FancyJack


Post by Anonymous!!! »

Well, FancyJack is the reason that my server is in deep Chocolate Cupcake...
I want to know has anyone else had him attack their servers?
I have suspicions but have not asked many people that FancyJack is trying to attack TMW.

Okay, so let me explain: FancyJack turned up on the other worlds, he had a crown and golden warlord plate.
I checked the GM logs and a GM had not summoned him them. He told me that he found them lying on the ground but there were no crowns created at that point. I banned FancyJack from the server until I found out what happened. Details can be found on the other worlds forums here. I asked my friend (who is also a developer of my server) on TOW Emostar and he explained that FancyJack admitted to him that he had swapped item IDs or something.
Sure enough I checked the item DB and it was stuffed up and I had to replace it.
I permanently banned him on the spot and was about to block his IP when I noticed that he'd corrupted account.txt: he has his email set at noemail@address.com and his IP was set to 0.0.0.0.
A week and a bit later I saw him again on TOW, using the banned account.
Sure enough GM logs stated that he hadn't been unbanned... I tried to ban and block him, but nothing happened and he kept taunting me. I tried @kick and it failed. He started taunting me again but then the server suddenly crashed and when I rebooted it the characters were gone, the global variables were gone and several NPCs were corrupted. Ever since he has made several almost identical attacks and normally leaving something in a file for me to read like a threat. I'm not jumping to any conclusions but it seems like he must be receiving money or something for doing this, otherwise he wouldn't go to all the trouble. These attacks looked like they would have taken a while to do. He mentioned something to me once in a message in athena.txt: TMW is going down.
I'm starting to think he is planning to attack the official server and that he has attacked several other servers.
He always replaces any IPs of his in the server with 127.0.0.1 or 0.0.0.0.

Okay, additional details are that I'm using Linux, running Ubuntu, and the attacks were all timed for when I'm offline.

Now, firstly I want to know if anyone else has had attacks like this and secondly is there anything I can do to stop them? It would also be nice to know who he is if possible :P

Sorry if this is the wrong place to put this.
-Nahem - My Characters in use are:
  • Nahem
  • Knetrin
  • Nullified
Are you up for a CHALLENGE? Yes!
Project Hurnscald
I'm currently attempting to develop an Event Arena and I'm looking for ideas!

Re: FancyJack

Post by yourmistakes »

make the admin and ladmin passwords 16-25 chars (or more!). require rsa keys for ssh access. use a high port for ssh access. encrypt your wifi with wpa2 or radius using a fairly long password as well. adopt a policy of minimal access levels necessary for your devs and admins. of course, these seem like basic precautions, but you'd be surprised at how many people fail to follow them.

having said that: if you are following these practices then there is the possibility of a couple of really nasty scenarios: unreported shell exploits existing in the server code, one of your devs or admins messing about and trolling you.

there are of course other possibilities, but i just woke up and . . . blah
Re: FancyJack

Post by Anonymous!!! »

Yeah, I'm still a bit puzzled... I worked out he was using ladmin somehow, but Emostar told me he thinks FancyJack was using some altered client that has built-in hacks such as sending packets and even possibly a username/password hack.

I'll take the precautions and I'll report any following attacks in hope we can stop him.
I'm fairly certain he is just using this as 'practice' and that he is hoping to get at the official server sometime.
Emostar is fairly certain that this guy is paid and has a theory that FancyJack is doing this sort of thing to try and get better and better until he can attack big-shots. I'm not too certain on the theory.

Anyway for now I'll just hope he doesn't attack again.

Re: FancyJack

Post by yourmistakes »

i find your surplus of speculation disturbing.

Re: FancyJack

Post by Crush »

Anonymous!!! wrote: "Emostar told me he thinks FancyJack was using some altered client that has built in hacks such as sending packets and even possibly a username/password hack."
Emostar thinks too narrowly.

As yourmistakes pointed out, there are tons of possible security holes in a server setup which are completely unrelated to eAthena. There are hundreds of mistakes you can make when setting up a Linux server before installing tmwAthena on it. It is much more likely that you have a security hole somewhere else.

If there really were a huge security flaw in tmwAthena which allowed someone to take over the host system like you are describing, do you really think that we wouldn't have felt it in the past? How many users do you have? How many users does TMW have? How long has your server existed? How long has TMW existed? It's not like nobody ever tried to attack TMW. We got tons of different attacks in the past, but none which abused a security hole as severe as you are describing.
Anonymous!!! wrote: "Emostar is fairly certain that this guy is paid"
Paid?? Sorry, but that doesn't make sense at all. Why would someone pay someone to hack some unimportant open source MMO? Sorry, but that's just unjustified paranoia.
Anonymous!!! wrote: "and has a theory that FancyJack is doing this sort of thing to try and get better and better until he can attack big-shots."
Also very unlikely. If you were trying to find a security hole in tmwAthena, you would do so on your private server. It doesn't make sense to practice on a server of someone else.
  • former Manasource Programmer
  • former TMW Pixel artist
  • NOT a game master

Please do not send me any inquiries regarding player accounts on TMW.


You might have heard a certain rumor about me. This rumor is completely false. You might also have heard the other rumor about me. This rumor is 100% accurate.

Re: FancyJack

Post by Frost »

I wholeheartedly agree with Mistakes and Crush. You asked what you could do to stop this from happening, and I'd like to reply.

First, an analogy. You own a game store, and you have a long-running game of Monopoly in the back room. After you go home at night, someone puts a new game piece on the board, grabs some title cards from you and other players, and robs the bank blind. None of your paying customers are doing this, so clearly it's a cheat.

Don't spend your time trying to catch the person cheating at Monopoly (or cheating on the server). Your problem isn't a dishonest player, it's that apparently you've left a door unlocked and someone just dances in every night and is messing with your game.

I suggest you learn how to secure your Linux system. A good place to start is the checklist from SANS (a very respectable organization) at http://www.sans.org/score/checklists/linuxchecklist.pdf

Basically, you want to:
1) Know which places on your server can be attacked. In the previous "store" analogy, you should find the doors and windows.
2) Have a basic security system, starting with iptables (Linux firewall).
3) Have enough knowledge and information to know when someone has broken into your computer and to know if they've changed or stolen something.
4) Know your options if a real crook hits you and steals or destroys important things. (Do you have backups? Can you learn how the crook broke in? Can you reinstall the OS and programs?)

It sucks that there are dishonest people like this FancyJack person. Unfortunately, by setting up a game server you've made yourself more visible than just a plain old desktop computer. As any store owner will tell you, petty crooks and stupid pranksters are part of the business.
You earn respect by how you live, not by what you demand.
-unknown
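
Added example, not part of Frost's post or of tmwAthena: one way to cover point 3 of the list above is to hash the server's static files and compare against a baseline kept off the server. The paths `db/item_db.txt`, `npc/shop.txt` and `save/account.txt` and all file contents are constructed; the `save` directory is skipped on the assumption that the server rewrites it during normal play.

```python
import hashlib
import os
import tempfile

def snapshot(root, skip=("save",)):
    """Map relative path -> SHA-256 for files under root, skipping the
    directories in `skip` (data the server rewrites during normal play)."""
    manifest = {}
    for dirpath, dirs, files in os.walk(root):
        dirs[:] = [d for d in dirs if d not in skip]
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            manifest[os.path.relpath(path, root)] = digest
    return manifest

def compare(baseline, current):
    """Paths added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }

def write(root, rel, text):
    """Create or overwrite a file below root (helper for the demo only)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def demo():
    """Constructed server tree: take a baseline, change files, compare."""
    with tempfile.TemporaryDirectory() as root:
        write(root, "db/item_db.txt", "constructed item rows\n")
        write(root, "npc/shop.txt", "constructed NPC script\n")
        write(root, "save/account.txt", "constructed account rows\n")
        baseline = snapshot(root)  # in practice, store this off the server
        write(root, "db/item_db.txt", "constructed item rows, IDs swapped\n")
        os.remove(os.path.join(root, "npc", "shop.txt"))
        write(root, "db/note.txt", "unexpected file\n")
        write(root, "save/account.txt", "normal gameplay change\n")
        return compare(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

A baseline stored on the same machine can be rewritten by whoever changes the files, so the comparison is only meaningful against a copy kept elsewhere.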

Re: FancyJack

Post by Frost »

Anonymous!!! wrote: "Well, FancyJack is the reason that my server is in deep Chocolate Cupcake...
...
Now, firstly I want to know if anyone else has had attacks like this and secondly is there anything I can do to stop them? It would also be nice to know who he is if possible"
Other servers get attacked, but perhaps not with such success.

For an example of how a total freak might secure a server, see http://forums.themanaworld.org/viewtopi ... =7&t=13046 Don't use it as a laundry list, just observe the thought process ("nothing I do is truly secure") and the multiple layers ("after he breaks through this, then I'll stop him here").

One way to identify the schmuck is to configure iptables to log connections to your server, then start watching for unusual login activity around the time of these attacks. Keep in mind that FancyJack knows you're looking for him and is trying to make this task difficult for you. For example, he might log in at normal times too, or he might log in at 6pm and wait until 11pm to mess with you. In other words, he wants you to blame the wrong person, so don't be impatient.

Those aren't easy answers, but this is not an easy problem.
You earn respect by how you live, not by what you demand.
-unknown
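
Added example, not part of Frost's post: a sketch of the correlation described above, reading iptables LOG lines and ranking source addresses by how many incidents they connected before, with a wide lookback so an early login followed by a long wait is still counted. The port 6901, the `TMW-NEW: ` prefix, the year, the incident times and every log line are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed rule that produces these lines (port and prefix are assumptions):
#   iptables -A INPUT -p tcp --dport 6901 -m conntrack --ctstate NEW \
#            -j LOG --log-prefix "TMW-NEW: "
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) .*TMW-NEW: .*?SRC=(\S+) ")

def parse(lines, year):
    """Yield (timestamp, source IP) from syslog-format iptables LOG lines."""
    for line in lines:
        m = LINE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def suspects(events, incidents, lookback=timedelta(hours=6)):
    """Return (ip, incidents preceded, connections at other times), ranked.

    The third column shows who is simply a regular player; the ranking is
    a lead to investigate, not proof of who did it.
    """
    hits = defaultdict(set)       # ip -> incidents it connected before
    elsewhere = defaultdict(int)  # ip -> connections outside every window
    for ts, ip in events:
        near = {i for i in incidents if i - lookback <= ts <= i}
        if near:
            hits[ip] |= near
        else:
            elsewhere[ip] += 1
    rows = [(ip, len(h), elsewhere[ip]) for ip, h in hits.items()]
    return sorted(rows, key=lambda r: (-r[1], r[2], r[0]))

# Constructed sample log (documentation address ranges, not real hosts).
FMT = "{} tow kernel: TMW-NEW: IN=eth0 OUT= SRC={} DST=192.0.2.10 PROTO=TCP DPT=6901 SYN"
SAMPLE = [FMT.format(t, ip) for t, ip in [
    ("Mar  3 17:58:02", "198.51.100.7"),
    ("Mar  3 20:15:40", "203.0.113.20"),
    ("Mar  5 19:00:11", "203.0.113.20"),
    ("Mar  7 18:30:00", "203.0.113.20"),
    ("Mar 10 12:00:00", "203.0.113.44"),
    ("Mar 10 18:02:45", "198.51.100.7"),
]]
INCIDENTS = [datetime(2011, 3, 3, 23, 0), datetime(2011, 3, 10, 23, 30)]

def demo():
    return suspects(parse(SAMPLE, 2011), INCIDENTS)
```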