Recent Account Bannes for HackingFollow

soe should never ban anyone for grouping with a hacker. unless there's chat text proving the group mates knew about it.

it's not easy for new, nor experianced players to know someone is cheating.
if group mates are just sitting there while the one guy is doing all the killing and easily , then banning could be ok but not without a gm saying something in game.

i had a GM show up in a dungeon i was in beside shadowhaven it think. he asked what we were doing. "we being me 5 boxing" i told him i was 3 boxing one computer and 2 boxing another. using 3-4 characters to do the killing and the other 1-2 to heal when needed. he asked why. i said look at the time 2am weekday and less then 10 folks in POK. no-one to group with at level 20-30. so i box a lone.

i told him i wasn't macroing , and i could send him a live photo of him and my 5 characters , just take a pic of the 2 computers he said he belivedme. but had a petition that someone was macroing here.

i told him no need to macro. i have lvl 65 enc 51 cleric 50 druid i log in to buff my characters and rez when needed

he watched me play for a few min and left or went invis not sure. but i can see how others would think one is using a program to macro. or do these ghost killing or other odd things i heard about in the past.

but to get banned for grouping and activly fighting, how can they assume you'd know others in your group are cheaters? and to take away claimed LON items in a roll back. is 100% wrong those cost real money. and are owned items by the user not SOE.

about 5 months ago i bought a box of cards for lon and then bought loot cards mounts off ebay. i think $500.00 worth of LON stuff in total. $300 of the loot cards are claimed. i have 4 mounts and many other items. i enjoy on my accounts. i have 8 accounts 5 i play. although i haven't played since NOV 12th or when ever the new expansion came out, i bought it for the accounts and quite. just to try other games and save a bit of money.

with all those items that cost realy money. if i start playing or reactivae the accounts just to find them banned or get banned soon cus i grouped with a cheater. i would lawyer up fast. and it it workded, never group again. i'dbox only and if that didn't get my items and accounts back. i would get new accounts and cheat the **** our of he games and power lvl . plat farm do what ever i had to quickly and sell on ebay or other sites to get my money value back.

i know 2 wrongs don't make a right. but SOE needs to check things better and they should contact in game and emails and phone calls befor doing anything. if i got contacted about the cheating and i knew it couldn't be me. and they said a group mate may be the cus i'd just stop grouping or find guilds who work hard on making sure no cheaters are in.

BUT the whole point is sercure the game better. spend some money and make it impossible to hack. hire MAC apple programers. hire bill gates do something instead of banning 50% cheaters and 50% inocents

(sorry if spelling and gramer is bad it's late. and i've noticed my keyboard has missed many letters i hit. over using this keyboard. need new one soon)

hope you get your stuff back, and i hope my stuff is all there when i come back some day

well, When I posted I had one acct left that I was playing, As soon as I logged off Saturday morning at 4:56 am I thought to log back in and say something to a guildie. Well i was greeted with your acct is closed call customer service. So now I miss yet another weekend of raids with my guild. I now cannot petition because I cant log into the account. I was told on 19 april I was definitely cheating. Well I spent 6 hrs in the guardian and died a few times we invised past mobs. And we killed seeinvis. Yes I have seen many strange pathing issues and no SOE never does anything about it,"thats what the mobs are supposed to do" so I don't make bug reports when a MOB is faded on a pull and it "SHADOW STEPS" ON TOP OF MY CAMP, I either win the battle or I loose, I use hot keys I don't use macros. As far as known problems, or exploits, I have no idea what the known problems or exploits are. In Crystallos the pathing is Crazy, the pathing in the S.H.I.P. is crazy the pathing in MMM is crazy the pathing with the Golems and such to get the Crystalllos key was crazy aggro radius and and spawns, in almost every zone I have played pathing has been weird at one time or another, I don't report such things because I just figured that was the way they programed it. I am not a programmer but I have played EQ for over 7 years and I am sad to say they have basically taken my accts away and I have no recourse, it seems. One acct has 21 months left on the subscription the other two have 6 months left on the 2 year subscription.
You all can tell me I am lying but I actually thought I was doing well or I thought I had my characters almost to where I wanted them I have maxed my aas almost completely (except in trade skill stuff)had my damage mitigation modifiers in my gear
Then SOE comes in and says you are a hacker, you are a cheat: when I have done nothing wrong and they shut down My Paid for accounts. What recourse do I have? I can't petition because the accts are closed and I can't log into them (NONE)
I use a AMD TL-56 with nvidia 7950 video card and a Pentium 4 - 2.6 with and x1600 8x agp 512 memory on both video cards I use windows XP pro on the AMD and xp home on the Pentium any suggestions to yet another delema would be appreciated.
And BTW The same GM flagged my accts that flagged Polleys'
I hope it doesn't happen to anyone else because it doesn't feel good at all.Spend money to upgrade your computer so SOE can call you a cheat.

Edited, May 3rd 2008 7:09am by rmahnee

Edited, May 3rd 2008 7:25am by rmahnee

Edited, May 3rd 2008 8:11am by rmahnee

Bans by association are only given in cases such as when someone zones in to anguish with everything dead and only one other person in zone and loots it all. They -aren't- given for situations where it's a mostly legit group.


There is 100% no way that anything but ghostkilling is getting picked up as ghostkilling. Any apparent bans in error are either someone at SOE making a typo or other stupid mistake (like, accidentally banning "timmy" instead of "timym," or for some reason just the wrong account altogether) or the person lying.


nosir

Edited, May 3rd 2008 8:54pm by Groogle

I wasn't there when this occurred but Rmanee/Ozman are part of my fellowship. I still think there is something that the SOE screening software is picking up from newer comps that it is reading as a Hack when in fact it is not... Lord know the mess they have with EQ Players and are unable to fix it. We have seen the patch messes that require fixes. Now the screening software that they refuse to discuss with anyone is supposed to be flawless and certainly error free! Give me a break! I'm not that gullible to believe they have perfect scanning software that has no chance of making an error.

I think we need to look at all the people that have been banned that we know in our hearts are not cheaters and hacks and try and establish a common thread of what machines they are running and their configurations because I really think this is where the problem lies. Certainly SOE isn't going to do it so it's up to the community to ferret out this problem brought down on innocent people by the real hackers.

The only thing I could think to do was head for the top. Still no response but it went by snail mail. So I'm waiting..... Might not help but sure couldn't hurt. I wrote to:

Lyman Tuttle Account Administrator SOE.
Sony Online Entertainment LLC
8928 Terman Court
San Diego, California 92121

i'd like to ask. is it possible that some GM's are sick of sony and are just being A**holes banning folks randomly

i'm starting to think of two things mabe some out there are trying to kill the game getting folks banned and other quiting dropping the population to where someday the game will be gone.

the other thing i'm thinking is we all need a desktop video recorder. for when we play. if we ever get banned just copy the vids to a dvd disc of all your play time in question and mail it to them and have them point outwhere your cheating.

i left in november to retry wow and other games. i was plannning on coming back to eq soon. but with 8 accounts 5 of them i like active at same time. i don't want to come back till these bannings are 100% proper.

i'm in the conan beta now so at least i have something to do for now

They know 100% exactly what is going on, and there have only been two major hacks. Both of these are extremely easy to track once they decided they wanted to do so, and there is absolutely no way that anything else anyone could possibly do would show up as either of them. Both of them involved packet editing, and sending packets that no legitimate program would send to SOE.

This really depends on how they're flagging the hacks though. Packet editing is tricky stuff, and the variations of what can be done are virtually endless. Based on the reports of the GMs statements by polly, I suspect that SoE is simply flagging any malformed packets with specific header types. So a set of packets comes in with a header that indicates that this is positional data, but the data doesn't match correctly, they'll flag that. It's unlikely that they're scanning the data itself for specific patterns since that can vary wildly.

If that's the case, it's quite possible for someone to "accidentally" trigger such a flag, without ever doing anything wrong. Packets do get mangled during delivery sometimes, assembled in the wrong order, bits dropped, etc. Usually this is picked up at the network layer via simple checksum. However, occasionally, a packet will get mangled in such a way that only the data is affected (headers intact), and the data contains the same number of bits as it was sent with. This sort of thing would almost certainly trigger any ghosting flag in their system. It's rare, but when you think about the number of packets being sent by clients into their servers every day, it's a statistical certainty that it'll happen.


It's also possible that a virus/trojan on the client host can trigger this as well. Many hacks out there attempt to take advantage of buffer overflow exploits. It's arguably the most basic hack in the world. You send some data to a port on another computer. The program handling that port can only take X data at a time before its "blows its stack". You make sure the first X data is garbage, and then follow it with Y bits of instruction code. When the buffer overflows the remaining bits will be executed with the permissions of the process that just overflowed. For most port handlers, that's going to be an administrative process, giving you the ability to further hack the system.

Hacks of that sort can be automated (via the "zombie" cluster concept). What you do is create a program that checks network connections. Everytime you send data to another external host, it piggybacks the signal. A typical method to use would be to take whatever data was sent legitimately, and copy it multiple times to fill up to some buffer size, then follow it with code you want and send it. To a server that's properly patched, this will come in as a malformed packet. To someone looking at particular types of data, it'll look almost *exactly* like ghosting since it's the same positional (or whatever) data, but it's going to appear "shuffled around" (cause it's randomly repeating whatever data was sent legitimately).


I could probably think of about a dozen different things that could cause a data stream to arrive from an EQ client to an SOE server that would look on the surface like an attempt to ghost that have nothing to do with actually ghosting. Like you said, ghosting is simply the client sending legitimate packets with the correct application headers, but with wrong information in the data. Any such packet with data that isn't "correct" with regard to the server's records will be virtually indistinguishable from an attempt to ghost. The only way to be sure is if you actually had someone who knew which bits of the data meant what and could determine that the exact bits that were "wrong" were wrong in a way that would make the client appear to be in the wrong spot to the server and not just "randomly wrong".

I'm going to go out on a limb and guess that the average GM does not have the skill to make that determination. Heck. I'm betting almost no one does. Because you'd have to compare what the data is supposed to be to what it actually is, and know not only which bits are significant, but in what way they are significant. Does the fact that this set of 6 bits are wrong indicate random data? Or would those 6 bits make the server react in a way that would help the client in some way? That's incredibly hard to tell, and would be virtually impossible to automate. The best you can do is flag any set of clearly "wrong" data...

They aren't flagging any and all malformed packets, they are looking for one specific packet that was being exploited to trigger attacks with essentially no delay. It used to be used the packet used to trigger a legitimate intimidation, but intimidation has used a completely different packet for some time. The packet that was being used in this is not used in any portion of the legit eq client at this point -- and is not similar enough to anything used in the eq client that a couple bit corruptions would trigger it. It would take header corruption and quite a number of bit corruptions to transform an innocent packet in to a noninnocent packet.

It is literally about as likely as trying to attack a large rat and accidentally shouting "I AM A PACKET HACKER, PLEASE BAN ME."

It is possible someone was a Richard and wrote essentially a virus to spam the packets in question with no visible effect to the client I suppose -- but that'd be really out there. I don't really have any sources to back this up, but I would be surprised if there were more than thirty or forty people capable of doing so. It would have taken really pissing off the utterly wrong person. A non-targeted approach would see a lot more people effected. I find sony making a stupid booboo a lot more likely than this.

They aren't doing this by looking at weird movement packets -- though they do log those (and thus log warps, etc) they don't break them out 99.9% of the time, and if they had would have busted these guys for warping, not ghosting.

Since they are looking for one very specific thing and not just a malformed packet, it would be pretty shocking if this were data corruption or something else weird inside the eq client.



Edited, May 7th 2008 4:18am by Groogle

I wonder if someone can provide some clarification on what exactly "ghosting" is. I was under the impression that "ghosting" was basically taking advantage of the LD mechanic of the game. Basically using a program to report a false LD to the server to move past certain areas/mobs or fighting a mob without it agroing or taking damage.

I am also curious as to the quality of the packets being sent during an affinity error with the AMD duel cores.

The reason I ask is that I have experienced the affinity errors and have noticed some odd things between the server reporting to the client and the client not responding to the incoming data.

One of the minor things I noticed was in PoK receiving multiple falling damage messages from jumping down from the library but not actually taking the damage. Also, a fall in another zone that delivered enough damage to kill me but didn't, no damage received according to the client.

Since this isn't a graphical error but an error in the way the data is being processed it might produce some interesting data but unlikely to fall under the ghosting hack guidelines.

Groogle, how much does soe pay you
My war was banned because he is owned by me and the two accts that were banned are a cleric and a shaman hmmm lots of melee power there. The cleric/shaman both zoned into the instanced late because I didn't have a task invite to the shaman at first and she died by the kick of the guardian then the cleric rezed her. The rest of the group zoned in and started clearing the first level. Once I got the shaman to a safe area to rez with the cleric I did so, and got her looted and spells up, and then gated to gl to get some caster crack. I then zoned the cleric into the instanced and began healing while I was buffing the shaman in the guildhall. So 5 in the guardian now clearing level one then after getting buffs in gh I zoned the shaman to DSH and got added to the task. I then lev'ed and invised her and ran her to the guardian and zoned in. We killed 1-2 mobs more on level one and then took the elevator to the second level. We killed there took elevator to next level killed some more mobs then took ramp invised past as many as we could then killed at seeinvis mobs.

What SOE said about Rmahnee and Tilomini is,

"There is undisputable proof here that a character on both accounts was using the ghost kill hack. This type of thing cannot be done by mistake, and these accounts will not be released"

"The incident in question which lead to the disciplinary action occurred on 4-19-2008, when the characters Rmahnee and Tilomini entered the Mechanamatic Guardian with a group and proceeded to utilize a known exploitive software package to clear the zone of the mobs in the area. Due to the nature of the third party software package, it's use is considered a gross violation of the terms of service and a single offense will result in the banning of the account in question. Hence the issuance of the disciplinary action in question."

Well the area was cleared except for a few mobs when they zoned in by the rest of the group. and they didn't zone into the task at the same time, rmahnee was at least ten minute earlier than tilo who had to rebuff and go through all the zoning bs you know sit 30-60seconds while the zone updates.

We killed one named about 1 hour in and the loot from that was given to one of the druids in the grps' alts a week later Ozman was banned for "receiving something from the guardian" is what I was told over the phone. My war received nothing but xp from the Guardian but, they decided to ban him since I was sending petitions from that acct IMO, of course thats not the reason given. I was actually never sent an email explaining why the acct was banned. When I called customer service I was told i must have gotten some loot from there so the acct was banned, Which is wrong in fact and in practice (if anything they could have taken the item I received, which I didn't receive btw)

AND BTW when I say BANNED they CLOSE my acct so I have no way to petition in game or anywhere else.

And another thing they <SOE< ban(CLOSE) my accts on logout on Friday evening: (In my case Sat morning at 5am both times. the cleric/shaman, and a week later the War "with an active petition" ). At a time when I can do nothing for the weekend due to SOE being closed on weekends.

I have also been told That GMs don't bann accounts. So who does? if GMs don't.
I am sure you have some perfectly good reason that soe has banned me groogle.

They have made a mistake in my case and all I can do now is wait for e-mail as to why they have closed my acct s. I too have emailed ltuutle and have received no reply by email as of today.

More than one player has explained what we did, which was all above board but I have yet to get any response that would explain exactly what I did to ghost kill with a cleric and a shaman when I had a war and a paladin in the grp that were tanking the mobs.
This is just an exhausting ordeal over a game I really used to enjoy.

I still do not know what the GHOST KILL HACK is either.

Regards,
Rmahnee

Edited, May 8th 2008 3:23pm by rmahnee

Edited, May 8th 2008 3:25pm by rmahnee

You're assuming that they're actually looking at the data bits inside the packet, and not just the header.


Looking just as the statements made by polly (and assuming the entire thing isn't fabricated), it would appear that this isn't a case of the folks just mixing up a name or something. They were able to list exactly the times she was on, the zones she was in, and the loot they gained. Clearly, they didn't typo a name.

That leaves us with some other form of mistake. And IMO, it's vastly more likely that whatever methodology they're using to flag ghosting is somehow occasionally getting a false positive. We can sit here and speculate about what that is all day long, but it's pretty clear that it is happening. This, of course, assumes that polly didn't make up the entire thing, and that her account was reinstated after the fact. If they actually did examine the packets and determine conclusively that ghosting was used, I can only assume they wouldn't have done that. Which leads me to assume that they aren't really looking at the packet data. Certainly not directly. They're using some kind of filtering software to catch them (hence the "X lines of hacking client" statements). That immediately sets alarm bells in my mind since there are a huge number of ways to get false positives when you do that.


I know what you're saying. Yes. It would be impossible to accidentally happen to actually replicate the exact headers and data bits to ghost. However, the two cases before us are not saying that their clients suddenly starting killing mobs across the zone at super speed all on their own. You're correct. That would be impossible. But all that's required is for *any* packets to be received by the SoE server from your computer with the same packet header formation as that used by the ghosting hack. The data inside only needs to be correct to actually ghost kill stuff. And, as I pointed out earlier, that's almost impossible to detect automatically since that data is dynamic (changes based on what's going on in the game at any given moment). I highly doubt that they're actually looking at that. They're simply counting packets coming in with that header.


Um... And that's entirely possible to have happen accidentally. Doubly so if that particular header actually "does something" in the game (which apparently it does). If the server interacts with the client based on data sent with that header, then it's quite possible that a single bit flip in a header file could trigger a cascade of back and forth communications also using that same header. A bit flip in a header will not be picked up by most checksums, so it'll pass the network layer just fine, but the application wont know what to do with it. If it's a "valid" header in the sense that the software reacts to it, but the data is mangled, most systems will send a request for a resend. This will then prompt the client to resend data with the same header in response to that request. Possibly saying something like "Nope. I didn't send you anything with this header" (sent to that header!). Of course if the server isn't properly set up to error correct for that case (like say, it's not supposed to be talked to by a client directly anyway), it may just interpret it as garbage and do another "say again?" request. Repeat eternally (or until some event resets stuff like when you zone).


Again. Just looking at lines of code sent with a specific application header does *not* give sufficient evidence of a hack. If that's what they're doing, they are going to get false positives. They really should follow that with a check to see if the account in question is actually doing something like massively higher dps rates then normal, or taking out mobs located at position X, while they're at position Y, or any of a number of other things you could check to see if ghost killing is actually being used.

After reading this post, I've got to say i'm a littler nervous. I am planning to hopefully make a return to EQ at some point, and I'm wondering if the GM's and other EQ Police Officers have shunted my account.....

ugh.

-----------------------
Norfare Fae`Oallon- 66 Mage (epic)
Atheldur- 55 Monk (epic)
Anldar Ve`eurlen- 52 Druid (epic)
Valdain Fea`Amael- 51 Rogue (epic)
Erellont Alcarin- 47 Bard