  1. #1 kchoman

    Beware of galaxyworlds.ga

    What is Galaxyworlds.ga?
    Krunix told me about this in my Beware of fantasy-kings.gq thread about 2-3 weeks ago.

    I didn't bother going through with a full security audit of their site when I was made aware of it, since it didn't have much on the site except for some HTML and Flash content.

    Now they have a login/registration page and brought back the infamous "Top 100" members area, which is almost always the point of vulnerability in these AQW private servers. (Overproject and fantasy-kings were vulnerable in their top 100 members area as well.)

    The reverse-IP lookup of galaxyworlds shows that it's another Amazon EC2 instance running PHP 5.4.26. The database layout contains the same "meh_" table prefixes from the DeltaWorlds pack that I'm still revising (replacing the insufficient MySQLi connection method with PDO, converting the simplistic MD5 password hashing method to a more sufficient bcrypt method, and refining the overall PHP code from the current mess that it is at the moment).

    What can we do?
    This is another instance where I should pressure all of you to either grab an encrypted password keychain or an encrypted text container so you can make a unique password for every single one of your sites without having to remember a bunch of complex passwords. (You just need to remember one password to access your encrypted password keychain/text container.)

    If you own galaxyworlds.ga, then get in contact with me and I'll assist in patching these vulnerabilities. Even though you didn't bother to extend a hand to me in my previous thread, I still hope you will consider my offer for the sake of your future endeavors.

    What do I think about all of this?
    Honestly, I've seen fewer vulnerabilities in a Brazilian porn site than I have seen thus far in some of these private servers. I believe that this is due to the private server packs that are being used (there's a lot of reuse in these servers just judging by the database layout), which haven't been patched in years from what I'm assuming.

    That's why I'm spending a large amount of my time fixing these issues, and I'll be making a new thread when I feel that my pack is secure enough to be put in remote use. Here are the server requirements for my upcoming AQW private server pack:
    • PHP 7.0+ (latest version recommended)
    • MySQL 5.7+ (MariaDB 10.1+ recommended)
    • Comodo SSL certificate (or at least something equivalent, to protect password information from leakage via man-in-the-middle attacks)

    You could get away with PHP 5.6 and no SSL certificate on your private server, but I will always recommend PHP 7.0+ and some form of SSL for your site. (Comodo SSL comes for free for a week or two, if my memory serves me correctly.)
    Last edited by kchoman; 04-03-2017 at 05:26 PM. Reason: Adding some media
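    Added example (not code from the DeltaWorlds pack or from the poster) of the two changes described above: PDO prepared statements instead of string-built MySQLi queries, and bcrypt via password_hash() instead of unsalted MD5. It goes one step further than the post by upgrading legacy MD5 rows to bcrypt on a successful login, so an existing user table can be migrated without a reset. The table meh_users(id, username, password), the DSN and the credentials are assumptions.

```php
<?php
// Added example, not DeltaWorlds code. Assumes table meh_users(id, username, password)
// where legacy rows hold unsalted MD5 hex digests and new rows hold bcrypt hashes.
declare(strict_types=1);

const BCRYPT_OPTS = ['cost' => 12];

function db(): PDO {
    // Placeholder DSN/credentials; exceptions on error, real server-side prepares.
    return new PDO('mysql:host=127.0.0.1;dbname=aqw;charset=utf8mb4', 'aqw', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function registerUser(PDO $pdo, string $username, string $password): void {
    // Salted, work-factored hash; never store md5($password).
    $hash = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
    $stmt = $pdo->prepare('INSERT INTO meh_users (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => $hash]);
}

// Returns the user id on success, null on failure (same result for unknown user and bad password).
function loginUser(PDO $pdo, string $username, string $password): ?int {
    $stmt = $pdo->prepare('SELECT id, password FROM meh_users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    $stored = (string) $row['password'];
    // Legacy row: exactly 32 hex chars. A bcrypt hash starts with "$2y$", so no overlap.
    $isLegacyMd5 = (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
    $ok = $isLegacyMd5
        ? hash_equals(strtolower($stored), md5($password))   // constant-time compare
        : password_verify($password, $stored);
    if (!$ok) {
        return null;
    }
    // Upgrade on login: legacy MD5 rows, or bcrypt rows hashed with an outdated cost.
    if ($isLegacyMd5 || password_needs_rehash($stored, PASSWORD_BCRYPT, BCRYPT_OPTS)) {
        $new = password_hash($password, PASSWORD_BCRYPT, BCRYPT_OPTS);
        $upd = $pdo->prepare('UPDATE meh_users SET password = :p WHERE id = :id');
        $upd->execute([':p' => $new, ':id' => (int) $row['id']]);
    }
    return (int) $row['id'];
}
```

    Serve the login form over TLS as the post recommends; the hashing only protects the stored credential, not the password in transit.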

  2. #2 Arsenius
    There are always going to be exploits with these private servers due to them using the same files and server (Mext V2 or V3); sadly, none of them know how to code.

    All they do is change the html template and design!

  3. #3 Rothien
    Quote Originally Posted by Arsenius:
        There are always going to be exploits with these private servers due to them using the same files and server (Mext V2 or V3); sadly, none of them know how to code.

        All they do is change the html template and design!
    Pretty much. xD
