fodev.net
Other => FOnline:2238 Forum => Archives => General Game Discussion => Topic started by: Kinkin on February 14, 2010, 01:12:26 am
-
Hi there! Bad news!
Today I was playing with my crafter, and when I came back to my base I saw my main character "Kinkin" checking the containers.
Someone was logged in! My account was hacked!
The guy started to run to escape me and disconnected in the base!!
A few minutes later I was able to connect to it, then I changed passwords.
So, I ask two things:
- First, to the devs: how could this happen? Security has to be checked.
- Second, to every player: take care of your passwords, change them, and check that nothing is missing from your inventory, tent and base.
In many teams there are big trust issues about disappearing stuff; people start to be paranoid about everyone and this is becoming enraging! I never gave my password to anyone, not on the forum or anywhere else!
The whole Cajuns team is witness to what happened today!
-
Smells like GM Abuse for sure! :P
-
A GM doesn't need to log in a character to see anything he wants. The coward logged in to my account and just disconnected when I saw him.
I'm talking with Solar right now to find out what happened.
This problem is too serious to be forgiven; my account was hacked, and tomorrow it could be yours.
Furthermore, it totally destroys teams because stuff disappears anytime, anywhere; the game is totally raped, just like me (I really feel raped by what happened today).
-
More new Gamemasters = Lower Security :-\
-
GMs can't hack into your account.
-
Can't you check logs??? Verify what happened today??
It happened at 0:23 02-14-2010.
I was logged in as Kinkraft when I saw the f***** connected on my main char.
-
And are you sure you haven't used any 3rd-party programs before your account was stolen?
-
GMs can't hack into your account.
As Lexx said, we can't log in to your account unless you tell us the password, which never happens, fortunately.
The only possibility left is that someone found your password. If you witness this again, tell us immediately on IRC. No need to say it's totally against the rules.
-
I don't think it is a GM, it is a player, because when I met him he tried to escape me, and when I stuck him in a room he disconnected.
It happened so quickly, I couldn't ask for a GM in that short time.
I checked my whole security on the computer today: no virus, spyware, keyloggers nor rootkits.
I relogged a few minutes later on my main character, then changed the password and got my account back. The problem is that if there are some hackers, nothing is safe; any account can be hacked. And with my account it was the jackpot for them: I have full access to 4 bases.
For 2 days I have been seeing my character disconnected in the wrong place and with the wrong things in his inventory. And about 15 Combat Armor Bos are missing from the Cajuns officer base.
-
And if Kinkin tells the GM at what hour he saw his "diabolic twin", will you be able to find him?
-
Can't you check logs??? Verify what happened today??
It happened at 0:23 02-14-2010 (GMT+1).
I was logged in as Kinkraft when I saw the f***** connected on my main char.
I gave the hour, pozzo.
-
Oh f**k! Next time I'll try to read with my eyes open :p
-
What was your old password? Something like 12345, qwerty, etc.?
If yes, no wonder you got +hacked+.
-
It was not, dude; the GM asked me many times.
-
"i really feel raped by what happened today."
You have no idea how hard I laughed at that.
Yeah, me too. Hope your accounts will be raped sooner or later. You will see how fun it is to meet yourself in the game.
-
hm, not if you do not have an alt
-
Well, there is not much we can do about it for now. Next time, a GM should be contacted immediately, because only while such a person is logged in can we check the IP.
Also, if it happened only once, and only to one player, then... then I'm sorry, but we're bound to think the problem is on the player side.
-
In defense of the original poster... The passwords are NOT hashed and salted when transmitted across the network. So, one stray captured packet is all that is needed to gain access to someone's account. So, someone located within either the sending or the receiving subnet could ettercap and nab it. If it's someone within the server's subnet, all logins could theoretically be captured very trivially. Also, since the passwords are plaintext on transmission, they are probably plaintext in storage. Depending on the storage solution, this could be an issue. If a SQL database is in use... this probably would not bode well.
-
In defense of the original poster... The passwords are NOT hashed and salted when transmitted across the network. So, one stray captured packet is all that is needed to gain access to someone's account. So, someone located within either the sending or the receiving subnet could ettercap and nab it. If it's someone within the server's subnet, all logins could theoretically be captured very trivially. Also, since the passwords are plaintext on transmission, they are probably plaintext in storage. Depending on the storage solution, this could be an issue. If a SQL database is in use... this probably would not bode well.
Hashing the pass before transmission wouldn't be better; the dude sniffing the network could log in as well, even if it would be a bit harder.
-
Also, if it happened only once, and only to one player, then... then I'm sorry, but we're bound to think the problem is on the player side.
In fact, it happened to 5 different accounts in my team. 3 of them were playing and received a message "knock knock anybody here ?". And when we were in our base, we saw (twice) a common character logging in, and when he saw all of us in the base he disconnected (5-second connection). So we asked on Mumble who it was and... it was nobody from the team.
So my question is: if I play FOnline, can someone easily get into my computer using the game?
-
You said it's 5 different accounts in your team. A question from me now would be:
- Do you guys use some other forum or anything else that requires registration and is more or less known by others?
- Do you guys use the same passwords for characters in-game and in this thing(s)?
One thing that comes to my mind now is that someone was hacking something else and used the account data from there to log in to the characters. It wouldn't be impossible.
-
- Do you guys use some other forum or anything else that requires registration and is more or less known by others?
Yes, our private forum.
- Do you guys use the same passwords for characters in-game and in this thing(s)?
No, we have already verified.
And I don't understand what you mean in your last sentence. We have a few ideas about who is trying to hack our accounts, but we don't know how he does it.
-
We saw new tries by him to steal from us. Fortunately we could kill him before he left with the stuff.
We are almost sure that he hacked our forum and used the common passwords to steal our chars. Such a bad idea to have the same password in-game and on forums, guys :S
-
I was thinking a lot about SQL injection here. The traffic sent by the game does not yet look exploitable to me, though any malicious code injection could be a problem here?
-
I talked with other teams, and some other guys have been hacked too, without being registered on our forum.
The problem for them is the forum fonline2238.net; they have the same password in-game and on this forum.... Who has access to the SQL server? Or is SMF secure enough?
This is becoming boring; until now we were thinking it was only "targeted" at the Cajuns crew, but it seems to be a problem in other clans too...
Bad bad bad.
-
Maybe someone has a keylogger installed and doesn't know... :-\
-
Hashing the pass before transmission wouldn't be better; the dude sniffing the network could log in as well, even if it would be a bit harder.
That's why you salt and rehash them before transmission. A function would need to be put in place in the client and server to generate a combined hash using either a set of shared keys or one generated based on some independent, changing but synchronized factor (time), the password, and some salt. This way a resulting hash couldn't be used twice. And even if the attacker knew the salt and time... they still wouldn't know the password to generate the next required hash for authentication.
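The three schemes argued over in the last few posts, side by side, as an added example (my code, not FOnline's; the account name, password, clock value and 30-second window are made up). It shows the replay point from the earlier reply, that a static hash of the password is as reusable as the password itself, and then the challenge-response idea from the post above: the proof is an HMAC over a server-issued nonce plus the current time bucket, so a captured proof is dead after one use and knowing the nonce and time without the password gets the sniffer nothing.

```python
import hashlib
import hmac
import os
import time

# Added example, not FOnline code. The account, password and 30 s window are made up.
ACCOUNTS = {"kinkin": "correct horse battery"}   # demo only; see the note below on storage


# --- 1. what the thread says the client does today: the password itself goes on the wire
def send_plaintext(password: str) -> str:
    return password


def check_plaintext(user: str, proof: str) -> bool:
    return hmac.compare_digest(ACCOUNTS.get(user, "").encode(), proof.encode())


# --- 2. hash-only: the hash becomes the credential, so a captured packet still logs in
def send_static_hash(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def check_static_hash(user: str, proof: str) -> bool:
    expected = hashlib.sha256(ACCOUNTS.get(user, "").encode()).hexdigest()
    return hmac.compare_digest(expected, proof)


# --- 3. challenge-response: the proof depends on a fresh server nonce and the time bucket,
#        so replaying an old proof fails and forging one needs the password
def time_bucket(now: float, window_s: int) -> int:
    return int(now // window_s)


def client_response(password: str, nonce: bytes, bucket: int) -> str:
    msg = nonce + bucket.to_bytes(8, "big")
    return hmac.new(password.encode(), msg, hashlib.sha256).hexdigest()


class ChallengeServer:
    def __init__(self, window_s: int = 30):
        self.window_s = window_s
        self.pending = {}   # user -> nonce issued for the login attempt in progress
        self.used = set()   # (user, nonce) pairs already consumed; never accepted twice

    def challenge(self, user: str) -> bytes:
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def verify(self, user: str, proof: str, now=None) -> bool:
        now = time.time() if now is None else now
        nonce = self.pending.pop(user, None)
        if nonce is None or (user, nonce) in self.used:
            return False
        self.used.add((user, nonce))
        expected = client_response(ACCOUNTS.get(user, ""), nonce,
                                   time_bucket(now, self.window_s))
        return hmac.compare_digest(expected, proof)


def replay_demo() -> dict:
    """A sniffer records one login packet per scheme and sends it back later."""
    user, pw = "kinkin", ACCOUNTS["kinkin"]
    out = {}
    captured = send_plaintext(pw)
    out["plaintext_replay"] = check_plaintext(user, captured)       # True: password reused
    captured = send_static_hash(pw)
    out["static_hash_replay"] = check_static_hash(user, captured)   # True: hash reused
    srv = ChallengeServer()
    t0 = 1_000_000.0                                                 # fixed clock for the demo
    nonce = srv.challenge(user)
    captured = client_response(pw, nonce, time_bucket(t0, srv.window_s))
    out["challenge_genuine"] = srv.verify(user, captured, now=t0)   # True: the real login
    srv.challenge(user)                                              # attacker starts a login...
    out["challenge_replay"] = srv.verify(user, captured, now=t0 + 1)           # False: nonce differs
    out["replay_no_challenge"] = srv.verify(user, captured, now=t0 + 1)        # False: nothing pending
    nonce2 = srv.challenge(user)                                     # attacker knows nonce and time...
    forged = client_response("guess", nonce2, time_bucket(t0 + 2, srv.window_s))
    out["forge_without_password"] = srv.verify(user, forged, now=t0 + 2)       # False: wrong key
    return out


if __name__ == "__main__":
    print(replay_demo())
```

Two caveats a practitioner would raise against the post's sketch. A server-issued nonce, as used here, does the "can't be used twice" job without depending on synchronized clocks, so the time bucket is belt-and-braces rather than essential. And the server still has to hold the password (or a secret derived from it) to recompute the HMAC, so this scheme answers the sniffing complaint but not the plaintext-storage one raised two posts up; the usual way out is to protect the connection (TLS) and keep only a salted, stretched verifier on the server.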
-
I was thinking a lot about SQL injection here. The traffic sent by the game does not yet look exploitable to me, though any malicious code injection could be a problem here?
The only attack point would probably be FOnline client authentication, in either the username or the password. The client filters out special characters, but a forged packet could probably carry the SQL injection. A simple Python script can do that after using Wireshark to capture enough packet information. This is especially true if the authentication function used the given username and password strings directly in a code-side SQL query to the server.
The problem for them is the forum fonline2238.net; they have the same password in-game and on this forum.... Who has access to the SQL server? Or is SMF secure enough?
The FOnline service, updater, SMTP server, and forums are hosted on the same box. Unless the hosting company provides SQL server access, the SQL server is on there but not configured to accept external connections. After that, it all depends on whether a dedicated forums account was created, limited, and restricted to just the forums database properly. And SMF uses sha1 to store its passwords, so there's very little chance of grabbing them from the forum database and using them in the plaintext authentication of FOnline.
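The forged-packet scenario from the post above, as an added example (my code, not FOnline's or SMF's; the table, account and password are invented, and nothing here says FOnline's server actually builds its query this way). It contrasts the pattern the post warns about, login strings spliced straight into the query text, with a bound-parameter query, and shows why a client-side special-character filter is no defense once the attacker crafts the packet himself.

```python
import hmac
import sqlite3

# Added example, not FOnline or SMF code. Table, account and password are made up.


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (name TEXT PRIMARY KEY, password TEXT)")
    db.execute("INSERT INTO accounts VALUES (?, ?)", ("kinkin", "hunter2"))
    return db


def login_concat(db: sqlite3.Connection, name: str, password: str) -> bool:
    """The pattern the post warns about: the strings from the login packet are
    spliced into the query text. Deliberately left vulnerable for the demo."""
    sql = (f"SELECT 1 FROM accounts WHERE name = '{name}' "
           f"AND password = '{password}'")
    return db.execute(sql).fetchone() is not None


def login_param(db: sqlite3.Connection, name: str, password: str) -> bool:
    """Hardened: the name is a bound parameter, so it can never become SQL, and the
    password is compared in code rather than inside the query."""
    row = db.execute("SELECT password FROM accounts WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0].encode(), password.encode())


def client_filter(s: str) -> bool:
    """Stand-in for the client-side special-character filter the post mentions.
    It only constrains honest clients; a forged packet skips it entirely."""
    return all(c.isalnum() or c in " _-" for c in s)


def forged_packet_demo() -> dict:
    """Username payload `kinkin' --`: the quote closes the literal and `--`
    comments out the password check, so no password is needed."""
    db = make_db()
    name, pw = "kinkin' --", "anything"
    return {
        "client_would_send_it": client_filter(name),      # False: honest client refuses it
        "concat_bypassed": login_concat(db, name, pw),     # True: forged packet logs in
        "param_bypassed": login_param(db, name, pw),       # False: no such account name
        "param_legit": login_param(db, "kinkin", "hunter2"),
    }


if __name__ == "__main__":
    print(forged_packet_demo())
```

The fix is the bound parameter, not the filter: the database driver sends the value separately from the statement, so nothing the attacker puts in the name can change the query's shape. The same applies to the password string, which is why it never touches the SQL here at all.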
-
One additional way of "hacking" in is if you shared your logs with anyone and had typed ~myinfo before. It displays the password in plain text.
The 94.23.237.127.2238.cache file stores your password in plain text as well; you just need to open it in Notepad.