AAC Hacked Website, Deleted adm give access
- Thread starter Joker Man
- Start date
He found 1 hack he knew. You can ask/pay him, so he will tell you how to fix it on priv.
Hackers may know other hacks, so I recommend to replace current acc. maker with some official acc. maker version.
Also hackers could already abuse current hack to get permission to some files and install other hacks on your machine.
I've just noticed you are running it on XAMPP on Windows. Don't waste time hosting on Windows.
You can try to get free VPS:
How to get FREE VPS from Oracle Cloud
About registration: In last month a lot of people tried to register to mine crypto on free servers. Now many credit cards are not accepted in registration form. Probably, because these bank users tried to create multiple accounts. I think it's still worth trying, as you can get free VPSes and it...
From my 15 years experience: you will faster learn Linux, than secure Windows.
You can start here - not the best Linux security tutorial, but none of 100+ servers configured using that get hacked in last 5 years:
tutorials/polish/konfiguracja-serwera-linux at master · gesior/tutorials
Contribute to gesior/tutorials development by creating an account on GitHub.
github.com
Gesior 2012
buychara
buychara
Lua:
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<?PHP
if($logged) {
if ($action == '') {
$main_content .= '<center>Here is the list of the current characters that are in the shop!</center>';
$main_content .= '<BR>';
$main_content .= '<TABLE BORDER=1 CELLSPACING=1 CELLPADDING=4 WIDTH=100%><TR BGCOLOR='.$config['site']['vdarkborder'].'><TD CLASS=white width="64px"><CENTER><B>Name</B></CENTER></TD><TD CLASS=white width="64px"><CENTER><B>Vocation</B></CENTER></TD><TD CLASS=white width="64px"><CENTER><B>reset</B></CENTER></TD><TD CLASS=white width="64px"><CENTER><B>Price</B></CENTER></TD><TD CLASS=white width="64px"><CENTER><B>Buy it</B></CENTER></TD></TR>';
$getall = $SQL->query('SELECT `id`, `name`, `price`, `status` FROM `sellchar` ORDER BY `id`')or die(mysql_error());
foreach ($getall as $tt) {
$namer = $tt['name'];
$queryt = $SQL->query("SELECT `name`, `vocation`, `reset` FROM `players` WHERE `name` = '$namer'");
foreach ($queryt as $ty) {
if ($ty['vocation'] == 1) {
$tu = 'Sorcerer';
} else if ($ty['vocation'] == 2) {
$tu = 'Druid';
} else if ($ty['vocation'] == 3) {
$tu = 'Paladin';
} else if ($ty['vocation'] == 4) {
$tu = 'Knight';
} else if ($ty['vocation'] == 5) {
$tu = 'Sorcerer';
} else if ($ty['vocation'] == 6) {
$tu = 'Druid';
} else if ($ty['vocation'] == 7) {
$tu = 'Paladin';
} else if ($ty['vocation'] == 8) {
$tu = 'Knight';
}
$ee = $tt['name'];
$ii = $tt['price'];
$main_content .= '<TR BGCOLOR='.$config['site']['darkborder'].'><TD CLASS=black width="64px"><CENTER><B><a href="index.php?subtopic=characters&name='.$tt['name'].'">'.$tt['name'].'</a></B></CENTER></TD><TD CLASS=black width="64px"><CENTER><B>'.$tu.'</B></CENTER></TD><TD CLASS=black width="64px"><CENTER><B>'.$ty['reset'].'</B></CENTER></TD><TD CLASS=black width="64px"><CENTER><B>'.$tt['price'].'</B></CENTER></TD><TD CLASS=black width="64px"><CENTER><B>
<form action="?subtopic=buychar&action=buy" method="POST">
<input type="hidden" name="char" value="'.$ee.'">
<input type="hidden" name="price" value="'.$ii.'">
<input type="submit" name="submit" value="Buy it"></B></CENTER></TD></TR></form>';
}
}
$main_content .= '</TABLE>';
}
if ($action == 'buy') {
$name = $_POST['char'];
$price = $_POST['price'];
$ceh = $SQL->query("SELECT `name` FROM `sellchar` WHERE `name` = '$name'");
if ($ceh) {
if ($name == '') {
$main_content .= '<b><center>Select a character to buy first/b>';
} else {
$user_premium_points = $account_logged->getCustomField('premium_points');
$user_id = $account_logged->getCustomField('id');
if ($user_premium_points >= $price) {
$check = $SQL->query("SELECT * FROM `sellchar` WHERE `name` = '$name'") or die(mysql_error());
$check1 = $SQL->query("SELECT * FROM `players` WHERE `name` = '$name'") or die(mysql_error());
$check2 = $SQL->query("SELECT `oldid` FROM `sellchar` WHERE `name` = '$name'");
foreach ($check as $result) {
foreach($check1 as $res) {
foreach($check2 as $ress) {
$oid = $ress['oldid'];
$main_content .= '<center>You bought<b> '.$name.' ( '.$res['reset'].' ) </b>for <b>'.$result['price'].' points.</b><br></center>';
$main_content .= '<br>';
$main_content .= '<center><b>The character is in your account, have fun!</b></center>';
$execute1 = $SQL->query("UPDATE `accounts` SET `premium_points` = `premium_points` - '$price' WHERE `id` = '$user_id'");
$execute2 = $SQL->query("UPDATE `players` SET `account_id` = '$user_id' WHERE `name` = '$name'");
$execute2 = $SQL->query("UPDATE `accounts` SET `premium_points` = `premium_points` + '$price' WHERE `id` = '$oid'");
$execute3 = $SQL->query("DELETE FROM `sellchar` WHERE `name` = '$name'");
}
}
}
} else {
$main_content .= '<center><b>You dont have enought premium points</b></center>';
}
}
} else {
$main_content .= '<center><b>Character cannot be buyed</b></center>';
}
}
} else {
$main_content .= '<center>Please log in first!</center>';
}
?>
@Joker Man
otland.net
[Gesior ACC] Buy / sell characters
These scripts do work, but they are so easy to exploit. By 1 simple edit client side I managed to sell a a char on the main account, for 0 coins on a fresh account then buy it on it thus transferring to my new account. You can also put a char up for sale at 10000 points, and buy it for 1 point...
I haven't noticed it's VPS, not home PC. XAMPP made my think it's home PC.
Maybe no one can hack Windows VPS, but any internet user can DDoS it using 1 mb/s connection and it will go down. It's Windows.
Even Microsoft hosts THEIR sites on Linux.
Open 10k connections in same time? Send 10k requests to www? Windows will go down. Good luck looking for Windows firewall that will detect simple attacks like that and block them.
What can detect attacks like that? Linux. You just need to use
iptables to tell Linux to block specific actions:
How to get FREE VPS from Oracle Cloud
even though I only used the free tier plans, credits from the 30-day bonus were consumed. I'm afraid I'll start the project I'm planning to create and lose it in a few months. (the avalue costi analysis informs that is by "Block Storage".. but i dont know why yet. I create my machine within the...
Nice@Joker Man
[Gesior ACC] Buy / sell characters
These scripts do work, but they are so easy to exploit. By 1 simple edit client side I managed to sell a a char on the main account, for 0 coins on a fresh account then buy it on it thus transferring to my new account. You can also put a char up for sale at 10000 points, and buy it for 1 point...
I've forgotten about that bug.
Last edited:
Sorry my brother, i have full protc, like Shield for any ddosI haven't noticed it's VPS, not home PC. XAMPP made my think it's home PC.
Maybe no one can hack Windows VPS, but any internet user can DDoS it using 1 mb/s connection and it will go down. It's Windows.
Even Microsoft hosts THEIR sites on Linux.
Open 10k connections in same time? Send 10k requests to www? Windows will go down. Good luck looking for Windows firewall that will detect simple attacks like that and block them.
Nice
vps like 20$
You also had OTS that was not hackable, until someone hacked it.
Datacenter DDoS protection may protect you from basic DDoSes (only OVH anti-ddos does it! other datacenters anti-ddoses fail even vs. very weak attacks), but not from website DDoSes (OVH fails on website DDoSes too).
You are running XAMPP (A after X is for Apache web server).
It's like saying DoS/DDoS me with anything,
can be - first Google result - Ataki Slow HTTP DoS (cz. 1.) – Slowloris (https://sekurak.pl/ataki-slow-http-dos-cz-1-slowloris/) (yes, it's 2014 post and XAMPP still cannot handle this attack).
It's first attack in Google, but you can easily find 10 others. All of them will turn off web server, some of them will turn off whole VPS.
Google's 3rd result is OTLand's post about XAMPP and it already mentioned
nginx - Apache replacement, easy to install on Linux - in 2012 Xampp - ataki (https://otland.net/threads/xampp-ataki.175332/) (https://www.google.com/search?q=xampp+slowloris).I've never DDoSed any OTS and I'll not change it to prove that your VPS can be taken down with 4 (or 1) lines of Bash (Linux) script in console on home 1 mb/s internet connection.
Ready to run Python script [much longer, but also easily configurable]: GitHub - gkbrk/slowloris: Low bandwidth DoS tool. Slowloris rewrite in Python. (https://github.com/gkbrk/slowloris)
What distro of linux do you recommend? I'm a linux virgin. So I need one that has a lot of support/info. I just got everything working and compiled on windows. And now I want to cry lol.
Edit: I settled on ubuntu 20.04.1LTS to get me going. Maybe switch to something lighter and more bare once I pop my cherry a little.
Last edited:
