Cryptic/Exotic/Free/Olympus Shaiya

JujiPoli · 12/10/2014, 17:19

Yes I post in shaiya-pserver-advertising, apparently those server got hacked -> SQL injection

[makesure that you save the database every 24 hours or 12 hours or less, till there a fix]

is it true for Cryptic? Olympus?

Is there other server to?

Do you know who doing that?

Is there a way to stop it?

Twilight360 · 12/10/2014, 17:25

Shaiya's that recently got hacked, or still in recover, Rose Shaiya, Olympus, Spectral, Tempest, Cryptic, Heroes, Free, Sanctuary, Crown, Implosion,not sure what else, but i am going to alert everyone this is not any attack to do with sql injections by php via, nor is it server files, it is a dll injection made by one person that was sold to another Korean dude then given to his Russian friend to re-code so the script to stop it was declined to protect against this attack, this is a serious attack because you will not be able to stop it unless you figure out the source, stop it and find out who it is. They will not stop so start rapping your database's up and making sure that you save the database every 24 hours. or 12 hours if you do not want a huge roll back.

Agony69 · 12/10/2014, 17:27

Quote:

Originally Posted by JujiPoli

Yes I post in shaiya-pserver-advertising, apparently those server got hacked -> SQL injection

You said it yourself, you post in the shaiya advertising section.
What exactly are you advertising?

Twilight360 · 12/10/2014, 17:28

Quote:

Originally Posted by Agony69

You said it yourself, you post in the shaiya advertising section.
What exactly are you advertising?

No, he is only alerting the owners for each server, because its going to get out of hand with the two people doing the attacks.

JujiPoli · 12/10/2014, 17:29

Yes, im trying to prevent server that didn't got hacked yet, please make sure you have a recent back up!, sorry agony for post here but it important.

Twilight360 · 12/10/2014, 17:30

Here's a code made by a friend that was the orignal protection to stop the attacks but after they recoded the attack it can't stop it now. To understand in a bit to how it works, it's made for 2008.

Code:

{\rtf1\ansi\ansicpg1252\deff0\deflang1033{\fonttbl{\f0\fnil\fcharset0 Calibri;}}
{\*\generator Msftedit 5.41.21.2510;}\viewkind4\uc1\pard\sa200\sl276\slmult1\lang9\f0\fs22 /****** Object:  DdlTrigger [ddl_trig_database]    Script Date: 01/11/2010 19:05:57 ******/\par
\par
SET ANSI_NULLS ON\par
\par
GO\par
\par
SET QUOTED_IDENTIFIER ON\par
\par
GO\par
\par
 \par
\par
CREATE TRIGGER [ddl_trig_Prevent_Drop_Database]\par
\par
ON ALL SERVER\par
\par
FOR DROP_DATABASE\par
\par
AS\par
\par
 \par
\par
--log attempt to drop database\par
\par
DECLARE @db VARCHAR(209)\par
\par
SET @db = (SELECT 'Database Dropped Attempted by ' +  CONVERT(nvarchar(100), ORIGINAL_LOGIN()) +\par
\par
' executing command: '+ EVENTDATA().value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]','VARCHAR(229)'))\par
\par
RAISERROR(@db, 16, 1)WITH LOG\par
\par
 \par
\par
--prevent drop database\par
\par
ROLLBACK\par
\par
GO\par
\par
 \par
\par
SET ANSI_NULLS OFF\par
\par
GO\par
\par
SET QUOTED_IDENTIFIER OFF\par
\par
GO\par
\par
 \par
\par
--turn on trigger\par
\par
ENABLE TRIGGER [ddl_trig_Prevent_Drop_Database] ON ALL SERVER\par
\par
 \par
\par
 \par
\par
--test trigger\par
\par
CREATE DATABASE test1\par
\par
 \par
\par
DROP DATABASE test1\par
\par
 \par
\par
Msg 50000, Level 16, State 1, Procedure ddl_trig_Prevent_Drop_Database, Line 11\par
\par
Database Dropped Attempted by TestSQLUser executing command: DROP DATABASE test1\par
\par
Msg 3609, Level 16, State 2, Line 1\par
\par
The transaction ended in the trigger. The batch has been aborted.\par
\par
 \par
\par
 \par
\par
--turn off trigger\par
\par
DISABLE TRIGGER [ddl_trig_Prevent_Drop_Database] ON ALL SERVER\par
\par
GO\par
\par
 \par
\par
 \par
\par
/****** Object:  DdlTrigger [ddl_trig_Prevent_Drop_Database]    Script Date: 01/11/2010 19:22:28 ******/\par
\par
IF  EXISTS (SELECT * FROM master.sys.server_triggers WHERE parent_class_desc = 'SERVER' AND name = N'ddl_trig_Prevent_Drop_Database')\par
\par
DROP TRIGGER [ddl_trig_Prevent_Drop_Database] ON ALL SERVER\par
\par
GO\par
\par
 \par
\par
--cleanup current errorlog\par
\par
sp_cycle_errorlog\par
}

Agony69 · 12/10/2014, 17:35

Quote:

Originally Posted by Twilight360

No, he is only alerting the owners for each server, because its going to get out of hand with the two people doing the attacks.

Quote:

Originally Posted by JujiPoli

Yes, im trying to prevent server that didn't got hacked yet, please make sure you have a recent back up!, sorry agony for post here but it important.

No matter of your reasons there are rules that you must follow. This is Advertising section. Just imagine what would happen if everyone just made random topics and didn't respect rules. Chaos. Simply chaos.

#Requesting topic to be moved. > http://www.elitepvpers.com/forum/shaiya-private-server/

Twilight360 · 12/10/2014, 17:41

Quote:

Originally Posted by Agony69

No matter of your reasons there are rules that you must follow. This is Advertising section. Just imagine what would happen if everyone just made random topics and didn't respect rules. Chaos. Simply chaos.

#Requesting topic to be moved. > http://www.elitepvpers.com/forum/shaiya-private-server/

Question. Mod yes or no?
No?
Wait for mod to decide if this is something to pin, so after it is stopped then they can remove it? Have you thought of it? Because guaranteed That sig they will hit it as well if your advertising a server that is up in 21 hours, they will keep it down or you can understand why we need this to be pin, or no server will be up since they are not being stopped yet, didn't know nubness is coming back to shaiya by the name "Shaiya Invasion or did i?"

Autrux · 12/10/2014, 18:18

#pinned until there is a fix.

Just search for one.

Psycnosis · 12/10/2014, 18:18

How does these "hacks" work? it sounds like its something you must have installed on the server before it would take effect and not be triggered by outside sources. I am by no means expert on this.

JujiPoli · 12/10/2014, 18:21

I have some new, but im not a pro, they inject via login of our game.exe -> a .dll

JuuF · 12/10/2014, 18:48

Thats an injection but not a .dll one, all you have to do is write the injection to UserID part and boom.

JujiPoli · 12/10/2014, 18:53

Quote:

Originally Posted by JuuF

Thats an injection but not a .dll one, all you have to do is write the injection to UserID part and boom.

Well atm servers "boom" fastly, until there a fix we need to save data each time we can

Psycnosis · 12/10/2014, 19:00

Quote:

Originally Posted by JuuF

Thats an injection but not a .dll one, all you have to do is write the injection to UserID part and boom.

hmm if it was really that simple im surpriced this hasnt happened earlier. would encrypting the game.exe fix it?

JuuF · 12/10/2014, 19:03

Quote:

Originally Posted by Psycnosis

hmm if it was really that simple im surpriced this hasnt happened earlier. would encrypting the game.exe fix it?

That has nothing to do with game.exe the problem is on ps_login.exe and yea it is really that simple.