Need script that blocks proxies

  • Carnix
  • Guru
  • Joined: Apr 28, 2004
  • Posts: 1101
  • Loc: Atlanta, GA
  • Status: Offline

Post June 28th, 2004, 6:02 am

They must have been fixed (bravo!) because the site works fine for me (on Firefox).

Anyway:

Quote:
The more people you get to click the link, the more money your character will generate.


Your game is pretty much designed to be exploited in this way. You need to devise some new rules or ways to validate that the link was clicked by a human. As has been stated, the only way to block proxies is to start blocking IPs, or blocks of IPs, from access. This will have the unfortunate effect of also blocking legit traffic as well.

I'd suggest doing something like the domain name registrars and many spam blocking validation systems have done. Use a non-machine-readable keyword to validate a human clicked the link. Basically it's a random set of graphics that display short (4 or 5 digit) passwords that a user has to type in. Go do a whois at Network Solutions (https://www.networksolutions.com/en_US/ ... ndex.jhtml) and you'll see what I mean. I haven't looked, but there's bound to be some sort of GPL version of that somewhere.

.c
CARE Defending Dignity :: Fighting Poverty
Learn more at http://www.care.org/
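The server-side half of the human check suggested in the post above, as an added example that is not part of the original thread or the game's code. The class name, the in-memory store (standing in for a session or database table), the 120-second lifetime and the three-try limit are assumptions; drawing the code into an image is left out.

```php
<?php
declare(strict_types=1);

// Added example, not the game's code. The store is an in-memory array that
// stands in for a session or database table; all names are hypothetical.
final class ClickChallenge
{
    private array $pending = [];   // challengeId => [linkOwner, codeHash, expires, tries]

    // Create a challenge for one visit to a player's link. The returned code
    // is what would be drawn into a distorted image; it is never put in the
    // HTML, a cookie or the URL.
    public function issue(int $linkOwner, int $now): array
    {
        $id = bin2hex(random_bytes(16));
        $code = str_pad((string)random_int(0, 99999), 5, '0', STR_PAD_LEFT);
        $this->pending[$id] = [$linkOwner, hash('sha256', $id . $code), $now + 120, 0];
        return [$id, $code];
    }

    // Credit the click only if the typed code matches. A challenge is removed
    // on success, on expiry, or once three wrong answers have been recorded,
    // so it cannot be replayed or brute-forced.
    public function redeem(string $id, string $typed, int $now): ?int
    {
        if (!isset($this->pending[$id])) {
            return null;
        }
        [$owner, $hash, $expires, $tries] = $this->pending[$id];
        if ($now > $expires || $tries >= 3) {
            unset($this->pending[$id]);
            return null;
        }
        if (!hash_equals($hash, hash('sha256', $id . $typed))) {
            $this->pending[$id][3] = $tries + 1;
            return null;
        }
        unset($this->pending[$id]);
        return $owner;             // caller adds one click for this player
    }
}

$c = new ClickChallenge();
[$id, $code] = $c->issue(4211, 1088500000);        // constructed player id and time
var_dump($c->redeem($id, '00000x', 1088500010));   // wrong answer
var_dump($c->redeem($id, $code, 1088500020));      // correct answer
var_dump($c->redeem($id, $code, 1088500030));      // replay of the same challenge
```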

Post June 28th, 2004, 5:00 pm

Ok, he is not getting into the system. No one has been in our cPanel. I don't know how hacking came into this post, but he has not hacked us. He got our info a while back from an admin that worked for us because he got on my AIM screen name. He got my pass from another game, got on my AIM screen name, talked to an admin and said I was at a friend's house and needed intro to the cPanel, so my admin gave it to him. That's why we have no more admins, only 2 of us working on the site, and we are family. Anyways, there are a lot of people that use proxies to do better in the game and they also use proxies to get into the site. How is he getting into the site? We have blocked his IP but he uses a proxy now... That's the main question. I know there are ways to block proxies, so how? http://www.outwar.com blocks them; try to enter their site with a proxy. Phpb forums or w/e, they block proxies; try to enter their site. A lot of sites block proxies, but how?...

Btw Carnix, that sounds like an ok idea, but remember we have a private domain so you can't do a whois on us and find out our info. There may be ways around the system, who knows...lol
  • rtm223
  • Mastermind
  • Joined: Mar 24, 2004
  • Posts: 1858
  • Loc: Uk
  • Status: Offline

Post June 29th, 2004, 12:59 am

xfrozenxsoulsx wrote:
I don't know how hacking came into this post

In the last post you made:
xfrozenxsoulsx wrote:
He keeps getting on people's accounts too
xfrozenxsoulsx wrote:
But now he is getting on everyone's accounts and wasting people's points that they pay for. Yes they pay for points
xfrozenxsoulsx wrote:
We have over 7,000 players and it's very annoying when this kid comes into people's accounts and he messes with their points.


Three times you say he is getting into people's accounts? Is he authorised to do so? I doubt it. Let's see a definition of hacking:
google wrote:
Hacking: Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system


The information system being the game and its component scripts, not the server in this instance. The security measures being the ones for users to log into their accounts, most likely.

Anyway, my point is that it is not proxies allowing him to gain access to other people's accounts. If you block him by this method, I'm sure someone else will find out how to exploit the same security holes. Or he will find another way to gain access to the site. IMO blocking the proxies is treating the symptoms rather than the illness.

The proxy blocking may well prevent the link clicking, but I would consider this a minor issue in comparison to the account hijacking.
CSS website design tutorials
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3188
  • Loc: South Africa
  • Status: Offline

Post June 29th, 2004, 1:08 am

The amount of comments here and the time spent trying to find a script to block proxies what I would have done (maybe because I am an extremist) is shut the site down and hacked it myself. Found all the holes, come up with a way to stop people from circumventing the security and released the site once it had been sorted out.

Close the site! Get a few people together that know what they are doing and hack it to pieces, find the holes, the security flaws and fix them. Don't pull a Microsoft and try patching things up, it just leads to more problems.

As RTM said, prevention is better than cure

Seems like a lot of work, but I think the paying customers would appreciate it more if you shut it down and stopped the abuse on their accounts.

But as I said that is just me
My Software Development Company
Music I have recorded (fixed now :))
  • rtm223
  • Mastermind
  • Joined: Mar 24, 2004
  • Posts: 1858
  • Loc: Uk
  • Status: Offline

Post June 29th, 2004, 1:36 am

Rabid Dog wrote:
what I would have done (maybe because I am an extremist) is shut the site down and hacked it myself. Found all the holes, come up with a way to stop people from circumventing the security and released the site once it had been sorted out.


Yes, I think you are very extreme for wanting to fix the problem. Oh yes indeed :roll:
CSS website design tutorials
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3188
  • Loc: South Africa
  • Status: Offline

Post June 29th, 2004, 1:43 am

Just noticed that you guys store all user info (password and name) on the client machine via cookies.

Assume this is the way you tell whether or not someone has clicked the link!

So now say I had to delete that cookie, would I be able to carry on clicking links?

What if I had to set my headers to echo that cookie with a different password or user name? Would the errors it generates give me a little insight into your file structures?

Just wondering

RTM :- meant I was extreme for shutting the site down
My Software Development Company
Music I have recorded (fixed now :))
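A hardened alternative to the cookie layout questioned in the post above, as an added example that is not part of the original thread or the site's code: the cookie carries only a user id and expiry authenticated with an HMAC, and every invalid cookie is rejected the same way. The key, the token layout and the sample user id are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the site's code. SECRET, the token layout and the
// sample values are assumptions made for illustration.
const SECRET = 'placeholder-key-load-real-one-from-outside-web-root';

// Issue an opaque token: user id and expiry, authenticated with HMAC-SHA256.
// No password (or password hash) ever leaves the server.
function issue_token(int $userId, int $ttl, int $now): string
{
    $payload = $userId . '.' . ($now + $ttl);
    return $payload . '.' . hash_hmac('sha256', $payload, SECRET);
}

// Return the user id for a valid token, or null for anything else.
// Every failure looks the same to the client: no paths, no SQL errors.
function verify_token(string $token, int $now): ?int
{
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$userId, $expires, $mac] = $parts;
    if (!ctype_digit($userId) || !ctype_digit($expires)) {
        return null;
    }
    $expected = hash_hmac('sha256', $userId . '.' . $expires, SECRET);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    return ((int)$expires >= $now) ? (int)$userId : null;
}

$now = 1088500000;                               // constructed timestamp
$good = issue_token(4211, 3600, $now);           // constructed user id
$forged = preg_replace('/^4211/', '1', $good);   // user id edited on the client

var_dump(verify_token($good, $now));             // untouched token
var_dump(verify_token($forged, $now));           // edited token, MAC no longer matches
var_dump(verify_token($good, $now + 7200));      // presented after expiry
```

In a real deployment the token would be sent with `setcookie()` using the `secure` and `httponly` options, and click counts would be kept server-side so that deleting the cookie does not reset them.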
  • rtm223
  • Mastermind
  • Joined: Mar 24, 2004
  • Posts: 1858
  • Loc: Uk
  • Status: Offline

Post June 29th, 2004, 2:20 am

lol, fair enough - missed that, I was just glad to see someone was on the same wavelength as me, I was starting to wonder if I had totally the wrong end of the stick.

However, I still wouldn't say it was extreme. I would call it an intrinsic part of the system's life cycle, another stage in the testing/evaluation process. I suppose the alternative would be to make a complete copy of the system on a separate server (pref. local) and attack that one while leaving the existing one in use. Post a message apologising for any disruption, the problems are currently being addressed, thank you for your understanding in this matter. Or something.
CSS website design tutorials
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3188
  • Loc: South Africa
  • Status: Offline

Post June 29th, 2004, 2:38 am

Or you could just say 'We are currently trying to save you a fortune'
My Software Development Company
Music I have recorded (fixed now :))
  • Carnix
  • Guru
  • Joined: Apr 28, 2004
  • Posts: 1101
  • Loc: Atlanta, GA
  • Status: Offline

Post June 29th, 2004, 6:10 am

xfrozenxsoulsx wrote:
Btw Carnix, that sounds like an ok idea, but remember we have a private domain so you can't do a whois on us and find out our info. There may be ways around the system, who knows...lol


I didn't mean to do a whois on you, it was just an example. Do it on any site...

Out of curiosity, have you sent an e-mail to the outwar site admins to ask how they do it? I think that would be your best first step. Ask them to explain in detail, then if you don't understand something, come back, post what they said, and we can probably help you from there.

.c
CARE Defending Dignity :: Fighting Poverty
Learn more at http://www.care.org/

Post June 29th, 2004, 6:29 am

Well, outwar are millionaires and they make and have made a ton of money. They have a building with about 50 employees for their game and it's called Rampid Interactive. Asking them wouldn't work. They would at least want 1,000.00 and they don't sell their scripts, which is what they would have to do to give us the proxy blocking script. They would have to give/sell us that one script. Next, shutting down the site? There is no option to do that. We aren't going to do that. The problem here, what I was wanting to know, is how to block proxies. We are having people proxying their secret link and getting into the site using proxies when we block their IP. I know there are ways to block this because some sites block proxy IPs, and blocking proxy ports isn't an option because proxy sniffing is illegal.

This kid gets into people's accounts because when he did go into our site in the beta round, when we first started working and we had around 2,000 members, he got into the player database {Remember he got into the site by getting on my AIM screen name etc...} and he took all of the screen names and players in the database and he uses the old players' passwords. We had to do a password change when he did all of this, and we had to put up a password change for people's accounts so that when they logged in they had to change their password. Anyways, the scripts and passes are now encrypted in the site and we have no more admins; now it's just a family owned business, and my brother works 24/7 on the PHP and he does an awesome job. I don't know a lot of PHP and I probably shouldn't be acting like I know what I'm talking about, but I do know about all of this and I do know that we need a proxy blocker, a way to block proxies from entering the site. I know there are ways you can do it so you can't say there isn't. It's just a hard thing to find.

Anyways, this kid isn't a big problem; we are mainly wanting to block people proxying their secret link to get more clicks because it slows down the site. My brother is going to be working on a script tonight and I hope it works. If you want to learn how these kind of games work, go play http://www.outwar.com or http://www.foxwar.com or http://www.neuage.net or games like that. Businesses... Anyways, thanks for trying to help everyone. :)
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3188
  • Loc: South Africa
  • Status: Offline

Post June 29th, 2004, 6:38 am

I am still wondering why you store sensitive information in a user's cookie?

I would still e-mail the guys to find out because you never know, you might get lucky.

I'm willing to bet (especially if they are so big) that they have written some form of CGI or equivalent piece of software that does the detection. I honestly don't believe that it can be done via scripting - only a slightly lower level, yeah, but via scripting - well I hope I am proved wrong.

Don't a lot of ISPs use proxies?
My Software Development Company
Music I have recorded (fixed now :))
  • Carnix
  • Guru
  • Joined: Apr 28, 2004
  • Posts: 1101
  • Loc: Atlanta, GA
  • Status: Offline

Post June 29th, 2004, 6:40 am

Ah, I didn't realize it was a big company. You might just send an e-mail to their webmaster and ask. You might be surprised.

Anyway, I decided to actually do a little legwork for you, fancy that:


http://www.bigwebmaster.com/2325.html
http://www.andromeda.com/people/ddyer/public-proxy.html

I don't know who this poster was, but you might send them an e-mail or something asking how they did it (sorry for the long url...):
http://www.webmaster-talk.com/showthrea ... #post53708

This is a phpNUKE package. If your site is on phpNuke already, you might be in luck. If not, you could always send an e-mail to the guy who built the module to ask how he did it (You catching a recurring theme in my posts? heh)
http://protector.warcenter.se/postt11.html

That was just after a couple Google searches without going past the first couple pages...

.c
CARE Defending Dignity :: Fighting Poverty
Learn more at http://www.care.org/
  • Carnix
  • Guru
  • Joined: Apr 28, 2004
  • Posts: 1101
  • Loc: Atlanta, GA
  • Status: Offline

Post June 29th, 2004, 6:49 am

Rabid Dog wrote:
Don't a lot of ISPs use proxies?


AOL, may its routers and switches rot in hell, makes extensive use of proxies. It makes doing accurate unique visitor tracking pretty much impossible with a standard log analyzer. We use WebTrends Log Analyzer Advanced with the add-on SmartSource package that's designed specifically to do just that. We found that once we started using that, our unique and returning visitor counts jumped a full third again from the AOL users being accurately differentiated...
.c
CARE Defending Dignity :: Fighting Poverty
Learn more at http://www.care.org/

Post June 29th, 2004, 6:55 am

Carnix, that post was by me. When we did this we did block proxies for a while. We blocked the ports and then it would make people's firewalls go off saying we were trying to hack someone's computer. If they had a firewall it would scan for certain ports, which we found is illegal, and it just messed us up in the long run, but it worked. We are going to try to do another proxy IP block soon. We will try something like http://www.tekwar.net does. They block proxies, or I'm thinking we can do an anti-spamming system that may work, who knows... eh, we got to do something about the proxies, that's all I know...lol

Thanks for all of y'all's help. I will email outwar and try to get ahold of them. They have over 1,000 support tickets in their site in the support right now. I talked with an admin yesterday; they said they have been so busy lately, but I'm hoping they reply to me soon. I have outwar's number; I may just call and talk to torax, the owner.
  • Rabid Dog
  • Cheese Monkey
  • Web Master
  • Joined: May 21, 2004
  • Posts: 3188
  • Loc: South Africa
  • Status: Offline

Post June 29th, 2004, 6:57 am

Okay so if an ISP is using a proxy surely by blocking proxies you will be cutting out a genuine client base?

I noticed that the BWM proxy script runs on the .NET framework (aspx).

Wonder if it could be ported to PHP.

If you wanted to write something like this, Carnix, what would you use?
My Software Development Company
Music I have recorded (fixed now :))
Post Information

  • Total Posts in this topic: 95 posts
© 2010 Unmelted, LLC. Driven by phpBB © 2010 phpBB Group.