EqEmu Safe?


lokidecat
01-21-2002, 10:02 AM
Has anyone checked this product for safety? Not to say I don't trust anyone, but shortly after using this, my friend (who gives no one his password) found his real EQ acct PW changed and now he cannot play.

The only variable is this emu. I guess I'm just going to have to not use it on any system that I run actual EQ on until I have proof it's safe.

respectfully..

devn00b
01-21-2002, 10:30 AM
Well since the emu comes with the source code any 1/2 wit could look through the code and see if it captures pwd data and does anything with it..

I have checked several times and this is not the case. Besides, what fool would use the same account data for the emu that they did in eq live?


/sigh

Your friend prob gave his password to someone, or got some kind of backdoor....

lokidecat
01-21-2002, 10:39 AM
1.) he uses different login/pw for his 'test' servers, never his actual.

2.) I'm the only person who knows his PW.

So the only conclusion we were thinking was some trojan on the Emu that either did keyboard tracking or some other sniffing for the PW. Again. Not outright accusing, just tracing our steps. Because we've both been in the industry a long time and take all the precautions.

Only mistake he made was installing the EMU on the same PC he plays EQ on. (and he did have a separate EQ directory for this, not using the same one)

Odd.
Hmm. He tried calling but of course their customer service has the day off for MLK, Jr. Day (shrug) it's not a "real" holiday.. it's a memorial observance.. gah..

out...

devn00b
01-21-2002, 10:55 AM
Well as I said...check the source code...if you have in fact been in the industry a long time reading some source files should be no problem...but I can say 100% that this has nothing to do with the emu.

madborg
01-21-2002, 11:25 AM
well...I was going to say the same thing as far as code is concerned.

BUT I did see a slight security problem just a while ago. I picked up a user name on my world.exe. I find that really interesting given that I am behind a firewall. I can't even get on my own server so how could someone else get on?

The user is tyco and was trying to get into qeynos zone (I believe). At the time I had no zones running (on purpose) and tyco got a zone down message. I have no idea how tyco, if such a user actually existed, seems to be trying to access my system.

The "tyco" message worries me somewhat. I also see where at some point there is an attempt by the login server to enter a user in my database based on my login name for frags and no password. This means that somehow my private IP is getting transmitted and hooked into something.

I am not even close to being a security expert, but the behaviors this afternoon seem very strange.

Shawn319
01-21-2002, 11:41 AM
Well I can tell you for a fact EQEmu (the version put out by http://www.eqemu.net) is NOT a trojan or password stealer in any way. If you don't believe me then look at the source yourself (it's right in the zip).

Now, there is a chance you could have gotten a doctored version from an un-supported site (the source code can be found almost anywhere).


And to madborg: Every time someone tries to connect to you even if server is locked, down, or you're connecting locally but still using the loginserver you will probably get a message saying soandso is trying to connect and a few opcodes. Even though you may think there's no connection from your computer to another.

madborg
01-21-2002, 12:37 PM
Easy way to avoid any name/password stealing is to never use real ones. But unfortunately not everyone will follow that rule and although eqemu itself is not a security problem, I believe there are some security concerns with the way the login server is set up.

Tyco aside -- I have verified that no such user ever existed on my system -- there are some holes that concern me. The fact that the login server can read/write to my database leaves me completely open. The fact that the login server can get to my database and my world server means that I have a big hole in my network. So now I have to find the hole and shut it down.

That means that my posting about how to set up 0.2.0 is wrong for the people with private IPs.

Windcatcher
01-21-2002, 01:42 PM
Could this just be the login server telling world.exe through the socket connection to manipulate the DB and world.exe dutifully obliging?

I raised something akin to this in another thread; I think there needs to be a way to set some permissions for your server:

- whether your server is VISIBLE on the server list (i.e. you should be able to make it visible only to certain accounts)

- whether someone can login to your server (see my first point; if it isn't visible, then no one should be able to log in). I consider this separate from the first one, though, as a second line of defense in case the login server were to become hacked or otherwise compromised. By this I mean activating login-ability on an account-by-account basis, not locking the whole server, which can be done already.

Windcatcher
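
The two permissions proposed in the post above, sketched as a check the world server applies locally so that it does not depend on the login server having filtered anything. This is an added example, not EQEmu code and not part of the original post; the request kinds, the `WorldPolicy` struct and the account names are hypothetical.

```cpp
#include <iostream>
#include <set>
#include <string>

// Hypothetical request kinds a login server could send to a world server.
enum class LsRequest { ListServer, ClientLogin, CreateAccount };
enum class Decision { Allow, Deny };

// Operator-controlled policy kept on the world server, not on the login server.
struct WorldPolicy {
    bool locked = false;                  // existing whole-server lock
    std::set<std::string> visible_to;     // accounts that may see the server listed
    std::set<std::string> login_allowed;  // accounts that may log in (second line of defense)
};

// Every login-server request is treated as untrusted input and checked locally.
Decision authorize(const WorldPolicy& p, LsRequest req, const std::string& account) {
    if (account.empty()) return Decision::Deny;
    switch (req) {
    case LsRequest::ListServer:
        return p.visible_to.count(account) ? Decision::Allow : Decision::Deny;
    case LsRequest::ClientLogin:
    case LsRequest::CreateAccount:
        // Checked independently of visibility: being listed never implies login,
        // and no account row is created for a name the operator did not approve.
        if (p.locked) return Decision::Deny;
        return p.login_allowed.count(account) ? Decision::Allow : Decision::Deny;
    }
    return Decision::Deny;  // unknown request kind: default deny
}

// Constructed sample policy; the account names are made up for the example.
WorldPolicy sample_policy() {
    WorldPolicy p;
    p.visible_to = {"friend1", "friend2"};
    p.login_allowed = {"friend1"};
    return p;
}

int main() {
    const WorldPolicy p = sample_policy();
    const char* names[] = {"friend1", "friend2", "stranger"};
    for (const char* n : names) {
        std::cout << n
                  << " list=" << (authorize(p, LsRequest::ListServer, n) == Decision::Allow)
                  << " login=" << (authorize(p, LsRequest::ClientLogin, n) == Decision::Allow)
                  << " create=" << (authorize(p, LsRequest::CreateAccount, n) == Decision::Allow)
                  << "\n";
    }
    return 0;
}
```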

lokidecat
01-21-2002, 01:51 PM
Another question:

How trustworthy are the folks at gotfrags.com?

I mean I used something like login "noway" password "yousuck" or something like that, but is there someone on the other end who loads EQ and tries each and every login that comes by?

Just in case some unsuspecting guy does the wrong thing?

Guess my biggest concern is just a few pieces of cobalt I loaned my friend's warrior.. I hope he doesn't get on and his characters are naked. (sigh).

As for where we got it, it was DL'd from sourceforge directly.

Again, I didn't want to outright accuse the program, it's just he downloaded 0.1.9 and within 24 hours his acct PW was changed.

Thanks for the info.

Shawn319
01-21-2002, 03:28 PM
Very few people have access to the Gotfrags loginserver DB (Only pyrotek himself and a few very trustworthy coders).

And whenever a person logs into a server it creates the login for that person on the server's DB without a password. So your password never leaves eq.gotfrags.com.

DrArkaneX
01-21-2002, 07:53 PM
In all honesty, I believe your friend may be mistaken. I you sir are trying to give good coders a bad name. There is nowhere in the code that hands out yer password. If your friend signed on with his username and password that he uses on the live servers, then he is a dumbass... sorry to be so blunt but hey.. stupid is as stupid does gump always says.

My live EQ account hasn't been hacked so that can't be it. Maybe your friend is running spyware on his system.. yeah, that can attribute to it..

Tell yer friend to format his hard drive and replace with another version of Windows. Clean his OS of all the porn he's been looking at.

lokidecat
01-21-2002, 10:32 PM
Do not loose your venom on me, DrArkane. I'm not trying to give good coders a bad name.

I merely am trying to trace steps, this was one possible. You do not have all the facts, so do not presume to be so omniscient.

Your comments are as immature as they are irrelevant. You do not need to directly attack anyone to butter up the dev team here.

As I said. Just tracing steps. Was curious if anyone had looked at that part of a code. It's a worthy question.

You can, from a point of view, see how people who would code server software, most likely against the owner's policy, could have the moral ethics necessary to perform a malicious act of stealing passwords. But I did not accuse, I merely asked if anyone had, indeed, looked into the possibility.

Don't get so bent out of shape.

Zeitgeist
01-22-2002, 03:57 AM
I can understand where you are coming from =) However I have seen nothing to suggest that anything like this could happen with the current codebase. Give the guy a break, folks, he's not trying to make trouble, he just had a legitimate question. Let's not act like a bunch of zealots and destroy anyone who asks a simple question.

He is right btw, the dev team have already made examples of what happens when people antagonize others to get on their good side. It doesn't work, they will kick you off the boards and IRC so fast your head will spin.

So, Loki, hope your friend figures out what it was. Good luck friend and don't let the reactionary types scare you off =)

cheers,

Z-.


DrArkaneX
01-22-2002, 05:33 AM
I'm not bent out of shape. Knowledge is key here.. Knowing about such things is half the battle.. Basically, in essence, there is no way the server can be sending out your passwords. After doing a packet dump of the EQEmu server in action, there are no requests by the server that release such information. I am not trying to get on the good side of the Devs, actually, I could care less. This project is very worthy and I spend some time testing it out and putting my 2 cents worth in. The Devs on this seem to be very responsible individuals and I hardly doubt they would put malicious code in there to thwart would-be EQ Players that are still playing on the live servers. I even doubt that if your friend did in fact use his real username and password on the gotfrags.com account that the Devs would have had any time to check to see if that account was active on a real EQ Server. So put 2 and 2 together. I see some discrepancies with your postings already therefore marks them invalid. I doubt within 24 hours of your friend installing EQEmu and his account being hacked.. I just find this a bit hard to believe. Look in other directions as well. Find the truth before spouting off there is malicious code in a dev project.. It's easier to point fingers at someone that has nothing to hide.

Yodason
01-22-2002, 08:58 AM
There is NO code associated with eqemu otherwise what is necessary to make it work. The encryption used by EQ is weak, I recommend that you do NOT use your EQ user/pass as anyone sniffing packets could POSSIBLY steal it. If you do not trust the exe, compile it yourself, otherwise quit making trouble


-- Yodason on devteam

lokidecat
01-22-2002, 09:40 AM
Your post doesn't warrant a response, ArcaneX. You're going off on an irrational tangent. Good luck with that.

Thanks Zeit for understanding, I've the constructive responses I desired already from the Dev guy here.

Appreciate the time Shawn. Moving right along.

Zeitgeist
01-22-2002, 09:45 AM
I have to commend you for keeping a sense of humour about the whole thing. Cheers, loki. ;)

DeletedUser
01-22-2002, 11:26 AM
We have no spyware in any way inside our emulator, the gotfrags website can be very easily trusted, owned by Pyrotek, and only a few coders have the db information. First of all, we cannot find out your password even if the password and username was in the same directory on your computer (that you were using to connect to the emulator). Second, if you're using the same password and username as you use on the live servers, stop now, you should not in the first place, considering you would be using a different username/password this should "comfort" the users in a way. Third, if you come into our chat rooms or host an emulator server you are in the risk of having your account possibly suspended or banned, this is against the EULA which states that they can do this to your account, but this is their limitations. Please do not accuse our emulator of doing such things unless you have actual proof of this. Saying "Well he played the emu" or "the emu could have a trojan" (that's telling me that the however many amount of people who have downloaded the emulator hasn't had a virus warning, HAH) is not proof.

Topic Locked.