[RELEASE] Server Security Flaws: What Every Admin Should Know
Discussion on [RELEASE] Server Security Flaws: What Every Admin Should Know within the EO PServer Guides & Releases forum part of the EO PServer Hosting category.
05/06/2025, 06:57
|
#1
|
elite*gold: 0
Join Date: Oct 2007
Posts: 560
Received Thanks: 209
|
- [INFO] Weaknesses in the classic version: a warning to the community
I decided to gather here some possible weaknesses related to the security of the classic version. I will soon bring suggestions for solutions, but it would be great if you also contributed ideas and alternatives. Together, we can build a fairer community, without malicious administrators or players exploiting loopholes to harm other servers.
Note: I will not address basic issues here, such as the use of default passwords or open MySQL — this is the minimum expected of any responsible administrator.
1. NPCServer Vulnerability – External Connection Exploit
Issue: The NPCServer is vulnerable to unauthorized external connections. This can lead to unexpected behavior in-game, such as monsters randomly disappearing from maps. In some cases, it may also cause server instability or gameplay disruption, especially in public or exposed environments.
Cause: This happens because the NPCServer accepts incoming requests without verifying their origin, allowing attackers or misconfigured clients to interfere with server functions.
Partial Solution:
A workaround to mitigate this issue has been shared in the following guide:
Note: While this fix improves security, it is recommended to place your NPCServer behind a firewall or use localhost-only configurations if possible, for full protection.
2. AccountServer/MsgServer Vulnerability – Excessive Packet Traffic Exploit
Issue: Certain third-party programs such as NoPing, ExitLag, and similar network tools can generate an abnormal volume of packets targeting the server ports. This behavior causes packet flooding, which can severely impact the connection quality for legitimate players.
Symptoms:
- Login attempts may result in errors such as "overtime" or connection timeouts.
- Players may experience high latency, frequent disconnections, or unstable sessions.
- In extreme cases, the server may become unresponsive to new login requests.
Cause: These applications reroute and manipulate traffic to reduce latency but, in doing so, unintentionally or intentionally create excessive and irregular traffic patterns that overwhelm the AccountServer or MsgServer.
Partial Solution:
A partial mitigation is to use a network-level connection filter. In the past, tools like SolveDDOS were effective in managing this kind of issue, though they are no longer available. Some administrators have reported moderate success using PortTunnel to filter traffic, though it requires some technical understanding. We are making this tool available here for those who wish to try it.
Recommendation: For better protection, it's advisable to monitor port traffic, implement firewall rules, or use a dedicated anti-DDoS solution tailored to game servers.
3. Regular players can summon monsters
Issue:
Certain groups — often originating from China — have modified the client’s DLL files to allow unauthorized summoning of monsters on any map, including high-value bosses. These modified clients can also directly access monster IDs and names from the server’s database, increasing the risk of exploitation.
Real Case Example:
This vulnerability was recently exploited by a Brazilian administrator, luccasdev, who not only targeted our server but also carried out similar attacks against other server owners. He invited a Chinese player to abuse the system by continuously respawning high-reward bosses, farming rare drops, and selling those items to other players for real money. Additionally, his goal was to destabilize our server and push players to join his own competing project.
Symptoms:
- Unusual activity such as frequent boss respawns in inappropriate areas.
- Rapid acquisition of rare items by a specific player or group.
- Server economy imbalance or player reports of unfair behavior.
Partial Solution:
- Drop Logging System: Implement a drop log for all boss monsters.
- Drop Frequency Limit: Set a cooldown period per boss drop per player or account.
- Automated Monitoring: If a player kills multiple bosses (regular or superboss) within a short timeframe or in unusual locations, the system should automatically teleport them to jail or restrict their actions.
- Geolocation Blocking: Block or filter known malicious IP ranges, such as Chinese IPs, using your firewall or security gateway.
Recommendation:
For deeper protection, consider using encrypted communication between client and server, verifying spawn requests server-side, and integrating behavior-based anti-cheat systems.
4. Zoom Hack and skill range
If the server is not properly configured, players can use Zoom Hack to attack targets from much greater distances than the visual and legitimate range of their skills. This completely unbalances PvP and makes the game unfair.
If you know of other exploits or have found ways to protect your server against these threats, please share them! The idea is to strengthen the community and ensure a safer experience for everyone.
- [INFO] Weaknesses in the 1655 version: a warning to the community
1. Possible System-Level Malware Risk
Issue:
Several administrators have reported that version 1655 may include a form of intrusion or malware that compromises the host system. The reports suggest that server files become corrupted and, in some cases, the host machine itself is affected. Although not confirmed, there is speculation that this could be tied to the original developers of this version, especially since many are using leaked or unofficial versions that were intended to be paid.
Potential Cause:
Because the server files being used are often cracked or modified versions of paid software, it is plausible that malicious code was embedded intentionally to punish unauthorized use or to maintain remote access capabilities.
Symptoms:
- Unexpected file corruption within server directories.
- Server crashes or instability with no clear trigger.
- Suspicious activity on the host system unrelated to server operations.
Recommendations:
- Restrict Open Ports: Only open the necessary ports for your server. All other Windows ports should remain closed to minimize external exposure.
- Enable Windows Defender: Keep Windows Defender active at all times, and set only your server folders as exclusions. This ensures the rest of the system remains protected while allowing your server to run uninterrupted.
- Caution With Unofficial Files: Avoid using untrusted or unofficial versions of server executables whenever possible. If necessary, run them in a controlled or virtualized environment.
Note:
This specific issue has not occurred on our server, but due to multiple community reports, it is worth taking preventive measures to avoid potential damage.
2. Speedhack Usage
Issue:
Unlike the classic version, version 1655 allows the use of speedhack, and it is believed that values below 1.7x are permitted. This causes significant gameplay imbalance, as players can enter the game and use it, further degrading the experience.
What We Recommend:
We suggest requesting that other players record those who are using speedhack (as the official eudemons.com does). After analyzing the footage, you can proceed with banning the offender.
Solution in Configuration Files:
In the file 全局控制.txt located in the 178引擎相关配置 folder, you can adjust the game’s speed settings. However, this does not fully resolve the speedhack issue. The configuration I have used is as follows:
Code:
开启行走加速判断=1
当玩家行走封包结构异常大于多少次时踢下线=9
当玩家行走封包速度异常大于多少次时踢下线=9
限制加速等级=9
Testing and Recommendations:
You may try these settings and adjust accordingly. If anyone finds a better configuration, please share it in the comments.
3. LoginTools Detected as Virus
Issue:
Unlike previous versions (such as 1643), version 1655 forces the use of LoginTools for players to log into the game. The problem is that most antivirus software — including Windows Defender — immediately detects and deletes LoginTools.exe, flagging it as a virus. It’s unclear whether this is truly malicious or if it’s a case of a false positive due to the tool’s behavior (likely because it manipulates connections or processes in ways commonly associated with malware).
What We Recommend:
Currently, the only workaround is to inform players that they’ll need to temporarily disable their antivirus while installing the game and to re-enable it afterward. Also, always keep a fresh copy of LoginTools.exe available for download on your website, so players can easily replace it if their antivirus removes it.
Important Note:
This was not an issue in version 1643. Unfortunately, I don’t have a definitive solution for this problem at the moment. The bigger issue is that AccountServer v5.5 prevents players from logging into the game without an active connection through LoginTools.
Still under construction
- If you have ever experienced any server security issues, please let us know so we can update this list and help you and other administrators.
- Also, if you have any additional suggestions or improvements for the solutions mentioned, feel free to share them.
- We truly need more contributors to help grow this community. Remember — we all benefit from working together. The Eudemons player base is already small, and server attacks not only hurt individual servers but can also discourage players from the entire game. This often leads them to abandon Eudemons altogether in favor of more secure alternatives.
|
|
|
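The drop logging and automated monitoring suggested for boss summoning in the first post can be sketched as follows. This is an added example, not code from the thread or from any server release; the log line format, boss and map IDs, and thresholds are all assumptions to be replaced with the server's real values.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample drop log (hypothetical format): time, account, boss id, map id.
SAMPLE_LOG = """\
2025-05-01 20:00:05 acct=alice boss=9001 map=1000
2025-05-01 20:01:10 acct=mallory boss=9001 map=1000
2025-05-01 20:02:40 acct=mallory boss=9002 map=2010
2025-05-01 20:03:15 acct=mallory boss=9001 map=1000
2025-05-01 20:04:50 acct=mallory boss=9003 map=1002
2025-05-01 21:30:00 acct=alice boss=9002 map=2010
"""

# Hypothetical policy: maps where each boss legitimately spawns, and the
# number of boss kills per account tolerated inside one sliding window.
BOSS_HOME_MAPS = {9001: {1000}, 9002: {2010}, 9003: {3050}}
MAX_KILLS = 3
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one log line into (timestamp, account, boss id, map id)."""
    date, clock, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return ts, kv["acct"], int(kv["boss"]), int(kv["map"])


def review_drop_log(text):
    """Return alerts for bosses killed off their home map or too quickly."""
    recent = defaultdict(deque)  # account -> kill times inside the window
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, acct, boss, map_id = parse_line(line)
        # A boss unknown to the policy table is flagged on every map.
        if map_id not in BOSS_HOME_MAPS.get(boss, set()):
            alerts.append((acct, "wrong_map", boss, map_id))
        kills = recent[acct]
        kills.append(ts)
        while ts - kills[0] > WINDOW:  # drop kills older than the window
            kills.popleft()
        if len(kills) >= MAX_KILLS:
            alerts.append((acct, "kill_rate", len(kills), map_id))
    return alerts


def accounts_to_jail(alerts):
    """Accounts with at least one alert, for the jail/restrict step."""
    return sorted({acct for acct, *_ in alerts})
```

Feeding the result of `accounts_to_jail` into a manual review queue before any automatic jail action keeps legitimate boss-hunting parties from being punished by a threshold set too low.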
05/07/2025, 15:43
|
#2
|
elite*gold: 0
Join Date: Oct 2007
Posts: 560
Received Thanks: 209
|
Please help me build this post!
|
|
|
05/07/2025, 19:21
|
#3
|
elite*gold: 0
Join Date: Apr 2012
Posts: 155
Received Thanks: 122
|
Either classic or new engine, both are vulnerable to being exploited, where the entire database can be stolen, deleted or adjusted, unless you have the expertise to fix that. For example, once you have completed upgrading your server and fixing bugs, someone can easily steal that, unless you open the server to the circle that you know. These are my two cents.
|
|
|
05/07/2025, 20:42
|
#4
|
elite*gold: 0
Join Date: Oct 2007
Posts: 560
Received Thanks: 209
|
I've been an administrator of eudemons since 2009; as far as I know, I've never had a problem with that. It can probably happen due to lack of MySQL or PHP configuration. I already had my database leaked, but that was because I shared my database with a partner in 2009 and they robbed me.
|
|
|
05/10/2025, 21:56
|
#5
|
elite*gold: 0
Join Date: Nov 2008
Posts: 114
Received Thanks: 63
|
It’s also important to highlight a major security concern that affects nearly all EO servers: the use of outdated MySQL (4.x) and PHP (4.x–5.x) versions. These versions are no longer supported and are vulnerable to well-documented critical CVEs such as:
- CVE-2012-2122 – MySQL password authentication bypass
- Remote Code Execution via register_globals and file inclusion
- SQL Injection due to lack of prepared statements
- Session hijacking and privilege escalation vulnerabilities
If you’re running a site that interacts directly with your database (register pages for example), here’s a good practice to help mitigate those risks:
- Host your public-facing website using a modern PHP version (preferably 8.0+), and use it as a proxy to communicate securely with the legacy backend (PHP 5.x/MySQL 4.x).
- Restrict access to the legacy environment by IP whitelisting, so only your modern website can interact with it.
It’s not a full solution, but it’s a solid step toward reducing your attack surface.
|
|
|
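The two steps recommended in post #5, a modern front end that validates input and a legacy side that only accepts that front end, can be sketched as below. This is an added example and not code from the thread: it uses Python with an in-memory SQLite table as a stand-in for the PHP site and the legacy MySQL account table, and the peer address, table layout, field limits and password storage format are assumptions.

```python
import hashlib
import ipaddress
import os
import re
import sqlite3

# Assumption: the modern front end's address (documentation range 203.0.113.0/24).
ALLOWED_PEERS = [ipaddress.ip_network("203.0.113.10/32")]
USERNAME_RE = re.compile(r"[A-Za-z0-9_]{4,16}")  # hypothetical account-name policy


def make_db():
    """Stand-in for the legacy account table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE account (name TEXT PRIMARY KEY, password_hash TEXT)")
    return db


def peer_allowed(addr):
    """Legacy side: accept requests only from the allowlisted front end."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED_PEERS)


def validate_registration(form):
    """Front end: list the fields that fail the allowlist checks."""
    problems = []
    if not USERNAME_RE.fullmatch(form.get("username", "")):
        problems.append("username")
    if not 8 <= len(form.get("password", "")) <= 64:
        problems.append("password")
    return problems


def hash_password(password):
    """Salted PBKDF2; the stored format here is an assumption."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def register(db, peer, form):
    """Apply both layers, then insert with bound parameters only."""
    if not peer_allowed(peer):
        return "rejected: peer"
    problems = validate_registration(form)
    if problems:
        return "rejected: " + ",".join(problems)
    try:
        # Values travel as parameters, never as part of the SQL string.
        db.execute(
            "INSERT INTO account (name, password_hash) VALUES (?, ?)",
            (form["username"], hash_password(form["password"])),
        )
    except sqlite3.IntegrityError:
        return "rejected: exists"
    return "created"
```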
06/05/2025, 17:51
|
#6
|
elite*gold: 0
Join Date: Oct 2024
Posts: 10
Received Thanks: 1
|
Good morning everyone. 
First of all, we would like to clarify that, unfortunately, Chinese servers have several security flaws — including backdoors and open ports integrated into the executable itself. These vulnerabilities cannot be fixed permanently, and they also cause serious performance problems and other technical risks.
The problems with these files involve remote connections that the server itself allows.
Without going into the client's details, it is important to highlight that these files were leaked to the community by someone who, in addition to distributing them, inserted several malicious codes.
Several loopholes were left that allow the server to be hacked, including commands to stop, restart or even delete the VPS, in addition to full remote access.
Quote:
Originally Posted by zukoo
I've been an administrator of eudemons since 2009; as far as I know, I've never had a problem with that. It can probably happen due to lack of MySQL or PHP configuration. I already had my database leaked, but that was because I shared my database with a partner in 2009 and they robbed me.
|
I strongly recommend that you review your website's structure and security as there are several serious flaws that need immediate attention.
Quote:
Originally Posted by nomercyskin1
Either classic or new engine, both are vulnerable to being exploited, where the entire database can be stolen, deleted or adjusted, unless you have the expertise to fix that. For example, once you have completed upgrading your server and fixing bugs, someone can easily steal that, unless you open the server to the circle that you know. These are my two cents.
|
but people do not accept this truth
|
|
|
06/06/2025, 04:46
|
#7
|
elite*gold: 0
Join Date: Oct 2007
Posts: 560
Received Thanks: 209
|
Was version 1655 leaked or just a revamped classic version?
|
|
|
06/06/2025, 19:03
|
#8
|
elite*gold: 0
Join Date: Oct 2024
Posts: 10
Received Thanks: 1
|
Quote:
Originally Posted by zukoo
Was version 1655 leaked or just a revamped classic version?
|
There is no version 1655. That number was just something 178 put in his version of the font. The version that leaked is exactly the one you use today, 1655.
In fact, it was a mix-up he had with WebDesign, who leaked the source and added malware, backdoors and other things on purpose to harm 178. (I'm using the name he uses in the community).
|
|
|
06/06/2025, 20:57
|
#9
|
elite*gold: 0
Join Date: Oct 2007
Posts: 560
Received Thanks: 209
|
With all due respect, this statement is not true.
We have a clear track record: since 2018, version updates have been implemented continuously, using our dedicated archive, which includes a TXT with all corrections and improvements.
In addition, the final version that was released online is visibly incomplete. Many features that were previously perfectly operational — such as the Castle, the Family and the Hall of Fame — simply do not work in it. This leads us to believe that the version we are using is, in fact, different and edited.
|
|
|
06/06/2025, 21:14
|
#10
|
elite*gold: 0
Join Date: Oct 2024
Posts: 10
Received Thanks: 1
|
Quote:
Originally Posted by zukoo
With all due respect, this statement is not true.
We have a clear track record: since 2018, version updates have been implemented continuously, using our dedicated archive, which includes a TXT with all corrections and improvements.
In addition, the final version that was released online is visibly incomplete. Many features that were previously perfectly operational — such as the Castle, the Family and the Hall of Fame — simply do not work in it. This leads us to believe that the version we are using is, in fact, different and edited.
|
I think you should do a little more research. This 1655 engine is still sold in China, with a monthly subscription and payment for the software, without backdoors or viruses embedded in the ones presented, but with some additional improvements. There is still an update changelog to this day, but only for the paid version, exclusively in China. However, the server continues to present several structural errors due to the update from version 1.0 to the current one, done without the proper technical treatments. I will not take this further, as it does not benefit me at all, since I do not use such programs.
|
|
|
06/07/2025, 05:52
|
#11
|
elite*gold: 0
Join Date: Oct 2007
Posts: 560
Received Thanks: 209
|
Quote:
Originally Posted by revinmage2
There is no version 1655. That number was just something 178 put in his version of the font. The version that leaked is exactly the one you use today, 1655.
In fact, it was a mix-up he had with WebDesign, who leaked the source and added malware, backdoors and other things on purpose to harm 178. (I'm using the name he uses in the community).
|
Reread your first paragraph and you will understand what you meant.
It was very confusing; even after you edited it, it remained confusing.
In your previous post, you said that version 1655 was leaked and that malicious items were inserted before the leak. I already mentioned this as a known weakness in some editions of this version.
That might have happened in isolated cases, but 1655 itself was not leaked. What was actually leaked was the classic version, which was later modified by 178studio and adapted into godlev-based versions back in 2017. Version 1655 was only finalized in 2021. I have access to Chinese servers, and it looks like development stopped there. Fortunately, the official version did not progress much.
I've seen only two reports in three years, and both involved file exchanges with third parties, suggesting contamination from external editors. The number of issues is very low considering how many servers used this version.
Also, as I’ve said before, there is no need to use LoginTools. I don’t use it — only the original client — so there is no risk to the client side.
So, to be clear: version 1655 was not leaked. It is an improved version of the classic. Yes, some variations of 1655 have security flaws, and I already pointed that out in the first post.
It seems like you're confusing an edited version with the official one, which nobody here even mentioned.
Honestly, your statements sound like someone who just heard about it without fully understanding the topic.
In the end, I still don’t see what your actual point is.
|
|
|