WTF....How did my password get changed



Phiberdelic
12-11-03, 04:46
I have been playing for about 4 hours tonight ...then I kept getting synch problems...so I decide to just quit and re-log...I get Incorrect Password...Go to neocron.com and do a password recovery and it says the password is now "reserve"... (now its changed again so thptttt)

I am 25 and have a spouse and 9 month old...I have never given out my account to anyone EVER. I am not some little 12 year old who exchanges accounts with ppl cuz they have too much free time on their hands.

MODS/KK tell me some good news...what are you doing about this problem?

[EDIT] OK now Im really fucking pissed off...some of my cabs are empty...my armor has been taken, weapons, rares....and my character who was at MB at the time was at my apt with my entire inventory full of id'd parts my 2 FL's and PE...

Logan Tyrus
12-11-03, 04:55
Aw man thats messed up, my condolences.
I can't believe that people would bother to do that :confused: some people eh?
I hope KK do sort out this security problem, i see a lot of posts like this and it sucks!

Phiberdelic
12-11-03, 05:03
Looks like only my immediate weapon I was carrying (ROG), my armor I was wearing (battle3's, heavy energy and SPYPA3), and one apt full of id'd rares (of course this would be my main apt I kept these in).

Well from now on my primary apt is for crap like ammo, medkits, etc. I know not a real deterrent, but it'll take em a bit longer to go to my other apts.

Drake6k
12-11-03, 05:56
If you didn't tell anyone...Only way I know of is a keylogger.
Download any 3rd party Neocron programs?

If I was you I'd run some spyware removal program like adaware and a virus scan.

Phiberdelic
12-11-03, 06:09
ok lemmie give you some info
Im a 25 year old Network Admin
I am running WinXP ontop of Redhat 8.1 using IPchains going through a Webramp700s true-firewall, completely locked down. I have zero spyware/adware, and at the time this was happening netstat only had the nc server on port 12000 and the neocron website, all running processes were examined also which came out negative.

now most people including KK want to believe that most of us playing this game are 12-17 year old kids, truth be told a whole hellavalot of us are Computer Professionals.

\\Fényx//
12-11-03, 11:38
Originally posted by Phiberdelic
ok lemmie give you some info
Im a 25 year old Network Admin
I am running WinXP ontop of Redhat 8.1 using IPchains going through a Webramp700s true-firewall, completely locked down. I have zero spyware/adware, and at the time this was happening netstat only had the nc server on port 12000 and the neocron website, all running processes were examined also which came out negative.

now most people including KK want to believe that most of us playing this game are 12-17 year old kids, truth be told a whole hellavalot of us are Computer Professionals.

Shit man that REALLY sucks, had it happen to me before aswell... If theres anything you need give me a shout and im 99.9% sure I can replace it for you :)

Opar
12-11-03, 11:58
Thats fucked.... we should have a rollback for this mans sake!

Stigmata
12-11-03, 12:14
and i bet KK still say...."our server has not been hacked, it must be client side so there is nothing we can do about it"

They have the shittest customer service staff in the world.

the cock that works on helpdesk doesn't know his ass from his elbow (SB).

With kind regards

Andy

[TgR]KILLER
12-11-03, 12:17
crist phib now u to.. been reading about ppl getting hacked for some time now.. so anybody know who it can be ? i know a few of sxr are hacked and i thought some TG guys to.. i'll help ya replace anything i can mate :(

El_MUERkO
12-11-03, 12:28
Did you use the shttp: link to change your password?

Have you checked your contact email to ensure the hacker hasnt changed it?

I'd be curious to see a poll, have you been hacked, I wonder what the numbers would be, I guess it'd just get closed though.

Dajuda
12-11-03, 12:31
Thats fucked.... we should have a rollback for this mans sake

If they rolled back the servers everytime someones accnt got hacked .. we'd be back in beta by now.

phunqe
12-11-03, 12:47
Ack, I'm very sorry man :(

I'll do a pwd change raid on my accounts right away :)

Shockwave
12-11-03, 13:00
Originally posted by Dajuda
If they rolled back the servers everytime someones accnt got hacked .. we'd be back in beta by now.

KK have the ability to roll back individual parts of the game, like a single apartment or a character's status (Location, stats, inventory).

With a system as secure as Phiberdelics I find it impossible to believe that someone hacked him. To analyse this coldly this means either a) he's lying, or b) the NC servers themselves have been hacked somehow.
I don't know Phiber from Adam, so I can't comment on A. B, however, I'm starting to wonder about. There have been a number of hack claims recently, and they can't ALL be liars (Which I think is KK's base assumption based on prior experience of people on the blag). There has to be something going on here.

I think KK need to start looking through their logs for some of these usernames and checking them against the IP they were using at the time to see if there are any discrepancies. Phiber's account seems like a prime one for this, as he strikes me as the sort of person who either has a CM with an IP that doesn't change very often, or a static IP. Any odd IPs will at least give KK the ISP a hacker is using, and an email to their Sysadmin ought to be enough to get them to check who was using that IP at that particular time.
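The log check suggested in the post above, sketched as an added example that is not part of the original thread and not KK's code: it builds a per-account baseline of source networks and reports later events from networks outside it, rating a password change from an unknown network highest. The log format, field names, account names and the /24 grouping (to tolerate dynamic addresses within one ISP range) are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample log; the line format and field names are assumptions.
SAMPLE_LOG = """\
2003-11-10T19:02:11 account=acct_a ip=192.0.2.10 event=login_ok
2003-11-11T18:40:03 account=acct_a ip=192.0.2.10 event=login_ok
2003-11-11T20:15:47 account=acct_b ip=198.51.100.23 event=login_ok
2003-11-12T00:31:09 account=acct_a ip=192.0.2.10 event=login_ok
2003-11-12T02:05:30 account=acct_b ip=198.51.100.77 event=login_ok
2003-11-12T04:38:52 account=acct_a ip=203.0.113.99 event=password_change
2003-11-12T04:40:15 account=acct_a ip=203.0.113.99 event=login_ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) ip=(?P<ip>\S+) event=(?P<event>\S+)$"
)


def find_discrepancies(log_text, min_history=2, prefix_len=24):
    """Return events whose source network is not in the account's baseline.

    An account needs `min_history` accepted events before anything is
    flagged, so brand-new accounts do not generate noise. Flagged networks
    are never added to the baseline: everything done from an unreviewed
    network keeps showing up until a human clears it.
    """
    baseline = defaultdict(set)      # account -> networks seen in normal use
    accepted = defaultdict(int)      # account -> number of baseline events
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue                 # skip lines that do not parse
        try:
            net = ipaddress.ip_network(f"{m['ip']}/{prefix_len}", strict=False)
        except ValueError:
            continue                 # malformed address field
        account = m["account"]
        if accepted[account] >= min_history and net not in baseline[account]:
            findings.append({
                "ts": m["ts"],
                "account": account,
                "ip": m["ip"],
                "event": m["event"],
                # A credential change from an unknown network is the pattern
                # described in this thread, so it is rated above a login.
                "severity": "high" if m["event"] == "password_change" else "review",
            })
            continue
        baseline[account].add(net)
        accepted[account] += 1
    return findings


if __name__ == "__main__":
    for f in find_discrepancies(SAMPLE_LOG):
        print(f["severity"], f["ts"], f["account"], f["ip"], f["event"])
```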

Nara
12-11-03, 13:03
Does KK have a record of trades done between players over a 24h period? If so then they can track down the hacker. If not, well thats something that just about every other MMORPG has and they need to implement it soon.

I make sure my extra apartment (I only have 1 so far) has a different password to my starter, and I keep nothing worth anything in my starter. Would be nice if we could change the password to our starter, assuming we can't already (I can't see how).

But anyway, really sorry that happened to you :(

phunqe
12-11-03, 13:13
Ok, I'm not sure how hard it is to implement with the current login system, but I would gladly use an option to make my account accessible from certain IPs only.
This is a problem for people with dynamic addresses I know, but perhaps give us the option still?
Dunno though, it might introduce too much workload :)

Archeus
12-11-03, 13:37
Originally posted by Shockwave
To analyse this coldly this means either a) he's lying, or b) the NC servers themselves have been hacked somehow.

There are any number of reasons what caused it. For all you know it could be a rogue GM. The only important factor here is why did they change the password? If they were going to change the password, they would change the Email address too.

Btw, being a system admin make you immune to getting hacked. Its like saying you have an unhackable system.

For example did you know that IE6 had a hack in it which allowed hackers full access. Only patched today.

But one thing about his story. It is possible to protect your rares from everything except a keylogger. Store the rares in the apartments and store the apartment keys in another apartment other than your starter apartment. This way they will have to guess the passwords (it is easy to find your apartments).

Shockwave
12-11-03, 13:49
Originally posted by Archeus
There are any number of reasons what caused it. For all you know it could be a rogue GM. The only important factor here is why did they change the password? If they were going to change the password, they would change the Email address too.

Btw, being a system admin make you immune to getting hacked. Its like saying you have an unhackable system.

For example did you know that IE6 had a hack in it which allowed hackers full access. Only patched today.

But one thing about his story. It is possible to protect your rares from everything except a keylogger. Store the rares in the apartments and store the apartment keys in another apartment other than your starter apartment. This way they will have to guess the passwords (it is easy to find your apartments).

Oh, I know there could be a host of other reasons for what's happened - a rogue KK or Level3 employee, database corruption, an NC player breaking into Phiber's house, hardware keylogger etc, but those are the two most likely causes in my opinion. I'm also aware that there's no such thing as an unhackable system, but with Phiber's setup I'd say a hacker would have to REALLY, REALLY go some to get into it.

IE=bag of shite. Universally accepted fact. Microsoft are to security what Terry Wogan is to particle physics. They STILL haven't got that RPC hole fixed yet.:rolleyes: And they wonder why the mid-high end business market doesn't even consider their OSs...:lol:

ericdraven
12-11-03, 13:53
Originally posted by Archeus
For example did you know that IE6 had a hack in it which allowed hackers full access. Only patched today.

Exactly.
And ipchains won't help you in that case.

Shockwave
12-11-03, 13:59
Originally posted by ericdraven
Exactly.
And ipchains won't help you in that case.

No, but the fact that his base OS is Linux and he's running a locked-down hardware firewall/router will.

ericdraven
12-11-03, 14:11
Originally posted by Shockwave
No, but the fact that his base OS is Linux and he's running a locked-down hardware firewall/router will.
Yup.
And XP on top of it. ;)

Lecko
12-11-03, 15:12
Originally posted by Archeus
But one thing about his story. It is possible to protect your rares from everything except a keylogger. Store the rares in the apartments and store the apartment keys in another apartment other than your starter apartment. This way they will have to guess the passwords (it is easy to find your apartments).

and you need to make sure that the apartment is not the one you've tagged as "apartment" in genreps. Otherwise, they're in there.

I never use my main starter for storing rares. If I got hacked, that would be it. I dont think I'd want to play any more. It takes MONTHS to get stuff when you work full time and if some greasy, snotty fucker hacked my account I'd wish he'd burn in the hottest fires there is in hell while I beat the git about the head :mad:

I know this has probably been said before, but arent the forum accounts linked to the game accounts? Is there viable link from one to the other?

Phiberdelic
12-11-03, 16:24
I don't know how they did it but I was looking at neocron.com for accounts and it seems very possible to just brute force the changepw.php even with the simplest of scriptkiddie programs out there like wwwhack or Brutus by just slapping in the form script below. I tried on my account to see if neocron would ever lock me out but after 23 wrong passwords and still no lockout I assume there is none. This is just one way they could do it, or they could get a debugging program like Softice and trace each function in the client.exe to find the exact hex when it asks for login & pass and brute force it from there. I guess the more extreme way, which may be easier, but I'm not sure, is if the forum accounts and client accounts are tied together (which is the stupidest thing ever) and jafc.de has a hole in the database/website. Or they just plain out found a flaw on neocron.com or the client servers themselves. In any case it should be relatively easy to find the hole.

Now Im not sayin my system is un-hackable, but I ran my traces at the exact time this was happening with screenies for KK so they couldn't say "nonono KK is secure, you is teh evil", so I seriously doubt it came from my machine. Oh and I don't use IE too many holes all the time, I use Opera, which is faster anyways.

ThanX to those offering help, but I always keep at least 2 of every weapon and armor so at least I had spares, and the ID'd rares well I can get those prolly within a week, I just have to start huntin WB again (boring).

So KK what the fuk are you going to do about all this???

[ edited for violation of the forum rules - how is this helping? ]

Conduit
12-11-03, 16:32
You must be pissed, man, but i don't think that it's really the brightest idea in the world to post that on an open forum..

edit it and send a pm maybe?

Furion
12-11-03, 16:40
Originally posted by Phiberdelic
So KK what the fuk are you going to do about all this???


KK aint gonna do jack shit to help u, its policy.....

Mighty Max
12-11-03, 17:24
Infact KK does care about such security leaks.

Till now everything on this board about this was like, "uhm ohh, the html form is not HTTPS" (tho the transmission is). So it wasn't really something that would fix anything.

But i see a prob with the password changing tries.

On the other side are there enough places to try to. Ingame, Passchange, address-changes etc. You cant lock them all dependend from each other without bitchslapping the normal fatfingered user.

if there is a possible AND userfriendly way of blocking, KK will do it.

Cruzbroker
12-11-03, 17:47
Forum and game account has nothing to do after register, so it's not that, it's been said.

call em

-FN-
12-11-03, 21:40
Originally posted by Conduit
You must be pissed, man, but i don't think that it's really the brightest idea in the world to post that on an open forum..

edit it and send a pm maybe?

He sounds as pissed as I do, but he's right. [ edited for violation of the forum rules - discussion of hacking is against the rules ]

This is a White Hat way of posting it. If KK doesn't shape up, it's their own fault everyone leaves. This punk who's hacking is the perfect example of why hacking needs to be an international crime that's prosecuted to a much deeper extent.

Archeus
12-11-03, 21:43
Originally posted by -FN-
This is a White Hat way of posting it. If KK doesn't shape up, it's their own fault everyone leaves. This punk who's hacking is the perfect example of why hacking needs to be an international crime that's prosecuted to a much deeper extent.

No it's not the white hat way. Telling them first would be better. Granted he hasn't posted that much important but may get other muppets ideas.

Btw, wouldn't they have to brute force your username + password?

-FN-
12-11-03, 21:55
Well, either way, if this hacker gave a shit at *all* about the community, you would think he'd tell KK the ABCs of how he's doing it.

Instead he picks and chooses people who make him cry and exploits them. He obviously cares nothing for the game and KK obviously doesn't care in return that he's tearing it down.

Ransom
13-11-03, 02:52
Again I don't know much about hacking, I certainly don't know much about writing scripts, however a thought that has come about is whether or not people are using logical usernames, for example if my main character was 'Fred', is my account also named 'Fred'? If it was, then that would give a hacker somewhere to start.

Also are people using passwords that they commonly use, it's an easy habit to use the same username/password on different sources, for example the neocron forums, whose security is probably easier compromised than the main servers, especially as there is a cookie stored on everyone's computers that holds this login information.

Any sysadmin's know whether it is possible to fake a cookie call?
As a rule I block cookies from all but trusted sites, but any one could be requesting the main forum cookie information.

If the letter in the SXR thread is to be believed, the hacker, or at least one of them, seems to think that the attempts are easily avoidable. Is the lesson that he is trying to teach an in game one as SXR believe, or a simple one of internet security?

Are people registering using hotmail, or other commonly used e-mail addresses? I have heard, not verified mind, that these addresses are easily hacked.

Anyway those are my thoughts on the situation,

Ransom

EDIT: as account information is needed, does the neocron cookie hold the account name?

Martin J. Schwiezer
13-11-03, 04:15
Originally posted by Ransom
as account information is needed, does the neocron cookie hold the account name?

No, of course it does not.

@Phiberdelic: Okay, it appears to be obvious that _something_ has been hacked here. We could change the password change system so it wouldn't allow any brute force attacks for a start.

The server itself is most likely even better secured than your system. But since you appear to be an IT expert, we might probably work together on finding the loophole. If you PM me your email address, then I will forward it to our net guys and we can work together on this.

I know that this doesn't bring back your stuff, but you should at least know that we actually _do_ care.

G.0.D.
13-11-03, 04:19
ONOZ H4x0r3d

Shits its like y2k all over again!!!


*puts on a raincoat*

Ransom
13-11-03, 04:41
Originally posted by Martin J. Schwiezer
No, of course it does not.


Just a thought as you need it to register for full forum privileges.

Ransom

Phiberdelic
13-11-03, 16:41
Originally posted by Martin J. Schwiezer
No, of course it does not.

@Phiberdelic: Okay, it appears to be obvious that _something_ has been hacked here. We could change the password change system so it wouldn't allow any brute force attacks for a start.

The server itself is most likely even better secured than your system. But since you appear to be an IT expert, we might probably work together on finding the loophole. If you PM me your email address, then I will forward it to our net guys and we can work together on this.

I know that this doesn't bring back your stuff, but you should at least know that we actually _do_ care.

@MJS - YGM :)

Anything I can do to help keep this game alive and kickin!

\\Fényx//
13-11-03, 16:42
Originally posted by Phiberdelic
@MJS - YGM :)

Anything I can do to help keep this game alive and kickin!

Change the green on that bloody avatar then :p that just winds me up :(

Nidhogg
13-11-03, 17:01
This may seem like a stoopid question but, since you've previously stated that you bought your account off EBay, did you change the password straight away?

N

Cypher_Psy
13-11-03, 17:13
Something that should already be implemented is the standard "3 tries and you are out" password attempts, this would stop / severely slow down brute force attempts.
Something like a 1 hour lock-out wouldn't effect legitimate users.

I have been thinking over this issue..
It seems that for this person to do this you would need a way to match character name to a account name else it would be stupid to try to brute a username.
If I recall, GM's can log any character on in a legitimate way to fix characters as part of a help request.

There must therefore be a list where the character name and corresponding account name (and password) are stored.
How secure is this list?
Are the passwords stored in plaintext or are they encrypted?
Has the password to this list been changed at all lately?
How secure is the machine with this list?

Some important questions I think.
(As stated in the other threads, some of the people that have been hacked know exactly what the hell they are doing regarding computer security to keep the script kiddies and hackers out of their machines)

Thus the website and any servers security need an overview, along with internal staff security policies.
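The lock-out and password-storage points raised in the post above, as an added example that is not part of the original thread and not KK's code: one failure counter per account shared by every entry point (so the password-change form cannot be used to get around the login limit), three failures followed by a one-hour lock, and passwords kept only as salted PBKDF2 hashes. The class name, entry-point labels and account names are hypothetical.

```python
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3         # "3 tries and you are out"
LOCKOUT_SECONDS = 3600   # the 1 hour lock-out suggested in the post


def hash_password(password, salt=None, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256; only (salt, rounds, digest) is stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, rounds, digest


class AccountGate:
    """Hypothetical credential check called by every entry point."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._records = {}        # account -> (salt, rounds, digest)
        self._failures = {}       # account -> consecutive failures
        self._locked_until = {}   # account -> unix time the lock expires
        self._dummy = hash_password("unused")  # used for unknown accounts
        self.audit = []           # (time, account, entry_point, result)

    def register(self, account, password):
        self._records[account] = hash_password(password)

    def check(self, account, password, entry_point):
        """Return 'ok', 'denied' or 'locked'; entry_point is only logged."""
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return self._log(now, account, entry_point, "locked")
        # Unknown accounts go through the same hashing and counting, so the
        # response does not reveal whether an account name exists.
        salt, rounds, expected = self._records.get(account, self._dummy)
        _, _, got = hash_password(password, salt, rounds)
        if account in self._records and hmac.compare_digest(got, expected):
            self._failures.pop(account, None)   # success clears the counter
            return self._log(now, account, entry_point, "ok")
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= MAX_FAILURES:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures.pop(account, None)
        return self._log(now, account, entry_point, "denied")

    def _log(self, now, account, entry_point, result):
        self.audit.append((now, account, entry_point, result))
        return result


if __name__ == "__main__":
    fake_now = [0.0]                        # constructed clock for the demo
    gate = AccountGate(clock=lambda: fake_now[0])
    gate.register("acct_a", "correct horse")
    for guess, where in [("a", "changepw"), ("b", "game_login"), ("c", "changepw")]:
        print(where, gate.check("acct_a", guess, where))
    print("game_login", gate.check("acct_a", "correct horse", "game_login"))
    fake_now[0] += LOCKOUT_SECONDS + 1
    print("game_login", gate.check("acct_a", "correct horse", "game_login"))
```

Because the counter resets on a successful check and the lock expires on its own, a user who mistypes twice is not penalised, which is the usability concern raised earlier in the thread.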

\\Fényx//
13-11-03, 17:14
Originally posted by Nidhogg
This may seem like a stoopid question but, since you've previously stated that you bought your account off EBay, did you change the password straight away?

N


bwahaha

aww teh niddy makes me laugh at times :p

Im sure he'd think of that straight away, mind you that was a fair while ago

Ive got 3 accounts, 1 of which i share with rizzy, i barely keep much on that account as its a shared one, most my shits on my main account that i dont share, change my pass every few weeks etc

my PC's pretty tight aswell, only thing i ever have a problem with is my ISP cause NTL are rabid jackasses... but their cheap like the budgy... O_o

phiber knows his shit, extremely doubtful it was a hack, or to his own negligence, also if you notice every time these hacks come across there's always 4 or 5 of them then a quiet phase, personally i doubt its NC's coding, more likely something with the website, or possibly the forum like stated above, you need to input your pass to register etc.

Phiberdelic
13-11-03, 17:24
Originally posted by Nidhogg
This may seem like a stoopid question but, since you've previously stated that you bought your account off EBay, did you change the password straight away?

N
Oh ya that was done the same minute the dude emailed it to me, cuz I was pissed off he gave me the account name but didn't send me the password so I gave him negative feedback then started filing Ebay Fraud Protection forms....he decided to give me the password after that, which was really dumb he actually had it set to this "dog", I mean come on, some ppl...

[edit] well i supposed he could've changed it to dog just so I wouldn't have a password he uses for other purposes too...

Kugero
13-11-03, 17:36
just thinking out loud - are the current users getting hacked all from the same general geographical area?

it might be possible that a route has been poisoned redirecting certain KK urls to a fake site that logs your account info.

Trojan sites are the latest fad - hell I get about 50 ebay email redirects a day it seems (for example)...

Phiberdelic
13-11-03, 17:43
Originally posted by phunqe
Ok, I'm not sure how hard it is to implement with the current login system, but I would gladly use an option to make my account accessible from certain IPs only.
This is a problem for people with dynamic addresses I know, but perhaps give us the option still?
Dunno though, it might introduce too much workload :)
Man that would be great for me since I have a static IP...hrmmm, wondering if the NC logs show login accounts matched with the IP that logged?

[edit] hey Kuj. Futurama is back...its on every night on Cartoon Network at 10pm CST...Faithful watcher here, then of course after that is the ever funny Family Guy...did anyone else happen to watch "When You Wish Upon A Weinstein"...that was teh funniez.

jernau
13-11-03, 17:46
Originally posted by Kugero
just thinking out loud - are the current users getting hacked all from the same general geographical area?

it might be possible that a route has been poisoned redirecting certain KK urls to a fake site that logs your account info.

Trojan sites are the latest fad - hell I get about 50 ebay email redirects a day it seems (for example)...

Very unlikely. Man-in-the-middle-attacks are nigh on impossible without access to one of the end-points. If someone had that level of expertise and access they would probably be doing something more profitable with it than pissing off gamers.

Trojan sites are a possibility for getting spyware onto people's PCs but Phiberdelic seems plenty capable of spotting such a threat.

Cypher_Psy
13-11-03, 17:50
Originally posted by \\Fényx//
Change the green on that bloody avatar then :p that just winds me up :(

Maybe if he likes this..

http://www.psychosisnet.freeserve.co.uk/Phiberdelic.jpg

Then our eyes can be at peace again? :D

I still would like an answer to my questions though from KK ;)

jernau
13-11-03, 17:55
Originally posted by Cypher_Psy

I still would like an answer to my questions though from KK ;)

Not much point KK giving a list of handy-hints to anyone else wanting to pull this kind of crap.

I'd like to know if any non-Plutonians have been hit though. If not it certainly looks like tracing the hacker may be possible through social as well as technical means (in private of course - not on this public forum).

Phiberdelic
13-11-03, 17:58
Originally posted by Cypher_Psy
Maybe if he likes this..

http://www.psychosisnet.freeserve.co.uk/Phiberdelic.jpg

Then our eyes can be at peace again? :D

I still would like an answer to my questions though from KK ;)


oooo me likey that avatar...thanx

Kugero
13-11-03, 18:02
hey Kuj. Futurama is back

yea Adult Swim kicks ass - Futurama got canceled I thought so everything is just reruns - still funny as hell though ...


Man-in-the-middle-attacks are nigh on impossible without access to one of the end-points

Ok what about DNS redirects? Unpatched DNS servers are notoriously vulnerable to exploits especially if a local server to their area is managed by a twit. It would only take a couple of hours running a redirect to a fake site to log enough account information to have plenty of account info to play with.

this would require all the accounts to originate from the same 'local' route path however (and a different SSL certificate of course) ... you're right unlikely but should be ruled out as a possibility ...

I guess we could go on and on and on listing all the nefarious methods so ... man this sucks :(

jernau
13-11-03, 18:09
Originally posted by Kugero
Ok what about DNS redirects? Unpatched DNS servers are notoriously vulnerable to exploits especially if a local server to their area is managed by a twit. It would only take a couple of hours running a redirect to a fake site to log enough account information to have plenty of account info to play with.

this would require all the accounts to originate from the same 'local' route path however (and a different SSL certificate of course) ... you're right unlikely but should be ruled out as a possibility ...

I guess we could go on and on and on listing all the nefarious methods so ... man this sucks :(

I was going to say what you said in para 2 to rebut para 1, now what should I say.....;)

DaFire
16-11-03, 00:19
Originally posted by Martin J. Schwiezer
We could change the password change system so it wouldn't allow any brute force attacks for a start.

We have something like this now.

Flea
16-11-03, 00:32
Well, phib, I can't help you with any of this, and my condolences go to you because I know that must have taken weeks of work to get all of that stuff that you lost. gl