
Bug - Players got GM commands

Bluewolf

Hello all!
Two days ago players reported that a knight and a paladin had been one-shotting players and monsters on my server. We had to close our server because of this bug. I don't know the details yet or what else has happened, but right now we know a few things. After doing an investigation we found one katana, which had like 999999 attack damage. We still don't know which weapon the paladin was using, but I assume that he had a similar weapon to the one the knight had.

After seeing all this I strongly think that someone has been able to use GM commands, possibly the /attr command. We are sure that none of us created those weapons and there are no other GMs than us. Right now we have no idea how all this happened. However, it seems that no other commands have been abused; no items have been created, even though we have some powerful donation items.
So we think that the bug is in the /attr command, but we could be wrong. We have tried to find some information here and on other forums but we couldn't find any. So I am asking if someone knows this bug, or knows how to fix it, or even has some idea, please. We would be grateful. I don't know much about these things because I am a mapper and quest scripter. We are using TFS version 0.3.6 cryingdamson.

I hope these things could give you some kind of clue where to start. Thanks.

-Bluewolf
 
If you log commands you can open your /data/logs folder to see who has been using commands. It could also be that someone gained access to your database and upgraded themselves, did these edits and downgraded themselves.
 
Well, we checked that and found only our talkactions but not anything else. Also, if they were able to get into the database, I think they would have done something else than just making insane weapons. So players may not have been able to directly use the /attr command, but it might be a similar thing which the server registers as the /attr command, and that is the bug which we are chasing. It also might be in TFS. But thanks anyway.
 
If someone used that talkaction, it should be in logs. If it's not there, then it's not done with that talkaction.
Could be some other script, like an upgrade script that can be abused to be used unlimited times.
 
Yes Limos, we have an upgrading system. If you see any possible bugs let me know.

Code:
local conf = {}

conf["level"] = {
    -- [item_level] = {successParcent = percent chance that upgrading succeeds, downrageLevel = level the item is decreased to if upgrading fails}
    [1] = {successParcent = 85, downrageLevel = 0},
    [2] = {successParcent = 70, downrageLevel = 1},
    [3] = {successParcent = 60, downrageLevel = 1},
}
conf["upgrade"] = { -- by how many percent are attributes raised?
    attack = 2, -- attack %
    extraAttack = 2, -- extra Attack %
    defense = 2, -- defence %
    extraDefense = 2, -- extra defence %
    armor = 2, -- armor %
    hitChance = 0, -- hit chance %
}

-- // do not touch // --
-- Upgrading system v.3.1 by Azi [Ersiu] --
local upgrading = {
    upValue = function (value, level, parcent)
        if(not(value>0))then return 0 end
        for i=1,level do
            value = math.ceil(((value/100)*parcent)+value)+1
        end
        return (value > 0) and value or 0
    end,

    getLevel = function (item)
        local name = string.explode(getItemName(item), '+')
        return (#name == 1) and 0 or math.abs(name[2])
    end,
}
function onUse(cid, item, fromPosition, itemEx, toPosition)
    local getItem = getItemInfo(itemEx.itemid)
    if((getItem.weaponType > 0 or getItem.armor > 0) --[[and not isItemStackable(itemEx.itemid)]])then
        local level = upgrading.getLevel(itemEx.uid)
        if(level < #conf["level"])then
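            -- conf["level"] has no entry for level 0, so a failed first upgrade keeps the item at level 0 instead of indexing nil
            local failLevel = (conf["level"][level] and conf["level"][level].downrageLevel) or 0
            local nLevel = (conf["level"][(level+1)].successParcent >= math.random(1,100)) and (level+1) or failLevel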
            if(nLevel > level)then
                doSendMagicEffect(toPosition, 30)
                doPlayerSendTextMessage(cid, 22, "Congratz! Your upgrade was successful, your item has become stronger; remember to not stack it with other items of the same type!")
            else
                doSendMagicEffect(toPosition, 2)
                doPlayerSendTextMessage(cid, 22, "Argh! Your upgrade failed... you item has weakened!")
            end
            doItemSetAttribute(itemEx.uid, "name", getItem.name..((nLevel>0) and "+"..nLevel or ""))
            doItemSetAttribute(itemEx.uid, "attack",  upgrading.upValue(getItem.attack, nLevel, conf["upgrade"].attack))
            doItemSetAttribute(itemEx.uid, "extraattack", upgrading.upValue(getItem.extraAttack, nLevel, conf["upgrade"].extraAttack))
            doItemSetAttribute(itemEx.uid, "defense", upgrading.upValue(getItem.defense,nLevel, conf["upgrade"].defense))
            doItemSetAttribute(itemEx.uid, "extradefense", upgrading.upValue(getItem.extraDefense, nLevel, conf["upgrade"].extraDefense))
            doItemSetAttribute(itemEx.uid, "armor", upgrading.upValue(getItem.armor, nLevel, conf["upgrade"].armor))
            doItemSetAttribute(itemEx.uid, "hitChance", upgrading.upValue(getItem.hitChance,nLevel, conf["upgrade"].hitChance))
            doRemoveItem(item.uid, 1)
        else
            doPlayerSendTextMessage(cid, 19, "Sorry this item is on max level.")
        end
    else
        doPlayerSendTextMessage(cid, 19, "You cannot upgrade this item.")
    end
end
 
Well, if the "upgrading.getLevel(itemEx)" is working there shouldn't be any problems; have you tried to upgrade more than once yourself? My guess is either some corrupted script (yes, I've done and used some on people I wanna get back at); they might think it's a simple shovel script while it's actually a simple script that gives the weapon unlimited attack etc. Another thing it could be is someone other than you who has access to your dedi and does e.g. /attr ingame and then removes it from your logs. I'm pretty drunk but can't find any bugs in your script, so my guess is one of the above.
 
Yep, as Limos said I did some in-game tests and couldn't find any way to get unlimited stacks. The only bug which I found was that if you remove a ranged weapon like an assassin star or enchanted spear from the hand, it will lose all of its upgrades. But it is pretty easy to fix: just make them unstackable. Still, it is a mystery how a player was able to get a katana with 999999 attack damage, because there were no bugs in the melee weapons' upgrading system.
 
Well, does someone other than you have access to the dedi? My guess in that case is that someone used the /attr command and then removed it from the logs by logging in to the dedi.
 
Only my friend has that access. I think that it's not the problem, but I'm not sure. I will check that later today when my friend comes online. However, I still believe that the problem is in the upgrading script. I just don't know how to bug the system. It might have something to do with stacking paladin weapons such as enchanted spears. The bug has to be somewhere in our files. I have tried to search all the files which we have, and the only possible things are the upgrading system or some bug in GM commands, but they haven't been directly used. Our upgrading system is a little bit unique because I haven't seen it on other servers, and also they don't have this kind of bug.
 
Well, a way to try it out is to disable or, even better, temporarily remove the attr command; I can't see how it's the script tbh.
I've cleaned a lot of servers that have had the same problems as you do. You could add a keylogger and see if it's your friend who changes the logs, or recompile and add the logs to a hidden folder where the name is his own name but sha1 encrypted. And if he did this he won't admit to it, at least I wouldn't.
Another way to do it is to set a max value in your source so the items can't have over, let's say, 200 atk.
If it's unique, why would the other servers have it?
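
Added example, not part of any post in the thread: it works out the highest attack the posted upgrade script can ever write (3 levels at 2%) and flags stored items above that ceiling, which is a Lua-side version of the "max value" idea. The base attack of 16 and the inventory rows are constructed sample data, and `maxLegitAttack`, `clampAttack` and `audit` are hypothetical helper names; a real audit would read the item attributes from the server's own storage.

```lua
-- Added example: stand-alone Lua, no TFS API calls.
-- Same growth rule as upgrading.upValue in the script posted above.
local function upValue(value, level, percent)
    if not (value > 0) then return 0 end
    for _ = 1, level do
        value = math.ceil((value / 100) * percent + value) + 1
    end
    return value
end

local MAX_LEVEL = 3       -- number of entries in conf["level"] in the posted script
local ATTACK_PERCENT = 2  -- conf["upgrade"].attack in the posted script

-- Highest attack the upgrade script can legitimately produce for a base value.
local function maxLegitAttack(baseAttack)
    return upValue(baseAttack, MAX_LEVEL, ATTACK_PERCENT)
end

-- Clamp any requested attack to that ceiling before it is written to an item.
local function clampAttack(baseAttack, requested)
    return math.min(requested, maxLegitAttack(baseAttack))
end

-- Constructed sample rows (assumption): owner, item name, base attack, stored attack.
local items = {
    {owner = "PlayerA", name = "katana+3", base = 16, attack = 22},
    {owner = "PlayerB", name = "katana",   base = 16, attack = 999999},
    {owner = "PlayerC", name = "katana+1", base = 16, attack = 18},
}

-- Return every row whose stored attack exceeds what the script could have set.
local function audit(rows)
    local flagged = {}
    for _, it in ipairs(rows) do
        if it.attack > maxLegitAttack(it.base) then
            flagged[#flagged + 1] = it
        end
    end
    return flagged
end

for _, it in ipairs(audit(items)) do
    print(string.format("%s: %s has attack %d, ceiling %d, clamped to %d",
        it.owner, it.name, it.attack, maxLegitAttack(it.base),
        clampAttack(it.base, it.attack)))
end
```

Any item the audit flags was written by something other than this upgrade path, which narrows the search to commands, other scripts, or direct database edits.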
 