Graal Forums


Jakov_the_Jakovasaur 08-13-2014 04:34 PM

security irc channel
 
hello!

lately my systems seem to have been catching more unique players using a certain tool to inject weapon code, and usually this will cause them to be disconnected among other potential consequences, but another thing i've noticed is that typically they just log on to another server afterwards where a new set of staff may be oblivious to their intentions

i then realised that through a combination of using both global irc channels and remote control tabbed irc channels, it would be possible to set up a system where servers can report hack warnings to a global irc channel, and then through onReceiveText() any participating individual servers can relay these warnings to a tabbed remote control channel for logged in rc staff to automatically receive

does anyone think it would be worth setting up?
it would of course be open to potential abuse, false-positives and potential spam
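
Added example, not part of any post in this thread and not Graal script: a Python model of the receiving side of the relay proposed above, showing how a participating server could guard against the abuse and spam the post anticipates before a warning reaches its RC staff. The `HACKWARN <account> <reason>` message format, the server names, the limits, and the assumption that the IRC layer supplies a trustworthy sender name are all hypothetical.

```python
from collections import defaultdict, deque

class WarningRelay:
    """Decides which hack warnings from a shared channel reach local staff."""

    def __init__(self, trusted_servers, max_per_minute=5, dedup_seconds=300):
        self.trusted = set(trusted_servers)   # participating servers only
        self.max_per_minute = max_per_minute  # per-server spam limit
        self.dedup_seconds = dedup_seconds    # repeat-report suppression window
        self.accepted = defaultdict(deque)    # sender -> times of parsed reports
        self.last_relayed = {}                # (account, reason) -> time relayed

    def handle(self, sender, text, now):
        """Return the line to show staff, or None when the message is dropped."""
        parts = text.split()
        if len(parts) != 3 or parts[0] != "HACKWARN":
            return None                       # ordinary chatter, not a report
        if sender not in self.trusted:
            return None                       # abuse: reporter is not allowlisted
        account, reason = parts[1], parts[2]
        if len(account) > 32 or len(reason) > 32 or not (account + reason).isprintable():
            return None                       # oversized or control characters
        window = self.accepted[sender]
        while window and now - window[0] >= 60:
            window.popleft()
        if len(window) >= self.max_per_minute:
            return None                       # spam: sender exceeded its budget
        window.append(now)
        key = (account.lower(), reason)
        if now - self.last_relayed.get(key, float("-inf")) < self.dedup_seconds:
            return None                       # same report already shown recently
        self.last_relayed[key] = now
        # Worded as unverified so staff treat it as a lead, not a verdict.
        return f"[{sender}] unverified warning: {account} ({reason})"

def demo():
    # Constructed sample traffic: (sender, text, seconds since start).
    relay = WarningRelay({"ServerA", "ServerB"}, max_per_minute=2)
    traffic = [
        ("ServerA", "HACKWARN player1 weapon-inject", 0),
        ("ServerA", "HACKWARN player1 weapon-inject", 10),   # duplicate
        ("ServerA", "HACKWARN player2 xy-hack", 20),         # over rate limit
        ("Mallory", "HACKWARN player3 weapon-inject", 30),   # not allowlisted
        ("ServerB", "hello everyone", 40),                   # chatter
        ("ServerB", "HACKWARN player1 weapon-inject", 400),  # window expired
    ]
    return [relay.handle(s, t, n) for s, t, n in traffic]

if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the first and last constructed messages are relayed; the filter reduces noise but cannot tell a false positive from a real detection, which is why the relayed line is marked unverified.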

PhantosP2P 08-17-2014 10:21 AM

The only thing we ever notice on Valikorlia, a server without any economy or anything to abuse with hacks, is that sometimes RC rings off about a user logging in with a proxy or something along those lines (logged in as 127.0.0.1). Is that related, or of any use to share?

Jakov_the_Jakovasaur 08-17-2014 11:16 AM

127.0.0.1 is a user's localhost, which is used as part of the weapon injecting mechanism instead of communicating directly between client and server. though it does not necessarily mean someone is injecting code so would be more suitable as a warning than an alert

i have never noticed that message however despite successfully catching a lot of weapon injects through scripted security, surely that is a detection which has been scripted by someone on val?

other than code injections i also still notice the occasional x/y hacking, memory editing of function names to bypass systems like wall detection, and attempts to use the movie gani exploit even though it doesn't work in v6 having worked in v5

callimuc 08-17-2014 07:33 PM

Quote:

Originally Posted by Jakov_the_Jakovasaur (Post 1730107)
i have never noticed that message however despite successfully catching a lot of weapon injects through scripted security, surely that is a detection which has been scripted by someone on val?

neither did i ever see it, and we got some hackers and lots of "hackers" on era iphone. must be a custom script you're using on val

scriptless 08-17-2014 08:25 PM

Quote:

Originally Posted by callimuc (Post 1730121)
neither did i ever see it, and we got some hackers and lots of "hackers" on era iphone. must be a custom script you're using on val

I have seen it on one other server. Not sure if they share the script or if it's a server option that needs turned on.

NicoX 08-17-2014 09:29 PM

Quote:

Originally Posted by scriptless (Post 1730127)
I have seen it on one other server. Not sure if they share the script or if it's a server option that needs turned on.

It is a script Stowen shared with GK. I also added it on Val too.

Jakov_the_Jakovasaur 09-06-2014 06:09 PM

hello!

i have now discovered the way that you can tell if someone is relaying data through localhost, does anyone know with 100% certainty if there is a good reason or potential false positive which means you shouldn't just disconnect such players automatically?

thank you!

fowlplay4 09-06-2014 07:20 PM

Quote:

Originally Posted by Jakov_the_Jakovasaur (Post 1730852)
hello!

i have now discovered the way that you can tell if someone is relaying data through localhost, does anyone know with 100% certainty if there is a good reason or potential false positive which means you shouldn't just disconnect such players automatically?

thank you!

pm me your method.

PhantosP2P 09-06-2014 07:23 PM

Quote:

Originally Posted by NicoX (Post 1730133)
It is a script Stowen shared with GK. I also added it on Val too.

Well that explains that.

Jak: I see this easily 2-3 times a day. We never have people come back or try to communicate with us outside of the client, e.g. on forums, to try to rectify the issue so my assumption is that they are up to no good or otherwise do not belong to our usual roster of 40-60 people.

Jakov_the_Jakovasaur 09-06-2014 08:13 PM

Quote:

Originally Posted by PhantosP2P (Post 1730857)
Well that explains that.

Jak: I see this easily 2-3 times a day. We never have people come back or try to communicate with us outside of the client, e.g. on forums, to try to rectify the issue so my assumption is that they are up to no good or otherwise do not belong to our usual roster of 40-60 people.

i would guess that it is 99% certain that anyone relaying data through their localhost is up to no good, however i do not know with 100% certainty whether this could occur for a perfectly valid reason

xAndrewx 09-07-2014 10:11 AM

got a fix on iEra, hit me back if you need it.


All times are GMT +2.