
Hackers Issue

Calon

Hello,
I'm just wondering about a weird thing that happened to me recently.

So my issue is: some Swedish guy called Eliminator somehow hacked my database and got the passwords of my main email, PayPal and Zaypay. I lost a lot of money. That happened because I was using a bad rev with an old Gesior AAC with unsafe scripts.

So I formatted my laptop, and after that I switched to using a safe dedicated server (DD) to run an RL map on a safe rev, 0.3.7 SVN OT, and changed all passwords and emails, with safe scripts and Gesior 2012 for the web. (I don't have any scripts that need a database login username or password, and I never download or receive any files from people.) But the Swedish guy still got my database password, though not the phpMyAdmin URL.

Could someone tell me what this is?
I need to know the reason to fix it, it's really weird.
 
Might be an SQL injection. A user can send parameters to your database, and these parameters can manipulate the data and get out information. Want to learn more about SQL injections? Just google it!

If you're using a MySQL database, information in your folders can be taken and then sent to the database:
PHP:
<?php

$anvandarID = $_POST["anvandarID"]; 
$password = $_POST["losenord"]; 

$query = "SELECT username FROM usertable WHERE username = '$anvandarID' AND password = '$password'";

?>
which sends information to the MySQL database that looks like this:
PHP:
 SELECT username FROM usertable WHERE username = 'root' AND password = 'tibia1881881'

To prevent this you could use mysql_real_escape_string.

If you're using mysql_real_escape_string, then the hacker will get another answer, which should look like this after the injection:
PHP:
 SELECT username FROM usertable WHERE username =
'\' OR \'1\'=\'1' AND password = '\' OR \'1\'=\'1'

It should look like this in your folder:
PHP:
 <?php

$anvandarID = mysql_real_escape_string($_POST["anvandarID"]); 
$password = mysql_real_escape_string($_POST["losenord"]); 

$query = "SELECT username FROM usertable WHERE username = '$anvandarID' AND password = '$password'";

?>
This one should help you out:
Note: change Accounts & Passwords to whatever they are named in your table:
PHP:
 $values = array();
foreach( $strs as $str ) {
	$Accounts = mysql_real_escape_string($str['Accounts']);
	$Passwords = mysql_real_escape_string($str['Passwords']);
	$values[] = "('$Accounts', '$Passwords', NOW())";
}

$query = "INSERT INTO table (Accounts, Passwords, time) VALUES " . implode( ',', $values );
mysql_query($query);

Like I said earlier, if you want to know more about these injections, just google it. Remember that this won't prevent them from getting the information, but it's a good start, and the hacker needs to go deeper and deeper to figure out the username/password.

And in your server config make sure to use:
PHP:
 -- SQL
	sqlType = "sqlite"
	passwordType = "plain" -- SHA1 INSTEAD OF PLAIN. Like this: (passwordType = "sha1")

Kind regards,

CyrusGNetWork.
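
Added example, not part of the posts above or of Gesior AAC: the login query from the reply, built once by string concatenation and once with a PDO prepared statement, which keeps input out of the SQL text entirely instead of relying on escaping (the mysql_* functions used above were removed in PHP 7.0). It assumes the pdo_sqlite extension and an in-memory database; the function names login_concat and login_prepared and the stored row are constructed for the demonstration.

```php
<?php
// Constructed demo data: table and column names follow the reply's usertable,
// the row and the in-memory SQLite database exist only for this example.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE usertable (username TEXT PRIMARY KEY, password TEXT)");
$db->exec("INSERT INTO usertable VALUES ('root', 'tibia1881881')");

// Vulnerable form: request values are pasted into the SQL text,
// so quotes in the input change the structure of the query.
function login_concat(PDO $db, string $user, string $pass): array
{
    $sql = "SELECT username FROM usertable "
         . "WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: the SQL text is fixed, values travel separately as
// bound parameters and are only ever compared as data.
function login_prepared(PDO $db, string $user, string $pass): array
{
    $stmt = $db->prepare(
        "SELECT username FROM usertable WHERE username = :u AND password = :p"
    );
    $stmt->execute([':u' => $user, ':p' => $pass]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// The input whose escaped form is shown in the reply above.
$input = "' OR '1'='1";

echo "concatenated, crafted input: ";
var_dump(login_concat($db, $input, $input));

echo "prepared, crafted input: ";
var_dump(login_prepared($db, $input, $input));

echo "prepared, correct credentials: ";
var_dump(login_prepared($db, 'root', 'tibia1881881'));
```

The concatenated query returns the stored account for the crafted input, while the prepared statement returns an empty array for it and still matches the correct credentials.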
 