
HOW SOE IS BUSTING US! ! !

Status: Not open for further replies.

CodeCompiler (banned), joined Dec 10, 2005:
[Image: Mqpackets.jpg]


This only happens when someone sends a form of chat.... So besides regular firewalls SOE puts up.. they are monitoring the actual CHAT COMMANDS ! ! !
TY TY TY VERY MUCH WOOHOO I HAVE NOW TOLD ALL THE MQ2 SITES HAVE AT IT BOYS AND GIRLS.. Ohh yeah show some luv... Build it up and figure out a way to keep the chat from being in EQ and we good cause they change the IP address every night... but it is coming across a TCP not UDP so we can choose to block all chat or something I dunno...


BUST OUT YOUR FAVORITE CODECOMPILER A RED CENT HAHA MUAHZ THATS FOR YOU ALL.
 
If I'm reading it correctly, the "You have been disconnected" is happening and logging the last commands given in the way of hacks then disconnecting you. This is all based on chat and what you're typing or putting in. So I think what he's saying is isolate this and make it not send the info out you're typing and it's all fixed and everything will go back to normal.

Correct me if I am wrong but that's what it sounds like to me.
 
195.27.11.135?


You're saying that whenever you type a chat command, SOE is sending something on port 80 to an Akamai web cache?

If you dump the packet I'm sure you'd see the actual url and whether you are doing a get or a post.

I'd bet on a get.
 
You show me what's in that packet and quit making wild claims. Because all I see right now is a packet to port 80 on a netblock that doesn't belong to Sony.

akamai...

root@slack102-01:/var/log/apache# nmap -O 195.27.11.135

Starting nmap 3.93 ( http://www.insecure.org/nmap/ ) at 2007-05-04 04:09 CDT
Interesting ports on rsvd-akamai-135.11.27.195.in-addr.arpa (195.27.11.135):
(The 1664 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
443/tcp open  https
500/tcp open  isakmp
No exact OS matches for host (If you know what OS is running on it, see http://www.insecure.org/cgi-bin/nmap-submit.cgi).

Nmap finished: 1 IP address (1 host up) scanned in 18.013 seconds

So tell me, what from all this leads you to run around and scream that all slash commands are being reported?

$5 says you have a trojan, I'd be interested in seeing your netstat -a with nothing running.

If you actually want to see what packets your computer is receiving and sending and what is in them go download Wireshark.
 
CComp at 12:01 it changes dude first off secondly I am willing to bet I don't have a Trojan cause I run NOD32 but then again... you got the good stuff and thirdly know your crap cause Wireshark is ok but if you go look at ethicalhackers.net it will tell ya they don't care for it cause it doesn't work so well.. and here is the kicker How come I wasn't the only one with a different computer and different location and different program and completely different compile that saw this.... Hrm.. weird... I would so definitely say. Try Changing the /warp command name .. And CComp how long would a simple cache macro take to process to look for /warp and have it save and another to dump the rest ? couple seconds?
 
12:01 what time zone? and I am not coming up with anything being sent to any ip address that is different if mq2 is loaded or not. I have used ethereal, wire, and anx pm. If you know these people who are testing with you, is it not possible that you transferred a trojan to their machines unintentionally? perhaps you all have the same or a similar trojan. All you are showing with your screenshots is that you have another connection made sometime after you loaded up mq2, one that wasn't there before you loaded it up. How or why that connection was made is anyone's guess, but like cc said, it is most likely due to a trojan you have. Support yourself more if you are going to make such "wild claims".
 
Even if that is true, it still doesn't change the fact the opcodes for movement are changing which without a stable opcode you can't keep a working warp.

The packet is not only changing but if it is logging it that still doesn't get around it.
 
Wild Claims awesome that's great.. Here is a claim if you know so much then why don't ya have it solved? If you are doing so much what are you doing.... I been blowing through accounts till buddy changed names of things to like /cont for warp and be doing it a lot in open zones and why would these be chat servers that these messaging.. Hrm I don't know.. But hell all you IT guys right.. Who has been doing anything about anything. No one except me and a couple others sadly enough MMOBUGS has definitely been doing a lot. Needless to say about RG there has been 2 others that have been trying and checking things out. But you're right I'm prolly only dealing with a trojan that's in a MQ2 COMPILE THAT'S BEING SHARED ON YOUR FREAKING WEBSITE ! ! What a coincidence??hrm then that mean the 900 users that downloaded all have the same thing and that my NOD32 and other tools didn't catch... /shrug right..
 
I honestly don't care enough to work on it and get it solved myself. Will I use it when it is? yes. Have I played the game without warping? yes, for six years. Have I had accounts banned from testing things for people since the last patch? yes, 3 banned 2 suspended. Currently mmobugs is the only site like RG that has something really working and not having people suspended for warp. And yes I'm a lifetime member on that site, not that it is relevant. Kudos for you for trying to help, though try to back up your 'claims' with more information.

if:
CodeCompiler said:
How come I wasn't the only one with a different computer and different location and different program and completely different compile that saw this
then why say:
CodeCompiler said:
But you're right I'm prolly only dealing with a trojan that's in a MQ2 COMPILE THAT'S BEING SHARED ON YOUR FREAKING WEBSITE ! ! What a coincidence??hrm then that mean the 900 users that downloaded

PS: ethicalhackers.net isn't gospel
 
This is what happens when you give everyone tools like packet sniffers, they have zero fucking clue what to do with them but they'll be damned if they don't try to stir some shit up.
 
CComp's comment.. and if I had this issue then a shitload of others would 2 and... never said it but how about this.. if you're not going to work on it or give positive feed or suggestions and what not to fix then shut you fawking face up... =) Cause to come in here running your burbling sperm dribble to the boards that has no real boundary except to hear yourself talk then why do it.. So take your little "lifetime membership" and stay on the mmobugs boards. And accept handouts and not work on something that can affect 1000's of eq'ers lives. IMO people can help some offer and it's appreciated others sit back and complain and others just do it for a senseless dribble if you're either of the last 2 don't post is my advice. I have a packet offset also I was talking to nijhal about and been working yet still busted then we started looking at other things and damn only thing the group of us found was this..
 
I agree who cares about ethical hackers. Basic network forensics will tell you that the referenced packet has nothing to do with EQ or MQ2.

I have linux black box loaded up with snort, and it doesn't show any TCP packets while I have EQ loaded up with MQ2.

Here's my network topology:

Windows XP -> Linux Black Box -> Cisco Switch -> Router -> DSL Modem

As a control I started with just EQ1 running on my Windows box. Note: this was without any IMs running, only your standard Windows services. The only activity was UDP with a source port of 2429 and 1419 and vice versa.

I downloaded the latest MQ2 vanilla and compiled it .... same activity ....

I downloaded the latest RedQuest .... same activity ....

I downloaded the latest CodeCompiler version ... same activity ....

Seeing activity on port 80 when you do not have a web browser open is very odd; I too would lean towards a possible trojan.

The changing at 12:01 every day is also symbolic of a trojan. Its destination server could have a dynamic IP range.

However, there are a number of other things that could really be going on.

Long story short ... kudos on passing on the information ... but don't get offended when others challenge your claim.
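
The control-then-change comparison the post above describes can be made mechanical. This is an added example, not code from the thread: it diffs two `netstat -an` snapshots in the Windows XP layout and flags any new connection that is not the game's expected UDP traffic on local ports 2429 and 1419. Both snapshots are constructed for the example; the only real value reused is the 195.27.11.135:80 destination quoted earlier in the thread.

```python
import re
from collections import namedtuple

Conn = namedtuple("Conn", "proto local_ip local_port remote_ip remote_port state")

# Constructed snapshots in Windows XP `netstat -an` layout (not real captures).
# Control run: only EQ running, UDP on local ports 2429 and 1419 as the post describes.
BASELINE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  UDP    192.168.1.10:2429      *:*
  UDP    192.168.1.10:1419      *:*
"""
# Same box after the change under test; the extra line reuses the address quoted in the thread.
AFTER_MQ2 = BASELINE + "  TCP    192.168.1.10:1031      195.27.11.135:80       ESTABLISHED\n"

EXPECTED_UDP_PORTS = {2429, 1419}
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Turn netstat -an output into a set of Conn tuples; header and blank lines are skipped."""
    conns = set()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, lip, lport, rip, rport, state = m.groups()
            conns.add(Conn(proto, lip, lport, rip, rport, state or ""))
    return conns

def new_connections(baseline_text, after_text):
    """Connections present in the second snapshot but absent from the control run."""
    return parse_netstat(after_text) - parse_netstat(baseline_text)

def suspicious(conn):
    """Game traffic on the expected UDP ports and local listeners are normal; anything
    else that is new, such as TCP to a remote port 80, deserves a packet capture."""
    if conn.proto == "UDP" and conn.local_port.isdigit() and int(conn.local_port) in EXPECTED_UDP_PORTS:
        return False
    return conn.state != "LISTENING"

def report(baseline_text, after_text):
    """Sorted, human-readable list of new connections that the control run does not explain."""
    return sorted(
        f"{c.proto} {c.local_ip}:{c.local_port} -> {c.remote_ip}:{c.remote_port} {c.state}".strip()
        for c in new_connections(baseline_text, after_text) if suspicious(c)
    )
```

Take the baseline with only the game running, repeat after each change (vanilla MQ2, RedQuest, another compile) and feed each pair to `report`; an empty list means that step added nothing the control did not already show.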
 
Listen to me very carefully, fucknuts.

You want to go babbling about packets that are being sent, well, odessa nailed it -- that's why we don't distribute that shit to the public, because every time we do, we get a thread like this. But you just like to take this a step further by saying:

But you're right I'm prolly only dealing with a trojan that's in a MQ2 COMPILE THAT'S BEING SHARED ON YOUR FREAKING WEBSITE ! !

Okay, now let's look at the logic here. As of the time of posting, RQ v9.3 has 1250 views. Now, I obviously don't know much about the law of averages, but LOGIC tells me that if ONE THOUSAND, TWO HUNDRED AND FIFTY PEOPLE DOWNLOADED A FILE AND DIDN'T REPORT A PROBLEM WITH VIRUSES THEN THERE PROBABLY ISN'T ONE.

Furthermore, I'm so offended that you would say something like that there are no words to express how angry I am. That said, there are some choice phrases. I spend so much time working on that compile that could easily be spent elsewhere, like working on my goddamn grades or some shit. I maintain that entire thing on my own, and always have, and I'm NOT going to take it from some punk ass fucker with a packet sniffer who comes in here like the crazy old man screaming about Armageddon on a city street corner. You ignored the things that are being said by people who know a whole lot more than you, who are running tests on computers running Windows, EQ, MQ, and nothing more.

Now let's take it a step further. There are people who maintain this program and make fairly nice money for it. You're a fucking retard if you think that Lax & Crew would allow something like what you're talking about to occur. DKAA, in particular, still puts a lot of work into our source, as does IEA, and what the hell makes you think that you or your pet network engineer know more than they do? Even more, Lax makes a whole hell of a lot of money maintaining InnerSpace...you don't think that he'd have realized by now that something was up?

Oh yeah. If your virus software is so nice, why didn't you detect the "virus" in RQ?
 