(Hacking) web scraping or web crawling


    • (Hacking) web scraping or web crawling

      Hello.

      This is 2moons 2.0.
      Over the past few days, our admin page (admin.php) has been hacked.
      They accessed the site without logging in and changed all the database data.
      This left us unable to operate, but we've now fixed it so that if authentication fails when accessing the admin page, an error message appears and the site shuts down.
      This appears to be web scraping or web crawling.

      At least some defenses are needed.
      For example, if you do the following, access will be blocked without a username and password.

      Add to admin.php:

      PHP Source Code

      $useBasicAuth = true;
      if ($useBasicAuth) {
          $basicUser = 'idminjjfj%@'; // ID (replace with your own value)
          $basicPass = 'hj$@kkfldkd'; // PASSWORD (replace with your own value)
          // Under CGI/FastCGI setups PHP_AUTH_USER / PHP_AUTH_PW may be empty unless the
          // web server passes the Authorization header through to PHP.
          $user = $_SERVER['PHP_AUTH_USER'] ?? '';
          $pass = $_SERVER['PHP_AUTH_PW'] ?? '';
          // hash_equals() compares in constant time, so a wrong guess leaks no timing information
          if (!hash_equals($basicUser, $user) || !hash_equals($basicPass, $pass)) {
              header('WWW-Authenticate: Basic realm="Admin Area"');
              http_response_code(401);
              exit;
          }
      }


      It seems like something is needed to prevent hacking of the admin page.
      --------------------------------------------------------------------------------------
    • Well, it isn't rocket science that 2moons has its own vulnerabilities.

      The best way around it is to make your own skeleton and use 2moons or whatever ogame clone as inspiration.

      The post was edited 2 times, last by Qwa.

    • I've seen this. I'm looking a bit at the access log and I can see some strange accesses:
      [06/Nov/2025:03:14:35 +0000] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 96031 "-" "libredtail-http"
      [06/Nov/2025:03:13:44 +0000] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 493 "-" "libredtail-http"
      [06/Nov/2025:03:13:46 +0000] "POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 96575 "-" "libredtail-http"
      [06/Nov/2025:03:13:47 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 492 "-" "libredtail-http"
      [06/Nov/2025:03:14:25 +0000] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 492 "-" "libredtail-http"
      [06/Nov/2025:03:14:38 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\"hi\"));?>+/tmp/index1.php HTTP/1.1" 200 96132 "-" "libredtail-http"
      VERY SAD :/ :/ :/ :/
    • There are plenty of ways to solve this - anyone who wants to take their business/game seriously wouldn't risk remote access from any location to their own system:
      - remove remote admin access, use it locally only (xampp wamp mamp) with db remote access whitelisted to your machine
      - or if you insist on remote admin access from any location, build a 2fa logger at the database
      - create a specific public/private key to access the admin panel, likely a file or a ciphered passphrase
      - or use the db only and scrap the admin page - anyway, whatever you do on the admin page, with knowledge of the code, you can do manually in the database. To ease database access, use an IDE like phpstorm which allows db access


      Furthermore:
      - keep your vendors updated. People use 2moons as if still living in 2018, where php 8.2+ is still a myth and breaks the game due to smarty, or they rely on a php 7.4 setup. If you persist in using those php versions, there are known smarty exploits or vendor security vulnerabilities that have been patched for php >= 8.3
      - 2moons by default isn't safe against curl calls or logged connections. Someone can spam your game with curl calls until it gets what it desires.
    • yamilrh wrote:

      I've seen this. I'm looking a bit at the access log and I can see some strange accesses:
      [06/Nov/2025:03:14:35 +0000] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 96031 "-" "libredtail-http"
      [06/Nov/2025:03:13:44 +0000] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 493 "-" "libredtail-http"
      [06/Nov/2025:03:13:46 +0000] "POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 96575 "-" "libredtail-http"
      [06/Nov/2025:03:13:47 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 492 "-" "libredtail-http"
      [06/Nov/2025:03:14:25 +0000] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 492 "-" "libredtail-http"
      [06/Nov/2025:03:14:38 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\"hi\"));?>+/tmp/index1.php HTTP/1.1" 200 96132 "-" "libredtail-http"

      In my case, there were countless attempts to access my account, with the IP address changing in the logs, and I was hacked. Below is a sample log.
      The hacking generated a huge amount of logs.

      === Logs ===


      176.97.210.32 - - [02/Nov/2025:21:45:03 +0900] "GET /new.php HTTP/1.1" 302 399 "-" "-" www.site "73 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:03 +0900] "GET /wp-links-opml.php HTTP/1.1" 302 399 "-" "-" www.site "60 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:04 +0900] "GET /flower.php HTTP/1.1" 302 399 "-" "-" www.site "53 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:04 +0900] "GET /info.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:05 +0900] "GET /k.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:05 +0900] "GET /r.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:06 +0900] "GET /file.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:06 +0900] "GET /file2.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:07 +0900] "GET /nc4.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:07 +0900] "GET /past.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:08 +0900] "GET /abcd.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:08 +0900] "GET /fast.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:09 +0900] "GET /al.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:09 +0900] "GET /vv.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:10 +0900] "GET /mar.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:10 +0900] "GET /chosen.php HTTP/1.1" 302 399 "-" "-" www.site "53 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:11 +0900] "GET /10.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:11 +0900] "GET /content.php HTTP/1.1" 302 399 "-" "-" www.site "54 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:12 +0900] "GET /cache.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:12 +0900] "GET /w.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:13 +0900] "GET /load.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:13 +0900] "GET /oxshell.php HTTP/1.1" 302 399 "-" "-" www.site "54 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:14 +0900] "GET /2.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:14 +0900] "GET /worksec.php HTTP/1.1" 302 399 "-" "-" www.site "54 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:15 +0900] "GET /as.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:15 +0900] "GET /admin.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:15 +0900] "GET /asus.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:16 +0900] "GET /akc.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:16 +0900] "GET /ggfi.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:17 +0900] "GET /ot.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:17 +0900] "GET /aa.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:18 +0900] "GET /about.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:18 +0900] "GET /admin.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:19 +0900] "GET /alfa.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:19 +0900] "GET /asasx.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:20 +0900] "GET /atomlib.php HTTP/1.1" 302 399 "-" "-" www.site "54 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:20 +0900] "GET /autoload_classmap.php HTTP/1.1" 302 399 "-" "-" www.site "64 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:21 +0900] "GET /autoload_classmap/function.php HTTP/1.1" 302 399 "-" "-" www.site "73 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:21 +0900] "GET /buy.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:22 +0900] "GET /classwithtostring.php HTTP/1.1" 302 399 "-" "-" www.site "64 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:22 +0900] "GET /cong.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:23 +0900] "GET /edit.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:23 +0900] "GET /goat.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:24 +0900] "GET /goods.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:24 +0900] "GET /ioxi-o.php HTTP/1.1" 302 399 "-" "-" www.site "53 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:25 +0900] "GET /lock360.php HTTP/1.1" 302 399 "-" "-" www.site "54 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:25 +0900] "GET /makeasmtp.php HTTP/1.1" 302 399 "-" "-" www.site "56 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:26 +0900] "GET /mm.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:26 +0900] "GET /users.php HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:26 +0900] "GET /w.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:27 +0900] "GET /wp-admin/ HTTP/1.1" 302 399 "-" "-" www.site "52 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:27 +0900] "GET /wp-admin/css/colors/blue/index.php HTTP/1.1" 302 399 "-" "-" www.site "77 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:28 +0900] "GET /wp-admin/images/moon.php HTTP/1.1" 302 399 "-" "-" www.site "67 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:28 +0900] "GET /wp-admin/js/index.php HTTP/1.1" 302 399 "-" "-" www.site "64 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:29 +0900] "GET /wp-admin/setup-config.php HTTP/1.1" 302 399 "-" "-" www.site "68 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:29 +0900] "GET /wp-api.php HTTP/1.1" 302 399 "-" "-" www.site "53 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:30 +0900] "GET /y.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:30 +0900] "GET /p.php HTTP/1.1" 302 399 "-" "-" www.site "48 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:31 +0900] "GET /wp-content/index.php HTTP/1.1" 302 399 "-" "-" www.site "63 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:31 +0900] "GET /wp-content/wp-conflg.php HTTP/1.1" 302 399 "-" "-" www.site "67 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:32 +0900] "GET /sts.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:32 +0900] "GET /root.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:33 +0900] "GET /ws.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:33 +0900] "GET /doc.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:34 +0900] "GET /wp-includes/IXR/autoload_classmap.php HTTP/1.1" 302 399 "-" "-" www.site "80 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:34 +0900] "GET /wp-includes/fonts/admin.php HTTP/1.1" 302 399 "-" "-" www.site "70 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:35 +0900] "GET /wp-includes/fonts/index.php HTTP/1.1" 302 399 "-" "-" www.site "70 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:35 +0900] "GET /wp-setup.php HTTP/1.1" 302 399 "-" "-" www.site "55 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:36 +0900] "GET /wp.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
      176.97.210.32 - - [02/Nov/2025:21:45:36 +0900] "GET /wsa.php HTTP/1.1" 302 399 "-" "-" www.site "50 399" DE
      66.249.82.8 - - [02/Nov/2025:22:08:49 +0900] "GET /game.php?page=buildings&cp=1860 HTTP/1.1" 302 455 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Mobile Safari/537.36 (compatible; Google-Read-Aloud; +support.google.com/webmasters/answer/1061943)" site "365 455" US
      207.46.13.17 - - [02/Nov/2025:01:48:35 +0900] "GET / HTTP/1.1" 302 399 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36" site "301 399" US
      --------------------------------------------------------------------------------------
    • From this log, it's just someone doing trial and error.

      Alternatively, you can lock that IP if it makes 2-3 requests within one second (some of those there are within a second).

      Yes, it might change the IP to another one and try again, but you're already limiting connections.

      Otherwise, my recommendations on my post above will address it.
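
      As an added example (not code from this thread, from 2moons, or from any of the posters), the following Python script runs the two checks discussed here over the log lines posted above. It decodes each request target and matches it against signatures for the probes visible in the first log (a ThinkPHP invokefunction call, PHP-CGI argument injection via the %AD soft hyphen, phpunit's eval-stdin.php, and a pearcmd config-create file write), and it applies the per-IP rule from the reply above (two or more requests inside one second) to the lines that carry a client IP. The rule names, the one-second window and the threshold of 2 are this example's own assumptions; the sample log is constructed from lines already in the thread, with the Googlebot and bingbot lines kept as controls.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote_plus

# Constructed sample input: lines copied from the posts in this thread, in both
# formats that appear (with and without the leading "client-IP ident user" fields).
SAMPLE_LOG = r'''
[06/Nov/2025:03:14:35 +0000] "GET /index.php?s=/index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=md5&vars[1][]=Hello HTTP/1.1" 200 96031 "-" "libredtail-http"
[06/Nov/2025:03:13:44 +0000] "POST /hello.world?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 404 493 "-" "libredtail-http"
[06/Nov/2025:03:13:46 +0000] "POST /?%ADd+allow_url_include%3d1+%ADd+auto_prepend_file%3dphp://input HTTP/1.1" 200 96575 "-" "libredtail-http"
[06/Nov/2025:03:13:47 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 492 "-" "libredtail-http"
[06/Nov/2025:03:14:25 +0000] "GET /admin/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 492 "-" "libredtail-http"
[06/Nov/2025:03:14:38 +0000] "GET /index.php?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?echo(md5(\"hi\"));?>+/tmp/index1.php HTTP/1.1" 200 96132 "-" "libredtail-http"
176.97.210.32 - - [02/Nov/2025:21:45:03 +0900] "GET /new.php HTTP/1.1" 302 399 "-" "-" www.site "73 399" DE
176.97.210.32 - - [02/Nov/2025:21:45:03 +0900] "GET /wp-links-opml.php HTTP/1.1" 302 399 "-" "-" www.site "60 399" DE
176.97.210.32 - - [02/Nov/2025:21:45:04 +0900] "GET /flower.php HTTP/1.1" 302 399 "-" "-" www.site "53 399" DE
176.97.210.32 - - [02/Nov/2025:21:45:04 +0900] "GET /info.php HTTP/1.1" 302 399 "-" "-" www.site "51 399" DE
176.97.210.32 - - [02/Nov/2025:21:45:15 +0900] "GET /admin.php HTTP/1.1" 302 399 "-" "-" www.site "49 399" DE
66.249.82.8 - - [02/Nov/2025:22:08:49 +0900] "GET /game.php?page=buildings&cp=1860 HTTP/1.1" 302 455 "-" "Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/138.0.0.0 Mobile Safari/537.36 (compatible; Google-Read-Aloud; +support.google.com/webmasters/answer/1061943)" site "365 455" US
207.46.13.17 - - [02/Nov/2025:01:48:35 +0900] "GET / HTTP/1.1" 302 399 "-" "Mozilla/5.0 AppleWebKit/537.36 (KHTML, like Gecko; compatible; bingbot/2.0; +bing.com/bingbot.htm) Chrome/116.0.1938.76 Safari/537.36" site "301 399" US
'''

# One regex for both formats; the client-IP prefix is optional.
LINE_RE = re.compile(
    r'^(?:(?P<ip>\S+) \S+ \S+ )?'                  # optional "IP ident user "
    r'\[(?P<ts>[^\]]+)\] '                           # [dd/Mon/yyyy:HH:MM:SS +zzzz]
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" '    # "METHOD target HTTP/x.y"
    r'(?P<status>\d{3}) (?:\d+|-)'                   # status and response size
    r'(?: "[^"]*" "(?P<ua>[^"]*)")?'                 # optional referer and user-agent
)

# Rule names are this example's own labels for well-known mass-scanner probes;
# each regex is applied to the decoded request target.
SIGNATURES = [
    ('thinkphp-invokefunction', re.compile(r'\\+think\\+app/invokefunction', re.I)),
    ('php-cgi-arg-injection',   re.compile(r'-d\s+(allow_url_include|auto_prepend_file)', re.I)),
    ('phpunit-eval-stdin',      re.compile(r'/phpunit/.*eval-stdin\.php', re.I)),
    ('pearcmd-lfi',             re.compile(r'pearcmd.*config-create', re.I)),
    ('path-traversal',          re.compile(r'(\.\./){3,}')),
]

def decode_target(target):
    """Percent-decode as raw bytes (latin-1) so %AD becomes U+00AD, then fold that
    soft hyphen to '-', which is what the PHP-CGI argument-injection probe relies on."""
    return unquote_plus(target, encoding='latin-1').replace('\xad', '-')

def parse_line(raw):
    m = LINE_RE.match(raw)
    if not m:
        return None
    d = m.groupdict()
    return {
        'ip': d['ip'],                               # None for lines without a client IP
        'ts': datetime.strptime(d['ts'], '%d/%b/%Y:%H:%M:%S %z'),
        'method': d['method'],
        'target': d['target'],
        'decoded': decode_target(d['target']),
        'status': int(d['status']),
        'ua': d['ua'] or '-',
    }

def parse_log(text):
    return [r for r in (parse_line(l.strip()) for l in text.splitlines()) if r]

def signature_hits(records):
    """(record, [matching rule names]) for every request that matches at least one rule."""
    hits = []
    for r in records:
        names = [name for name, rx in SIGNATURES if rx.search(r['decoded'])]
        if names:
            hits.append((r, names))
    return hits

def burst_ips(records, window_seconds=1.0, threshold=2):
    """Map IP -> peak request count inside any window_seconds-long window, for IPs that
    reach threshold (the per-second rule suggested in the thread; both values assumed).
    Lines without a client IP cannot be attributed and are skipped."""
    by_ip = defaultdict(list)
    for r in records:
        if r['ip']:
            by_ip[r['ip']].append(r['ts'])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):           # sliding window over sorted times
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def analyze(text):
    records = parse_log(text)
    return {'parsed': len(records),
            'signatures': signature_hits(records),
            'bursts': burst_ips(records)}

if __name__ == '__main__':
    report = analyze(SAMPLE_LOG)
    for r, names in report['signatures']:
        print(r['ts'], r['ip'] or '-', names, r['method'], r['target'][:60])
    print('bursts:', report['bursts'])
```

      The signature hits are the higher-value signal: a rule of two requests per second on its own also trips on any browser fetching a page together with its images and scripts, so a rate limit needs a higher threshold or should count only requests that already got 4xx responses. Note also that every path in the second log, existing or not, came back 302 with the same size, so the status column there says nothing about which probe found a file; the application's own logs have to be correlated for that.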