PunBB Forums → PunBB 1.2 modifications, plugins and integrations → Arcade scores "hacked"?
Someone registered in our forums today, and had managed to put some strange scores in the arcade.
Is this a hack? Some security problem? What should I do?
can you give us an account please
Er... Sure. Can I send you that by e-mail?
Edit: Do you mean as a regular member? (Registration is done in a few seconds ^_^ no verification required)
Top Highscores for Helloww
# Game Highscore Date
1 Yetisports 9 55654 Today 15:20:35
2 Rat Wheel 55654 Today 15:20:23
3 Donkey Kong 55654 Today 15:20:10
4 Chain Reaction 55654 Today 15:17:35
5 Spider Solitaire 55654 Today 15:17:24
6 Jezzball 1516549654 Today 15:17:04
7 Fox Tower 1516549654 Today 15:16:53
8 Hammer Throw 1516549654 Today 15:16:41
9 Mahjongg 3D 1516549654 Today 15:16:32
10 Bungee Ball 1516549654 Today 15:16:11
11 Arcade Lanes 1516549654 Today 15:15:58
12 Little Geek 1516549654 Today 15:14:18
13 Scrambled Eggs 1516549654 Today 15:13:02
14 Counter-Strike Lite 1516549654 Today 15:12:49
15 Crazy Keepups 1e+20 Today 15:12:20
16 Formula Fun 1e+20 Today 15:11:54
17 Galaga 1e+20 Today 15:10:50
18 Dolphin Dash 89627 Today 15:07:41
19 Ball 1e+20 Today 15:05:56
20 Pacman 1e+20 Today 15:05:42
21 Frogger 1e+32 Today 15:05:23
22 Gyroball 132456 Today 15:05:08
23 UFO 132456 Today 15:04:55
24 Fisher 132456 Today 15:04:37
25 Mooncave 132456 Today 15:03:49
26 Tubin 132456 Today 15:03:39
27 Bubbles 132456 Today 15:03:33
28 Icehockey 132456 Today 15:03:17
29 Collapse 132456 Today 15:02:50
30 Birdy 132456 Today 15:02:35
31 Count 132456 Today 15:02:30
32 Acceleracers 132456 Today 15:02:18
33 Watchmaker 132456 Today 15:01:56
34 WRAX 132456 Today 15:01:47
35 Railroad 132456 Today 15:01:39
36 TMAAS 132456 Today 15:01:29
37 Escargone 132456 Today 15:01:22
38 Laby 132456 Today 15:00:11
39 1992 132456 Today 14:59:38
I'd say that they have been forced; I would say that the DB is hacked, but it doesn't seem to fit... so it could be a security bug. Would your logs show anything useful about MySQL?
Er... How can I check?
I have reason to believe there is a security bug in the mod. What version are you running?
This person going by the name of halloww has hacked other PunBB sites with arcades around 15:00 to 16:00, so there is a security hole in the arcade.
Could you email me his IP? Cheers.
Moved as it appears to be mod related.
Here is the mod I am using:
http://www.berger-feld.de/index.php?opt … ;Itemid=37
Smartys told me before that it had serious DB bugs apparently.
If he said it has, then it won't be apparently, but fact.
Yes, I use that mod, and I can cheat on my own forum. From my localhost, I run the following cheat.php page (it doesn't need to be PHP, any web server will do, i.e. it's simple HTML). Just change the action to the URL of your newscore.php, then enter the game name and desired score:
<html>
<body>
<form action="http://www.sample.com/newscore.php" method="post">
game_name <input type="text" name="game_name" /> <br />
score <input type="text" name="score" /> <br />
<input type="submit" value="go" />
</form>
</body>
</html>
There are several things that need to be done to the arcade_play and newscore.php pages in that mod (I haven't bothered, because my users haven't bothered and/or aren't informed enough to cheat).
cheeky! wow...
How do you stop this? Confirm referrer?
confirm_referrer can be faked if the client is knowingly doing this.
From my limited knowledge of this area, you need to
A. Make the games difficult to decompile
B. Have a method that does not submit the scores in plaintext, but instead uses some kind of encryption scheme.
That means the only way to cheat is to reverse engineer the encryption. Of course, since this is open source, the scheme has to work even with the algorithm being known.
Is there a method that PunBB uses, on 1.2.X?
The info about the cheating is in the post of matt1298. I deleted the account of that member, and thus his scores, so the link above won't show anything anymore. After I banned him, he actually registered with another similar account today.
I appreciate all your feedback on the matter. And I also would love to know if there is anything to be done to stop the cheating.
You'd have to do something like:
On the arcade_play.php page, generate a new unique key for the user/game combo. Save this key to a table. Pass the key to the game similar to how the game name is passed, then modify each game to pass it back to newscore.php, and modify newscore.php to compare the key to the one in the table. A lot of effort (particularly modifying the games) that may not be worth the trouble unless you are having a tourney for cash based on these game scores.
Edit: Never mind, this wouldn't work either, because they could probably scrape the unique key off the page where it's passed as a param to the game.
Some Googling turned up
http://www.hellboundhackers.org/forum/s … 647_0.html
http://ricardocabello.com/index.php?postid=286
Cheer for this.
I'm creating an arcade mod for 1.3 and will need to look into this.
I had a quick browse of what you posted, Smartys, and it looks like they haven't come up with anything solid either.
Currently I use 2 ways of finding cheats. First, I time the moment the page is entered and the time the score is submitted. Then I also compare it with 3 forums that I run that have an arcade on them. I also monitor scores for games on my forums to compare them with my other forums.
This is not solid either, but I have caught many cheats with it.
Ideally in 1.3 I will have this all built in and even a site where you can compare your info to that. Its the best I could come up with without having a proper look.
PS. Have been away on holiday (orlando) for a month. So will be back and posting regular again.
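The checks described in the posts above (time the play page, time the submission, compare scores against what the game can plausibly produce) as an added example; this is not code from the thread or from the arcade mod it discusses. It also rejects the kind of values seen in the highscore list (1e+20, 1e+32, the same 132456 posted to dozens of games in a few minutes), which a plain-integer check and a cross-game comparison catch without touching the Flash games at all. The game names, per-game limits and timestamps below are assumptions for illustration.

```python
"""Server-side plausibility checks for arcade score submissions.

Added example, not part of the original thread or the arcade mod.
Idea from the thread: note when arcade_play served the game, reject a
score posted faster than the game can be played, reject values that are
not plain integers or exceed a per-game ceiling, and flag one user
posting the identical score to many different games.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical per-game limits: (minimum seconds a real game takes,
# highest score ever legitimately reached, with some headroom).
GAME_LIMITS = {
    "Pacman": (30, 500_000),
    "Frogger": (20, 200_000),
    "Jezzball": (45, 100_000),
}


def parse_score(raw):
    """Accept only plain non-negative integers.

    The forged entries in the thread ('1e+20', '1e+32') are float
    notation that a numeric DB column happily stores; refusing anything
    but digits closes that off.
    """
    if not isinstance(raw, str) or not raw.isdigit():
        return None
    return int(raw)


def check_submission(session_started, session_game, game, raw_score, submitted):
    """Validate one POST to newscore.php.

    session_started / submitted are ISO-8601 timestamps; session_game is
    the game arcade_play.php actually served to this user.
    Returns (accepted, reason).
    """
    if session_game != game:
        return False, "game does not match the play session"
    score = parse_score(raw_score)
    if score is None:
        return False, "score is not a plain integer"
    min_seconds, max_score = GAME_LIMITS.get(game, (0, None))
    elapsed = (datetime.fromisoformat(submitted)
               - datetime.fromisoformat(session_started)).total_seconds()
    if elapsed < min_seconds:
        return False, f"submitted after {elapsed:.0f}s, below minimum {min_seconds}s"
    if max_score is not None and score > max_score:
        return False, f"score {score} exceeds ceiling {max_score}"
    return True, "ok"


def find_repeated_scores(rows, min_games=3):
    """Flag a score string that one user posted to min_games or more games.

    rows: list of (game, raw_score) for a single user. Returns a dict
    score -> sorted list of games. A genuine player rarely ends several
    unrelated games on exactly the same number.
    """
    games_by_score = defaultdict(set)
    for game, raw in rows:
        games_by_score[raw].add(game)
    return {s: sorted(g) for s, g in games_by_score.items() if len(g) >= min_games}


# Constructed sample modelled on the thread's highscore list (one user,
# a few minutes, identical or absurd scores across unrelated games).
SAMPLE_ROWS = [
    ("Frogger", "1e+32"),
    ("Pacman", "1e+20"),
    ("Gyroball", "132456"),
    ("UFO", "132456"),
    ("Fisher", "132456"),
]


if __name__ == "__main__":
    print(check_submission("2007-01-01T15:05:00", "Pacman", "Pacman",
                           "1e+20", "2007-01-01T15:05:42"))
    print(check_submission("2007-01-01T15:05:30", "Pacman", "Pacman",
                           "12000", "2007-01-01T15:05:42"))
    print(find_repeated_scores(SAMPLE_ROWS))
```

None of this stops a determined client from forging a believable score after a believable delay; as the thread says, anything the game carries can be scraped. It does raise the bar from "one HTML form" to "one HTML form plus patience", and it catches the bulk submissions seen here.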