Hello guys I sorta have a question about fourDeltaOne (IW4M). Now me and my clan used to play alterRevolution and our servers were hosted in alterRevolution aswell.When there was this one guy who could XUID spoof the super-admins, and that way He got full access to b3 commands and started doing *cough cough* "THE USUAL SHIT" So we thought since alterRevolution was buggy/full of hackers, we would move to fourDeltaOne. And Soon enough host our servers on fourDeltaOne aswell, Now I know fourDeltaOne is wayy more Superior to alterRev, But I don't want to intervene on which is best and which is not...My question is... can the hacker come to our servers and when we are all using the fourDeltaOne client, will the hacker be able to "GUID" spoof us? and get access to our b3 and our information?? I surely hope not! I don't want to get Spoofed and then get in trouble and go through some shit again, and after awhile I did meet the hacker when I was using fourDeltaOne, he was like he could Spoof us "Changing values" or something. Now I am not a big nerd on these tech/coding stuff. So I have no clue what he meant, so if you guys can add some sort of extra layer of protection that would be nice

 

//|dZiRe|Hidaaan

Before I was told to cease and desist by Activision, I had a couple of ideas for server authentication that couldn't be spoofed. Unfortunately, no one else liked my ideas, so I never bothered to make it.

 

So yes, people right now can spoof and gain super admin privileges. The only way to protect from it is to authenticate by IP, provided your admins have static IPs. If they don't have static IPs, bad luck.

Dear god. My eyes. Have you heard about paragraphs?

 

On topic: I don't know if that is still possible with the FD1 client, though I think there is some extra security stuff with b3 which you can use against that.

 

Edit:

Like Pigo said, use IP auth.

Dear god. My eyes. Have you heard about paragraphs?

 

On topic: I don't know if that is still possible with the FD1 client, though I think there is some extra security stuff with b3 which you can use against that.

 

Edit:

Like Pigo said, use IP auth.

Hahaha I could care less about para's atm,

 

Unless

 

You want it that way??

 

I see IP auth,

 

Is it a B3 plugin? and How does it work? wait nvm I'll

 

Google

 

It

Before I was told to cease and desist by a large gaming conglomerate, I had a couple of ideas for server authentication that couldn't be spoofed. Unfortunately, no one else liked my ideas, so I never bothered to make it.

 

So yes, people right now can spoof and gain super admin privileges. The only way to protect from it is to authenticate by IP, provided your admins have static IPs. If they don't have static IPs, bad luck.

I can see the subtle messaging inside there but I really wish you can add those extra layers of security! I don't want shit to happen again and I will see what this IP auth is about Cheers!

I can see the subtle messaging inside there

uhhh, what subtle messaging?

I really wish you can add those extra layers of security!

no can do.

After moving the servers to FourDeltaOne, get on the database (using phpmyadmin or such) and remove admin rights from your arev xuids on "clients" filed on the database (group_bits field from 128 to 0 or 1)

Then, after getting on the server with your FourDeltaOne's game client, give admin rights to your new database accounts, the same way that you removed from the old ones (0 to 128 on group_bits)

Now B3 admins will be identified by FourDeltaOne's IDs, rather than an xuid.

Ok. But when we move out our servers to 4d1 we are going to be getting new b3 db's from our host, so should

I go over your steps still?? Because i will be connecting directly with the 4d1 client...

If it's a new database, then you don't need to do all that.

That was just to remove the admin rights on xuid identified accounts (accounts that won't exist if it's a new database)

Is there a password authentication plugin for B3? I remember possibly seeing one, but that might have been wrong - you can then have the admins use the / command hiding feature to 'identify' in addition to their SteamID being used.

Why do random hackers know your admin's guids?

Also, try making your own dll that spoofs your admin's guids to something that changes every hour or so (like a random number generator php script).

Why do random hackers know your admin's guids?

Because he's still talking about xuids

I remember that in the old times there were some methods to get a player's xuid (for cheat reporting purposes).

With the xuid spoofing being an easy fashion nowadays, "hackers" just get the admins xuids and spoof it on their game client.

Why do random hackers know your admin's guids?

Because he's still talking about xuids

I remember that in the old times there were some methods to get a player's xuid (for cheat reporting purposes).

With the xuid spoofing being an easy fashion nowadays, "hackers" just get the admins xuids and spoof it on their game client.

Yeah.. stupid question... If I remember correctly its just a hexadecimal representation of your forum username (well at least based off of it in any case)

Why do random hackers know your admin's guids?

Because he's still talking about xuids

I remember that in the old times there were some methods to get a player's xuid (for cheat reporting purposes).

With the xuid spoofing being an easy fashion nowadays, "hackers" just get the admins xuids and spoof it on their game client.

Yeah.. stupid question... If I remember correctly its just a hexadecimal representation of your forum username (well at least based off of it in any case)

No, it's not. Also, getting an XUID now is just as easy as it was before. You can just read off XUIDs from the game and end up with a full list of Names with their respective IDs with a couple of minutes work.

Yeah.. stupid question... If I remember correctly its just a hexadecimal representation of your forum username (well at least based off of it in any case)

No, it's not.

Yes, it is?

well the id

Is there a password authentication plugin for B3? I remember possibly seeing one, but that might have been wrong - you can then have the admins use the / command hiding feature to 'identify' in addition to their SteamID being used.

 

There is actually a plugin, I have told our server hoster to configure this plugin when we put our servers up. Ahh ofcourse the / is a very useful command to hide also I could try to hook up the mask option and make us all look like we have mod position

 

If it's a new database, then you don't need to do all that.

That was just to remove the admin rights on xuid identified accounts (accounts that won't exist if it's a new database)

 

Alright mate thanks but I remember you mentioned something about changing the (group_bits field from 128 to 0 or 1) Should I still do that once I do !iamgod or something, after we get the new databases?? Or will it automatically save as 0 or 1. Since I'm using the 4d1 client?

 

Because he's still talking about xuids

I remember that in the old times there were some methods to get a player's xuid (for cheat reporting purposes).

With the xuid spoofing being an easy fashion nowadays, "hackers" just get the admins xuids and spoof it on their game client.

 

Yeh getting anyones XUID is really really really easy, there was a cheat report tool people can use. I think it was released by alterRev themself (but we all know who really made it ) and the other RIP OFF aIWRepz or something.....I'm starting to hate that tool now >.< Even though it can be used for a good purpose, douchebags use it for some other reasons...

I am familiar with this happening before. I witnessed a hacker spoof a server's b3 and starting banning everyone. Well we found out the solution before I was next in the hitlist, through RCON. These guys installed b3 and RCON in their server and they got to ban the spoofer with their RCON right in time because the main admin of the server was about to be banned. Permanently.

It doesn't matter if the hacker does ban any admins, as much as it can annoy us. We can still unban any person through echelon. But the problem here is, the spoofer takes his place as the MAIN ADMIN. as In if I had the XUID: 123, he would spoof it into 123 and have all the rights I did. My K/D on the b3, my admin rights and everything. I just wanted a solution fix over that

Alright mate thanks but I remember you mentioned something about changing the (group_bits field from 128 to 0 or 1) Should I still do that once I do !iamgod or something, after we get the new databases?? Or will it automatically save as 0 or 1. Since I'm using the 4d1 client?

That field stores the information about the client's permissions.

When you use !iamgod, that field will pass to 128, because you're superadmin. If you go there and change it to 0, you'll no longer even be a registered user.

That was to take off permissions from xuid based guids. Off course you won't want to have your new FourDeltaOne's account server admin permissions removed. So, when you use !iamgod, just let it be 128.