Silkroad Online Forums

A community forum for the free online game Silkroad Online. Discuss Silkroad Online, read up on guides, and build your character and skills.


All times are UTC




 Post subject: [READ]SRO Account Hacks: How it's done and how to stop it.
PostPosted: Fri Jan 26, 2007 8:01 am 
Hi, I'm New Here
Offline

Joined: Jan 2007
Posts: 1
MODERATOR AND/OR ADMIN : I say this message deserves a sticky. I certainly don't need to take the time to post or write this - but - I am, for everyone's good. Many people can benefit from my advice - this deserves attention.

This is real insight into the problem. I did this for your users, and ALL users of SRO. I also did this to reassure a few people that my intentions were NOT bad, and I do NOT intend to wrong them.

========[START MESSAGE]=========

I've noticed a rash of hackers running about SRO - and truthfully, it pisses me off. I was confronted by one in-game, warning me to "watch out and don't try to offend the wrong people."

Yeah, right.

Well, the guy didn't know who he was dealing with. My curiosity was sparked. So - a few days ago - I set out to test my skills once more, it's been a long time ... but hey, once they're there - they're there for good. If you care to get an idea of what I am & what I do, this sums it up:

http://en.wikipedia.org/wiki/White-hat

I picked a few people. I ravaged their accounts. I gave them back when I was done. Why, why do all of this when you don't need to? Why waste so much time when you have nothing to gain? Do you want to know how long I've spent doing this?

Account 1: 10 minutes

Account 2: 6 minutes

Account 3: 5 minutes

Account 4: 1 hour ( This guy was a L70+, 33 years old - and a *programmer* no less. I dug up his secret question, I prepared a dictionary attack. If I wanted this guy's account - it was mine. I'm not about to go as far as bruting someone's account. But, I can. I left him alone.)

Account 5: This guy was smart. His snotty posts on boards pissed me off... I had a tough time digging up info on him. Lucky for him - he didn't publicize an e-mail address... except for one that he did not use as his login.

*Gasp* e-mail address.

Let me shed some light on this "hacking" we're all hearing about. Most everyone online, even the so called "bad" people in-game, are pretty good folks. I really - after getting to know people - haven't found a single person I did NOT like. There ARE people that I do not like - and that's braggarts, script-kiddies, and goldfarmers. So you want to know what I'm going to do today? I'm going to potentially destroy the SRO account hacking problem. I'm going to let YOU know how THEY do it. Why? Because when you KNOW how people can DO something, you also can figure out HOW TO STOP IT. This is especially true when you _ARE_ the security hole.

Here we go:

HOW a SRO account gets hacked & stolen

1- A victim is picked.

2- Find their username

3- Find their e-mail address

4- Owned


Your secret answer is irrelevant at the moment. Your password does not matter. Once they have your username and e-mail, your account is theirs. So, I'd like everyone to take a moment ... and think of how you can correct this problem......

YES!

You need to treat your E-MAIL ADDRESS as your new SRO PASSWORD - DO NOT USE YOUR USERNAME(S)

You need to use a STRONG password on top of this. Use at least 8-10 characters, numbers AND letters. DO NOT USE A WORD IN A DICTIONARY.

People _CAN_ figure out your secret question. One person ... took "birthplace" as a question on their account. I found out the user's country.
I pulled up a list of the 10 major cities in that person's country. (towns & villages don't have hospitals). They were born in city #4. Account is hacked.

Another person - they listed their pet as their secret answer. So, I searched for their username - and an animal. Found their pet's name. Account is hacked.

Are you following a trend here?

The more you post online, the more information there is about you, the easier it is for people to "hack" your account. Yes, this *IS* what hacking *REALLY* is. Taking all of the facts you have available. Building on them. Finding out more information. Building on it ... keep building ... build more ... until you have the answer. My success rate was 80% in taking accounts I set out to take - using my head alone, and NO hacking tools, NO programming, NO cracking.

Let me sum this up for you, in a SHORT list of things you should keep in mind to safeguard your account from someone like ME.

1- Strong password. Press random keys on your keyboard, or use a password randomizer.

2- RECORD YOUR PASSWORDS. Write them down, that way you can use STRONGER passwords.

3- TREAT YOUR E-MAIL ADDRESS LIKE A PASSWORD. Use a NEW e-mail for ALL of your SRO accounts. Under NO circumstances should your username be in your password.

4- Don't fill in public profiles. People use them to hack your account.

5- Don't use the same username to post on boards as you use as a login. Can't stress this enough. That's 50% of your account lost.

6- Search for your OWN information on google. Anything you find - DON'T EVER USE IT AGAIN. This information is now INSECURE.

7- Watch out for XFIRE accounts. They show how much of a PRIME TARGET you are. (1K hours+ logged into SRO? You've got a fat account.)

If you've made a mistake with your account, DON'T PANIC. You can still save it - even if it has been compromised before.

Change your e-mail to something completely out of the ordinary. Something you've never used before.

Make it NOT a word, or a combination of 2 words and some numbers - the longer it is - the harder it is to figure out.

Change your actual name. Use the same fake name for _all_ of your logins.

When you set your passwords - don't be afraid to combine things. If your old pass was dog133 - change it to a combo of words plus numbers: car133bird331 - dumb as it looks - is a GOOD password VS a brute force attack. It's simple for you to remember, and it's HUGE when a scriptkiddie goes to attack it.

Nobody can advise you like someone who is REALLY into security. Joymax's security is shoddy. They suck. You have to take measures for your own good. You've just gotten advice from someone who's pretty good. I won't say I'm one of the best - as there are many better than me. Hey, give me credit - at least I'll admit it.

[ PS: About those guys who claim to break into Joymax's databases: 100% bull. I read that "chat with a hacker" - the guy either bruted or engineered. Trust me on that.]

Good luck everyone. I sincerely apologize to anyone whose account I've gotten into. You know who you are man. I hope you can forgive me. I took 1 global of yours - if you want the dime back, I'll send you a quarter. :)

I've also tried to give Joymax some of my own insight on their problems. You want to know what they say?

Nothing. They don't give a **** about anyone. Keep that in mind.

Peace.
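
A self-audit that turns the checklist in the post above into code, as an added example that is not part of the original post. The function names, the sample profile and the 10-character threshold (the upper end of the 8-10 range given above) are assumptions.

```python
import secrets
import string

# Constructed sample word list; a real audit would load a full dictionary file.
SAMPLE_DICTIONARY = {"dragon", "silkroad", "password", "monkey", "letmein"}


def normalize(text):
    """Lower-case and keep only letters and digits so 'Rex!' matches 'rex'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def audit_account(login_username, login_email, password, secret_answer,
                  public_handles, public_emails, public_facts,
                  dictionary=SAMPLE_DICTIONARY):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    user = normalize(login_username)
    handles = {normalize(h) for h in public_handles}
    local_part = normalize(login_email.split("@", 1)[0])

    # Item 5: the login name should not double as a public forum handle.
    if user in handles:
        findings.append("login username is also a public handle")
    # Item 3: the account e-mail should be unpublished and not derivable
    # from any name the owner is known by.
    if login_email.lower() in {e.lower() for e in public_emails}:
        findings.append("login e-mail is publicly listed")
    if any(name and name in local_part for name in handles | {user}):
        findings.append("e-mail address contains a known username or handle")
    # Password rules from the post: length, letters and digits, no dictionary
    # word, and never the username inside the password.
    if len(password) < 10:  # assumed threshold, upper end of "8-10"
        findings.append("password shorter than 10 characters")
    if not (any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password)):
        findings.append("password does not mix letters and digits")
    if normalize(password) in dictionary:
        findings.append("password is a dictionary word")
    if user and user in password.lower():
        findings.append("password contains the login username")
    # Secret answer: anything findable about the owner is a guessable answer.
    if normalize(secret_answer) in {normalize(f) for f in public_facts}:
        findings.append("secret answer matches publicly known information")
    return findings


def random_identifier(length=16):
    """Unpredictable letters-and-digits string for a password or e-mail name."""
    alphabet = string.ascii_lowercase + string.digits
    while True:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        if any(c.isalpha() for c in value) and any(c.isdigit() for c in value):
            return value


# Constructed sample: a profile that repeats the mistakes listed in the post.
PUBLIC = dict(public_handles=["Blade77"],
              public_emails=["blade77@example.com"],
              public_facts=["rex", "Lisbon"])
WEAK = audit_account("blade77", "blade77@example.com", "blade77", "Rex",
                     **PUBLIC)
# The same owner after replacing every field with a random, written-down value.
FIXED = audit_account(random_identifier(12),
                      random_identifier(14) + "@example.com",
                      random_identifier(16), random_identifier(12), **PUBLIC)

if __name__ == "__main__":
    for line in WEAK:
        print("WEAK :", line)
    print("FIXED:", FIXED or "no findings")
```

The dictionary check here is a whole-word match against a five-word constructed list, so it only illustrates the rule; point it at a real word list before relying on it.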


 Post subject:
PostPosted: Fri Jan 26, 2007 8:09 am 
Advanced Member
User avatar
Offline

Joined: Jan 2006
Posts: 2296
interesting. quite interesting indeed.

so, if all this is true, why dontcha take out those who cheat and bot etc?

what you dont work for you dont deserve right?

*shrugs*

_________________
<<banned from SRF for disrespect of the mod team and rules violations. -SG>>


 Post subject:
PostPosted: Fri Jan 26, 2007 8:10 am 
Active Member
User avatar
Offline

Joined: Oct 2006
Posts: 639
Location: Texas
Nice post , but horrible format.

Don't forget also that since GG is disabled, you could easily trick someone with an "innocent" program that steals their account in game.

Here's the thread I made to try to help: http://www.silkroadforums.com/viewtopic.php?t=26424


 Post subject:
PostPosted: Fri Jan 26, 2007 8:11 am 
Elite Member
User avatar
Offline

Joined: Feb 2006
Posts: 6119
Location: A den~
Shenanigans lol.

That is just guessing and researching their info, not really "hacking"; it's not much better than having a program guess it for you (bruteforcing).

_________________
Image


 Post subject:
PostPosted: Fri Jan 26, 2007 8:23 am 
Retired Admin
User avatar
Offline

Joined: Jan 2006
Posts: 8004
Location: World of Warcraft
formatting fixed, and stickied. let's not have this be a discussion of ethics, just take the information for what it's worth - and i feel like it's worth a lot. to me, it's worth as much as my character is. Thanks whpwnage.

_________________
Image
Thx IceCrash for my awesome sig :)
SRF Name Change Policy
Having trouble accessing SRF?

dom wrote:
RuYi wrote:
Are you from outer space or something?
He's from Jersey. Close enough.


 Post subject:
PostPosted: Fri Jan 26, 2007 8:35 am 
Regular Member
Offline

Joined: Sep 2006
Posts: 276
Location:
Olympus
Thanks for this info. Feels good I have a random login name and pass :)

_________________
IGN: Skurken
Level: 7x
Build:Hybrid Int Spear
Guild: _Pure_ (Full)
Union: JustSkillz (~8 Guilds)
Union & Guild Forums
Union Team Speak Server


 Post subject:
PostPosted: Fri Jan 26, 2007 8:58 am 
Valued Member
User avatar
Offline

Joined: Jan 2007
Posts: 419
Location:
Red Sea
:) thanks

_________________
Image
I wanna wrote:
i love fonts is size 24 and bold


 Post subject:
PostPosted: Fri Jan 26, 2007 10:31 am 
Active Member
User avatar
Offline

Joined: Aug 2006
Posts: 679
Location: South West London
Thanks for the tips, will duly note this info and then start changing my security around, with the 1337 hackings in greece, ima need it, lol..

_________________
Yarkan locations Updated 12th Feb


 Post subject: Re: [READ]SRO Account Hacks: How it's done and how to stop i
PostPosted: Fri Jan 26, 2007 10:36 am 
Frequent Member
User avatar
Offline

Joined: Jul 2006
Posts: 1025
Location:
Off Topic
whpwnage wrote:
I've also tried to give Joymax some of my own insight on their problems. You want to know what they say?

Nothing. They don't give a **** about anyone. Keep that in mind.


So god damn true :banghead: :cry:


 Post subject:
PostPosted: Fri Jan 26, 2007 11:56 am 
Frequent Member
User avatar
Offline

Joined: Sep 2006
Posts: 1391
Location:
Alps
you got me...

twice.
Email wrote:
Hi -

You probably have noticed that your account has been trounced.

Please read this whole message through - it's important for your account, and any future accounts you may decide to make. Pass the information around to anyone you know as well - I'd appreciate it.

Feel free to edit out _EVERYTHING_ personal, and to even slap your own name on this text. You've earned the right to do it. You can call me Kumadori - if you'd like to refer to me.

=============================================================================================

I have no interest in keeping your account. You seem like a decent guy, and I don't really like stealing things ... so I guess you're lucky I got it - rather than someone else.

Now, I'll give you step by step advice on how to protect your account from ME getting it again, and from other people getting it. Other people won't be as nice as I am.


1- Change your e-mail address(es) to non-public ones.

These days - this is a _KEY_ thing you should do. With SRO - this is one of the main weaknesses.

For your accounts that have monetary value - use a *different* e-mail for them. NOT the one you use for chatting online. You have no idea. Never post your e-mail address you use for your account. Never give it out. Keep it close.

2- Use a strong password.

It sounds like you had this down. I have no idea what your password was. I didn't need it.

3- Change your name to a fake one.

Lying is OK online. You're just covering your arse. Make sure you either use the same fake name, or keep a record of names you use.

4- Don't be afraid to write down your fake usernames, alternate e-mails, and passwords .... on paper.

Old things - like notebooks, pens, and paper - are good. They're not online. Stick it in a safe place, and refer to it when you need to.

5- Your new information is as follows:

user: edited
pass: edited
email:edited (By me.. not the guy who sent this)

You'll never hear from me again - and your account is safe if you follow these instructions.

Now, I'll answer a few questions you most likely will have.

1: How did you do it?

That's for me to know, and you to wonder about. I'm not teaching people how to do this.

2: Did you take anything from my account?

No. I have no interest in that.

3: Are you a hacker?

Yes. It's been a long time since I've done something like this ... but I was challenged online. The knowledge of how to do this - is all I care about.

4: How long did it take you to get my account?

6 minutes the first time. 4 minutes the second.



Welcome to the real internet.

Don't bother trying to find me. Everything is fake over multiple layers. Not even I could trace this message.

If you want to respond to me -

Don't be cocky - remember - I could have taken your entire account - twice. I didn't even *use* my full resources - if I did, lol, you don't want to know. You can post your reply on http://www.silkroadforums.com - Just title your message "Response to the person who hacked my account". Don't bother asking them to trace me either. :) I'm already on top of that before you thought of it.

Hope this never happens to you again. If you paid attention and follow that step-by-step guide up there, you're safe.

Don't mess up again.

PS: My apologies for involving you in my game. Someone challenged me to play - and I did.

Be careful, and have a nice day.


Second email :
Quote:
You can still visit pr0n sites if you don't got the real thing yet.

I didn't use a keylogger :)

Just my skills & brain.

peace. (Sorry again. T_T - man - watching the real person just makes me feel horrible T_T ~ said like a true white-hat ~ )

~ Kumadori ~


Now. I don't want to shout and swear and raise the roof because it was so easy for you to gain access to my account... I want to thank you.
Thank you for opening my eyes to how easy it is to get hacked...

I wont try and trace you, though im sure i could.


 Post subject:
PostPosted: Fri Jan 26, 2007 1:48 pm 
Common Member
User avatar
Offline

Joined: Nov 2006
Posts: 124
Location:
Alps
wouldn't you need their password to be able to log into silkroadonline.net and get their email address?

_________________
Server: Alps
IGN: J3FFz128
Build: Pure Str Glavie/Fire
Level: 48
Weapon:+3 LVL 48 GLAVIE
Guild: Elite lvl 5

____________________________

Thanks For Sig Draquish :D

There Is No Spoon

- The Matricks
Image


 Post subject:
PostPosted: Fri Jan 26, 2007 2:21 pm 
Addicted Member
User avatar
Offline

Joined: Jan 2007
Posts: 2547
Location: The Netherlands
Only thing i can comment, you just rock thanks for clearing this up.


 Post subject:
PostPosted: Fri Jan 26, 2007 2:33 pm 
Elite Member
User avatar
Offline

Joined: Feb 2006
Posts: 5573
Location: Netherlands
So hack back phulshof's account if you're all so nice and stuff

_________________
Image

<< :giveup:>>


Last edited by woutR on Fri Jan 26, 2007 2:37 pm, edited 1 time in total.

 Post subject:
PostPosted: Fri Jan 26, 2007 2:35 pm 
Ex-Staff
Offline

Joined: Feb 2006
Posts: 3003
Location: Khadgar
you need account name, email and secret question, that's it. With that the password and email address can be changed, then they log in and you can never do so again.

I agree that this is the easiest way to lose your account (aside from being a noob and d/ling a 3rd party program with a keylogger). psholf from my guild lost his this way.


 Post subject:
PostPosted: Fri Jan 26, 2007 2:36 pm 
Banned User
Offline

Joined: Jun 2006
Posts: 4143
Location:
Babel
good luck getting my e-mail

_________________
<<banned from SRF for bot admission. -SG>>


 Post subject:
PostPosted: Fri Jan 26, 2007 3:14 pm 
Frequent Member
User avatar
Offline

Joined: Sep 2006
Posts: 1391
Location:
Alps
Karlos Vandango wrote:
good luck getting my e-mail


itiskarl@hotmail.co.uk

What do i win?


 Post subject:
PostPosted: Fri Jan 26, 2007 3:17 pm 
Banned User
Offline

Joined: Jun 2006
Posts: 4143
Location:
Babel
ziddy1232 wrote:
Karlos Vandango wrote:
good luck getting my e-mail


itiskarl@hotmail.co.uk

What do i win?


not the 1 used for my sro account :P

_________________
<<banned from SRF for bot admission. -SG>>


 Post subject:
PostPosted: Fri Jan 26, 2007 3:45 pm 
Active Member
User avatar
Offline

Joined: Sep 2006
Posts: 986
Location:
Athens
is this you?

http://www.dontstayin.com/members/karlos-vandango

_________________
CAPPED, but not farmed :/
Level 4x Rogue

Image
A Joymax Guild Leader? -->
Raiden wrote:
You were inactive for 3 days, and one of my Co. Leaders kicked you. I apologize for the inconvenience.


 Post subject:
PostPosted: Fri Jan 26, 2007 5:05 pm 
Regular Member
Offline

Joined: Jun 2006
Posts: 251
That's what I've said :p

He forgot to add:

Create a good secret answer to begin with.

How to prevent getting hacked in the first place:
Use an email address no one knows or would guess (you can change it right now). Don't include your real name, or your nick names, or your user names as part of your email address.
Create a strong Password.
Create a strong Secret Answer (don't use common answers like dog's name as "spot", or birth place as NYC or Los Angeles). Create a good fake or unrelated answer.

After you're hacked, or if your current SA is weak, all you can do is:
Change your email address to something no one knows or would guess again.

I think the best password is even a password that foils keylogging by using letters and numbers that look similar. It can be countered but every bit helps. Add characters like lIi10Ovvw


 Post subject:
PostPosted: Fri Jan 26, 2007 6:00 pm 
Addicted Member
Offline

Joined: Jan 2006
Posts: 2888
Location:
Red Sea
Nice info, yeah most people are hacked cuz they reveal too much info about themselves. A mistake I learned a long time ago, years before I found this game. I wasn't hacked in any way but it brought upon other problems with people online. Number 1 rule on the internet is never tell anyone your real name, real town, real country, just fake the lot and keep track of it all. Use different aliases for every forum, site, emails etc. I've never used actual words as anything, I usually fill every box in with random letters and numbers even when it says name and write it down in a book.


 Post subject:
PostPosted: Fri Jan 26, 2007 6:28 pm 
Active Member
User avatar
Offline

Joined: Jan 2007
Posts: 966
Location:
Azteca
Dumb post. Only commonsensical ideas listed here. Have been reiterated thousands of times here.


 Post subject:
PostPosted: Fri Jan 26, 2007 8:05 pm 
Ex-Staff
User avatar
Offline

Joined: Sep 2006
Posts: 5245
Location:
Off Topic
I think the email thing is a good point.

I made an account on my mom's website, and created the name and made it completely random, made it as long as possible. Before anyone can even try to guess my username on that account they would first need to know my mom's website, which I'm pretty sure nobody on SRO knows.

Even if you can't do that, make an account on hotmail.com or something, and make a completely random name like j2j1nxq91210n.212.sd@hotmail.com, write it down, and write down the password to it also. You're all set.

_________________
Ooh, I got a sexy ex-staff title!


 Post subject:
PostPosted: Fri Jan 26, 2007 8:25 pm 
Senior Member
User avatar
Offline

Joined: Nov 2006
Posts: 4526
Location: Life.
This REALLY got a sticky? Wow general discussion has really gone down

_________________
Image
^Thanks 0l3n!
Gone. Never really gone, but never really here.
"If Pac-Man had affected us as kids, we’d all be running around in dark rooms, munching pills and listening to repetitive electronic music"


 Post subject:
PostPosted: Fri Jan 26, 2007 9:00 pm 
Active Member
User avatar
Offline

Joined: Dec 2006
Posts: 919
Location:
Iris
i also recommend alt codes

because they may know the symbol, but not how to get it, eg ‡

someone give me the code for that

_________________
Iris: 2x wiz
Iris: 1x 5:1 str glavie


(don't be fooled by my post count & join date, i've only started playing again after over 2 years, so I am a total noob once again)


 Post subject:
PostPosted: Fri Jan 26, 2007 9:35 pm 
Forum Legend
User avatar
Offline

Joined: Nov 2006
Posts: 6816
Location: Anything goes
dude, ur awsome, fantastic thing u have done in postin that, u rock the shit out of everything, honestly.
Plz everybody, say A BIG THANK U for this man/women, he/she deserves it, thank you very much.


 Post subject:
PostPosted: Fri Jan 26, 2007 9:58 pm 
Advanced Member
User avatar
Offline

Joined: Jul 2006
Posts: 2483
Location: Changing
absolutely wonderful. I have been following most of these tips and I recently thought of some of these, and learned some more from this guide. Incredibly nice of you to post this! :) Thanks man!


*spams Bakemaster to make whpwnage a pie*

_________________
McCain, he (Barack Obama) said, will soon "be accusing me of being a secret communist because I shared my toys in kindergarten."


 Post subject:
PostPosted: Fri Jan 26, 2007 10:14 pm 
Casual Member
Offline

Joined: Jan 2007
Posts: 98
the issue with security is very simple, never base anything secure on everyday data. (having designed and broken a few networks i can attest to this).

a lot of people think they can't have their password written down or put in a file on a computer and must memorize them because it's more secure.

heres how i do stuff.

my style of password : 4tvy43w2a4 my style of secret question : 3c4t3erag4. both are kept in a text file on my home server.
i keep it txt file on my server at home. at this point people scream 'what if someone hax0rs my machine!' . well reality is A - you dont 'hack into machines' you trick people into running trojans and virus that you've written. now lets say one gets on to your box, it has to know what to look for. and by the time you have a trojan on your box, you can have a keylogger on there anyways. and with a keylogger its game over anyway.


i just thought id throw that in from experience and all that


 Post subject:
PostPosted: Fri Jan 26, 2007 10:34 pm 
Elite Member
User avatar
Offline

Joined: Mar 2006
Posts: 6423
Location: ____
I refuse to call this hacking.


 Post subject:
PostPosted: Fri Jan 26, 2007 10:36 pm 
Ex-Staff
User avatar
Offline

Joined: Oct 2006
Posts: 2732
Location: Waterloo
Oh my god. This is what I've been waiting for all my life.

Thanks so much to the original poster. =( I could have offered my account information for you to hack if I knew it would produce these ..... wonderful results.

I can finally play SRO on Greece *cough* without having to worry about anything. And tell the lame idiots I got hacked twice but I am still legit.

_________________
DID YOU KNOW? Milly has retired!!!!


Status: Into Minecraft

ImageImage


 Post subject:
PostPosted: Fri Jan 26, 2007 10:42 pm 
Advanced Member
User avatar
Offline

Joined: Jul 2006
Posts: 2483
Location: Changing
draquish wrote:
I refuse to call this hacking.

so...what are you trying to say? Hacking is exploiting a flaw in the system usually, from what I know, and although JM's security isn't great what he is saying is that it is the fault of the user. So what are you trying to say? Are you agreeing with him? :?

_________________
McCain, he (Barack Obama) said, will soon "be accusing me of being a secret communist because I shared my toys in kindergarten."

