Admin Hacking

[pavansss91]

Hi all,

  I was wondering about the things codestryke and toto said in one of the topics.

If I had a penny for every time one of my games was hacked I'de have enough to own my own private island LOL.

Game development is a difficult business - one day, you can be at the top of online games, and the following day, a hacker can access your systems and destroy some of the things you have created.

As i have never managed a game i would like to know about some points here.

Do these guys steal your game scripts ?
Do these guys change values in database to get virtual money ?
Do these guys hack your admin account and shut u out of the game making it his own ?? (generally this doesn't refer dedicated servers)

[Chris]

I was hacked only once, it was during the first week of the launch and was caused because I didn't know "SQL injection" term yet
After that, never. But I use cheap and effective tricks to avoid it, for starters I use only managed servers from reputable companies (so no way for me to break something in server security because I don't even touch it) and magic quotes and convering all integers into integers or safe strings.

I don't understand this whole "hacking" buzz, its very easy to protect yourself from hacking, even with quite low knowledge.

[Mufasa]

If you check out the crowd over at ceforums, a lot of them are so-called hackers, but really they just prey on the fact that many newbs use crappy software like mccodes which is not only full of holes, but so widespread, any can get their hands on a copy and find them.

[codestryke]

Do these guys steal your game scripts ?

We've never been hacked to this level, not saying it will never happen (I'm not as arrogant about security as Chris). A good server company and knowing what software you have installed on your server (not including your game) is the best way to prevent this.

Do these guys change values in database to get virtual money ?

This is where I have been hacked the most. When I started writing games the term Script Kiddie only applied to IRC kids, sql exploits were known but rarely talked about. Since then the term script kiddie has been used for a lot of various low forms of hacking which now include SQL injection. Now that I always use either ADODB or my own DB wrapper neither has been injected yet.

Do these guys hack your admin account and shut u out of the game making it his own ?? (generally this doesn't refer dedicated servers)

We've had someone get into our admin panel via a SQL injection once. On our games you cannot turn the game off so the only thing they were able to do is view and change values, which they could of done via the DB but the admin panel made it easier for them.


In the end though it really comes down to how competitive is your game, what is your community like on the game and how big your game really is. We've had games up for years with no one even attempting to try and hack the game. That doesn't make the game is secure all it means is it's not worth the bother. Other games that are highly competitive seem to attract  script kiddies quickly as they don't want to actually "play" the game rather just try and hack it to get the best player stats.

[zykal]

yeah usually its SQL injection that gets ya in trouble

just leaving user inputed data purified can get ya in trouble with the database.


rather simple to avoid most of the time as stated and shown above.


Other problems that occur would be exploits that are account based re-refreshing and such and closing the browser out.