complaints

Forum > Complaints > skipper II
Reply To Thread (login)
Ender [1]
Administrator
2011-08-26 01:20:57
[13 years, 122 days ago]

So it was a little after midnight here when I finished putting the final touches on some basic forum moderation tools...basically the ability to mute players. I'd warned skipper this morning when I left for work that if he continued acting up, I'd mute him. Naturally, he was thus the first person I muted. This was 30 minutes ago.

Then I noticed skipper had been online for the past 5 hours or so, yet hadn't made any forum posts. Kind of strange for a spammer, no? I also noticed he's pretty high level, top 10 in fact. So I decided to run a little investigation.

I changed the captcha page only for skipper to say "navigate to the documentation to prove you are not a script-using cheater", instead of the usual recaptcha form. This resulted in an interesting pattern:

95.76.230.84 - - [26/Aug/2011:01:03:57 -0400] "GET /captcha/train/25/54211 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:03:57 -0400] "GET /showroom HTTP/1.1" 200 63388
95.76.230.84 - - [26/Aug/2011:01:03:58 -0400] "GET /train HTTP/1.1" 200 40374
95.76.230.84 - - [26/Aug/2011:01:04:00 -0400] "GET /showroom HTTP/1.1" 200 57075
95.76.230.84 - - [26/Aug/2011:01:04:01 -0400] "GET /train/25/35530 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:01 -0400] "GET /captcha/train/25/35530 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:02 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:05 -0400] "GET /train/25/45880 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:06 -0400] "GET /captcha/train/25/45880 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:07 -0400] "GET /train HTTP/1.1" 200 40343
95.76.230.84 - - [26/Aug/2011:01:04:10 -0400] "GET /train/25/61751 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:10 -0400] "GET /captcha/train/25/61751 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:11 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:14 -0400] "GET /train/25/63960 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:14 -0400] "GET /captcha/train/25/63960 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:16 -0400] "GET /train HTTP/1.1" 200 40343
95.76.230.84 - - [26/Aug/2011:01:04:19 -0400] "GET /train/25/7357 HTTP/1.1" 302 437
95.76.230.84 - - [26/Aug/2011:01:04:19 -0400] "GET /captcha/train/25/7357 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:20 -0400] "GET /train HTTP/1.1" 200 40343
95.76.230.84 - - [26/Aug/2011:01:04:23 -0400] "GET /train/25/27175 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:24 -0400] "GET /captcha/train/25/27175 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:25 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:28 -0400] "GET /train/25/62491 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:28 -0400] "GET /captcha/train/25/62491 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:30 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:32 -0400] "GET /train/25/45439 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:33 -0400] "GET /captcha/train/25/45439 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:34 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:37 -0400] "GET /train/25/60071 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:37 -0400] "GET /captcha/train/25/60071 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:39 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:41 -0400] "GET /train/25/58723 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:42 -0400] "GET /captcha/train/25/58723 HTTP/1.1" 200 6594
95.76.230.84 - - [26/Aug/2011:01:04:43 -0400] "GET /train HTTP/1.1" 200 40373
95.76.230.84 - - [26/Aug/2011:01:04:46 -0400] "GET /train/25/37743 HTTP/1.1" 302 438
95.76.230.84 - - [26/Aug/2011:01:04:46 -0400] "GET /captcha/train/25/37743 HTTP/1.1" 200 6594

So I locked and reset his bot. And now I'm getting this:

95.76.230.84 - - [26/Aug/2011:01:09:07 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:10 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:14 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:17 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:21 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:24 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:28 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:31 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:35 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:38 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:42 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:45 -0400] "GET /showroom HTTP/1.1" 200 40544
95.76.230.84 - - [26/Aug/2011:01:09:45 -0400] "GET /train HTTP/1.1" 200 8333
95.76.230.84 - - [26/Aug/2011:01:09:47 -0400] "GET /showroom HTTP/1.1" 200 59115
95.76.230.84 - - [26/Aug/2011:01:09:49 -0400] "GET /train HTTP/1.1" 200 8330
95.76.230.84 - - [26/Aug/2011:01:09:52 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:56 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:09:59 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:03 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:06 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:09 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:13 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:16 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:20 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:23 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:27 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:30 -0400] "GET /train HTTP/1.1" 200 8332
95.76.230.84 - - [26/Aug/2011:01:10:34 -0400] "GET /train HTTP/1.1" 200 8332

Cute, it even goes to the showroom every now and then.

Don't let the door hit your ass on the way out.


 
Warbringer [89]
2011-08-26 01:22:34
[13 years, 122 days ago]

Good riddance.


 
Badger [87]
2011-08-26 01:29:03
[13 years, 122 days ago]

Hahaha, I actually started thinking how can someone who spams so much possibly still have the time to train.

Can't say I'll miss him.


 
smeg [30]
2011-08-26 01:30:47
[13 years, 122 days ago]

Ahha! justic is served!

~Hobo


 
Orion [33]
2011-08-26 01:39:52
[13 years, 122 days ago]

what does all the highlighted text mean?


 
smeg [30]
2011-08-26 01:42:13
[13 years, 122 days ago]

means he's a cheater


 
Ender [1]
Administrator
2011-08-26 01:43:26
[13 years, 122 days ago]

Those are web server logs. Each line represents an individual request for some resource (page, image, stylesheet, etc.). In this case, they each represent a page request. You can see from the timestamps that in response to the new captcha page (no recaptcha, just message saying go to documentation page), his script goes into a tight loop where it bounces between the train index, the train page (where it is redirected), and the captcha page. After being locked out, it just continuously refreshes on the train index.

I IP banned him for now to avoid wasting bandwidth because it's going to keep refreshing that page every few seconds until he wakes up. I'll lift the IP ban when the DoS stops.


 
Orion [33]
2011-08-26 01:44:27
[13 years, 122 days ago]

o rly?


 
Orion [33]
2011-08-26 01:44:47
[13 years, 122 days ago]

thx ender


 
Off [118]
2011-08-26 02:00:08
[13 years, 122 days ago]

Wow, I didn't expect this of him :D I thought he was only a dumb spammer ^^

Nice work Ed :)


 
WhiteFang [110]
2011-08-26 02:28:28
[13 years, 122 days ago]

Nice work Ed! But seriously, IP ban? If you IP ban scripters you should ban at least 30% of the active people.

~skipper


 
WhiteFang [110]
2011-08-26 02:31:44
[13 years, 122 days ago]

oh, It is just now I read that part with lifting the IP ban. kk


 
Smeagol [179]
2011-08-26 03:12:45
[13 years, 122 days ago]

Well done \o/


 
silencer [82]
2011-08-26 04:03:11
[13 years, 122 days ago]

You are muted until 2011-09-02 03:10:12 for reason already muted by Ender for excessive spamming. Attempting to evade this mute by using other bots to post will result in loss of all bots.

cute ^_^


 
Jans [84]
2011-08-26 04:16:09
[13 years, 122 days ago]

Kudos for catching that sad wanker cheating.

And dont tell us too much about your investigation methods ;)


 
MarvoloRiddle [82]
2011-08-26 04:17:41
[13 years, 122 days ago]

Jans you gay for a chance?


 
conquerer [41]
2011-08-26 04:38:42
[13 years, 122 days ago]

I'll just leave this here

en.wikipedia.org/wiki/Denial-of-service_attack


 
neps [166]
2011-08-26 04:57:41
[13 years, 122 days ago]

I'll just leave this here:

http://en.wikipedia.org/wiki/Nightjar


 
Durr [80]
2011-08-26 05:00:10
[13 years, 122 days ago]

the only thing that intrigues me is how come you're the only Chinese on this site


 
neps [166]
2011-08-26 05:01:23
[13 years, 122 days ago]

The only thing that intrigues how anyone got the idea that I am Chinese.


 
nosebleed [38]
2011-08-26 05:03:11
[13 years, 122 days ago]

and second best question is: how can someone as smart as neps sit down at his computer 20 hours/day and train bots. this is just unexplainable


 
Tintin [73]
2011-08-26 05:14:50
[13 years, 122 days ago]

Nice catch!


 
neps [166]
2011-08-26 05:43:37
[13 years, 122 days ago]
and second best question is: how can someone as smart as neps sit down at his computer 20 hours/day and train bots. this is just unexplainable

Don't you wish you knew. Well, not by cheating, I can tell you that much.


 
Rico [90]
2011-08-26 06:51:40
[13 years, 122 days ago]

this cheating thing is relative, this game is after all name "battle of the scripts" so I created a script to battle :). + there are no written rules anywhere on this site. No?


 
stewie [75]
2011-08-26 07:05:46
[13 years, 122 days ago]

bahahaha!

apache access logs = the ultimate troll


 
Angry Dutchman [53]
2011-08-26 07:12:17
[13 years, 122 days ago]

nah, forget it. You guys win, I leave forever. I will never ever bother you again

~ Skipper


 
LotsOfWaffles [61]
2011-08-26 08:50:09
[13 years, 122 days ago]

Thank god for muting and banning him or whatever I never really post on threads but most of the ones I do read they have a few good posts then 70% of them become skipper spamming useless verbal diarrhea. I don't really know anyone here but out of the people I do know even by name I defiantly felt the group hatred towards him :P


 
Ecoueses [168]
2011-08-26 11:15:00
[13 years, 122 days ago]

nice catch, indeed.

you catched him cause of human factor, not only based on system protection, that makes it more awesome.


 
neps [166]
2011-08-26 11:19:58
[13 years, 122 days ago]

Ender's spider-sense saves the day. \o/


 
CheerPuppy [43]
2011-08-26 22:09:05
[13 years, 122 days ago]

Ender is now my hero.

Sorry Jans. =p


 
Force [39]
2011-08-27 01:30:16
[13 years, 121 days ago]

Ender has a spider sense so i think he is actually GOD. he sees all you cheaters in here >.>


 
Xhale [74]
2011-08-27 01:50:55
[13 years, 121 days ago]

Ought to keep the forum spam down a little


 
kenlith1 [66]
2011-08-27 01:53:56
[13 years, 121 days ago]

am i good at not forum spamming ender?


 
DREAM [128]
2011-08-27 01:59:48
[13 years, 121 days ago]

woohoo \o/ well done Ed !


 
Ecoueses [169]
2011-08-27 08:37:40
[13 years, 121 days ago]

hm, i just got something on my mind... tought it wont hurt to share..(not defending him) so: tehnically, he might train train train... then captcha comes, then he sow: navigate to documentation etc.., and he refreshed page...again..and again. So, there would be not any prove that he really cheated. Ok, he did, but real proves came after locking bot, right?


 
Forum > Complaints > skipper II
Reply To Thread (login)