Showing results for tags 'security'.

Found 24 results

  1. Hello, I have been hearing about the existence of such an event from time to time. I thought of creating such a solution. I haven't had any problems so far in my tests.

     To briefly talk about the incident: some pack files can be opened and edited while the game is open. This may pose a problem in some exceptional cases. Most of the time, changes made may not be reflected in the game due to cache unless the client is reset, but I still thought it wouldn't hurt to prevent this situation. In addition, nowadays foxfs etc. methods are used, so you can also consider this as additional security for your game. The code is completely open to development and customization; you can take it in any direction you want.

     I should point out that this method will work more efficiently with an autopatcher. So you also have a job to do here: the code I share here is the first stage of this system. The necessary adjustments you make to the autopatcher depending on this code will be the second stage. To give an example of the working logic: as soon as the pack file named x is edited, the game will close completely, and when it is opened again, the autopatcher (if it has a file integrity feature, etc.) will download the original instead of this edited pack file and let you log in from the original file. Likewise, if there is any further intervention in the pack files, these operations will be repeated automatically. (This is the idea I suggested; anyone can use it however they want.)

     Now let's get to the point. Here's a short video showing it before editing: [Hidden Content] After video: [Hidden Content] [Hidden Content]

     For those who are curious: the code runs only once when the client is opened and only keeps track of the pack files as long as the game (client) is open. In other words, it does not run repeatedly in situations such as teleportation or casting a character.
  2. Hello, As the title says, there is a significant exploit in the chat link system. Given that many servers utilize this system, I believe most private servers are affected by this exploit. Essentially, someone can execute any CMD command they want on a player's computer by instructing them to click on an item.

     How does it work? [Hidden Content] He sends this through whisper or public chat, and the player clicks on the item. The command opens notepad.exe.

     How can you fix it? Firstly, STOP using os.system to open links. There are special libraries for that, such as the one I will use to implement this fix. Please note that this is a straightforward fix and may not be 100% foolproof because malicious links can still be sent to open in the browser. I recommend using a link validation technique on the server side and allowing only specific links. [Hidden Content]
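An added illustration of the allow-list validation the post recommends (this is not the post's hidden fix): the link is parsed with urllib.parse, only http/https links to hosts on a constructed allow-list are accepted, and accepted links go to webbrowser.open rather than to a shell command line. The allow-listed domains are placeholders.

```python
import webbrowser
from urllib.parse import urlsplit

# Constructed allow-list (placeholder domains): a link may be opened only if its
# host is exactly one of these or a subdomain of one of these.
ALLOWED_HOSTS = ("example-server.test", "wiki.example-server.test")
ALLOWED_SCHEMES = ("http", "https")


def is_allowed_link(url):
    """Return True only for a well-formed http(s) link to an allow-listed host."""
    if not isinstance(url, str) or any(c in url for c in "\r\n\0"):
        return False
    try:
        parts = urlsplit(url.strip())
    except ValueError:            # e.g. unbalanced IPv6 brackets
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False              # rejects file:, javascript:, and scheme-less text
    if parts.username is not None or parts.password is not None:
        return False              # "allowed-host@real-host" would hide the real host
    host = parts.hostname
    if not host:
        return False
    host = host.lower().rstrip(".")
    return any(host == a or host.endswith("." + a) for a in ALLOWED_HOSTS)


def open_chat_link(url):
    """Open a validated chat link through the OS browser handler, never a shell.

    webbrowser hands the URL to the browser as a single argument, so shell
    metacharacters inside the link text are never interpreted by cmd.exe.
    """
    if not is_allowed_link(url):
        return False
    return webbrowser.open(url, new=2)
```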
  3. Hello community,

     About Firewall

     This firewall is ideal for those who have a national server and not an international server. It is based on GEO block; adding new countries or removing them is extremely easy. Currently I can easily say that it is the best pf that is published for free at this level of efficiency. I attacked the firewall several times; it was tested on online servers with 700/800 simultaneous players and it worked efficiently without problems.

     Warning

     The best protection that can be applied is at the network level. There is no point in having a firewall running on an operating system if the network does not support a large amount of traffic for the operating system's firewall to be able to act. This firewall in combination with a good VPS/dedicated VPS and good network protection on the company side can easily handle small to medium attacks. All the magic happens because of GEO BLOCK; without GEO BLOCK it is equivalent to the pf's shared here in the community. The code is not optimally organized and can be improved, remembering that it was my first version.

     Requirements
     - pftop (PF)
     - wget

     How To Setup
     [Hidden Content]

     Questions? Comment, and I will answer as soon as possible.

     Best Regards, Papix
  4. There was a time, when Metin2 was still a recent game, when it was fairly easy to perform Layer 7 attacks on FreeBSD servers, or even hack into them. Much software was shipped with insecure defaults, and it was expected from the user to properly secure it. This has changed, and now MySQL only listens on localhost by default, Apache is for the most part an unnecessary relic from the past, the root user cannot log in to ssh, and so on.

     But there is a part of the structure that has always been extremely vulnerable: the website, particularly the cheap webhosts many people opt for when they need to use certain poorly written CMS or forum software that doesn't play well with Nginx. Since the needs of a game server (payment, voting and so on) can hardly be covered by any off-the-shelf solution, there will often be a need for some php script directly pulling data from the database to show a player ranking, or similar functions. This script can be repeatedly hit by one or multiple IP addresses and eventually overload the MySQL database which your game happens to use as well; eventually, both your game server and website go down. And no, Cloudflare will not help you unless you pay money and/or configure it extensively and properly, a process I may explain some other time.

     Today we are going to introduce two extremely easy solutions to mitigate the sort of attack I described, with the help of nginx and a bit of mysql.

     Two stage rate limiting

     The first technique is rate limiting. It involves throttling repeated requests from the same IP, particularly to php files, which are the ones that consume by far the most resources in the server. Hitting anything else is unlikely to cause any harm. In order to enable rate limiting, first we must add in the http context a "zone" where IPs are saved:

        # the zone name ("one") must match the limit_req directives below
        limit_req_zone $binary_remote_addr zone=one:10m rate=5r/s;

     This will create a 10 mb memory zone to store a log of connections; if any of them exceeds 5 requests per second, they will be refused with a 503 error. But for this to actually work we must add this extra line into the php part of the server context - just mind the first two lines here and ignore the others that are there for context:

        location ~ \.php$ {
            limit_req zone=one burst=20 delay=10;
            limit_req_status 444;
            try_files $uri =404;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            fastcgi_index index.php;
            include fastcgi_params;
        }

     Besides specifying where to perform this rate limiting (.php files), the settings enabled here make the experience a bit smoother by allowing the client to send a burst of up to 20 requests/second before refusing subsequent requests. Finally, the delay parameter indicates that when the connection speed exceeds 10r/second, the subsequent requests will be served with a delay. The second line, limit_req_status, instructs nginx to give an empty response (444) instead of the default 503 error to excess connections, slightly reducing the server resources needed to deal with the presumed attack.

     FastCGI cache: serving stale content

     Now this is all fine and well, but what happens if we are attacked from multiple IPs? The feared DDoS! Well, it depends on what our hypothetical php script is exactly doing. If it's simply pulling data from the database, we can use the proxy cache to force NGINX to serve such pages from a cache and avoid making repeated connections to the database. Let's define our cache in the http context:

        fastcgi_cache_path /var/run/nginx-cache levels=1:2 keys_zone=mycache:10m inactive=10m;
        # $uri (unlike $request_uri) leaves the query string out of the key
        fastcgi_cache_key "$request_method$host$uri";
        fastcgi_cache_use_stale updating;

     The first line creates a cache zone in memory of 10 mb, and specifies that if there are no requests for 10 minutes, the cache will be refreshed anyway. The second line specifies the arguments to use for creating a key (a sort of hash) in the cache for this request. In practice this means that if, for example, the query string is different in two requests, they will still be considered to be the same request for caching purposes, as the query string is not part of this "key". And the third line, the most relevant one, means that while the cache is updating, the client will not wait for said update to finish before being served the requested content; instead it will be served the outdated ("stale") version of the page. Since every request normally triggers a cache update, this technique enormously reduces the number of times the php script is actually executed during a flood.

     (On a side note, this setting also allows us to show stale content when the backend is not responding. This is exactly what Cloudflare does with its "offline mode". We can enable this behavior by adding further triggers:)

        fastcgi_cache_use_stale updating error timeout invalid_header http_500 http_503;

     Finally, to use the cache we defined in a location (in this case it must be the php location, since it's a fastcgi cache) we add this. The second line specifies for how long a 200 OK response is valid; other response codes will not be cached:

        fastcgi_cache mycache;
        fastcgi_cache_valid 200 5m;

     The icing on the cake: limit MySQL connections by user

     What about scripts that UPDATE the database? Things can get nasty here, since there's no cache to speak of; all we can do is limit the total amount of requests that can be made to the backend and the database. In this case, nginx is not going to help; instead, create a specific user for your website, different from the game user in MySQL, and set a strict limit of connections. This means such an attack will not take down the database.

        create user 'website'@'someip' identified by 'somepassword';
        grant usage on account.* to 'website'@'someip' with max_user_connections 10;

     As an extra measure you can set stricter rate limits for the most vulnerable POSTing scripts in nginx (register, login...). Be aware you need to place specific locations (such as login.php) above the wildcard *.php location in the nginx config:

        # "=" makes this an exact match; a plain prefix location would lose
        # to the regex "~ \.php$" location regardless of order
        location = /login.php {
            limit_req zone=one burst=5 delay=2;
            limit_req_status 444;
            fastcgi_pass unix:/var/run/php-fpm.sock;
            include fastcgi_params;
        }

     And that is all you need to prevent your php scripts from being flooded. Of course, that's only one of the attack vectors, but also the most overlooked, yet easiest to fix. PHP programmers may also add extra checks in their code for repeated connections - memcached is your friend. But that's outside of our scope here.
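The following added model (my own code, not the post's) reproduces the excess/burst/delay accounting of nginx's limit_req module, so you can see how many requests a single flooding IP actually gets through with the rate=5r/s, burst=20, delay=10 settings above versus the stricter login.php block. The bucket arithmetic is my reading of ngx_http_limit_req_module and the request timelines are constructed.

```python
class LimitReqZone:
    """Model of one nginx limit_req zone: a leaky bucket per client key.

    Assumed to mirror ngx_http_limit_req_module: the bucket keeps an "excess"
    counter in milli-requests; each request adds 1000, elapsed time drains it
    at `rate`.  excess > burst  -> rejected (answered with limit_req_status)
                excess > delay  -> served after a pause
                otherwise       -> served at once.
    """

    def __init__(self, rate, burst=0, delay=0):
        self.rate = rate * 1000      # requests/second scaled to milli-requests
        self.burst = burst * 1000
        self.delay = delay * 1000
        self.buckets = {}            # key (e.g. client address) -> (last_ms, excess)

    def request(self, key, now_ms):
        """Return ('pass', 0), ('delay', wait_ms) or ('reject', 0) for one request."""
        if key not in self.buckets:
            self.buckets[key] = (now_ms, 0)        # a client's first request is never excessive
            return ("pass", 0)
        last_ms, excess = self.buckets[key]
        elapsed = max(0, now_ms - last_ms)
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            return ("reject", 0)                   # bucket is left untouched on reject
        self.buckets[key] = (now_ms, excess)
        if excess > self.delay:
            return ("delay", (excess - self.delay) * 1000 // self.rate)
        return ("pass", 0)


def run_flood(zone, key, timestamps_ms):
    """Feed one client's request timeline; return verdict counts and the longest delay."""
    counts = {"pass": 0, "delay": 0, "reject": 0}
    longest = 0
    for t in timestamps_ms:
        verdict, wait = zone.request(key, t)
        counts[verdict] += 1
        longest = max(longest, wait)
    return counts, longest


def php_location_flood(n_requests):
    """n requests in the same millisecond against the .php location (5r/s, burst=20, delay=10)."""
    zone = LimitReqZone(rate=5, burst=20, delay=10)
    return run_flood(zone, "203.0.113.7", [0] * n_requests)     # constructed client address


def login_location_flood(n_requests):
    """The same burst against the stricter login.php block (5r/s, burst=5, delay=2)."""
    zone = LimitReqZone(rate=5, burst=5, delay=2)
    return run_flood(zone, "203.0.113.7", [0] * n_requests)


def polite_client(n_requests, interval_ms):
    """A client pacing itself at `interval_ms` (250 ms = 4 r/s) stays under the 5 r/s rate."""
    zone = LimitReqZone(rate=5, burst=20, delay=10)
    return run_flood(zone, "198.51.100.9", [i * interval_ms for i in range(n_requests)])


if __name__ == "__main__":
    for label, fn in (("php", php_location_flood), ("login", login_location_flood)):
        counts, wait = fn(30)
        print(f"{label:5s} 30-request burst -> {counts}, longest delay {wait} ms")
    print("4 r/s client        ->", polite_client(30, 250))
```

With the .php settings a 30-request burst yields 11 immediate responses, 10 delayed ones (up to 2 s) and 9 rejections; the login.php block lets only 3 through immediately.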
  5. M2 Download Center Download Here ( Internal )

     Intro

     This release will explain how to "convert" your root .py files to .c ones. Actually, Cython only converts those files to pure CPython code.

     Download

     Main Branch VS Impl Branch (highly suggested)

     As requested by many people, you can download the compatible and clean official cn root dated 20131228-0034 without further edits:
     rootCn_20131228-0034_edit.rar
     uiscriptCn_20131228-0034.rar
     cN-serverinfo-edit.py

     Is Cython really worth it?

     Pros
     All the modules are compiled, and they can't be "extracted as .py" anymore. We can always disassemble the launcher with IDA, but the result will be pseudo-c code after waiting 6-8h of analyzing. Since we're not using .pyx files but directly .py ones, there's not "so much optimization". At least a 10% performance increase is guaranteed.

     Cons
     For testing purposes, it's heavy to maintain. Every time you try to re-compile your root files, you have to wait 5-10 minutes. You can always use the uncythonized root (.py files) when you perform tests, and compile with cython whenever you make an update on your live server. The launcher's size will increase by ~10mb. You can actually pack it to save space. If you directly use a .pyd (still 10mb), the launcher's size won't increase.

     VideoTutorial

     Credits
     Me (lollo_9_1/martysama0134)
     Night (OST suggestion)
     Random Testers

     What's New:
     vsimpl
     - Visual studio implementation
     - automatic cythonization when compiling
     - only the edited files will be compiled
     v2.0
     - The module's name check is now case-insensitive (colorInfo == colorinfo)
     - Added a new function rootlib/uiscriptlib.getList() to retrieve a tuple of all the available cythonized modules.
     - Now you can compile a uiscriptlib library from the uiscript*.py files! (implemented as __USE_EXTRA_CYTHON__)
     - Added a sample ui.py containing the code to run uiscriptlib.
  6. Hello,

        int CInputMain::Analyze(LPDESC d, BYTE bHeader, const char * c_pData)

        // inside the function, where ch is the character bound to descriptor d
            if (ch && ch->IsPC())
            {
                if (get_global_time() < ch->analyze_protect)
                {
                    ch->analyze_protect_count = ch->analyze_protect_count + 1;
                    ch->ChatPacket(CHAT_TYPE_INFO, "<test server> analyze_protect_count. Count %d", ch->analyze_protect_count);

                    if (ch->analyze_protect_count >= 300)
                    {
                        ch->analyze_protect_count = 0;
                        d->SetPhase(PHASE_CLOSE);
                        return (0);
                    }
                }
                else
                    ch->analyze_protect_count = 0;

                ch->analyze_protect = get_global_time() + 1;
            }

     In char.h

        int analyze_protect;
        int analyze_protect_count;

     In void CHARACTER::Initialize() and Destroy

        analyze_protect = 0;
        analyze_protect_count = 0;
  7. Update April 2020: I have modified the rules to allow ipv6 connections, and added some comments.

     Update January 2021: New, more exhaustive and optimized config, and more explanations.

     Hello, As I had just posted the file without any explanation of it, which is not really useful unless you are already familiar with pf, I have added a little tutorial. Here is a sample pf.conf file that you can use as a base to create your own for your FreeBSD server. It assumes you are not using UDP as the original client does.

     Preliminary steps

     Add the following to /etc/rc.conf to enable pf. It will enable the pf firewall on boot and log blocked packets to /var/log/pflog. This is not a text file but a pcap file that can be opened using tcpdump -r /var/log/pflog (followed by any other flags you may want to use). For a good tcpdump cheatsheet check [Hidden Content] The second part is ip6addrctl, which attempts to use ipv4 addresses instead of ipv6, since the game does not support ipv4.

        # Packet Filter
        pf_enable="YES"
        pf_rules="/etc/pf.conf"
        pflog_enable="YES"
        pflog_logfile="/var/log/pflog"
        # Prefer ipv4 when available
        ip6addrctl_enable="YES"
        ip6addrctl_verbose="NO"
        ip6addrctl_policy="ipv4_prefer"

     Firewalling

     The configuration file further below must be saved as /etc/pf.conf (be aware the default location for pf rules may not be here anymore; if you used my rc.conf above that should be no issue). Before attempting to use it, make sure to change everything that is between brackets. You can find out the relevant parameters with the ifconfig command on FreeBSD.

        root@godzilla:/home/www $ ifconfig
        igb0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
                options=e53fbb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,LRO,WOL_UCAST,WOL_MCAST,WOL_MAGIC,VLAN_HWFILTER,VLAN_HWTSO,RXCSUM_IPV6,TXCSUM_IPV6>
                ether d0:40:19:d5:e3:69
                inet 57.93.137.82 netmask 0xffffff00 broadcast 57.93.137.255
                inet 57.93.114.128 netmask 0xffffffff broadcast 57.93.114.128
                inet6 fe80::d110:99ff:fec4:e469%igb0 prefixlen 64 scopeid 0x1
                inet6 2001:27d0:119:1872:: prefixlen 64
                media: Ethernet autoselect (10Gbase-T <full-duplex>)
                status: active
                nd6 options=8063<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL,NO_RADR,DEFAULTIF>

     [int] is the name of your external interface (ix0, igb0, etc...). It's the first thing that appears below ifconfig.
     [primary_ip] is the one after the first "inet" (in this case 57.93.137.82)
     [game_ip] is the one after the second "inet" (in this case 57.93.114.128)
     [ipv6] is the one you see after the second inet6.

     Finally, edit service_ports, game_ports and auth_ports with the ports you want to open for administrative tasks and for the game, separated by commas. At the very least, add your SSH port to service_ports or you won't be able to connect to your machine.

     Why have 2 IPs? Easy: you cannot change your primary IP. If a DDoS brings down your machine, you can block all traffic to your secondary IP while working on protective measures through your primary IP. If all else fails you could even bind your game, or whatever you are running, to a third IP and hope the attacker doesn't notice (yeah, sounds dumb, but so are the people doing that stuff!). If you just have one IP, you may not be able to access your server at all. So the idea is that you access SSH and other administrative stuff through the primary IP while any public facing services go through a secondary IP or several of them. The OVH firewall can help you close unneeded ports.

     Closing UDP there is also a very good idea if you don't need it - if you get a UDP flood bigger than your bandwidth, PF is not going to help you. When inbound traffic saturates your link, it's already too late to do anything at the OS level - it must be done by a hardware firewall or mitigation system such as the one provided in the OVH Panel (IP menu).

     If you prefer to use just one IP, you can just enter the same one as both primary and secondary. Or, if you want to do it properly, remove all references to $game_ip throughout the file. Also, if you don't have ipv6 set up, comment out (#) or remove every line that mentions "inet6".

     And finally, there is a file named /var/db/trusted_hosts which is a simple text file you can create with ee or vi. This is where you can add your own IP, or the IP address of other servers such as your webserver that you want to give full access without going through the rules. Write one IP per line, and be aware that your own IP could change, so don't rely on this to give you access permanently - more like a fallback in case you make a mistake.

        ext_if="[int]"

        set skip on lo0
        set block-policy drop
        set loginterface $ext_if

        primary_ip="[x.x.x.x]"
        game_ip="[x.x.x.x]"
        ipv6="[x:x:x::]"

        icmp_types = "{ echorep, unreach, squench, echoreq, timex, paramprob }"
        icmp6_types = "{ unreach, toobig, timex, paramprob, echoreq, echorep, neighbradv, neighbrsol, routeradv, routersol }"

        table <trusted_hosts> persist file "/var/db/trusted_hosts"
        table <bad_hosts> persist

        scrub in on $ext_if all fragment reassemble

        martians = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, \
                      10.0.0.0/8, 169.254.0.0/16, 192.0.2.0/24, \
                      0.0.0.0/8, 240.0.0.0/4, 255.255.255.255/32, \
                      ::/128, ::1/128, ::ffff:0:0/96, ::/96, 100::/64, \
                      2001:10::/28, 2001:db8::/32, fc00::/7, fe80::/10, \
                      fec0::/10, ff00::/8 }"

        service_ports="{ 21, 80, 443 }"
        # Game
        game_ports="{ 24000, 24001, 24002, 24010, 24011, 24099 }"
        auth_ports="{ 28000 }"

        ## Set default policy ##
        block return in log all
        pass in quick from <trusted_hosts>

        # Drop all Non-Routable Addresses
        block drop in quick on $ext_if from $martians to any
        block drop out quick on $ext_if from any to $martians
        block in quick from <bad_hosts>

        ## Blocking spoofed packets
        antispoof quick for $ext_if

        pass proto tcp from any to any port $service_ports
        pass inet proto icmp icmp-type echoreq

        # Allow essential outgoing traffic
        pass out on $ext_if inet proto { tcp, udp, icmp }
        pass out on $ext_if inet6 proto { tcp, udp, icmp6 }
        pass out on $ext_if inet6 proto icmp6 all icmp6-type echoreq keep state

        # Game, we do not ratelimit here
        pass proto tcp from any to any port $game_ports
        pass proto tcp from any to $ipv6 port $game_ports

        # Auth
        pass in quick proto tcp to $game_ip port $auth_ports keep state (max-src-conn 32, max-src-conn-rate 16/3, overload <bad_hosts> flush global)
        pass in quick proto tcp to $ipv6 port $auth_ports keep state (max-src-conn 32, max-src-conn-rate 16/3, overload <bad_hosts> flush global)

        ## allow icmp6 for getting address using IPv6 autoconfiguration from router
        pass inet6 proto ipv6-icmp all icmp6-type routeradv
        pass inet6 proto ipv6-icmp all icmp6-type routersol
        ## allow icmp6 for getting neighbor addresses
        pass inet6 proto ipv6-icmp all icmp6-type neighbradv
        pass inet6 proto ipv6-icmp all icmp6-type neighbrsol
        ## allow icmp6 echo, not required, but sometimes nice
        pass in inet6 proto ipv6-icmp all icmp6-type echoreq
        ## pass icmp-types: unreachable, time exceeded, parameter problem
        pass in inet6 proto ipv6-icmp all icmp6-type {1 3 4}

     Using pfctl

     pfctl, as its name implies, is a tool to control pf. There are plenty of cheatsheets online, but here's the most basic stuff:

        pfctl -e                       Enable pf (WARNING: will drop all connections including yours)
        pfctl -d                       Disable pf (may have the same effect)
        pfctl -f /etc/pf.conf          Reload rules (may drop connections as well, but usually it shouldn't)
        pfctl -sa                      Show all status
        pfctl -t bad_hosts -T flush    Flush the bad_hosts table (effectively unbanning all IPs banned by the ruleset)
        pfctl -t bad_hosts -T show     Show all the IPs banned so far

     Using tcpdump with pf

     You may watch the packets being blocked in real time by using tcpdump on the pflog0 interface:

        tcpdump -i pflog0 -ttt -n -e

     Or instead show the previously logged ones. You may probably want to filter the output with either grep or further tcpdump flags.

        tcpdump -r /var/log/pflog -n -e

     Extras

     Here are some sysctl tunings that may help with certain DDoS attacks. You can add them at the end of /etc/sysctl.conf and then type service sysctl restart at the command prompt to activate them. I don't recommend doing so unless you're being attacked though. That's why I have commented them out - remove all the # if you actually need them at some point.

        #net.inet.tcp.syncookies=1
        #net.inet.tcp.syncache.rexmtlimit=0
        #net.inet.ip.check_interface=1          # verify packet arrives on correct interface (default 0)
        #net.inet.ip.process_options=0          # IP options in the incoming packets will be ignored (default 1)
        #net.inet.ip.redirect=0                 # do not send IP redirects (default 1)
        #net.inet.ip.accept_sourceroute=0       # drop source routed packets since they can not be trusted (default 0)
        #net.inet.ip.sourceroute=0              # if source routed packets are accepted the route data is ignored (default 0)
        #net.inet.icmp.bmcastecho=0             # do not respond to ICMP packets sent to IP broadcast addresses (default 0)
        #net.inet.icmp.maskfake=0               # do not fake reply to ICMP Address Mask Request packets (default 0)
        #net.inet.icmp.maskrepl=0               # replies are not sent for ICMP address mask requests (default 0)
        #net.inet.icmp.log_redirect=0           # do not log redirected ICMP packet attempts (default 0)
        #net.inet.icmp.drop_redirect=1          # no redirected ICMP packets (default 0)
        #net.inet.icmp.icmplim_output=1         # show "Limiting open port RST response" messages (default 1)
        #net.inet.tcp.always_keepalive=0        # tcp keep alive detection for dead peers, can be spoofed (default 1)
        #net.inet.tcp.drop_synfin=1             # SYN/FIN packets get dropped on initial connection (default 0)
        #net.inet.tcp.fast_finwait2_recycle=1   # recycle FIN/WAIT states quickly (helps against DoS, but may cause false RST) (default 0)
        #net.inet.tcp.icmp_may_rst=0            # icmp may not send RST to avoid spoofed icmp/udp floods (default 1)
        #net.inet.tcp.msl=15000                 # 15s maximum segment life waiting for an ACK in reply to a SYN-ACK or FIN-ACK (default 30000)
        #net.inet.tcp.path_mtu_discovery=0      # disable MTU discovery since most ICMP type 3 packets are dropped by others (default 1)
        #net.inet.tcp.rfc3042=0                 # disable limited transmit mechanism which can slow burst transmissions (default 1)
        #net.inet.tcp.sack.enable=1             # TCP Selective Acknowledgments are needed for high throughput (default 1)
        #net.inet.udp.blackhole=1               # drop udp packets destined for closed sockets (default 0)
        #net.inet.tcp.blackhole=2               # drop tcp packets destined for closed ports (default 0)

     Disclaimer

     I am by no means an expert in the subject, and I have just a vague idea about what many of the settings are actually doing. The above stuff has been helpful in real life situations, having been through literally hundreds of DDoS attacks. Be aware that pf may lock you out of your own system, and you may need to use IPMI/KVM to gain access again by disabling pf in /etc/rc.conf and then fixing the errors. Use at your own risk.

     PS: Here is a very good writeup about modern DDoS attacks: [Hidden Content]
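As an added example (my own code, not part of the post), the following script digests the kind of lines `tcpdump -r /var/log/pflog -n -e` prints for the ruleset above, which the post suggests filtering with grep by hand: it tallies blocked inbound packets per source and per destination port, so you can spot a flood and decide what to hand to `pfctl -t bad_hosts -T add`. The sample log lines are constructed (documentation address ranges) and the line layout is assumed to be tcpdump's usual pflog output.

```python
import re
from collections import Counter

# Constructed sample of tcpdump's pflog output (addresses from documentation ranges).
SAMPLE_PFLOG = """\
00:00:00.000000 rule 0/0(match): block in on igb0: 203.0.113.5.54321 > 198.51.100.10.22: Flags [S], seq 1, win 65535, length 0
00:00:00.120000 rule 0/0(match): block in on igb0: 203.0.113.5.54322 > 198.51.100.10.22: Flags [S], seq 2, win 65535, length 0
00:00:00.300000 rule 0/0(match): block in on igb0: 203.0.113.9.40000 > 198.51.100.10.3306: Flags [S], seq 3, win 65535, length 0
00:00:01.000000 rule 0/0(match): block in on igb0: 203.0.113.5.54323 > 198.51.100.10.28000: Flags [S], seq 4, win 65535, length 0
00:00:01.500000 rule 0/0(match): block in on igb0: 203.0.113.5 > 198.51.100.10: ICMP echo request, id 1, seq 1, length 64
00:00:02.000000 rule 8/0(match): block in on igb0: 2001:db8::bad.5000 > 2001:db8::1.22: Flags [S], seq 5, win 65535, length 0
"""

# "rule N/M(match): block in on IFACE: SRC > DST: REST" as printed by tcpdump -n -e
LINE_RE = re.compile(
    r"rule (?P<rule>\S+)\(match\): (?P<action>block|pass) (?P<direction>in|out) "
    r"on (?P<iface>\S+): (?P<src>\S+) > (?P<dst>\S+): (?P<rest>.*)"
)


def split_endpoint(token, has_port):
    """'203.0.113.5.54321' -> ('203.0.113.5', 54321); works for IPv6 too since
    tcpdump appends the port after a dot.  ICMP endpoints carry no port."""
    if not has_port:
        return token, None
    host, _, port = token.rpartition(".")
    return host, int(port)


def parse_pflog(text):
    """Turn tcpdump pflog lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        rest = m.group("rest")
        if rest.startswith("ICMP"):
            proto = "icmp"
        elif rest.startswith("UDP"):
            proto = "udp"
        else:
            proto = "tcp"                     # "Flags [S]" etc.
        src, sport = split_endpoint(m.group("src"), proto != "icmp")
        dst, dport = split_endpoint(m.group("dst"), proto != "icmp")
        records.append({
            "rule": m.group("rule"), "action": m.group("action"),
            "direction": m.group("direction"), "iface": m.group("iface"),
            "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport,
        })
    return records


def _blocked_in(records):
    return [r for r in records if r["action"] == "block" and r["direction"] == "in"]


def blocked_sources(records):
    """Blocked inbound packets per source address."""
    return Counter(r["src"] for r in _blocked_in(records))


def blocked_ports(records):
    """Blocked inbound packets per destination port (ICMP has no port)."""
    return Counter(r["dport"] for r in _blocked_in(records) if r["dport"] is not None)


def bad_host_candidates(records, threshold):
    """Sources with at least `threshold` blocked packets, most active first."""
    return [src for src, n in blocked_sources(records).most_common() if n >= threshold]


def pfctl_add_command(hosts):
    """The pfctl invocation that would put these hosts into the ruleset's <bad_hosts> table."""
    return "pfctl -t bad_hosts -T add " + " ".join(hosts)


if __name__ == "__main__":
    recs = parse_pflog(SAMPLE_PFLOG)
    print("blocked by source:", dict(blocked_sources(recs)))
    print("blocked by port:  ", dict(blocked_ports(recs)))
    print(pfctl_add_command(bad_host_candidates(recs, threshold=3)))
```

Run it against real output with `tcpdump -r /var/log/pflog -n -e | python3 pflog_summary.py` after replacing SAMPLE_PFLOG with sys.stdin.read(); review the candidate list before adding anything to the table, since a shared NAT address can look like a flood.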
  8. Hi guys, Running a server for a year and a half while a bunch of guys gets paid to destroy it by any means ends up giving you a good insight in what the word security really means. So, after being the target of almost every type of attack possible over the Internet, I think I am ready today to write a quick checklist on how your Metin2 server should be secured from criminal and disruptive behavior. I will divide it into several parts: ingame, website, server, staff. I will try to explain in brief how those attacks are executed, but the focus here is in how to defend from them effectively. I do not want this checklist to serve the purposes of hackers. But be aware; you are never 100% safe - it depends on how much your enemy is willing to work on it. So this should be taken as a bare minimum. And don't forget: the science of destruction evolves constantly. What is considered safe today, might not be so safe tomorrow. Disclaimer: This text reflects 5 years of experience managing a server's technical aspects. I do not do certain things (like quests) for a long time so excuse me for any mistakes I may be making here. Part 1 - Ingame bugs and exploits This part refers to threats that may realize through the game client or external software that acts through the game client. While often overlooked, sometimes these can be more dangerous to your server than any other type of attack. Keep an eye in your server's economy - the average price of items. If prices for a particular item or all of them change suddenly, there may be some obscure reason behind it. That is one of the reasons why we keep public and private statistics on the average market price of every item at WoM. One of the most common mistakes - and I commited this myself - when one wants to extensively edit everything is having an item give you more Yang when you NPC it than it costs to buy it from a shop. This gives unlimited Yang to whoever discovers it. 
There are even public bots which automate the process of buying and selling these items. The effect on the economy is devastating over a sufficient long period, not to mention that it's unfair that some people are infinitely rich and unbalance is never good for any MMORPG. Have your GM double check that no item can be sold for more than it costs. However, this is not the only way that a player can obtain access to unlimited resources. Badly written quests may allow players to obtain their rewards repeatedly by closing their clients while a quest dialog is open. One simple way to avoid this is to make sure that the commands which reward the player are the last in the code block before changing state. Now going into disruptive behaviour - the most annoying probably are the bugs which cause a server core to crash. The most famous is probably the number_ex bug. This causes several commands which depend on this function such as dice to be exploitable by using certain parameters. This bug is fixed in rev 40k and therefore in any game compiled from the source. If you are using 34k, the best you can do is use iMer's lib which provides several security enhancements. If you are using 2089, there are public diffs that patch this. Another bug exists in the war command in 34k and older which leads to a server crash. You cannot disable this command as it is used by the guild leaders to war other guilds. iMer's Lib takes care of this bug in 34k. Older and less known is the gold drop core crash bug present in 2089 and fixed -I believe- in 34k. Dropping huge amounts of gold or any other item which you can acquire in huge numbers in a map will cause the server to crash. I am not aware of public fixes for this exploit. Another favourite is the kickhack or sync position hack -partially fixed only in 40k- which allows a malicious user to disconnect other players at will. There are even videos of this being done in DE years ago. iMer's lib provides a fix for rev 34k. 
Finally, we have the long list of cheats which purely seek to gain advantage while playing. There are several client protection tutorials and services around this forum so I won't extend myself here about the subject. Part 2 - Server and OS Here we talk about the threats that affect your server and Operating System Part 2.1 Choosing and preparing your server There is no doubt at the moment of writing this that the french hosting company OVH provides the most cost-effective anti-ddos solution in the market. While many companies provide DDoS protection services, these cost several times as much as OVH offerings and this increase does not necessarily translate into a better protection. Therefore we will assume that you are renting either a dedicated server at OVH or a VPS at Eterhost as those are the ones I'm familiar with. Other providers or resellers may be configured in a different manner. Dedicated Server at OVH There are two flavors of the Anti-DDoS solution: Basic and Pro. Basic is free when renting a Kimsufi or Soyoustart server (cheap and intermediate OVH brands respectively). What it does is detect attacks directed at your IP address and route your traffic through the mitigation system during the attack. This is not enough to deter a dedicated hacker though - before the attack is detected, your server may be collapsed for a few minutes, and this can be repeated every hour by the attacker, as happened with one of the TEC attacks on WoM about 1 month ago. The PRO version comes with all the OVH proper (also known as professional) line of servers. It adds the ability to route traffic permanently through the mitigation system and provides you with a simple hardware firewall. This is what you should get if serious attacks are a concern, specifically an Enterprise line server (cheapest is at about 100€/month, VAT included) How to activate permanent mitigation on OVH Professional servers: - Open the new manager. 
If you don't know where this is, open the classic manager and click on "Home" and then below on the "Dedicated" icon. - Click on IP on the column at the left - Click the little wheel that appears at the right of your server's IP address - Select "Mitigation: permanent" How to set up the hardware firewall: - Click the wheel again and select "Activate firewall". Wait around a minute and then reload the page. - Click the wheel and select "Configure firewall" - You will be presented with the rules screen. You can add up to 20 rules to deny or allow specific ports on the firewall. Start by adding the allowed ports in the lower numbers and end with a global deny rule. Leaving a field blank in the "Add Rule" dialog will result in a wildcard; so if you leave the IP address field blank, this rule will affect all IPs. Adding an allow port port rule: click on Add Rule; choose rule priority; select protocol (TCP or UDP); select Accept; enter the port number. Adding a global deny: choose rule priority (must be higher than the allow port rules); select protocol (TCP or UDP); select Deny. Here is an example set of rules. We have added the SSH port and the game & auth ports, as well as 3306 so our website can connect to MySQL. You can specify the webserver's IP in the rule to prevent others from connecting to your database, although I personally prefer to do this at the software level with the pf firewall; in any case, port 3306 must not be public. "How do I connect with Navicat then?" Simple, use the SSH Tunnel option. This logs you in to SSH and then connects to the MySQL server as localhost. You must enter your server's SSH login details in the SSH, and your MySQL login details in the General tab, but remember we are connecting to localhost or 127.0.0.1: that's what you must enter in hostname, NOT your server's public address, as MySQL doesn't see us as a remote user anymore. Regarding UDP: UDP is your enemy. Disable it completely as I did in the above ruleset. 
The official client previously used UDP to check on server status, but it's trivial to override it in Python so it always shows "NORM" regardless of the result of servercheck. If you are using 40k or source, the check already uses TCP, but your ports must be lower than 32768 (or the source modified) for it to work.

VPS at Eterhost

Our VPS are always routed through the mitigation system. The hardware firewall can be activated and configured to your needs for 5€/month extra.

Part 2.2 - Hardening SSH

First things first: have your OS always updated to the current version.

It is often recommended by experts to access your server through a non-administrative account (some operating systems such as CentOS even force you to create one at install), so that's what we will be doing. We will create a restricted user for our game server:

adduser game

We can leave everything as default except for the login group: enter "wheel" here. Users which are part of the wheel group can use the su command to gain administrator privileges. This allows us to completely block root from remote login.

Now it's time to create an SSH key for our new user. This makes bruteforce virtually impossible.

Finally, let's prevent login from root, and login without key:

ee /etc/ssh/sshd_config

Look for the "PermitRootLogin" line and leave it this way, uncommenting if necessary:

PermitRootLogin no

And next look for the "PasswordAuthentication" setting and edit it so it looks like this:

PasswordAuthentication no

Now let's restart ssh for the changes to take effect:

service sshd restart

Warning: at this point, you should open a new PuTTY window to test that you can log in with the new user and key, and that you can use the su command to gain root privileges. Wrong settings may lock you out of your server.

Once everything is working, upload your server files to /home/game. This is the home directory of the user, a bit like "My Documents" in Windows.
Make sure you change permissions on the files so the "game" user can read and write them:

chown -R game /home/game

(This command must be run as root! Only root can change someone else's permissions.)

To switch between the game and root account, you use the su (short for superuser) command:

root# su game
Password: (game user's password)
game# su
Password: (root user's password)
root#

Or:

root# su game
Password: (game user's password)
game# exit
root#

Finally, it may be a good idea to install sshguard for extra security, or change your SSH port if you don't like your logs being spammed by portscans. To change your SSH port, edit the Port line in /etc/ssh/sshd_config and restart the sshd service as indicated above. Remember to open the new port if you are using a firewall or you will lock yourself out of the server.

Part 2.3 - Software Firewall: pf

At this point it's a good idea to add a second line of defense with the pf firewall. First we will create the /etc/pf.conf file following this sample config.

ee /etc/pf.conf

Make sure you enter the correct interface and all the ports which must be open: SSH and game ports in our case. Neither P2P ports nor the db core port should be open to the public! Under trusted_hosts, enter the IP address of your web server so it can connect to the database (we assume a typical setup of web server + game / db server here) instead of opening port 3306 to everyone. This firewall provides us with scrubbing and rate limiting capabilities which the hardware firewall doesn't.

Next we will enable pf:

kldload pf
pfctl -e

Check that everything is working fine and then add the following line to /etc/rc.conf to load pf on boot:

pf_enable="YES"
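A small audit script for the SSH hardening steps in Part 2.2, written as an added example (it is not part of the post above and not the author's code). It checks that PermitRootLogin and PasswordAuthentication are set to "no" outside a comment (the post's "uncommenting if necessary" is where people slip: a commented "#PermitRootLogin no" is not an active setting) and that the SSH port, moved or not, is in the list of ports your firewall allows, which is the lockout the post warns about. The two sample configs are constructed for the demo.

```python
"""Audit an sshd_config against the hardening steps above (added example, not the
post's own code).  Input is a constructed sample; the parser follows sshd's own rule
that the first uncommented occurrence of a directive wins, so a commented-out
"#PermitRootLogin no" counts as NOT set."""
import re

# Directives the post sets explicitly.  None means "absent from the file", in which
# case sshd falls back to its compiled-in default and the post's intent is not met.
WATCHED = ("permitrootlogin", "passwordauthentication", "port")


def parse_sshd_config(text):
    """Return {directive: value} for the watched directives, or None when a
    directive is never set outside a comment.  Directives inside a Match block are
    skipped because they apply only to the matched users, not globally."""
    effective = dict((k, None) for k in WATCHED)
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and commented defaults
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match or key not in effective:
            continue
        if effective[key] is None:               # first occurrence wins, like sshd
            effective[key] = value.lower()
    return effective


def audit(text, firewall_tcp_ports):
    """Return a list of findings.  An empty list means root login and password
    authentication are explicitly off and the SSH port is in the firewall's allow
    list, so restarting sshd will not lock the administrator out."""
    cfg = parse_sshd_config(text)
    findings = []
    for name in ("PermitRootLogin", "PasswordAuthentication"):
        value = cfg[name.lower()]
        if value != "no":
            findings.append("%s is %s, expected no" % (name, value or "not set"))
    port = int(cfg["port"] or 22)                # sshd listens on 22 when Port is absent
    if port not in firewall_tcp_ports:
        findings.append("SSH port %d is not in the firewall allow list (lockout risk)" % port)
    return findings


# Constructed samples: a stock file with defaults commented out, and the file after
# the edits described in the post, plus a moved SSH port.
SAMPLE_BEFORE = """\
#Port 22
#PermitRootLogin no
PasswordAuthentication yes
Subsystem sftp /usr/libexec/sftp-server
"""

SAMPLE_AFTER = """\
Port 2222
PermitRootLogin no
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
"""

if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit(sample, {22, 13000, 13001}))
```

Run it against the real file with the ports from your OVH or pf ruleset before you restart sshd; a non-empty list is the moment to fix the config from the session you still have open.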
9. Hello guys. I'm Narvikz, I've been in the Metin2 scene since forever, actually I feel like I'm kind of the furniture already and unluckily full of dust by now.

This will actually be one of the slight amount of contributions I've given to metin2dev, I've jumped off ship a while back since this game died but apparently some trolls still support it, anyway that's not related to this thread so let's keep it out of here.

As there's still demand for some reason so is there a supply of game hacks, it's the basics of games, the more players there are the bigger the market for payhax and so the more profitable they are. I was contacted by a friend of mine (Runah Services) who told me that he wasn't able to detect m2bob in any way, he also said that there are very few people who are doing it and those who are able to detect it were keeping it private, he did not find anyone providing a satisfactory service to protect against these tools.

What I have to say about this? You fools, you clueless fools. So, let's face it, you guys just don't have a clue about what you are doing. Right off the bat I could enumerate dozens of ways to systematically detect that m2bob is running on some system and think of its basic architecture. But first, let's talk about its architecture and how we can defeat it.

Architecture

M2Bob - Patcher.exe: This is the start-up process when you first start using M2bob, this will generate a 128-bit digest (probably MD5) for each file that is to be checked on disk, send it through a POST HTTP request to an API that will compare the client side files to the server side up-to-date files, if any file's digest is any different it will download the most up to date file using the HTTP protocol and replace it on disk. This patcher will connect to a web server hosted at the subdomain ni220471_1.vweb02.nitrado.net and as you can see in the spoiler, little reservations has Slait as to what's hosted there.
Once everything is updated it will open M2Bob.exe which we'll talk about next.

M2Bob.exe: This file when opened from outside the Program Files will create a randomly named (yet with constant size - 10 characters) folder inside of the Program Files folder of your computer and then another one with the same template. After that it will spawn a copy of itself with a random name (yet same size once again) and do the same for the M2Bob_Dll.dll changing its extension to ".e" instead of "dll". After that it will open that randomly named executable and execute from there. Once you press the button to start the game it will spawn a metin2client instance, it will inject its module into the process memory. After that it doesn't close the open HANDLE to the game which leaves us a HUGE detection vector to take advantage of.

M2Bob_Dll.dll: This module once injected into metin2client will run a few signature scans to find the game's subroutines it needs to call in order to simulate game actions. If you take a look into the module's memory you can see those patterns and their masks quite easily, this uses a standard FindPattern function that's been around since the very start of the cheating scene. It will then automate the actions of the player using complex algorithms which are not relevant for what we care about.

Security wise all M2Bob does is hooking Module32Next and whenever at your iteration through the module list you hit the m2bob random named module it jumps it to the next one, successfully hiding its module from the simplest of all module enumeration techniques. Good job Slait, always work for the minimal standards and do not think out of the box.

The hooking method used is the BIGGEST PILE OF CRAP I'VE EVER SEEN being done on a Windows NT based Operating System. This is still a detour with a trampoline hook at function start but instead of replacing the first 5 bytes with a JMP + 32 bit absolute memory address he does THE MOST RETARDED SHIT I'VE SEEN IN A WHILE.
Trust me guys, I've seen so much retarded shit lately, but Slait takes the crown on this one, he really deserves it since he's put a lot of effort into this. Instead of copying the first five bytes of this function, replacing it by a simple JMP to a memory region where it has these first five bytes followed by his detour function and then a trampoline JMP back to where it all started, he managed to do an 8 FUCKING BYTE LONG in-line hook, when literally every Windows API function is compatible with hotpatching (easy first 5 bytes hooks).

System Overview

The whole system is really weak, it circumvents the protection mechanisms that it is supposed to, which are a PILE OF CRAP like HackShield and GameGuard or whatever the fuck GameForge is using nowadays, but it doesn't really think out of the box when it comes to protection and obfuscation. Slait wouldn't stand a chance if GameForge purchased an actual decent service from someone who has a single clue about what they're doing (lol, even fucking Bastian Suter would perform better) instead of this pile of crap. There's no solid DRM and the system is overall really weak and shouldn't take much longer than a few hours to crack for a talented reverse engineer.

Detection Vectors

Well, I don't even know where to start, the whole system is flawed and weak, there are holes everywhere so I'll enumerate some quick detection vectors I can think of, and yes, I HAVE TESTED MOST OF THOSE AND THEY WORK.

Method #1 - Hidden Memory Pages (TESTED & WORKING)

Iterate through memory pages and using VirtualQuery find those which are 4096 bytes long (size of the PE header) and being used, for those check if you can get a DOS MZ executable signature, and if you do then you most probably have a PE header memory page. Cast that memory address to NT header and check the TimeDateStamp and/or SizeOfCode or other parameters that are constant (there are tons of them) and allow you to uniquely identify m2bob.
Method #2 - Open HANDLEs to game process (TESTED & WORKING)

You're gonna have to use the Native API and some undocumented structures and functions to get this done, it's really easy to do so though, shouldn't take you longer than an hour to be able to enumerate all you need to do this.

Calling NtQuerySystemInformation with SystemHandleInformation as first parameter while the return value of this function is different than STATUS_INFO_LENGTH_MISMATCH or STATUS_BUFFER_OVERFLOW you are able to populate a SYSTEM_HANDLE_INFORMATION object which will have the first 4 bytes as the count of SYSTEM_HANDLE objects present in an array that follows it. This list once populated will contain all the HANDLEs opened in your environment, this means all the File, Registry Key, Process, Thread, etc. HANDLEs will be enumerated and will be in that list. But to know the type of HANDLE you're dealing with you have to first call QueryObject on that HANDLE with ObjectTypeInformation to know more about it. This will get you a UNICODE string that will contain the HANDLE type, you only want the ones that are "Process" so you can filter the irrelevant ones out.

Then you can check if the HANDLE is targeting your game's process id (you can get your process id at the PEB of your process), if it is you're gonna want to run some checks on that process to check whether it's a legit one or a blacklisted one. You can do this by opening a HANDLE to it with OpenProcess and PROCESS_QUERY_LIMITED_INFORMATION as parameter. Then you're gonna want to get the executable path on disk using QueryFullProcessImageName, from there you can just read the first 4096 bytes of that file, cast them to NT header and do the same checks as mentioned above.
Alternatively you could just open the handle with PROCESS_VM_READ privileges, and use ReadProcessMemory to get the PE header, but PROCESS_QUERY_LIMITED_INFORMATION never fails, even if the process is run as administrator or it is a system process, and since m2bob doesn't use any dynamic forking technique it is pointless to use anything more than that.

Method #3 - Integrity checks at Module32Next (TESTED & WORKING)

Okay, this might sound retarded because there's malware that will spread to every process in the target system and hide itself using a user-mode rootkit that might hook Module32Next, thing is, Slait's kind of hooking is so retarded there is no actual way this would raise a false positive. This is his retarded hook:

The 1st byte will always be FF, the 2nd will always be 25, the 7th will always be E4 and the 8th stays at a constant F8 as well. Check those and insert a huge dildo in Slait's ass, seriously, it isn't that hard really. Do you think that's even hard? Please......

Method #4 - DNS Cache (Untested But Will Work)

So, now we're jumping to the shitty methods that are only here to fill the thread just so you can be proven wrong when you say it can't be done. Basically whenever you resolve a domain name a UDP request is sent to your DNS server asking for the resolution of a certain domain or subdomain, it will answer with some records for that domain, these records contain the IP address it resolves to, and that IP address will be the one you'll connect to using the Internet Protocol version 4. Your operating system will cache those resolutions so that each time you need to have that domain resolved it doesn't bother your DNS server with requests each time and there is a faster resolution, you can use this to beat M2Bob once again. You don't wanna look for m2bob.net since that could flag players that just crawled around that website, but if you flag their patch server subdomain, you can actually accurately flag players that have been using m2bob.
Remember ni220471_1.vweb02.nitrado.net? Yup, flag the shit out of it.

Method #5 - USN Journal (Untested But Will Work)

The USN Journal is a system in NTFS that keeps track of changes to files in the user's system. It will contain the timestamp of the said change, the file name and the reason for the log. The first two need no explanation, as to the third it could range from opening the file, deleting, moving, renaming, creating, etc, etc. How's this useful? Remember how opening M2Bob.exe spawns a different executable in the Program Files folder and opens it? Well, you don't access that executable directly, you still open M2Bob.exe, this means that you could just look for entries in the USN Journal in the last 15 minutes or so that contain the name M2Bob.exe and are followed by some program in the Program Files folder a few milliseconds after (or even skip the latter) that has been opened and just kick the player from the game whenever you detect it.

Additional Methods

Detection vectors, detection vectors everywhere, I laugh at all the incompetents that for months tried to do it and failed systematically, you fools, how can you be so clueless?

Even though Module32Next is hooked Module32NextW is not, which means that if you use the UNICODE alternative of the kernel32 library you will get unfiltered results - Good fucking job Slait, incompetence at its fittest (inb4 every incompetent out there edits a public anti cheat source to use Module32NextW LOL)

Haven't checked it, but even though Windows API module enumeration functions are hooked to spoof the results, you should be able to use the InInitializationOrderModuleList, InLoadOrderModuleList or the InMemoryOrderModuleList to find its module.

Just be h4rdc0r3 and use syscalls. Since you're incompetent you won't do this, hell you couldn't even get the indexes for your own operating system version let alone do it for 20 different versions per each function you wanna call.
Anyway just implement the native API functions without actually calling them, this can be done really easily and WITH LITTLE INLINE ASM CODE using naked hooks, that will make sure that you don't break the stack inside of the function. You can look into this HERE. Your function call will be done within the kernel, meaning that this would bypass any placed hooks by Slait.

Why the hell would your metin2 game process own 2 windows bruh? Doesn't make sense to me, just kick them dude.

Signature scans, this is pointless because his system is all flawed but could be a nice backup resort if he ever decides to use his brain. Pretty sure m2bob has some exported shit in their PE header, just scan for it using the hidden PE header detection shown above.

As I'm really fucking tired already of writing a long ass thread incomparable to anything ever seen before here or anywhere released publicly online I won't even write down any more detection vectors, the system is filled with holes, I think I've proven my point already and it's pointless to keep doing this.

This is a rant thread because you guys that own a metin2 server to make a quick buck should be ashamed of how unskilled you actually are, you are complete incompetents that keep leeching public releases and stealing other people's/servers' work, claiming it as your own or often not even mentioning it since people just don't even care any more. You provide public PAID services in an area you don't have a clue about, you're just scamming customers and selling them dreams.
It is really frustrating for me since I left the scene when I was still a kid, I barely knew English and I stayed mostly on my local country's forums, my contributions back then were merely in the translation area, I've put a lot of effort into it now that I think about it, after that I limited my contributions to helping people with general Linux/BSD issues, but then it seemed that owning a Metin2 private server built with pieces and pieces of stolen or leaked work was a trend, and I got really really pissed at the whole scene, I just started trolling all the retards asking for assistance with BSD issues that are from 101 classes, obvious errors that even my grandfather could solve and other retarded threads.

Have fun guys, I know most of you won't use this for anything since even being spoonfed all the methods you're so clueless you can't write this down in code, but maybe there's someone out there that will actually use some nice tips like this, and since I gave them to one guy privately on Skype I might as well post them publicly for everyone to see.

I've been contacted by SandMann016 to work with him, and to be honest it kind of makes me sad that I am releasing this, I never managed to proceed with those plans but still, he seemed to be a decent guy back when I first met him, but oh well, here it is now.

/rant
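The header check that Method #1 and Method #2 above both end in (take a 4096-byte page, confirm the MZ and PE signatures, read TimeDateStamp and SizeOfCode from the NT header, compare against known values), written out as an added example; it is not the post's code nor anything shipped with the tool it discusses. The Windows-specific part (walking pages with VirtualQuery, or reading the first 4096 bytes of the image path behind a process handle) is left to the caller: this block only implements the portable header parse and fingerprint match, and the blacklist entry and the sample header are constructed placeholders, not real module values.

```python
"""PE-header fingerprinting shared by Method #1 (a 4096-byte page found with
VirtualQuery) and Method #2 (the first 4096 bytes of the file behind an open
process handle).  Added example, not the post's code: the header walk is portable
Python, the memory/file acquisition is left to the Windows side, and the
blacklist values are constructed placeholders rather than any real module's."""
import struct

IMAGE_DOS_SIGNATURE = 0x5A4D       # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550    # "PE\0\0"
PAGE_SIZE = 4096


def parse_nt_header(page):
    """Return the constant fields the post suggests comparing (TimeDateStamp and
    SizeOfCode, plus NumberOfSections) or None if the page is not a PE header."""
    if len(page) < 0x40 or struct.unpack_from("<H", page, 0)[0] != IMAGE_DOS_SIGNATURE:
        return None
    e_lfanew = struct.unpack_from("<I", page, 0x3C)[0]
    # Need Signature(4) + IMAGE_FILE_HEADER(20) + the first 8 bytes of the optional header.
    if e_lfanew + 32 > len(page):
        return None
    if struct.unpack_from("<I", page, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        return None
    # IMAGE_FILE_HEADER starts at e_lfanew+4: Machine, NumberOfSections, TimeDateStamp, ...
    _machine, nsections, timestamp = struct.unpack_from("<HHI", page, e_lfanew + 4)
    # IMAGE_OPTIONAL_HEADER starts at e_lfanew+24: Magic, Major/MinorLinkerVersion, SizeOfCode
    size_of_code = struct.unpack_from("<I", page, e_lfanew + 28)[0]
    return {"TimeDateStamp": timestamp, "SizeOfCode": size_of_code, "NumberOfSections": nsections}


# Constructed placeholder fingerprints keyed on (TimeDateStamp, SizeOfCode).  A real
# deployment records these from the module it wants to recognise.
BLACKLIST = {(0x5A8F3C21, 0x0003A000): "constructed-sample-module"}


def match_fingerprint(page, blacklist=BLACKLIST):
    """Label of the blacklisted module this header belongs to, else None."""
    header = parse_nt_header(page)
    if header is None:
        return None
    return blacklist.get((header["TimeDateStamp"], header["SizeOfCode"]))


def scan_pages(pages, blacklist=BLACKLIST):
    """Run the check over a sequence of candidate pages (memory pages or file heads)
    and return the labels of every recognised module."""
    labels = (match_fingerprint(p, blacklist) for p in pages)
    return [label for label in labels if label is not None]


def build_sample_page(timestamp, size_of_code, nsections=3):
    """Constructed minimal PE32 header page used as test input; not a real binary."""
    page = bytearray(PAGE_SIZE)
    e_lfanew = 0x80
    struct.pack_into("<H", page, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", page, 0x3C, e_lfanew)
    struct.pack_into("<I", page, e_lfanew, IMAGE_NT_SIGNATURE)
    struct.pack_into("<HHI", page, e_lfanew + 4, 0x014C, nsections, timestamp)  # i386
    struct.pack_into("<H", page, e_lfanew + 20, 0xE0)           # SizeOfOptionalHeader (PE32)
    struct.pack_into("<HBBI", page, e_lfanew + 24, 0x10B, 14, 0, size_of_code)  # PE32 magic
    return bytes(page)


if __name__ == "__main__":
    pages = [bytes(PAGE_SIZE), build_sample_page(0x5A8F3C21, 0x0003A000), build_sample_page(1, 2)]
    print(scan_pages(pages))
```

The bounds check before reading e_lfanew matters in practice: a page that happens to start with "MZ" but carries a garbage e_lfanew would otherwise make the scanner read past the buffer, which is exactly the kind of crash a cheat author can provoke on purpose.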
10. Note: This tutorial was originally written on 26-01-2017 for a pserver.
Note: I don't have the SDK, I'll notify the admins if I manage to find one (it's missing on the temp forum).
Note: AhnLab HackShield is deprecated, it has not received any update since 2013 or similar.

1. Extern

Go to Extern/include and create a new folder called hackshield (if you already have some files inside, remove all of them). Put the files from (Your HackShield SDK Zip)/Include to Extern/include/hackshield. This step must be done on both Client and Server Extern.

Copy from (Your HackShield SDK Zip)/Lib/Win/x86/MultiThreaded to Extern/lib the following files (Client only):
HShield/HShield.lib
AntiCrack/AntiCpXSvr.lib

Copy (Your HackShield SDK Zip)/Developer/Lib/Win/x86/Multithreaded/HShield.lib to Extern/lib/HShield_d.lib (yes, you have to rename this).

Copy (Your HackShield SDK Zip)/Lib/FreeBSD/x86/AntiCrack/LibAntiCpXSvr_st.a to Extern/lib (Server only).

Create a new file called hshieldLibLink.h in Extern/include/hackshield (both Client and Server) and put this:

#ifndef _HACKSHIELD_INCLUDE_LIBLINK_H_
#define _HACKSHIELD_INCLUDE_LIBLINK_H_
#ifdef _MSC_VER
#ifdef _DEBUG
#pragma comment(lib,"hshield_d.lib")
#else
#pragma comment(lib,"hshield.lib")
#endif
#pragma comment(lib,"HsUserUtil.lib")
#endif
#endif

2. Client source: Adding /CLR

-- Special note: you need to rebuild libjpeg, lzo, cryptopp with /MD and /MDd (defaults are /MT for CryptoPP, /MD for libjpeg and lzo if cmake is being used).

You have to edit the VCXProjects. Go to C/C++ -> All Options and find /M. In Distribute/Release you have to set the "Runtime Library" value to /MD. In Debug you have to set that to /MDd.

Now you have to go on General (in the project settings) and set "Support with Common Language Runtime" to 1 (/clr).

Now go on C/C++ -> All Options and find /RTC and change that to "Default". Now go to All Options and write in command line: "/RTC:NO"

--- Special note: this step was intended for an old CryptoPP version
(I think v5.x?), follow this step only if you receive issues.

Now rebuild everything and you won't have the "mutex is not supported in CLR" error.

3. Client source: Adding HackShield

Open UserInterface/HackShield.cpp. You will find the following lines (or something similar at the beginning of the file):

#if defined(LOCALE_SERVICE_EUROPE)
#define METIN2HS_MONITORING_SERVER_ADDR "79.110.88.84"
#elif
#define METIN2HS_MONITORING_SERVER_ADDR "79.110.88.84" // GF
#endif
//#define METIN2HS_MONITORING_SERVER_ADDR "119.192.130.160" //김용욱 pc

Replace all with this:

#define METIN2HS_MONITORING_SERVER_ADDR "YOUR IP OF THE MONITOR SERVER"

-- Extra note: the monitoring server should be a server used to monitor running instances of HackShield, I never went deeply into this, perhaps you can find some extra information in the HackShield SDK docs.

OK now open UserInterface/Locale_inc.h and add this:

#define USE_AHNLAB_HACKSHIELD // HackShield
#define METIN2HS_INCLUDE hackshield

Open HackShield.h and replace:

#include "HackshieldLicense.h"

with:

#include "HackshieldLicense_metin2client.h"

Open UserInterface/HackshieldLicense_metin2client.h and replace:

#define METIN2HS_EXE_FILE_NAME "metin2client.bin"

with:

#define METIN2HS_EXE_FILE_NAME "NAME OF THE METIN2 CLIENT.EXTENSION"

Example:

#define METIN2HS_EXE_FILE_NAME "testclient_arves100.exe"

Now you need to set up your project to compile and use it without errors. Open the UserInterface Properties page: when you see Common Language Runtime Support (CLR) set it to /clr (if you use any other it won't compile/link properly).

Now go on C/C++ -> Enable C++ exceptions (sorry for bad translation <.<) and change "Yes (/EHsc)" to "Yes with SEH exceptions (/EHa)".

Extra: If you get the error "DEFAULT_HSMS_TIME_OUT not defined" you have to do this: Open Extern/include/hackshield/hshield.h and delete DEFAULT_HSMS_TIME_OUT. Add after:

#ifndef _HSHIELD_H_INC
#define _HSHIELD_H_INC

this:

// Fix for compilation error
#ifndef DEFAULT_HSMS_TIME_OUT
#define DEFAULT_HSMS_TIME_OUT (5 * 1000) // 5 seconds
#endif

3. Server

Open game/src/Makefile and change this:

# HackShield
INCDIR += -I../../libhackshield/include
LIBDIR += -L../../libhackshield/lib
LIBS += -lanticpxsvr

to:

# HackShield *New*
INCDIR += -I../../../Extern/include/hackshield
LIBS += -lanticpxsvr_st

Open game/src/HackShield_Impl.cpp and edit this line:

handle_ = _AhnHS_CreateServerObject("metin2client.bin.hsb");

with this:

handle_ = _AhnHS_CreateServerObject("data/<client file name.extension>.hsb");

Open your Auth and Game CONFIGs and add this:

hackshield_enable: 1

Extra: "hackshield_first_check_time" and "hackshield_check_cycle_time" are 2 CONFIG variables.
First check time: it tells after what second the server should ask for the first heartbeat of HackShield.
Cycle time: it tells after what second the server should ask for a heartbeat of HackShield.

4. Client binary

You have to copy from (HackShield SDK Zip)/Bin/Win/x86/HShield to the Client Binary Folder. If you want to use the development HackShield (recommended for Debug or QA) copy all content from (HackShield SDK Zip)/Developer/Bin to (Client Binary Folder)/HShield. Remember: do not distribute the development files (/Developer/Bin/), always use the release (/Bin/).

If you want to periodically release updates for your HackShield you have to copy all content from (HackShield SDK Zip)/Bin/Win/x86/Update to your HShield folder in the Client Binary Folder.

5.
Configuring HackShield

We will work in (HackShield SDK Zip)/Bin/Win/x86. We must set up the AntiCrack that will check if the client integrity is ok.
AntiCrack/HSBGen.exe will generate our HSB file.
AntiCrack/HSBHelper.exe will check if the files are ok.

Explanation: The output file will have the same name as we set in HackShield_Impl.cpp before. If you have to sign your exe make sure you do that after you used HSBGenerator. If you use any other packer than UPX you must select "Execute Packet Exe File".

Now it will generate a hsb file, put this file in (Server Binary Folder)/data/. You can now check the hsb file with the client to see if everything matches.

We need to tell HackShield which server it uses to update our HShield files (only if you want HSUpdate.exe). Open Util/HSUpSetEnv.exe.
-- Extra note: this is used for updating HackShield content from a remote server, you might want to ship it and not use HSUpdate.exe.

Let me explain this application: after you save, it will create a HSUpdate.env file which you have to put in (Client Binary Folder)/HShield.

Extra: Configuring the HSUpdate server
If you want to use the FTP transfer method you have to configure an FTP server with the username and password you want to use (I won't explain this). You have to copy the folder PatchSet to your webserver. Normally when you update your HackShield SDK you will get the update PatchSet for updating your client's HackShield to the latest version. Every time you get a HackShield SDK update (mine is from 2012) you have to put the new PatchSet and distribute the new client (.exe).

Extra: Disabling HS Monitor
In HackShield.cpp, change the _AhnHS_StartMonitor function to this:

#ifdef ENABLE_HACKSHIELD_MONITOR
DWORD dwRet = _AhnHS_StartMonitor(HsExtError, szInterfaceFilePath);
if (dwRet != ERROR_SUCCESS)
{
    MessageBox(NULL, MA_T("START_MONITORING_SERVICE_ERROR"), "HACK_SHIELD", MB_OK);
}
#endif

Extra: Customizing names
We saw before how to customize the .hsb file name for the Server, check out the Server part if you missed it. HSMonitor Client Name and Version can be set in UserInterface/HackShield.cpp by editing this:

strcpy(HsExtError.szGameVersion, "1.0.0.0"); // game version
strcpy(HsExtError.szUserId, "Metin2User_test"); // user ID

If you changed the locale/ folder you also have to edit this:

#define PREFIX_LOCALE "locale/"

If you want to edit the EhSvc.dll name and folder you have to edit this:

#ifdef _DEBUG
MA_PathMerge(szInterfaceFilePath, MA_ARRAYCOUNT(szInterfaceFilePath), szModuleDirPath, "hshield\\EHsvc.dll");
#else
MA_PathMerge(szInterfaceFilePath, MA_ARRAYCOUNT(szInterfaceFilePath), szModuleDirPath, "hshield\\EHsvc.dll");
#endif

If you want to change the HShield folder you have to edit this:

MA_PathMerge(szFullFilePath, MA_ARRAYCOUNT(szFullFilePath), szModuleDirPath, "hshield");

I don't have any working image or anything to show, I think I can confirm that it should work fine.
11. In constInfo.py add:

def GetInjectText(text):
    # Keywords and characters that must not appear in the shout text.
    characters = ["SELECT", "TRUNCATE", "INSERT", "REPLACE", "DELETE",
                  '/', '>', '<', '|', ';', ':', '}', '{', '[', ']',
                  '%', '#', '@', '^', '&']
    # Return True as soon as one of them is found in the text.
    for token in characters:
        if text.find(token) != -1:
            return True
    return False

Use:

def __SendShoutChatPacket(self, text):
    if constInfo.GetInjectText(text):
        chat.AppendChat(chat.CHAT_TYPE_INFO, " SQL INJECT")
        return
    # ... the function's original packet-sending code follows here

Quote from a Turkish forum.
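The same keyword filter next to the server-side defence it is standing in for, as an added example (this is not the forum post's code and not part of any Metin2 source). Two things worth seeing on real input: the posted filter uses str.find, which is case-sensitive, so a lowercase "select" passes it; and a parameterised INSERT on the server stores the hostile string as plain data whether or not the client filtered it, while the same text spliced into an SQL string runs as a statement. sqlite3 is used in place of the game's MySQL, and the payload string is constructed for the demo.

```python
"""The posted filter in Python 3, beside the server-side defence that makes the
filter unnecessary for the database (added example, not the post's code).  sqlite3
stands in for the game's MySQL; the payload string is constructed for the demo."""
import sqlite3

# Same tokens as the posted GetInjectText.  The post compares with str.find, which is
# case-sensitive, so a lowercase "select" passes it; this version upper-cases first.
INJECT_KEYWORDS = ("SELECT", "TRUNCATE", "INSERT", "REPLACE", "DELETE")
INJECT_CHARS = "/><|;:}{[]%#@^&"


def looks_like_inject(text):
    """Client-side heuristic: True when the shout text contains a listed keyword
    (any case) or one of the listed characters."""
    upper = text.upper()
    return any(k in upper for k in INJECT_KEYWORDS) or any(c in text for c in INJECT_CHARS)


def store_shout_unsafe(conn, name, text):
    """The pattern the filter is guarding against: chat text spliced into SQL.
    Kept only to show the failure; executescript runs every statement it is given."""
    conn.executescript("INSERT INTO shout(name, text) VALUES ('%s', '%s');" % (name, text))


def store_shout_safe(conn, name, text):
    """Parameterised statement: the driver sends text as data, so it can never
    change the statement, whatever the client let through."""
    conn.execute("INSERT INTO shout(name, text) VALUES (?, ?)", (name, text))
    conn.commit()


def new_db():
    """Fresh in-memory table standing in for the server's shout log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE shout(name TEXT, text TEXT)")
    return conn


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM shout").fetchone()[0]


if __name__ == "__main__":
    payload = "hi'); DELETE FROM shout; --"        # constructed demo string
    print("filter flags payload:", looks_like_inject(payload))
    conn = new_db()
    store_shout_safe(conn, "Bob", payload)
    print("rows after safe insert:", row_count(conn))
    store_shout_unsafe(conn, "Bob", payload)
    print("rows after unsafe insert:", row_count(conn))
```

The client check is fine as a nuisance filter for chat, but anything the client sends can be sent without the client, so the query on the server side is the control that counts.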
12. Hi devs, I'm not the person who discovered this issue but I would like to share this with you.

According to the source: „On September 24, 2014, a GNU Bash vulnerability, referred to as Shellshock or the "Bash Bug", was disclosed. In short, the vulnerability allows remote attackers to execute arbitrary code given certain conditions, by passing strings of code following environment variable assignments. Because of Bash's ubiquitous status amongst Linux, BSD, and Mac OS X distributions, many computers are vulnerable to Shellshock; all unpatched Bash versions between 1.14 through 4.3 (i.e. all releases until now) are at risk.“

How to check if my machine is at risk? All you have to do is execute this command:

env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"

If your output is „Bash Test“, then you are safe and you can continue without any troubles. In the opposite case you have to be worried, because your output is „Bash is vulnerable!“ and your machine is not safe.

How do I become safe? You should update your version of bash ASAP. You can do it easily by executing this command:

pkg upgrade bash

Attention: Now execute the test program again and you should be safe, because it will give you the correct output.

Sources:
[Hidden Content]
[Hidden Content]
[Hidden Content]
13. Hello dear minions (oh how I love that one!), for my first guide I'll try to talk a little bit about securing your server. Many people know it: 3 weeks after your server started some wannabe-badass wants to break in. And maybe he'll be successful. It depends on you and just on you. Within the following text (yeah brace yourselves, this is gonna be a wall of text) I'll show you why it is so important that YOU get up your lazy ass and fix some issues.

I wrote this guide when many servers got attacked, that's why I was a bit ironic in every part of the guide. If you can deal with it, you're free to read the whole guide and maybe learn something new. It's mainly for beginners, but some experienced users may get something out of it. The guide was published with minor changes a long time ago in another board that's now "dead".

Anyways, let's get started! Securing isn't just "lul I copied and pasted it, now my server is perfect!!!111oneoneeleventwelve". It's much more! Get that. There are many variables, software versions and things you just NEED to care about. Make yourself comfortable with your system or you'll go down. If you're prepared to spend some time reading this guide written by such an ironic idiot like me you're on the right track! *thumbs up!*

First of all we need to be concerned about the most important things in security. The following things can give you a bad time and maybe some headaches:

-> You used a public homepage script without checking for security breaches. In this case: Shame on you.
-> You set up an insecure password for your authentications. In this case: Shame on you again.
-> You gave passwords or authentications to people who aren't trustworthy. In this case you know what I'm going to write here: Sh... False, in this case you're just an idiot.
-> The software got a security issue with which people can break in.
-> You don't protect against bruteforcing your passwords etc...

Most of the cases are the 4th, the 3rd and the first one.
Very rarely do other things come in handy for hackers. But we won't miss them, will we? Good. You're going to get a cookie at the end of the guide.

Let's just start with the most important things and how you can solve them:

-> Your homepage script got security issues? <-

Don't dare to answer the question. Maybe you aren't aware of it but some issues aren't visible that easily. First of all you need to get used to PHP at least a little bit. EVERY and yes, EVERY time a user can fill in a form or has the chance to put something in which will be used for a query, there could possibly be a security issue. Why? Because this method is called "SQL Injection". When you fill in a form, you can (if it's not secured) manipulate the query by adding some things. For example you can let the query execute a command to create a new user with full admin rights. Nah, isn't that fun? No, it isn't and you shouldn't do it to others.

How to fix this: Every time a user can access a form and his input is used to query a command for MySQL you need to force him to use only valid answers. But how? It's just easy. PHP offers a function mysql_real_escape_string(). You can just use this to clean the input from a user so it won't harm your MySQL server. Make sure you clean EVERY ONE of these inputs.

The next thing is file inclusions. For this, please forgive me but I'm using Wikipedia as my source. It's just a good example:

<?php
if (isset($_GET['COLOR'])) {
    include($_GET['COLOR'] . '.php');
}
?>

Look at this. What does this code do? If (maybe by using a form button) 'COLOR' is set in the URL, you can simply include files for your script. BUT! Be aware of the risks from this code. Every time you include something a user can manipulate (maybe through inputs or the URL), you're maybe going to have a bad time. In this method the value of 'COLOR' is written in the URL. GETs can be seen in the URL (at the end of your URL there should be a ?
and then the following names with their values). Let me give you an example. If you open this script like this: index.php?COLOR='blue' Everything goes like you want it. This is a valid color. But if you're a bad user and don't drink your milk, you're going to exploit it: index.php?COLOR='[Hidden Content]' What happens? The server tries to include a script made by another one! If he includes his own script he can cause VERY high damage. Not only minor, but MAJOR damage. Yes. He can use ../../../ to spy your folders too. There are many things a hacker can do with this. What do we learn about this? Never let the user manipulate or influence inclusions like he wants to. YOU are the admin, not he. Let's conclude the things and lock down the topic 'homepage script' for now. These are the most important things you need to do: -> check your script -> No really, check it. -> Now. When you check your script, remember looking for these things: -> Always use mysql_escape_string() to deny user from executing their own queries at your homepage -> Never let the user type in things to include (and really.. Don't use the url to get values for including files..). Except you can make sure that you're filtering the input in such a way that users simply can not manipulate it. If you checked the homepage script and you're happy with it, you can proceed. If not, then what are you waiting for? -> Your software is out to date and got security issues <- If you want to make sure your server doesn't get exploited and you can stand attacks, you need to update and configure it. Yes, it's true. Deal with it. You can't just update every software like you want. It's not like clapping in your hands and then having everything done. You need to know WHAT software you're running. Some programs are just insecure or instable and cause your system to fail. And of course: What OS version do you use? If you answer me '7.1' now you'd feel a hard kick in your... I guess you figured it out... 
Tricked, I was about writing 'ice cream'. But never ever use outdated software! NEVER. Write it down 15 times and you'll know it. I can't tell how often I saw people using 7.1.. If you don't know what version you're running just type in "uname -a". This will display the version. The first number tells us the branch you're using. For example '7.1' is a part of the 7th branch. If you want to upgrade your system, you'd use the built-in commands. You can try to use the latest versions, but you don't really need to get the 9-branch that fast. You can stay at the 8th branch for a while (but please, don't use the 7th branch). Use the following command to fetch the updates: freebsd-update upgrade -r 8.3-RELEASE This will fetch the updates to upgrade your system to 8.3. You can jump from the 7th branch to the 8th. If you're running 9.2 or better 10.0 everything seems fine. Yes, you read the wright word: SEEMS. Make sure you're running the LATEST patch-version of your system. This means you need to check for updates sometimes with the following command: freebsd-update fetch This will just fetch the updates for your version. You'll stay on the branch and the lower version of your branch, but you'll get the latest updates for your system. To install fetched upgrades you just need to type in: freebsd-update install This will give you a HUGE advantage if you're moving from 7.1 to 8.3 for example. The old verions are just obsolete. Don't use them. You can visit the freebsd homepage to get information about the latest versions. The next thing is the software. You can list your software with this command: pkg_info or with the new pkg management tool: pkg info This will list every package you installed and it's version. For software like php or mysql you'd use google to get a little bit more about the latest version. Sometimes things aren't that good with the newest version. 
Maybe some new bugs occur or php killed some old functions and destroyed your homepage with it's latest update. If you're going to update your software, you can use a pretty good package for it. It's called portupgrade. Before you're going to install it you need to learn how the ports-tree work. It's quite simple: Every programm FreeBSD accepts to the ports-tree will be added to the ports-list. It's installation files can easily be fetched and you can just install it from there. To fetch a whole new ports-tree (like when you set up your system and now want to install ports for the first time) you can use this command: portsnap fetch extract This will fetch the latest portsnap (like a bundle of every package) and extract it to /usr/ports If you already have the ports-tree, you can simply update it with this command: portsnap fetch update Make use of it!!! But updating the ports-tree isn't enough to keep your software at the newest version. If you update your ports-tree you've updated the installation files, but not the softwares itselves. You can simply update the software AFTER YOU UPDATED THE PORTS-TREE with the program mentioned above: portupgrade! You can install portupgrade with this: cd /usr/ports/ports-mgmt/portupgrade && make install clean After the installation you can just type in 'rehash'. Now make sure you really updated the ports-tree with portsnap fetch update. Type in the following command to run portupgrade then: portupgrade -ai It'll check every version and asks you wheter to install the newer version or not. You can simply decide yourserlf! Make sure you update your ports-tree sometimes and your software too! Also the choose of your serverfiles is important! You'd better use serverfiles that are trustful and not modified with backdoors etc.. Better use untouched serverfiles and do the stuff yourself instead of using instant tea that's poisoning you. You get the drift, right? Especially the gamefile is important. 
You'd either compile one yourself or use a gamecore that's proven to be stable und secure. I'd now advertise my gamefile and tell you hooow good it is but I won't, it's up to you to make your decisions. Just make sure you're using something that won't kill your server at last. -> You misconfigured your software. It can't stand attacks <- To secure your server even more, you need to configure it properly. Most programs offer you to configure it with a configuration file. PHP allows you to set up a php.ini-file (I won't get into this), mysql offers you the my.cnf (too) and ssh gives you the opportunity to set up sshd_conf So first of all we need to configure the basics! What is the most important thing on your server? Right! The SSH-authentication. If someone breaks in there you can say good bye to your server, maybe once and for all (if you haven't got backups and time to reinstall everything). So we need to set up ssh. In freeBSD there is the following file: /etc/ssh/sshd_config You can simply edit it. Look over it and maybe google what the settings mean at all. It's very important. The most important thing is the "protocol" setting. It's set to the old version by default. Make sure this line is in your sshd_config: Protocol 2 If you're using Protocol 1, people can break down your machine within a snip of your fingers. After you edited your sshd_conf you can restart sshd by using this command: /etc/rc.d/sshd restart TRY to connect to your server via a new putty instance after you restarted ssh! If it won't work you'd better NEVER reboot your machine or close putty until you fixed this!!! The next thing is the firewall. ALWAYS make sure you got one. I recommend pf, but for this I'll write more another day. Not this time. Maybe you can use a sample script but CONFIGURE IT! You need to block every p2p port from outer access so people can't use the API to kill your metin2 server. I'll tell more about this another time and maybe add it if this topic goes well. 
And at last you'd consider your user restrictions. If someone is able to break in, he shouldn't be allowed to cause much damage. In the best case you'd set up another user and restrict 'root' from logging into your server. Of course you can do this for mysql too! And yes, DO IT! Connect to mysql via navicat. After that click on the Button "User" in the upper menu. You can edit, create and delete users you don't like to have. Or you can change their passwords. And of course, you can restrict them in many different ways. For example you can create a homepage user which is only allowed to insert/modify the tables it needs in the right way. Why do they need to be able to delete tables? Just give them only the rights they need. Even if someone can break in with this user, it wouldn't be that hard for you since he can't destroy your whole server. Finally there are some important things you should always have. Never let anyone work on your server unless you have to full control about it. This means, you shouldn't give access to your server (ssh AND mysql) to anyone except yourself and people you can REALLY REALLY REALLY REALLY REALLY REALLY REALLY (and take care of a big REALLY) trust and they also contribute to the project. If someone goes mad he can simply hack your server or just release the authentication data. Why do you think there are so many serverfiles released without the owners permission? And at least: always be paranoid. Never think "ohoho this won't affect me". You should consider EVERY option and let your attackers NO chance to break in. Get used to your machine, your system and your software and everything will be fine. Don't be lazy. Just be paranoid. Best Regards, Vanilla
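The two web-script flaws the guide above describes (query manipulation through a form value, and an include path built from a URL parameter) as an added example, not code from the guide or from any Metin2 project. It is written in Python with an in-memory sqlite3 database so it runs stand-alone; the table, the sample rows, the theme directory and the theme whitelist are constructed for the demo, and parameter binding stands in for what the guide does with an escaping function. Each vulnerable function sits next to its hardened form.

```python
import posixpath
import sqlite3

# Assumed web root for the include example (constructed value).
THEME_DIR = "/var/www/themes"

# Allowed include targets: the request names a key, the server chooses the
# file. Nothing from the URL ever becomes part of a filename.
THEMES = {"blue": "theme_blue.php", "red": "theme_red.php"}


def make_db():
    """Constructed sample data: a tiny account table in memory."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (id INTEGER, login TEXT, password TEXT)")
    con.executemany("INSERT INTO account VALUES (?, ?, ?)",
                    [(1, "admin", "secret"), (2, "player", "hunter2")])
    return con


def find_account_vulnerable(con, login):
    """User input is pasted into the SQL text, so quotes in the input can
    change the structure of the query (the case the guide warns about)."""
    sql = "SELECT id, login FROM account WHERE login = '%s'" % login
    return con.execute(sql).fetchall()


def find_account_safe(con, login):
    """Parameter binding: the value travels separately from the SQL text,
    so whatever the user typed is compared as data, never parsed as SQL."""
    sql = "SELECT id, login FROM account WHERE login = ?"
    return con.execute(sql, (login,)).fetchall()


def include_path_vulnerable(color):
    """Mirrors include($_GET['COLOR'] . '.php'): any string, including one
    with ../ in it, is turned into a path and may leave the theme directory."""
    return posixpath.normpath(posixpath.join(THEME_DIR, color + ".php"))


def include_path_safe(color):
    """Whitelist lookup: unknown keys are rejected, so traversal or a remote
    URL can never reach the filesystem."""
    if color not in THEMES:
        return None
    return posixpath.join(THEME_DIR, THEMES[color])


if __name__ == "__main__":
    con = make_db()
    crafted = "x' OR '1'='1"
    print("vulnerable query returned", len(find_account_vulnerable(con, crafted)), "rows")
    print("parameterised query returned", len(find_account_safe(con, crafted)), "rows")
    print("vulnerable include resolves to", include_path_vulnerable("../../etc/passwd"))
    print("whitelisted include resolves to", include_path_safe("../../etc/passwd"))
```

The same crafted login value makes the string-built query return every account while the bound query returns none, and the traversal string resolves outside the theme directory only in the version that concatenates the parameter.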
  14. Yep, as you saw in the title, there are always some fucking retard kids who think DDoSing is everything in this world. Today I'm gonna show you some little settings. If you've done this completely, a warning should appear like "You need to restart Skype for the changes to take effect" or something like that. Then get a friend to resolve your IP; he will be very surprised that he gets nothing. IT WORKS FOR every Skype resolver existing on the internet. netstat -n netstat -p too, so people can't hunt you by any method. Best Regards, Dr3Ame3r
  15. Tools needed: [Hidden Content] I have seen that many people are using the python file extractor to steal other people's work. I don't think it's nice so I found a fix. The main functions that execute the python injector are PyRun_SimpleFile and PyRun_SimpleString. We open python22.dll in HxD and we change the 2 functions that I said. If you want to protect the python22.dll from being read you can try to pack it with mpress. (Untested but I think it will work.) After doing that, you can also add an md5 check to the python22.dll because someone may try to replace the python22.dll with another one where the functions are not modified. Regards.
  16. Please, move this post into the right pinned topic. Name: I don't know how to name it. Sub-server maybe? Release date: I discovered this in 2010. Affects: all game revisions. Symptoms: It won't show. You can discover this only via reading config and looking for unknown IPs. Causes: Someone can connect to your db cache server. They can log in to everyone's account without knowing the password (the attacker must know the id from account->account->id). The attacker uses login&password from his own server, but he's logging into the victim's account. The attacker can do whatever he/she wants (login into a GM account too). Fix: Reject all connections to your DB port. Every connection except localhost (if you haven't other servers which must connect to this port). Actually it is harder to make this work because of the mess with packets, but it's still possible if someone doesn't take the db port off the public interface.
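A defender-side check for the exposure this post describes, added here as an example (not the poster's code): it reads a FreeBSD `sockstat -4 -l` style listing and reports internal-only ports that are bound to every interface instead of localhost. The listing below is constructed in the column layout sockstat prints; port 15000 stands in for the db cache port and 3306 for MySQL, both assumptions to be replaced with the ports from your own CONFIG.

```python
# Ports that must only ever be reachable from the machine itself.
# 15000 is an assumed db cache port, 3306 the MySQL default (assumption).
INTERNAL_PORTS = {15000, 3306}

# Addresses that mean "this host only".
LOOPBACK = ("127.0.0.1", "localhost")

# Constructed sample modelled on `sockstat -4 -l` output:
# USER COMMAND PID FD PROTO LOCAL-ADDRESS FOREIGN-ADDRESS
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
mysql    mysqld     1204  10 tcp4   *:3306                *:*
root     sshd       771   3  tcp4   *:22                  *:*
metin2   db         1402  6  tcp4   *:15000               *:*
metin2   game       1410  7  tcp4   *:13000               *:*
"""


def parse_listeners(text):
    """Return (command, port, bound_host) for each listening socket line."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) < 6:
            continue
        command, local = parts[1], parts[5]
        host, _, port = local.rpartition(":")   # "*:3306" -> ("*", "3306")
        if not port.isdigit():
            continue
        rows.append((command, int(port), host))
    return rows


def exposed_internal_ports(text, internal=INTERNAL_PORTS):
    """Internal-only ports whose listener is bound to '*' or a public
    address: exactly the case where anyone on the internet can talk to
    the db cache directly."""
    return sorted((cmd, port) for cmd, port, host in parse_listeners(text)
                  if port in internal and host not in LOOPBACK)


if __name__ == "__main__":
    for cmd, port in exposed_internal_ports(SAMPLE_SOCKSTAT):
        print("WARNING: %s listens on port %d on all interfaces" % (cmd, port))
```

On a real host pipe `sockstat -4 -l` into the script instead of the sample. Anything it flags should be bound to 127.0.0.1 in the service's own config or, failing that, blocked on the external interface with a pf rule such as `block in quick on $ext_if proto tcp from any to any port 15000` (port number again an assumption).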
  17. M2 Download Center Download Here ( Internal ) Scan: [Hidden Content] Download: [Hidden Content] Maybe this will help someone understand how HackShield works (and why it is useless) and how to run it in Metin2.
  18. I've found a file (AntiAccess.h) in Extern/include/YmirBase and I was wondering what's inside. Its content is pretty small and simple; the following function will disable every write access to the current process. Of course it's not all you have to do for a fully working protection, but I thought this function in addition to another good anti cheat will work very well.

#include <windows.h>
#include <aclapi.h>      // SetSecurityInfo

// EL_FORCEINLINE is defined in YmirBase; fallback if that header is not included
#ifndef EL_FORCEINLINE
#define EL_FORCEINLINE __forceinline
#endif

BOOL EL_FORCEINLINE EL_DenyProcessAccess( void )
{
    BYTE abyBuffer[0x200];
    PACL pACL;
    SID_IDENTIFIER_AUTHORITY stIdentifierAuthority = SECURITY_WORLD_SID_AUTHORITY;
    PSID pSid = NULL;
    BOOL bRet = FALSE;
    DWORD dwSize = 0;
    HANDLE hToken = NULL;
    HANDLE hProcess = ::GetCurrentProcess();
    PTOKEN_USER pUserInfo = NULL;

    // SID for "Everyone" (S-1-1-0); the deny ACE below is attached to it
    if( ::AllocateAndInitializeSid( &stIdentifierAuthority, 1, SECURITY_WORLD_RID, 0, 0, 0, 0, 0, 0, 0, &pSid ) == FALSE )
        goto Cleanup;

    if( ::OpenProcessToken( hProcess, TOKEN_QUERY, &hToken ) == FALSE )
        goto Cleanup;

    // first call only reports how large the TOKEN_USER buffer has to be
    ::GetTokenInformation( hToken, TokenUser, NULL, 0, &dwSize );
    if( dwSize > 1024 )
        goto Cleanup;

    pUserInfo = (PTOKEN_USER) ::GlobalAlloc( GPTR, dwSize );
    if( pUserInfo == NULL )
        goto Cleanup;

    if( ::GetTokenInformation( hToken, TokenUser, pUserInfo, dwSize, &dwSize ) == FALSE )
        goto Cleanup;

    pACL = (PACL) &abyBuffer;
    if( ::InitializeAcl( pACL, 0x200, ACL_REVISION ) == FALSE )
        goto Cleanup;

    // Deny except PROCESS_TERMINATE and PROCESS_SET_SESSIONID
    // (deny ACEs go first so they are evaluated before the allow ACE)
    if( ::AddAccessDeniedAce( pACL, ACL_REVISION,
            PROCESS_CREATE_PROCESS | PROCESS_DUP_HANDLE | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_VM_OPERATION | PROCESS_CREATE_THREAD,
            pSid ) == FALSE )
        goto Cleanup;

    // Allow SYNCHRONIZE, PROCESS_QUERY_INFORMATION, PROCESS_SET_INFORMATION, PROCESS_SET_QUOTA and PROCESS_TERMINATE
    // for the account that owns this process
    if( ::AddAccessAllowedAce( pACL, ACL_REVISION,
            SYNCHRONIZE | PROCESS_QUERY_INFORMATION | PROCESS_SET_INFORMATION | PROCESS_SET_QUOTA | PROCESS_TERMINATE,
            pUserInfo->User.Sid ) == FALSE )
        goto Cleanup;

    // install the DACL on our own process object; PROTECTED_ marks it so
    // it is not replaced by inherited ACEs
    if( ::SetSecurityInfo( hProcess, SE_KERNEL_OBJECT, PROTECTED_DACL_SECURITY_INFORMATION | DACL_SECURITY_INFORMATION, 0, 0, pACL, 0 ) != ERROR_SUCCESS )
        goto Cleanup;

    bRet = TRUE;

Cleanup:
    if ( pUserInfo ) ::GlobalFree( pUserInfo );   // buffer from GlobalAlloc above
    if ( hToken ) ::CloseHandle( hToken );
    if ( pSid ) ::FreeSid( pSid );
    return bRet;
}
  19. M2 Download Center Download Here ( Internal ) Hi, I was bored, and I started thinking about how to make it so they could not use Cheat Engine on a client; well, here I come to bring you the code in Python.

import os
import thread
import time

def procesoss():
    # programs to block; you can see the full name in cmd with "tasklist"
    Black_List = ["inyector.exe", "cheatengine-x86_64.exe", "ollydbg.exe", "skype.exe"]
    while 1:
        try:
            for p in os.popen("tasklist"):
                procesos = p.lower()
                for sema in Black_List:
                    if procesos.find(sema) != -1:
                        name = procesos.split()[0]
                        # /im selects by image name, /f forces the kill
                        os.popen("taskkill /im %s /f" % name)
        except:
            pass   # keep the watcher alive even if tasklist or taskkill fails
        time.sleep(3)  # wait 3 seconds before checking again

thread.start_new_thread(procesoss, ())

I tried it, and it works. Sorry for my bad English. Update*: I changed os.system to os.popen and now you can't see the console from Windows. Regards, SeMa
  20. Good morning, Today I will show you how to make your SSH safer easily while avoiding having to type your login and password every time you want to work on your server.

Part 1. Logging in with an SSH Key

For starters, we will create a new user for our metin2 server.

pw useradd metin2 -m -g wheel

Next, we will move our server files to /home/metin2 and give our new user ownership of the files

cd /home
chown -R metin2:wheel metin2/

Now we are going to create an SSH key. In short, this is a file you save to your PC and it replaces your password for login.

su metin2
ssh-keygen

Press enter (leave defaults) and move to the .ssh folder that has been created

cd metin2/.ssh
mv id_rsa.pub authorized_keys
cat id_rsa

Copy the output of this last command (including the comments) with ctrl+C and save it into a text file. This is your private key; to convert it to a format that PuTTY and FileZilla can understand, you can use puttygen. Download and open the tool and click on Load. Select "All files" in the file dialog and open the text file you saved previously, then click on "Save Private Key" to create the ppk file. Finally, we are going to try to log in with our new key. Open PuTTY and load your server's settings, then go to the Connection > Data tab and in auto-login username enter metin2 (or whatever you called your server's user). Next open Connection > SSH > Auth and load your ppk file. Finally, return to Session and save your new settings, then Open to verify that you are able to log in automatically with your new user and key, and use the su command to gain root privileges.

Part 2: Securing SSH

Once this is done, we can proceed to disable root login and password authentication in /etc/ssh/sshd_config, and restart the ssh server with service sshd restart. While you are editing the ssh config, it's also a good idea to change the ssh port to a different one, preferably an unused, high-numbered port, but don't forget to open this port in your firewall or you will lock yourself out!

Part 3. Security good practices

Once you do all of this, the only way to access your server is through the private ppk file. Therefore, make sure to back it up in a safe place such as a USB stick or external drive! Always run your server startup script as the metin2 user. If you need root privileges, log in with the metin2 user and then use su. In the event that someone gained shell access through some kind of backdoor or exploit, he won't have full access to the machine.
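Both SSH posts on this page (item 13 with "Protocol 2", and Part 2 above with disabling root login and password authentication) describe sshd_config lines to set, so here is one added example that audits a config for them; it is not code from either poster. It follows two sshd_config(5) rules a hand check easily misses: the first occurrence of a directive wins, and lines after a Match block are conditional. The sample config is constructed, and the table of sshd defaults reflects the OpenSSH versions of the posts' era (an assumption; the audit treats "not stated" as "not hardened" either way).

```python
# Directive -> value the posts ask for (names compared case-insensitively).
REQUIRED = {
    "protocol": "2",
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "pubkeyauthentication": "yes",
}

# What sshd used when the line was absent, for the OpenSSH versions of
# that time (assumption; newer releases dropped Protocol 1 entirely).
DEFAULTS = {
    "protocol": "2,1",
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Constructed sample: root login still on, password auth left commented out.
SAMPLE_CONFIG = """\
# sshd_config sample for the demo
Port 2222
Protocol 2
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
"""


def parse_sshd_config(text):
    """Return {directive: value} using sshd's own rules: '#' starts a
    comment, the FIRST occurrence of a directive is the one that counts,
    'key value' and 'key=value' are both accepted, and parsing stops at
    the first Match block because everything below it is conditional."""
    seen = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.lower().startswith("match "):
            break
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        seen.setdefault(key, value)     # keep the first value only
    return seen


def audit_sshd_config(text):
    """List (directive, effective value, required value) for every
    directive that is not set the way the posts recommend."""
    seen = parse_sshd_config(text)
    findings = []
    for key, wanted in REQUIRED.items():
        effective = seen.get(key, DEFAULTS[key])
        if effective.lower() != wanted:
            findings.append((key, effective, wanted))
    return findings


if __name__ == "__main__":
    for key, have, want in audit_sshd_config(SAMPLE_CONFIG):
        print("%s is '%s', should be '%s'" % (key, have, want))
```

Run it against `/etc/ssh/sshd_config` after editing and before you restart sshd; an empty result means every directive the posts mention is set, and a finding on a directive you never wrote means sshd is silently using its default.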
  21. Hey @ all. For those people who are using Debian 6 and Apache this could be very nice! People who are using nginx, you are normally safe, but if you fuck your configs up, slowloris can be a problem for you, too.

1. What is slowloris?
Slowloris is a perl script which allows you to open hundreds of sessions on your webserver and hold them open! So your webserver crashes if it reaches ~700 connections at the same time.

2. How to fix it?

1. Download and extract the mod
wget ftp://ftp.monshouwer.eu/pub/linux/mod_antiloris/mod_antiloris-0.4.tar.bz2
tar -jxvvf mod_antiloris-0.4.tar.bz2
cd mod_antiloris-0.4/

2. Install the compile kit:
apt-get install gcc apache2-threaded-dev

3. Compile mod_antiloris
/usr/bin/apxs2 -i -c mod_antiloris.c

4. Import the mod to apache
echo "LoadModule antiloris_module /usr/lib/apache2/modules/mod_antiloris.so" > /etc/apache2/mods-available/antiloris.load
a2enmod antiloris

5. Restart it
/etc/init.d/apache2 restart

I hope you enjoy it! Kind regards
  22. I copied parts of this file from a site that I long forgot, my apologies for not giving credits. They have been used in our server for years and at the very least I can confirm that they are not harmful. These system settings are intended to help defend your dedicated server against small DOS attacks. Be aware that they are NOT a substitute for proper (hardware) protection.

Instructions:

1) ee /etc/sysctl.conf

2) Move to the end of the file and paste the following lines:

net.inet.tcp.syncookies=1
net.inet.ip.forwarding=1
net.inet.ip.fastforwarding=1
net.inet.tcp.nolocaltimewait=1
net.inet.tcp.syncache.rexmtlimit=1
net.inet.ip.check_interface=1
net.inet.ip.portrange.randomized=1
net.inet.ip.process_options=0
net.inet.ip.random_id=1
net.inet.ip.redirect=0
net.inet.ip.accept_sourceroute=0
net.inet.ip.sourceroute=0
net.inet.icmp.bmcastecho=0
net.inet.icmp.maskfake=0
net.inet.icmp.maskrepl=0
net.inet.icmp.log_redirect=0
net.inet.icmp.drop_redirect=1
net.inet.tcp.drop_synfin=1
net.inet.tcp.ecn.enable=1
net.inet.tcp.fast_finwait2_recycle=1
net.inet.tcp.icmp_may_rst=0
net.inet.tcp.maxtcptw=15000
net.inet.tcp.msl=5000
net.inet.tcp.path_mtu_discovery=0
net.inet.tcp.rfc3042=0
net.inet.udp.blackhole=1
net.inet.tcp.blackhole=2
net.inet.ip.rtexpire=60
net.inet.ip.rtminexpire=2
net.inet.ip.rtmaxcache=1024
kern.ipc.shmmax=134217728
tcp.path_mtu_discovery=0

3) Save and run "service sysctl restart" for the settings to take effect.

I suggest combining these settings with rate limiting through pf for best effect.
  23. So, this isn't exactly related to Metin2. But within this day I had two separate attacks on two unrelated Metin2 homepages. People are using WordPress websites to relay requests. access.log looks something like this:

173.236.144.96 - - [22/Feb/2014:00:57:34 +0100] "GET /?2554596=7542239 HTTP/1.0" 403 162 "-" "WordPress/3.8.1; [Hidden Content]"
195.154.120.142 - - [22/Feb/2014:00:57:34 +0100] "GET / HTTP/1.0" 403 162 "-" "WordPress/3.6.1; [Hidden Content]"
8.14.117.89 - - [22/Feb/2014:00:57:34 +0100] "GET /?2852111=9681641 HTTP/1.0" 403 162 "-" "WordPress/3.7.1; [Hidden Content]"
65.98.60.98 - - [22/Feb/2014:00:57:34 +0100] "GET /?8331124=3589667 HTTP/1.0" 403 162 "-" "WordPress/3.4.1; [Hidden Content]"
69.163.171.127 - - [22/Feb/2014:00:57:34 +0100] "GET /?8798433=9569671 HTTP/1.0" 403 162 "-" "WordPress/3.8.1; [Hidden Content]"
67.205.2.183 - - [22/Feb/2014:00:57:34 +0100] "GET / HTTP/1.0" 403 162 "-" "WordPress/3.8.1; [Hidden Content]"
109.168.123.104 - - [22/Feb/2014:00:57:34 +0100] "GET /?2400804=4166790 HTTP/1.0" 403 162 "-" "WordPress/3.5.1; [Hidden Content]"
97.74.144.211 - - [22/Feb/2014:00:57:34 +0100] "GET / HTTP/1.0" 403 162 "-" "WordPress/3.4.2; [Hidden Content]"
216.92.131.44 - - [22/Feb/2014:00:57:34 +0100] "GET / HTTP/1.0" 403 162 "-" "WordPress/3.8; [Hidden Content]"
89.151.73.40 - - [22/Feb/2014:00:57:34 +0100] "GET /?9155553=5259788 HTTP/1.0" 403 162 "-" "WordPress/3.8.1; [Hidden Content]"

You can prevent them from overloading your server by simply blocking the WordPress user agent. You do this on nginx via:

if ($http_user_agent ~* wordpress){
    return 403;
}

Google also pointed me to this, which has a tutorial for Apache. iMer
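Detection logic for the traffic pattern shown in the log excerpt above, added as an example that is not part of iMer's post: it parses lines in the combined log format the post quotes, counts requests per source IP whose User-Agent starts with "WordPress/", and lists the relaying blogs named in that User-Agent so their owners can be notified. The sample lines are constructed with documentation-range IPs and placeholder blog URLs; the threshold value is an assumption.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')

# Constructed sample lines modelled on the excerpt in the post.
SAMPLE_LOG = """\
198.51.100.10 - - [22/Feb/2014:00:57:34 +0100] "GET /?2554596=7542239 HTTP/1.0" 403 162 "-" "WordPress/3.8.1; http://blog-a.example"
198.51.100.10 - - [22/Feb/2014:00:57:34 +0100] "GET / HTTP/1.0" 403 162 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.7 - - [22/Feb/2014:00:57:35 +0100] "GET /?8331124=3589667 HTTP/1.0" 403 162 "-" "WordPress/3.4.1; http://blog-b.example"
192.0.2.55 - - [22/Feb/2014:00:57:35 +0100] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"
203.0.113.7 - - [22/Feb/2014:00:57:36 +0100] "GET /?9155553=5259788 HTTP/1.0" 403 162 "-" "WordPress/3.8; http://blog-b.example"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_wordpress_relay(rec):
    """The relayed requests identify themselves by the WordPress/ User-Agent."""
    return rec["agent"].lower().startswith("wordpress/")


def wordpress_relays(text):
    """Counter of source IP -> number of requests carrying a WordPress User-Agent."""
    hits = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_wordpress_relay(rec):
            hits[rec["ip"]] += 1
    return hits


def relay_blogs(text):
    """The part of the User-Agent after ';' names the blog being abused as a relay."""
    blogs = set()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and is_wordpress_relay(rec):
            _, _, url = rec["agent"].partition(";")
            if url.strip():
                blogs.add(url.strip())
    return sorted(blogs)


def flood_sources(text, threshold=2):
    """Source IPs at or above the threshold (assumed value) are candidates for a firewall block."""
    return sorted(ip for ip, n in wordpress_relays(text).items() if n >= threshold)


if __name__ == "__main__":
    print("relay sources:", flood_sources(SAMPLE_LOG))
    print("abused blogs:", relay_blogs(SAMPLE_LOG))
```

Feed it the real access.log instead of the sample; the per-IP counts tell you whether the nginx user-agent rule above is holding (the 403s still cost a connection each) and the blog list is what you send to the relaying sites' owners or hosts.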