Graal Forums


G_yoshi 12-06-2002 07:46 AM

The screams of bloody murder!
 
I'm holding back a large amount of anger right now. One of my staff member's accounts was illegally used to access everything I had on my PW and kill it. My NPC server is down as well as all the NPCs are deleted since I retrieved my logs and discovered this. My serverops and folderconfig are deleted too. All that remains are the files in the FTP.

But oh well. Until I find out what happened, that account has been stripped of all its privileges on my PW.

G_yoshi 12-06-2002 07:58 AM

Woo hoo!!

My NPC Server is back...or at least it's trying to come back.

SingleChance 12-06-2002 08:32 AM

that sucks :(

hopefully you had backups of all the npcs x_x

G_yoshi 12-06-2002 08:36 AM

Si

Legondary_MyTH 12-06-2002 08:40 AM

gah
 
Man, Why do people have to be like that...
It shows how stupid people are these days...
Anyways, good luck ;)

G_yoshi 12-06-2002 09:06 AM

Well, it seems that Stefan has ignored my PM. My NPC server is back, but unstable. It's not like I can do much anyway, but I did have something I was going to test. Guess that will have to wait.

Falcor 12-06-2002 11:26 AM

*shrugs* Some people think they are cool if they can exercise some usurpious power they have acquired. *sigh*

G_yoshi 12-06-2002 01:54 PM

Quote:

Originally posted by Falcor
*shrugs* Some people think they are cool if they can exercise some usurpious power they have acquired. *sigh*
Well, actually, the person who did this was not the person that owned the account.

Kaimetsu 12-06-2002 02:06 PM

IP RANGES.

YEAH.

THAT'S WHAT THEY'RE FOR.

G_yoshi 12-06-2002 02:12 PM

Quote:

Originally posted by Kaimetsu
IP RANGES.

YEAH.

THAT'S WHAT THEY'RE FOR.

She had the ability to set her IP range, but she didn't :/

Kaimetsu 12-06-2002 03:12 PM

Quote:

Originally posted by G_yoshi

She had the ability to set her IP range, but she didn't :/

Hey, maybe the MANAGER SHOULD HAVE INSISTED. Oh wait, that's YOU.

Gah, you people just bring this on yourselves.

ckb1985 12-06-2002 10:19 PM

odd
 
when someone sets the ip for my account it doesn't work I can't log on for some reason. and yes it was my wan address that I gave and not my lan address

VampiricTutorNewHD 12-07-2002 12:06 AM

Perhaps she had dialup, and her IP range couldn't be set? I have had that problem before.


G_yoshi 12-07-2002 03:07 AM

Quote:

Originally posted by VampiricTutorNewHD
Perhaps she had dialup, and her IP range couldn't be set? I have had that problem before.


She had static IP. I have already scanned my logs over many times.

brock128 12-07-2002 04:00 AM

Quote:

Originally posted by Kaimetsu


Hey, maybe the MANAGER SHOULD HAVE INSISTED. Oh wait, that's YOU.

Gah, you people just bring this on yourselves.

Okay, you can just stop being a jerk.

Spark910 12-07-2002 04:14 AM

Quote:

Originally posted by G_yoshi


She had static IP. I have already scanned my logs over many times.

Yes we need a new security thing for Dial-Up, as their IPs are too wide that anyone with same ISP can practically get on. I don't know what though.

ckb1985 12-07-2002 05:12 AM

well many people have said this
 
Well I think the best way to prevent attacks like this is to educate your staff on how people get their passwords in the first place. I mean instead of making some to function as a fix why not try to prevent password theft in the first place and cut off the problem at the source.


One thing that could be done is making sure staff know about trojans and key loggers and making sure that your staff have a current virus scanner. also maybe making the passwords a little longer making them harder to brute force (but I don't think that's the problem because they are already alphanumeric and case sensitive)

G_yoshi 12-07-2002 05:53 AM

Quote:

Originally posted by Kaimetsu


Hey, maybe the MANAGER SHOULD HAVE INSISTED. Oh wait, that's YOU.

Gah, you people just bring this on yourselves.

As a matter of fact, I did. I did ask her to set the IP range, but she had said no.

G_yoshi 12-07-2002 05:58 AM

Re: well many people have said this
 
Quote:

Originally posted by ckb1985
Well I think the best way to prevent attacks like this is to educate your staff on how people get their passwords in the first place. I mean instead of making some to function as a fix why not try to prevent password theft in the first place and cut off the problem at the source.


One thing that could be done is making sure staff know about trojans and key loggers and making sure that your staff have a current virus scanner. also maybe making the passwords a little longer making them harder to brute force (but I don't think that's the problem because they are already alphanumeric and case sensitive)

You can't prevent absolutely all hacking. There are other ways and methods to reach the same goal. Of course, it would be a good idea to educate staff in such things. When I've given passwords, all I did was create a random set of 8 characters. Of course, since standard accounts can access RC, I no longer have control over the passwords for those accounts.

And to an effect, what Kaimetsu said was partly my fault in that I didn't persist on her setting an IP range. Oh well, live and learn. At least I didn't get all foamy and stuff ;)

Spark910 12-07-2002 06:01 AM

G_Yoshi, couldn't you make your sig slightly less wide so it fits normal with the size of posts? As it goes off and I get a bar at bottom it's annoying!

Also G_Yoshi made the choice as he probably wanted to keep the staff member, he may regret it, but he did what was right for him at the time.

Mykel 12-07-2002 06:33 AM

well, i hope u get ur NPC's back, :(

Milkdude99 12-07-2002 06:47 AM

Quote:

Originally posted by G_yoshi


She had the ability to set her IP range, but she didn't :/

:( Moonie and I check the Staff accounts on a regular basis to make sure the IP ranges are in, on accounts that have RC. No matter how limited the RC is. It pays to check yourself sometimes.


PS: PLEASE shorten your sig somewhat I agree it is very annoying like it is. Thanks!

Torankusu 12-07-2002 06:53 AM

Quote:

Originally posted by G_yoshi


As a matter of fact, I did. I did ask her to set the IP range, but she had said no.

It's your fault then. IP ranges are a must, or your playerworld can face possible removal. You know why, right?

If she doesn't want you to set an IP range, she can't be staff. It's absolutely necessary. Kaimetsu is right.

Mykel 12-07-2002 06:56 AM

not to bash yoshi or anything but kai and toran are right, if she doesnt want her IP set, there MIGHT be a reason behind it, maybe not. And you are putting ur own server at risk...

Milkdude99 12-07-2002 08:32 AM

Quote:

Originally posted by VampiricTutorNewHD
Perhaps she had dialup, and her IP range couldn't be set? I have had that problem before.


Not to be mean but it's like this, if it cannot be set then no RC, it’s that simple. We on Npulse will not allow anyone with a dynamic IP to have RC, they can be Staff but are limited to non- RC Staff positions because of the security issues and risks like this, it is also why we do not have problems like this.

Mykel 12-07-2002 08:40 AM

Quote:

Originally posted by Milkdude99
Not to be mean but it's like this, if it cannot be set then no RC, it’s that simple. We on Npulse will not allow anyone with a dynamic IP to have RC, they can be Staff but are limited to non- RC Staff positions because of the security issues and risks like this, it is also why we do not have problems like this.
well, i have AOL, and have been staff on many servers, staff jobs with RC...i think this is a good idea, but hurts, because u might miss out on some good people, like me, :)

Milkdude99 12-07-2002 09:28 AM

Quote:

Originally posted by Mykel
well, i have AOL, and have been staff on many servers, staff jobs with RC...i think this is a good idea, but hurts, because u might miss out on some good people, like me, :)
I realize this may seem unfair and yes we do miss out on some BUT those who truly are out to help the Server anyway they can, understand and even work under those conditions. They understand that the top priority of any server is to protect it at all cost and to take steps no matter how unfair it may seem but is for the overall good of that server community to do it this way. I truly wish there was another way to get around it but as of now there isn't. Basically it only affects the GP's, we only have one Staff Admin and we don't believe in a lot of useless Admins with power they don't need. Staff Chiefs, GP , LAT, Nat all have RC. But not all have the same rights levels, only Moonie and I and the Lat Chief and NPC Server Admin has rights to the levels. Limiting rights to things like this make your server safer and more manageable. Nothing is worse than 3/4 of the Staff having RC to do nothing more than "chat with". The RC is a tool for those who actually need it to do their job; this is why regular Lats, FAQ, Events, Nats and Gats don't have RC. They do not need RC to perform their job, their Chiefs of their respective Staff positions are there to handle whatever they have to go online and check it before it is done so. There are also rights that are limited to the Managers only as it should be , like Folder rights , Folder config,and change server options, the Managers are responsible for everything on the server and these rights as we see only need to be with us.

G_yoshi 12-07-2002 09:43 AM

I can't set a range for my account simply because I'm cursed with dialup and my IP is not static. Hers is static...sort of. The third number from what I've noticed in my logs bounces only sometimes but usually stays the same. The last IP on that account was not the same, but oh well. It's been done and I will learn from my mistakes considering this has only happened once. That's life. :) Now, if only my NPC server will stabilize again...

As far as I'm concerned with, what's done is done. If it is not much trouble, I'd like this thread to be deleted.

XxxxneosoftxxxX 12-07-2002 09:45 AM

Quote:

Originally posted by Milkdude99
Stuff..
Right! I agree. I think its total bs to go on servers and see FAQs with RC and even ETs.. I mean wtf? ETs don't need that.. Only the chief barely needs it. Thats why you see *****s as ETs and FAQs. Just so they can get RC and act cool. I think only admins should have RC. GPs are really the only low level staff that need it. And even then they shouldn't have nothing more than set player attributes right and ban. Thats all. I just think its stupid to go on servers like UN and Mal and see every friggen staff member with RC... Its retarded and very unsafe if you ask me.

G_yoshi 12-07-2002 09:46 AM

Quote:

Originally posted by Milkdude99
I realize this may seem unfair and yes we do miss out on some BUT those who truly are out to help the Server anyway they can, understand and even work under those conditions. They understand that the top priority of any server is to protect it at all cost and to take steps no matter how unfair it may seem but is for the overall good of that server community to do it this way. I truly wish there was another way to get around it but as of now there isn't. Basically it only affects the GP's, we only have one Staff Admin and we don't believe in a lot of useless Admins with power they don't need. Staff Chiefs, GP , LAT, Nat all have RC. But not all have the same rights levels, only Moonie and I and the Lat Chief and NPC Server Admin has rights to the levels. Limiting rights to things like this make your server safer and more manageable. Nothing is worse than 3/4 of the Staff having RC to do nothing more than "chat with". The RC is a tool for those who actually need it to do their job; this is why regular Lats, FAQ, Events, Nats and Gats don't have RC. They do not need RC to perform their job, their Chiefs of their respective Staff positions are there to handle whatever they have to go online and check it before it is done so. There are also rights that are limited to the Managers only as it should be , like Folder rights , Folder config,and change server options, the Managers are responsible for everything on the server and these rights as we see only need to be with us.
I trust Angel. It was an accident as far as what happened yesterday. I'm still waiting for a chance to talk to her on AIM so I can get some more info, but I'm not going to sit here and throw a huge fit since it won't do me any good.

G_yoshi 12-07-2002 09:50 AM

Quote:

Originally posted by XxxxneosoftxxxX


Right! I agree. I think its total bs to go on servers and see FAQs with RC and even ETs.. I mean wtf? ETs don't need that.. Only the chief barely needs it. Thats why you see *****s as ETs and FAQs. Just so they can get RC and act cool. I think only admins should have RC. GPs are really the only low level staff that need it. And even then they shouldn't have nothing more than set player attributes right and ban. Thats all. I just think its stupid to go on servers like UN and Mal and see every friggen staff member with RC... Its retarded and very unsafe if you ask me.

I couldn't agree more :p However, I won't have FAQ, ET, or even GP for that matter.

Mykel 12-07-2002 09:55 AM

Quote:

Originally posted by Milkdude99
I realize this may seem unfair and yes we do miss out on some BUT those who truly are out to help the Server anyway they can, understand and even work under those conditions. They understand that the top priority of any server is to protect it at all cost and to take steps no matter how unfair it may seem but is for the overall good of that server community to do it this way. I truly wish there was another way to get around it but as of now there isn't. Basically it only affects the GP's, we only have one Staff Admin and we don't believe in a lot of useless Admins with power they don't need. Staff Chiefs, GP , LAT, Nat all have RC. But not all have the same rights levels, only Moonie and I and the Lat Chief and NPC Server Admin has rights to the levels. Limiting rights to things like this make your server safer and more manageable. Nothing is worse than 3/4 of the Staff having RC to do nothing more than "chat with". The RC is a tool for those who actually need it to do their job; this is why regular Lats, FAQ, Events, Nats and Gats don't have RC. They do not need RC to perform their job, their Chiefs of their respective Staff positions are there to handle whatever they have to go online and check it before it is done so. There are also rights that are limited to the Managers only as it should be , like Folder rights , Folder config,and change server options, the Managers are responsible for everything on the server and these rights as we see only need to be with us.
good point damn't... :)

Jeff 12-07-2002 10:04 AM

Perhaps staff who cannot have fixed IP ranges can be forced to use the old staff accounts, and thus it can be ensured that they have regular password changes.

Mykel 12-07-2002 10:07 AM

Quote:

Originally posted by Jeff
Perhaps staff who cannot have fixed IP ranges can be forced to use the old staff accounts, and thus it can be ensured that they have regular password changes.
safe-ER, but not safe-EST

Milkdude99 12-07-2002 11:04 AM

Quote:

Originally posted by Jeff
Perhaps staff who cannot have fixed IP ranges can be forced to use the old staff accounts, and thus it can be ensured that they have regular password changes.
The old "Staff accounts" are now trial accounts , and if you know anything about trial accounts they are not EVEN safe to use for Staff. Why? Because nothing will save on a trial account and we don't let anyone be Staff with a trial account. They do not have to have a Gold account but at least a upgraded Classic account.


btw delete the thread? Why? There are useful and valid points made here and why mess up peoples post? The thread is not bashing you or I haven't seen anyone really do that, we ALL make mistakes and maybe this thread will help someone else from making a mistake like this on their server so in my opinion the thread is useful as long as it doesn't turn out to start bashing you just because a mistake was made. Ehh so what! We all make mistakes, lol Welcome to the Human Race!;)

Mykel 12-07-2002 11:07 AM

Quote:

Originally posted by Milkdude99
The old "Staff accounts" are now trial accounts , and if you know anything about trial accounts they are not EVEN safe to use for Staff. Why? Because nothing will save on a trial account and we don't let anyone be Staff with a trial account. They do not have to have a Gold account but at least a upgraded Classic account.


btw delete the thread? Why? There are useful and valid points made here and why mess up peoples post? The thread is not bashing you or I haven't seen anyone really do that, we ALL make mistakes and maybe this thread will help someone else from making a mistake like this on their server so in my opinion the thread is useful as long as it doesn't turn out to start bashing you just because a mistake was made. Ehh so what! We all make mistakes, lol Welcome to the Human Race!;)

*feels welcomed* :)

G_yoshi 12-07-2002 11:24 AM

Quote:

Originally posted by Milkdude99
The old "Staff accounts" are now trial accounts , and if you know anything about trial accounts they are not EVEN safe to use for Staff. Why? Because nothing will save on a trial account and we don't let anyone be Staff with a trial account. They do not have to have a Gold account but at least a upgraded Classic account.


btw delete the thread? Why? There are useful and valid points made here and why mess up peoples post? The thread is not bashing you or I haven't seen anyone really do that, we ALL make mistakes and maybe this thread will help someone else from making a mistake like this on their server so in my opinion the thread is useful as long as it doesn't turn out to start bashing you just because a mistake was made. Ehh so what! We all make mistakes, lol Welcome to the Human Race!;)

I was only making people aware of what happened and it got a little out of hand (in my opinion). I guess it can stay open. I'm just glad it was not as bad as it could be. Angel didn't have full FTP rights, I think, so nothing in the FTP was messed with.

Milkdude99 12-07-2002 11:34 AM

Quote:

Originally posted by G_yoshi


I was only making people aware of what happened and it got a little out of hand (in my opinion). I guess it can stay open. I'm just glad it was not as bad as it could be. Angel didn't have full FTP rights, I think, so nothing in the FTP was messed with.

Yes , thank Goodness for that!:)

G_yoshi 12-07-2002 11:49 AM

Quote:

Originally posted by Milkdude99
Yes , thank Goodness for that!:)
Even if this person had wiped my entire FTP I wouldn't really suffer much of a loss. I'd be upset that it happened, but there's nothing on there that I don't have on my HD. I've already set it up so that players are stuck at a UC-like screen so it makes no difference now if I just obliterate everything but logs and NPC scripts.

HoudiniMan 12-07-2002 12:04 PM

Just a note from myself, the RC master ;D

if you can set even the first range on an IP it helps more than you think

123.*.*.*

there are 255 numbers that can be put in the front space, they are usually fairly ISP specific but if you think about it, that one vague range eliminates 254/255 people right off the bat and people who live where that ISP isn't offered also!

if you can set the second

123.456.*.*

that leaves 65025 people out of a possible (as of now) 4228250625 people on the net that could possibly use that RC account, that's 1 person in every four million! we don't even have that many players in the entire history of Graal combined. Most dialups don't change these two numbers very often, the first i've never seen change at all

if you're lucky enough to set the third

123.456.789.*

there are 255 people that can use it, however, they would have to play graal, know how to hack your password in some manner, know what RC is, know how to use it, have the same ISP, AND live near you!

those are quite a list of requirements!

so you see, while the password is a formidable method of keeping out the uglies even a partial IP range is usually possible and helps more than you can imagine.

For those of you who can't use it (perhaps you have two different ISPs) i would suggest changing your password at least once a month if you have any high access and always change it after you have discovered any viruses or other people getting into/on your computer.

If you follow all these steps and a hacker gets through them he'd probably be able to hack the server it's stored on and not bother with you!

Just some recommendations i thought of while sitting here :)
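
The partial IP ranges described in the post above, together with the regular check of RC accounts that Milkdude99 mentions earlier in the thread, as an added example that is not part of the original thread and is not Graal's own code. The account records, field names and sample addresses are hypothetical; address counts use 256 values per octet.

```python
# Added example, not Graal's code. Account records and field names are hypothetical.
def parse_octets(text, allow_wildcard):
    """Split 'a.b.c.d' into four octets; '*' becomes None when wildcards are allowed."""
    parts = text.strip().split(".")
    if len(parts) != 4:
        raise ValueError(f"expected 4 octets: {text!r}")
    octets = []
    for part in parts:
        if part == "*" and allow_wildcard:
            octets.append(None)
        elif part.isascii() and part.isdigit() and int(part) <= 255:
            octets.append(int(part))
        else:
            raise ValueError(f"bad octet {part!r} in {text!r}")
    return octets

def addresses_allowed(pattern):
    """Number of IPv4 addresses a wildcard range admits (256 values per '*')."""
    return 256 ** parse_octets(pattern, True).count(None)

def ip_allowed(ip, pattern):
    """True if a concrete IP falls inside the wildcard range."""
    rng, addr = parse_octets(pattern, True), parse_octets(ip, False)
    return all(r is None or r == a for r, a in zip(rng, addr))

def audit_accounts(accounts, max_addresses=256 ** 2):
    """Flag RC-enabled accounts whose range is missing, invalid or too broad."""
    findings = []
    for acct in (a for a in accounts if a["rc"]):  # non-RC staff need no range
        pattern = acct.get("ip_range") or ""
        if not pattern:
            findings.append((acct["name"], "no IP range set"))
            continue
        try:
            count = addresses_allowed(pattern)
        except ValueError as exc:
            findings.append((acct["name"], f"invalid range: {exc}"))
            continue
        if count > max_addresses:
            findings.append((acct["name"], f"too broad: {count} addresses"))
    return findings

def logins_outside_range(accounts, logins):
    """Return (name, ip) for RC logins not covered by the account's range."""
    ranges = {a["name"]: a.get("ip_range") for a in accounts if a["rc"]}
    return [(name, ip) for name, ip in logins
            if name in ranges and not (ranges[name] and ip_allowed(ip, ranges[name]))]

# Constructed sample data: documentation address blocks, made-up account names.
ACCOUNTS = [
    {"name": "manager", "rc": True, "ip_range": "198.51.*.*"},
    {"name": "npc_admin", "rc": True, "ip_range": "192.0.2.*"},
    {"name": "level_staff", "rc": True, "ip_range": ""},
    {"name": "dialup_gp", "rc": True, "ip_range": "203.*.*.*"},
    {"name": "events", "rc": False, "ip_range": ""},
]
LOGINS = [
    ("manager", "198.51.100.7"), ("manager", "198.51.101.9"),  # third octet moved
    ("npc_admin", "192.0.3.20"),     # outside 192.0.2.*
    ("level_staff", "203.0.113.5"),  # account has no range at all
]

if __name__ == "__main__":
    print(audit_accounts(ACCOUNTS), logins_outside_range(ACCOUNTS, LOGINS))
```

The `max_addresses` threshold is a policy choice; the default accepts a two-octet range and flags anything wider.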


All times are GMT +2.
