
Support::General Support Post all topics here having to do with errors while trying to connect to an EQEMu server but not about the setup/running of the Server itself.

  #1  
Old 08-26-2007, 01:22 PM
Angelox
AX Classic Developer
 
Join Date: May 2006
Location: filler
Posts: 2,049
Default

Probably, you are using a regular Windows 98 or XP OS? I would suggest you set up a secure Linux EqEmu server, as the Windows version is very costly.
I didn't know it was so easy to hack in like that - are you sure you don't have any Trojans, viruses, malware, etc.?
  #2  
Old 08-26-2007, 01:38 PM
aneriel
Fire Beetle
 
Join Date: Aug 2007
Posts: 14
Default

Wish I had time to set up a Linux server, but it took me a few days to get what I have up and running. The OS is basically XP, but the Media Center version. I'm installing anti-virus, Spybot, etc. right now. It's pretty much a fresh install so I didn't have all that going *smacks head*. We'll see what happens, I suppose.
  #3  
Old 08-26-2007, 01:40 PM
aneriel
Fire Beetle
 
Join Date: Aug 2007
Posts: 14
Default

If anyone knows what to do about IP addresses, I found this in my run command (along with some DOS commands, ftp included):

66.189.7.127
  #4  
Old 08-26-2007, 01:57 PM
Angelox
AX Classic Developer
 
Join Date: May 2006
Location: filler
Posts: 2,049
Default

Do you have a router? If so, shut all ports, void ones in use (shut ftp port too) - I know XP has a firewall, but I think router firewall is better (it's a hardware firewall); you can disable Windows firewall if you have router firewall.
  #5  
Old 09-03-2007, 02:41 PM
Angelox
AX Classic Developer
 
Join Date: May 2006
Location: filler
Posts: 2,049
Default

aneriel, here's your new Hacker thread, sorry about the old one
  #6  
Old 09-03-2007, 03:55 PM
oldlurker
Fire Beetle
 
Join Date: Jul 2007
Posts: 27
Default

To recap part of the old thread:

Shutting down ports will not help because the exploit is a buffer overflow inside the world or zone binaries.
Such a buffer overflow might allow the attacker to gain higher privileges inside the binary or even execute commands on the host system.

Normally the first step after such an attack is to get a trojan package from a remote site and execute it on the host system. This trojan will look for other exploitable holes on the system to gain superuser privileges and hide itself from detection.

Sad thing is most Linux systems are as vulnerable to these 'local root exploits' as the average Windows system because not many people give a thought to securing their server or installing security fixes.

Unfortunately just looking around in the source code until we find that exploit could be the proverbial search for a needle in a haystack. There are tools out there that can help with identifying potential security risks in your source code but someone still has to interpret what is harmless and what is not.

Last edited by oldlurker; 09-03-2007 at 11:59 PM..
  #7  
Old 09-03-2007, 10:25 AM
froglok23
Hill Giant
 
Join Date: May 2005
Location: Australia
Posts: 113
Default

I've identified 87 places where it can be exploited. I don’t want to post exactly where they are, due to the potential security risk, but I am preparing a patch.

- froglok
  #8  
Old 09-03-2007, 02:39 PM
RangerDown
Demi-God
 
Join Date: Mar 2004
Posts: 1,066
Default

The wiki used to have an article about securing a Linux server. If the spambots haven't completely trashed it, you might want to check it out.

If you're running anything bigger than a private LAN server, perhaps the most important rule of thumb -- and this applies regardless of OS -- is don't run your server under the "root" account on Linux OSes, or with administrator access on Windows systems. Run them under an account that has no more access than it absolutely needs to run the world/zone servers, and set permissions on your file system so that areas that hold your personal documents/items are off-limits to the account the emu server runs under.

(Edit: Ok, now I'm confused. I posted AFTER the two posts that follow this one, but it's located above Angelox's in the sequence. Maybe the clock was wrong and got moved back between their posts and mine...)
__________________
<idleRPG> Rogean ate a plate of discounted, day-old sushi. This terrible calamity has slowed them 0 days, 15:13:51 from level 48.
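
An added example, not part of any post in this thread and not EQEmu project code: a small Linux audit for the two checks described in the post above, namely that the world/zone processes do not run as root and that a private directory is closed to accounts other than its owner and group. The account name `eqemu` and the sample process listing are constructed for illustration; the permission check assumes the server account is neither the owner of the directory nor in its group, and it does not look at ACLs.

```shell
#!/usr/bin/env bash
# Added example. "world" and "zone" are the server binaries named in the
# thread; the sample listing at the bottom is constructed.

# Read "USER PID COMMAND" lines (as printed by: ps -eo user=,pid=,comm=)
# on stdin and report every world/zone process owned by root.
# Returns 1 if any is found, 0 otherwise.
find_root_owned() {
    awk '
        ($3 == "world" || $3 == "zone") && $1 == "root" {
            printf "%s (pid %s) runs as root\n", $3, $2
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# Print the directory if any "other" permission bit (read, write or
# search) is set on it, i.e. if an account that is neither the owner nor
# in the group can reach into it. Prints nothing when it is closed.
open_to_others() {
    find "$1" -maxdepth 0 \( -perm -004 -o -perm -002 -o -perm -001 \)
}

# Constructed sample: world was started by root, the zones by a
# hypothetical unprivileged account named "eqemu".
SAMPLE_PS='root   2101 world
eqemu  2140 zone
eqemu  2141 zone
root   1    init'

# Demo on the sample; on a live host pipe the ps command shown above in.
printf '%s\n' "$SAMPLE_PS" | find_root_owned || true
```

A directory reported by `open_to_others` can be closed with `chmod o-rwx` on it.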
  #9  
Old 09-10-2007, 06:24 AM
image
Demi-God
 
Join Date: Jan 2002
Posts: 1,290
Default

I notified Doodman of an authentication bug existent in the LoginServer and his reply was:
[11:22] <Doodman> It's completely new code.

Although I looked in the World Server and the same authentication exploit exists (in the 0.7.0 source).
__________________
www.eq2emu.com
EQ2Emu Developer
Former EQEMu Developer / GuildWars / Zek Seasons Servers
Member of the "I hate devn00b" club.
Everquest is a registered trademark of Daybreak Game Company LLC.
EQEmulator is not associated or affiliated in any way with Daybreak Game Company LLC.
Except where otherwise noted, this site is licensed under a Creative Commons License.
       