Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[gordulan]

hm, not if you do not have an alt

[Bartosz]

Well, there is not much we can do about it for now. Next time, the GM should be immediately contacted, cause only when such person is logged in, we can check the ip.

Also, if it happened only once, only to one player, then...then I'm sorry but we're bound to think the problem is on the player side.

[BubbaBrown]

In the defense of the original poster...  The passwords are NOT hashed and salted when transmitted across the network.  So, one stray captured packet is all that is needed to gain access to someone's account.  So, either someone located within either the sending or receiving subnet could ettercap and nab it.  If it's someone within the server's subnet, all logins could theoretically be captured very trivially.  Also, since the passwords are plaintext on transmission, they are probably plaintext in storage.  Depending on the storage solution, this could be an issue.  If a SQL database is in use... this probably would not bode well.

[Sgt Hartman]

In the defense of the original poster...  The passwords are NOT hashed and salted when transmitted across the network.  So, one stray captured packet is all that is needed to gain access to someone's account.  So, either someone located within either the sending or receiving subnet could ettercap and nab it.  If it's someone within the server's subnet, all logins could theoretically be captured very trivially.  Also, since the passwords are plaintext on transmission, they are probably plaintext in storage.  Depending on the storage solution, this could be an issue.  If a SQL database is in use... this probably would not bode well.

Hashing the pass before transmission wouldn't be better, the dude sniffing the network could login aswell, even if it would be a bit harder.

[Pozzo]

Also, if it happened only once, only to one player, then...then I'm sorry but we're bound to think the problem is on the player side.

In fact, it arrived to 5 differents accounts in my team. 3 of them were playing and received a message "knock knock anybody here ?". And when we was in our base, we saw (twice) comon character loging in and when he saw all of us in the base he disconnected (5 seconds connection). So we asked on mumble who it was and....it was nobody from the team.

So my question is : if I play to FOnline, can someone easily introduce into my computer using the game ?

[Lexx]

You said it's 5 different accounts in your team. A question from me now would be:

- Do you guys use some other forum or anything else that requires registration and is more or less known by others?
- Do you guys use the same passwords for characters ingame and in this thing(s)?

One thing that comes into my mind now is, that someone was hacking something else and used the account data from there to login to the characters. Wouldn't be impossible.

[Pozzo]

- Do you guys use some other forum or anything else that requires registration and is more or less known by others?

Yes our private forum

- Do you guys use the same passwords for characters ingame and in this thing(s)?

No we have already verified.

And I don't understand what you mean in your last sentence. We have few ideas about who is trying to hack our accounts but we don't know how he does.

[Shangalar]

We saw new trys of him to steal us. We could fortunately kill him before he left with the stuff.

We are almost sure that he hacked our forum and used common passwords to steal our chars. Such a bad idea to have the same IG and on forums, guys :S

[IronHalik]

I was thinking a lot about SQL injection here. The traffic sent by the game does not yet look exploitable to me, thought any malicious code injection could be a problem here?

[Kinkin]

I talk with with other teams, and some others guy has been hacked too, without being registred on our forum.

The problem for them is the forum fonline2238.net, they have same password ingame and on this forum.... Who have access to sql server ? Or is SMF secure enough ?

this becoming ot be boring, for now we were thinking it was only "targeted" on Cajuns crew, but it seems to be a problem in other clans...

bad bad bad

[_Youkai_]

maybe someone have keylogger installed and doesn't know...

[BubbaBrown]

Hashing the pass before transmission wouldn't be better, the dude sniffing the network could login aswell, even if it would be a bit harder.

That's why you salt and rehash them before transmission.  A function would need to be put into place in the client and server to generate a combined hash using either a set of shared keys or one generated based on a some independent, changing but synchronized factor (time), the password, and some salt.  This way a resulting hash couldn't be used twice.  And even if the attacker knew the salt and time... they still don't know the password to generate the next required hash for authentication.

[BubbaBrown]

I was thinking a lot about SQL injection here. The traffic sent by the game does not yet look exploitable to me, thought any malicious code injection could be a problem here?

The only attack point would probably be on Fonline client authentication in either the username or password.  The client filters out special characters, but a forged packet could probably carry the SQL injection.  A simple python script can do that after using wireshark to capture enough packet information.  This is especially true if the authentication function used the given username and password strings directly in a code side SQL query to the server.

The problem for them is the forum fonline2238.net, they have same password ingame and on this forum.... Who have access to sql server ? Or is SMF secure enough ?

The FOnline service, updater, SMTP server, and forums is hosted on the same box.  Less the hosting company provides SQL server access, the SQL server is on there but not configured to accept external connections.  After that, it all depends on if a dedicated forums account was created, limited, and restricted to just the forums database properly.  And SMF uses sha1 to store it's passwords, so there's very little chance of grabbing them from the forum database and use in the plaintext authentication of FOnline.

[blahblah]

One additional way of "hacking" in is if you shared your logs with anyone and typed ~myinfo before. It displays the password in plain text.
The 94.23.237.127.2238.cache file stores your password in plain text as well, you just need to open it in notepad.