive just check on CE, all mccode security issues are posted with solutions

I wasn't trying to sound rude or anything, if that's how it came out, sorry. I was basically just trying to get it spoken out in layman's terms, such as...

"I basically spend X amount of time per day X amount of days per week scanning your files for any bugs/glitches sql injections etc."

Something a little more basic might help the more php illiterate understand exactly what is done and who/how it is done. Specifics basically.


Re: Game Monitor [$200]

Lol me again posting. Not to sound rude or anything but if he is going to go through all your files moderating it I doubt he will take 3 hours 30 minutes. I ran a scan on my v2 game and it has 154 files and not to mention this is a new game. Imagine killah-city.com or any other game he would take more.

And plus if it is that by going through all your files just find someone on google or such or someone who is experienced in php programming and they would most likely charge you like $80 - $150 to secure all your files.

I think oxi here is charging more for v1 than v2 because v1 I think has more files when v2 has more options but less files.

I don't know, maybe I'm wrong.


Guest Anonymous

Re: Game Monitor [$200]

Any optimal solution would be to use a set of simple (unix) command line tools : awk, grep, sed and possibly perl. The whole process could be automated although I'd still require a very in-depth visual inspection of the resultant source files.

The other issue here is trust. Allowing myself, mdshare or one or two others access to your source is acceptable - We are all long enough in the tooth to have built up a reputation based on trust. For someone who's admitted to having a less than clean history ... I certainly wouldn't allow any form of access to my sources. Throw in any possible "salts" used in password hashing and he has a great advantage in attempting to subvert the system from afar.

Plus there's complexity to bear in mind. Personally I use some very powerful SQL techniques which can be rather hard to grasp including dynamically generated stored procedures which are a nightmare to debug. Now not only do I not want people seeing how that is done, it's extremely complex to get the correct quoting across the function as you have to deal with PHP's quoting system AND MySQL's system together.


  • 3 weeks later...

Re: Game Monitor [$200]

 

> if it's too expensive just check on CE, all mccode security issues are posted with solutions

Is there a thread somewhere here with all the security issue solutions? All I've seen is tiny little tidbits scattered all over the forum! If there is a thread somewhere where 'all mccode security issues are posted with solutions' you would think it would be a sticky over on the mccode/dbscode forum!


Guest Anonymous

Re: Game Monitor [$200]

Unfortunately, no. There are so many issues, plus one major ... that of CE members posting fatally flawed and dangerous code. CE's policy in this is that it is up to the end-user to check all code from these pages thoroughly, as mistakes can and do happen.

Instead of cutting and pasting other people's perhaps, I'd suggest a better understanding of PHP itself. A basic DBS/MCcodes system is simple and a useful set of scripts to learn from and hone your skills.

Teaching yourself to fix and secure source files has, in the long run, got to be a better solution for you.
