Topic: Arcade scores "hacked"?

Someone registered in our forums today, and had managed to put some strange scores in the arcade.
Is this a hack? Some security problem? What should I do?

If you do what you've always done, you'll get what you've always gotten.

Re: Arcade scores "hacked"?

Can you give us an account, please?

Sorry. Inactive due to personal life.

3 (edited by Papillon 2008-03-27 19:31)

Re: Arcade scores "hacked"?

Er... Sure. Can I send you that by e-mail?
Edit: Do you mean as a regular member? (Registration is done in a few seconds ^_^ no verification required)


Re: Arcade scores "hacked"?

Top Highscores for Helloww
    Games     Highscores     Date
1     Yetisports 9     55654     Today 15:20:35
2     Rat Wheel     55654     Today 15:20:23
3     Donkey Kong     55654     Today 15:20:10
4     Chain Reaction     55654     Today 15:17:35
5     Spider Solitaire     55654     Today 15:17:24
6     Jezzball     1516549654     Today 15:17:04
7     Fox Tower     1516549654     Today 15:16:53
8     Hammer Throw     1516549654     Today 15:16:41
9     Mahjongg 3D     1516549654     Today 15:16:32
10     Bungee Ball     1516549654     Today 15:16:11
11     Arcade Lanes     1516549654     Today 15:15:58
12     Little Geek     1516549654     Today 15:14:18
13     Scrambled Eggs     1516549654     Today 15:13:02
14     Counter-Strike Lite     1516549654     Today 15:12:49
15     Crazy Keepups     1e+20     Today 15:12:20
16     Formula Fun     1e+20     Today 15:11:54
17     Galaga     1e+20     Today 15:10:50
18     Dolphin Dash     89627     Today 15:07:41
19     Ball     1e+20     Today 15:05:56
20     Pacman     1e+20     Today 15:05:42
21     Frogger     1e+32     Today 15:05:23
22     Gyroball     132456     Today 15:05:08
23     UFO     132456     Today 15:04:55
24     Fisher     132456     Today 15:04:37
25     Mooncave     132456     Today 15:03:49
26     Tubin     132456     Today 15:03:39
27     Bubbles     132456     Today 15:03:33
28     Icehockey     132456     Today 15:03:17
29     Collapse     132456     Today 15:02:50
30     Birdy     132456     Today 15:02:35
31     Count     132456     Today 15:02:30
32     Acceleracers     132456     Today 15:02:18
33     Watchmaker     132456     Today 15:01:56
34     WRAX     132456     Today 15:01:47
35     Railroad     132456     Today 15:01:39
36     TMAAS     132456     Today 15:01:29
37     Escargone     132456     Today 15:01:22
38     Laby     132456     Today 15:00:11
39     1992     132456     Today 14:59:38

I say that they have been forced. I would say that the DB is hacked, but it doesn't seem to fit... so it could be a security bug... Would your logs show anything useful about MySQL?


Re: Arcade scores "hacked"?

Er... How can I check?


6 (edited by Utchin 2008-03-27 21:53)

Re: Arcade scores "hacked"?

I have reason to believe there is a security bug in the mod... What version are you running?

This person going by the name of halloww has hacked other PunBB sites with arcades around 15:00 to 16:00, so there is a security hole in the arcade.

Could you email me his IP? Cheers wink


7

Re: Arcade scores "hacked"?

Moved as it appears to be mod related.

Re: Arcade scores "hacked"?

Here is the mod I am using:
http://www.berger-feld.de/index.php?opt … ;Itemid=37

Smartys told me before that it had serious DB bugs apparently.


9

Re: Arcade scores "hacked"?

If he said it has, then it won't be apparently, but fact.

Re: Arcade scores "hacked"?

Yes, I use that mod, and I can cheat on my own forum. From my localhost, I run the following cheat.php (doesn't need to be PHP, any web server will do, i.e. it's simple HTML) page. Just change the action to your newscore.php URL location, then enter the game name and desired score:

<html>
<body>
<form action="http://www.sample.com/newscore.php"  method="post">
game_name <input type="text" name="game_name" /> <br />
score <input type="text" name="score" /> <br />
<input type="submit" value="go" />
</form>
</body>
</html>

smile

There are several things that need to be done to the arcade_play and newscore.php pages in that mod (I haven't bothered, because my users haven't bothered and/or aren't informed enough to cheat).

11

Re: Arcade scores "hacked"?

Cheeky! Wow...

How do you stop this, confirm referrer??


Re: Arcade scores "hacked"?

confirm_referrer can be faked if the client is knowingly doing this.
From my limited knowledge of this area, you need to
A. Make the games difficult to decompile
B. Have a method that does not submit the scores in plaintext, but instead uses some kind of encryption scheme.
That means the only way to cheat is to reverse engineer the encryption. Of course, since this is open source, the scheme has to work even with the algorithm being known.

13

Re: Arcade scores "hacked"?

Is there a method that PunBB uses? On 1.2.X?


Re: Arcade scores "hacked"?

The info about the cheating is in the post of matt1298. I deleted the account of that member, and thus his scores, so the link above won't show anything anymore. After I banned him, he actually registered with another similar account today.
I appreciate all your feedback on the matter. And I also would love to know if there is anything to be done to stop the cheating.


15 (edited by Lurker.boi 2008-03-28 19:01)

Re: Arcade scores "hacked"?

Papillon wrote:

The info about the cheating is in the post of matt1298. I deleted the account of that member, and thus his scores, so the link above won't show anything anymore. After I banned him, he actually registered with another similar account today.
I appreciate all your feedback on the matter. And I also would love to know if there is anything to be done to stop the cheating.

You'd have to do something like:

On the arcade_play.php page, generate a new uniquekey for the user/game combo. Save this key to a table. Pass the key to the game similar to how the game name is passed, and then modify each game to pass this back to the newscore.php and mod newscore.php to compare the key to the one in the table. A lot of effort (particularly modifying the games) that may not be worth the trouble unless you are having a tourney for cash based on these game scores. smile

Edit: Nevermind, this wouldn't work either, because they could probably scrape the uniquekey off the page where it's passed as a param to the game.

Re: Arcade scores "hacked"?

Some Googling turned up
http://www.hellboundhackers.org/forum/s … 647_0.html
http://ricardocabello.com/index.php?postid=286

17 (edited by StevenBullen 2008-04-05 14:12)

Re: Arcade scores "hacked"?

Cheers for this.

I'm creating an arcade mod for 1.3 and will need to look into this.
I had a quick browse of what you posted, Smartys, and it looks like they haven't come up with anything solid either.

Currently I use 2 ways of finding cheats. First is that I time the moment the page is entered and the time the score is submitted... Then I also compare it with 3 forums that I run that have an arcade on them. I also monitor scores for games on my forums to compare them with my other forums.
This is not solid either... but I have caught many cheats from it. big_smile

Ideally in 1.3 I will have this all built in and even a site where you can compare your info to that. It's the best I could come up with without having a proper look.

PS. Have been away on holiday (Orlando) for a month. So will be back and posting regularly again. big_smile
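
The per-play key proposed in the thread, combined with the page-load-to-submit timing check and a strict integer check on the score field, as an added example (not code from the arcade mod, PunBB, or any poster). The names `issue_play_key` and `accept_score`, the `$store` array standing in for a database table, and the thresholds are assumptions made for the illustration.

```php
<?php
// Added example: hypothetical helpers, not part of the arcade mod or PunBB.
// $store stands in for a database table keyed by play key (constructed for the demo).

// Called when the play page is rendered: records who started which game, and when.
function issue_play_key(array &$store, int $userId, string $game, int $now): string
{
    $key = bin2hex(random_bytes(16));            // unguessable, one per page load
    $store[$key] = ['user' => $userId, 'game' => $game, 'issued' => $now];
    return $key;
}

// Called by the score handler: the key, not the POST body, says which play this is.
function accept_score(array &$store, string $key, int $userId, string $game,
                      string $rawScore, int $now, int $minSeconds, int $maxScore): string
{
    if (!isset($store[$key])) {
        return 'reject: unknown or already used key';
    }
    $play = $store[$key];
    unset($store[$key]);                         // single use, even when rejected below
    if ($play['user'] !== $userId || $play['game'] !== $game) {
        return 'reject: key issued for another user or game';
    }
    // Plain digits only, so values such as "1e+20" or "-5" never reach the database.
    if (!preg_match('/^\d{1,9}\z/', $rawScore) || (int)$rawScore > $maxScore) {
        return 'reject: implausible score';
    }
    if ($now - $play['issued'] < $minSeconds) {
        return 'flag: submitted too soon after the play page loaded';
    }
    return 'accept';
}

// Constructed walk-through with fixed timestamps and a made-up per-game cap.
$store = [];
$t0 = 1206630000;
$k1 = issue_play_key($store, 7, 'pacman', $t0);
echo accept_score($store, $k1, 7, 'pacman', '1e+20', $t0 + 90, 20, 500000), "\n";
echo accept_score($store, $k1, 7, 'pacman', '4200', $t0 + 95, 20, 500000), "\n";  // key reuse
$k2 = issue_play_key($store, 7, 'pacman', $t0 + 100);
echo accept_score($store, $k2, 7, 'pacman', '4200', $t0 + 103, 20, 500000), "\n"; // 3 s after load
$k3 = issue_play_key($store, 7, 'pacman', $t0 + 200);
echo accept_score($store, $k3, 7, 'pacman', '4200', $t0 + 290, 20, 500000), "\n";
```

A key scraped from the play page still passes the key check, as the edit in the thread points out; what the key adds is one page load per submission and a start time the server can trust for the timing and plausibility checks.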