SFS Spamming


Goddes
Posts: 15
Joined: 25 Jan 2014, 21:08

SFS Spamming

Postby Goddes » 01 Feb 2016, 04:54

So someone created something like a spamming program that connects to the server using a Python file and spams packets. Here's the code; is there any way I can fix it?
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Spamming

Postby Lapo » 01 Feb 2016, 10:35

Hi,
for starters, I have removed the script from your post. It doesn't look like a great idea to put it out in public, does it? :wink:

The main problem I see here is that the attacker can gain access to your server by passing an empty String as the username; in other words, you don't seem to have a credential check for people logging into the server.

I highly recommend that you implement a login system so that users can gain access only with a valid login/password pair. This alone will render the attack useless.
Also you could track down the IP address of the attacker and block it, either via the IP blacklist in SmartFoxServer or, even better, at firewall level.

cheers
Lapo
--
gotoAndPlay()
...addicted to flash games
Goddes
Posts: 15
Joined: 25 Jan 2014, 21:08

Re: SFS Spamming

Postby Goddes » 01 Feb 2016, 16:29

Hello Lapo, thank you for answering me and I apologize for posting the script.
The username isn't an empty string; he generates it as random strings here:

    "strUsername": self.randomString(9),
    "strPassword": self.randomString(9),

He uses that to register in the MySQL database by connecting to the "signup.php" file, and then he just defines them:

    self.Username = params["strUsername"]
    self.Hash     = params["strPassword"]

And here's the login code once he connects to the server:

    self.sendData("<msg t='sys'><body action='login' r='0'><login z='zone_master'><nick><![CDATA["+self.Key+"~"+self.Username+"]]></nick><pword><![CDATA["+self.Hash+"]]></pword></login></body></msg>")
Lapo
Site Admin
Posts: 23008
Joined: 21 Mar 2005, 09:50
Location: Italy

Re: SFS Spamming

Postby Lapo » 01 Feb 2016, 16:42

I suggest you block automated user registrations in the first place.
Add a CAPTCHA to your sign-up form, and also make sure you request a valid email address to which a confirmation link is sent for the user.

This will help ensure only humans will be able to create new users in the system with the added bonus of requiring further confirmation via a valid email address.

cheers
Lapo
--
gotoAndPlay()
...addicted to flash games
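A defender-side illustration of the two fixes suggested in this thread: a real credential check on the SFS 1.x login message (rejecting an empty username, the hole Lapo pointed out first) and a per-IP sliding-window limit so a script cannot hammer the login or registration path. This is an added example, not code from the thread or from SmartFoxServer itself; the credential store, the IP addresses and the key/password values are constructed placeholders.

```python
import hmac
import time
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

# Constructed sample of the SFS 1.x login message quoted in the thread.
# Key and credentials are placeholder values, not real ones.
SAMPLE_LOGIN = ("<msg t='sys'><body action='login' r='0'><login z='zone_master'>"
                "<nick><![CDATA[KEY123~alice]]></nick><pword><![CDATA[s3cret]]></pword>"
                "</login></body></msg>")

def parse_login(xml_text):
    """Return (zone, key, username, password) from a login message, or None if malformed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    login = root.find("./body[@action='login']/login")
    if login is None:
        return None
    # The client sends "<key>~<username>" in <nick>; split it into its two parts.
    key, sep, username = (login.findtext("nick") or "").partition("~")
    if not sep:
        return None
    return login.get("z", ""), key, username, login.findtext("pword") or ""

class LoginGate:
    """Credential check plus a per-IP sliding-window rate limit on login attempts."""
    def __init__(self, credentials, max_attempts=5, window_seconds=60):
        self.credentials = credentials          # username -> expected password (hypothetical store)
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)      # ip -> timestamps of recent attempts

    def _over_limit(self, ip, now):
        q = self.attempts[ip]
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        q.append(now)
        return len(q) > self.max_attempts

    def check(self, ip, xml_text, now=None):
        """Classify one login attempt: ok, rate_limited, malformed or bad_credentials."""
        now = time.time() if now is None else now
        if self._over_limit(ip, now):           # count even malformed/failed attempts
            return "rate_limited"
        parsed = parse_login(xml_text)
        if parsed is None:
            return "malformed"
        _zone, _key, username, password = parsed
        expected = self.credentials.get(username.strip() or None, "")
        if not username.strip() or not hmac.compare_digest(expected, password):
            return "bad_credentials"
        return "ok"
```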
Goddes
Posts: 15
Joined: 25 Jan 2014, 21:08

Re: SFS Spamming

Postby Goddes » 01 Feb 2016, 18:46

Once again you are amazing, thank you Lapo :P <3 much love
