Zonni, posted January 19, 2015:

Please move this post into the right pinned topic.

Name: I don't know how to name it. Sub-server, maybe?
Release date: I discovered this in 2010.
Affects: all game revisions.
Symptoms: It won't show. You can discover this only by reading the config and looking for an unknown IP.
Causes: Someone can connect to your db cache server. They can log in to anyone's account without knowing the password (the attacker must know the id from account->account->id). The attacker uses the login & password from his own server, but he's logging into the victim's account. The attacker can do whatever he/she wants (log into a GM account too).
Fix: Reject all connections to your DB port. Every connection except localhost (if you don't have other servers which must connect to this port). Actually it is harder to make this work because of the mess with packets, but it's still possible if someone doesn't take the db port off public access.
Endymion, posted January 20, 2015:

Somebody used this on my server and... The attacker had a character whose account_id doesn't exist in my database. Fix? BIND_IP: 127.0.0.1 in the db config. I don't know how to use this, so I can't give you more information.
Zonni (author), posted January 21, 2015:

@Endymion, you're right, because the attacker uses the account_id from his server, and if it doesn't match the attacked server it creates a new char on the attacked server but using the account_id from the attacker's server. This is madness; nobody wants to have a similar situation on their server, so protect your DB port via IPFW (if you're using more than one dedicated server) or Endymion's method (if you have only one dedicated server).
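A concrete version of the two fixes proposed in this thread (Endymion's BIND_IP: 127.0.0.1 in the db config, and Zonni's IPFW rule for setups with more than one dedicated server), as an added example that is not part of the original posts. The port number 15000 and the peer addresses 10.0.0.2 / 10.0.0.3 are placeholders I assumed, since the thread names neither; the first function prints the ipfw rules rather than applying them so you can review them before piping them into sh, and the second checks a db config file for the localhost bind.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Goal: the db cache port must accept TCP connections only from localhost and
# from the other dedicated servers that legitimately talk to it; everything
# else is rejected, so a stranger cannot log in with an account_id from his
# own server.

DB_PORT=15000                        # ASSUMED placeholder: your db cache port
TRUSTED_PEERS="10.0.0.2 10.0.0.3"    # ASSUMED placeholders: other game servers

# Print the ipfw rules for a port and a list of trusted peer IPs.
# Nothing is applied; review the output, then run it as root:
#   db_port_rules "$DB_PORT" $TRUSTED_PEERS | sh
# Rule numbers start at 1000 and step by 10 so they sort before a
# typical catch-all rule and leave room for later edits.
db_port_rules() {
    port="$1"; shift
    n=1000
    echo "ipfw add $n allow tcp from 127.0.0.1 to me $port"
    for peer in "$@"; do
        n=$((n + 10))
        echo "ipfw add $n allow tcp from $peer to me $port"
    done
    n=$((n + 10))
    # Explicit deny last: any source not matched above is dropped.
    echo "ipfw add $n deny tcp from any to me $port"
}

# Single-server setup (Endymion's method): the db config must bind to
# loopback. Returns 0 only if the file has exactly "BIND_IP: 127.0.0.1".
check_bind_ip() {
    grep -E '^[[:space:]]*BIND_IP:[[:space:]]*127\.0\.0\.1[[:space:]]*$' \
        "$1" >/dev/null 2>&1
}

# Stand-alone usage: show the rule set for the placeholders above.
db_port_rules "$DB_PORT" $TRUSTED_PEERS
```

After applying either fix, confirm it from another host with something like `nc -vz <server-ip> 15000`; the connection should be refused or time out. If it still connects, the db process is bound to a public address and no firewall rule is in front of it.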