Lapo wrote: The only thing that connects your database to SmartFoxServer is your server-side code.
If you remove that, your DB cannot be attacked.
The first place I would investigate is the server code that interacts with the DB. For example, do you handle scenarios such as SQL injection?
If not that's likely to be an attack vector.
cheers
We have been discussing sniffing for packets, which I will do later.
Yet, although this user can basically do anything, it is very hard to record packets from him, as he is in a different time zone and keeps messing with the database. There will be some in-game events this weekend, and I will record any packets with Winsock 2.0. This would include any user that sends a packet, or responses from the server. When I have any confirmed packets containing the issued code, I will quote back in this thread. I did a little research and, as far as I know, it could be XML injection. I am not sure and am not charging him with using it. It could also be XPath, since he has access to Config.xml. Also, he was bombing the server:
http://pastebin.com/raw/8tpPTknC (Packets)
He made himself admin and kicked all the mods. He sent a couple of GlobalMsgs:
{"b":{"r":-1,"o":{"msg":"Global Message~Guess whos back!","_cmd":"gameMsg"}},"t":"xt"}
{"b":{"r":-1,"o":{"msg":"Global Message~Taking over this server again!","_cmd":"gameMsg"}},"t":"xt"}
{"b":{"r":-1,"o":{"msg":"Global Message~Bye everyone!","_cmd":"gameMsg"}},"t":"xt"}
The packet sizes of the bombing:
7974 bytes
8192 bytes
4096 bytes
1448 bytes
Since he has access to the Config.xml, he must be using XPath combined with some unknown CDATA queries and XML bombing.
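As an added example (not code from this thread, from SmartFoxServer, or from either poster), here is what Lapo's point about SQL injection in the server-side code looks like in practice. It uses Python with an in-memory SQLite table standing in for the game database, and feeds it extension requests shaped like the gameMsg packets quoted above. The users table, the lookupRole command and the name parameter are assumptions for illustration only; nothing in the thread shows the real schema or extension commands. The same lookup is written twice, once with the client value concatenated into the SQL text and once with it bound as a parameter, so the difference in behaviour on a hostile name is visible.

```python
import json
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the game database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "player"), ("mod1", "moderator"), ("root", "admin")],
    )
    conn.commit()
    return conn


def parse_extension_request(raw):
    """Pull the command name and parameter object out of an extension request
    shaped like the packets quoted in the thread:
    {"b":{"r":-1,"o":{..., "_cmd":"..."}},"t":"xt"}
    Returns (cmd, params) with "_cmd" removed from params."""
    msg = json.loads(raw)
    if msg.get("t") != "xt":
        raise ValueError("not an extension request")
    params = dict(msg["b"]["o"])
    cmd = params.pop("_cmd")
    return cmd, params


def lookup_role_vulnerable(conn, name):
    """Client-supplied value concatenated into the SQL text: injectable."""
    sql = "SELECT role FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_role_safe(conn, name):
    """Same query with a bound parameter: the value is never parsed as SQL."""
    sql = "SELECT role FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def handle(conn, raw, safe):
    """Dispatch one request. 'lookupRole' is an assumed command for illustration;
    safe=False routes it through the concatenating lookup, safe=True through
    the parameterized one."""
    cmd, params = parse_extension_request(raw)
    if cmd != "lookupRole":
        return None
    fn = lookup_role_safe if safe else lookup_role_vulnerable
    return fn(conn, params["name"])


# Constructed requests (not captured traffic): one honest, two carrying
# injection payloads in the name field.
HONEST = '{"b":{"r":-1,"o":{"name":"alice","_cmd":"lookupRole"}},"t":"xt"}'
TAUTOLOGY = '{"b":{"r":-1,"o":{"name":"\' OR \'1\'=\'1","_cmd":"lookupRole"}},"t":"xt"}'
UNION = '{"b":{"r":-1,"o":{"name":"x\' UNION SELECT \'admin\'--","_cmd":"lookupRole"}},"t":"xt"}'


if __name__ == "__main__":
    db = make_db()
    for label, pkt in (("honest", HONEST), ("tautology", TAUTOLOGY), ("union", UNION)):
        print(label,
              "vulnerable:", handle(db, pkt, safe=False),
              "safe:", handle(db, pkt, safe=True))
```

With the tautology payload the concatenating version returns every role in the table, and with the UNION payload it returns "admin" for a name that does not exist; the parameterized version returns nothing for both, because the quotes and the UNION keyword arrive as data, not as SQL. Reviewing each place the extension builds a query from a request parameter, and replacing concatenation with bound parameters, is the check Lapo is describing.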