
Warning - You Might Get Hacked!



  1. #1
    Senior Member HenkaN75's Avatar
    Join Date
    Apr 2013
    Location
    Sweden
    Posts
    162

    Default Warning - You Might Get Hacked!

    A new server named PureKO was recently released for beta-testing. The first thing we noticed was the launcher acting weird. It was generally slow and after a while error messages started popping up.

    Name of the launcher/anti cheat: Pvpknight Anti Cheat (PAC)


    We started debugging the process and noticed that data was sent from the process to a server located in Turkey (not the game server's IP). The data was encrypted, but we managed to find out that the packets were in fact a keylogger because the data was larger when we typed more frequently.





    After investigating a bit more, we decided to hit up the owners of PureKO to chat in IRC to find out what's up with the anti hack-shield logging keystrokes and program data. We never got any answers from them and they started to act weird, they haven't responded since.




    And to end it all, we managed to get into the database where we noticed there were tables prepared to store credit card information. We cannot guarantee this will be used for evil, but the impression we got from them in general makes us think that it's just as fishy as the keylogger.





    Special thanks to KataNoob and TheTompa for helping me expose these bad people!
    Last edited by HenkaN75; 11-28-2016 at 12:16 PM.
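
The inference in the post above (encrypted payloads to a non-game host that grow when more is typed) can be checked by correlating bytes sent per destination with keystrokes per time window. This is an added example, not code from the thread; the IPs, window sizes, byte counts, allowlist and the 0.9 threshold are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample data (documentation IP ranges), one column per 10 s window.
KEYS = [0, 12, 40, 5, 60, 0]              # keystrokes the tester typed per window
TRAFFIC = {                                # payload bytes sent per window, by destination
    "198.51.100.10": [1480, 1510, 1495, 1502, 1488, 1499],  # assumed game server
    "192.0.2.77":    [64, 160, 384, 104, 544, 64],          # unknown destination
    "203.0.113.5":   [300, 300, 0, 300, 0, 300],            # unknown destination
}
GAME_SERVERS = {"198.51.100.10"}           # assumed allowlist

SAMPLES = [(w, KEYS[w], dst, n)
           for dst, col in TRAFFIC.items() for w, n in enumerate(col)]


def pearson(xs, ys):
    """Pearson correlation; 0.0 when either series is constant."""
    mx, my = mean(xs), mean(ys)
    cov = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    vx = sum((x - mx) ** 2 for x in xs)
    vy = sum((y - my) ** 2 for y in ys)
    return 0.0 if vx == 0 or vy == 0 else cov / (vx * vy) ** 0.5


def suspicious_destinations(samples, allowlist, threshold=0.9):
    """Return {dst: r} for non-allowlisted hosts whose bytes track typing."""
    keys = {}
    sent = defaultdict(lambda: defaultdict(int))
    for window, keystrokes, dst, nbytes in samples:
        keys[window] = keystrokes
        sent[dst][window] += nbytes
    windows = sorted(keys)
    xs = [keys[w] for w in windows]
    findings = {}
    for dst, per_window in sent.items():
        if dst in allowlist:
            continue
        r = pearson(xs, [per_window.get(w, 0) for w in windows])
        if r >= threshold:
            findings[dst] = round(r, 3)
    return findings


if __name__ == "__main__":
    print(suspicious_destinations(SAMPLES, GAME_SERVERS))
```

A high correlation only shows that payload size tracks typing volume; it says nothing about what the encrypted payload contains, so it is a lead for further analysis rather than proof.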

  2. #2
    KataNoob Senior Member blood_warrior's Avatar
    Join Date
    Jun 2006
    Location
    Home
    Posts
    460

    Default

    White knight online aka Henkan. I guess the lesson to learn here is to be watchful of servers like these (i.e. servers with "turk-developer" origins). I'm willing to bet there are more of them out there using this setup. Keep your sensitive information protected!

  3. #3
    Senior Member
    Join Date
    Mar 2006
    Location
    Finland
    Posts
    133

    Default

    Makes you wonder how many PSKOs have done something similar to this..
    HenkaN75 likes this.

  4. #4
    Polak Extraordinaire Senior Member
    Join Date
    Nov 2013
    Posts
    1,130

    Default

    I feel like every server should post a https://www.virustotal.com/ scan from now on to prove they aren't fishy.

    Good shit henkan, now you can put Murat back into your signature.

  5. #5
    Senior Member HenkaN75's Avatar
    Join Date
    Apr 2013
    Location
    Sweden
    Posts
    162

    Default

    No scans detect it though

  6. #6
    God. Moderator Kallop's Avatar
    Join Date
    Aug 2008
    Location
    Above you.
    Posts
    5,749

    Default

    PureKO topic closed, accounts related to the server banned.

  7. #7
    Global-myko Senior Member deadhealer1's Avatar
    Join Date
    Oct 2016
    Location
    Usa
    Posts
    195

    Default

    Wow Thanks a lot, glad I never tried this.

  8. #8
    Polak Extraordinaire Senior Member
    Join Date
    Nov 2013
    Posts
    1,130

    Default

    Quote Originally Posted by HenkaN75 View Post
    No scans detect it though
    Really? You ran the launcher and the exe through VirusTotal and it didn't pick anything up? That's pretty scary, damn.

  9. #9
    Senior Member TankxD's Avatar
    Join Date
    Aug 2009
    Location
    U.S.A
    Posts
    299

    Default

    wow.... nice post man

  10. #10
    Banned Senior Member
    Join Date
    Jun 2013
    Location
    Czech Republic
    Posts
    477

    Default

    Quote Originally Posted by SkyHunter View Post
    I feel like every server should post a https://www.virustotal.com/ scan from now on to prove they aren't fishy.

    Good shit henkan, now you can put Murat back into your signature.
    For example, VirusTotal gives more "positive" results for original SOACS than for cracked SOACS (which is more vulnerable, because it is used by untrusted people). All virus programs use heuristic analysis, so false positive detection is quite common for Knight Online, as the anticheat itself needs to monitor all running programs to detect KOXP and other software. So with VirusTotal you usually find nothing except a random number. You really need to do a scan like this, to see what packets are sent and to where.

  11. #11
    God. Moderator Kallop's Avatar
    Join Date
    Aug 2008
    Location
    Above you.
    Posts
    5,749

    Default

    Quote Originally Posted by SkyHunter View Post
    I feel like every server should post a https://www.virustotal.com/ scan from now on to prove they aren't fishy.

    Good shit henkan, now you can put Murat back into your signature.
    The problem with that is that most servers using updated anti-cheat will be flagged, even if they aren't doing anything fishy. Also, there would be no point having a keylogger if a virus scan was able to detect it. If anybody is going to try to pull something like this off (there have been attempts in the past) they would make sure to hide it well.

  12. #12
    SEXIEST NOSE ON EARTH Senior Member SheldonCooper's Avatar
    Join Date
    Jan 2010
    Posts
    2,794

    Default

    That's utterly fucked up lol. But that's custom files I think, it's like there are false positives on SOACS but SOACS is a verified anti-cheat. There's a problem when people make custom stuff like this one here and pack a keylogger in there. You can't know with these new servers if they packed an actual keylogger. And they made credit card procedures storing info directly into the DB so he has a clean overview. That's really bad xD I hope these people don't get fhawked up after putting this info out there. Cause that guy has them all now.

    How did you get the screenshots from the dedicated server tho? Like one of you guys has dedi access? Or a dev there exposed it to you? Cause if one of you had dedi access, and you verified that this shit is real, you should have deleted all these tables where people got real info from CC saved in there.

    If you have a chance to check that cclogs table, and you see there are actual numbers of CCs there, you should delete it instantly if they haven't backed it up several times already. Although I think there isn't really CC information in there. There's probably just a bridge or, how should I say, link-up made, where they probably donate through a legit provider, and there's a script marking the account ID, and the payment procedure lets them know the payment was successful and it makes a log in the database. That way the owner knows the payment was made and he can track the payment ID to verify if he hasn't made it automatically.

    But if it's the first case in he somehow scans all the card info and stores it there. That's serious felony lmao.

    However the keylogger seems real on the first part. So whatever the crime coming out of this, and since it's a Turkish server I'm pretty sure Turks in the "area" gonna track the dude down and report him.

  13. #13
    Banned Member
    Join Date
    Apr 2016
    Posts
    26

    Default

    How do you know that the server is located in Turkey?

  14. #14
    SEXIEST NOSE ON EARTH Senior Member SheldonCooper's Avatar
    Join Date
    Jan 2010
    Posts
    2,794

    Default

    Quote Originally Posted by TeLara View Post
    How do you know that the server is located in Turkey?
    You can get it by the IP geolocation.

    IP Address: 37.247.105.69

    Country: Turkey
    Region: Istanbul
    City: Istanbul
    ISP: DGN Teknoloji A.S.
    Latitude: 41.01383972168
    Longitude: 28.949659347534

  15. #15
    Senior Member HenkaN75's Avatar
    Join Date
    Apr 2013
    Location
    Sweden
    Posts
    162

    Default

    I went back in my footsteps, researched a little more and it doesn't look like they would store the CCs in that database.
    BUT, since they log all your keypresses in every application you have open they still get that info... Topic still valid!
