View Full Version : BitTorrent Tracker Analysis : What.CD



Zorvak
30.07.09, 20:23
Project Gazelle is a PHP frontend for private BitTorrent trackers, developed by the What.CD sysops.
Private trackers that use Gazelle: What.CD, Save The Coratee, TorrentIt, Vortex, Wunza, Filmdom, PTP, etc.
The source code itself is available to the public; google it for more info.

After you read this article, I hope you gain knowledge about how staff members find cheaters and avoid any future ban from What.CD.

Note from the developers :


"some of our tools, such as cheater evasion, will not be included in the public version of the source, for obvious reasons."

This is true. If you read the source code, it's clear that they removed the anti-cheating scripts from the public source code.
But keep reading, and you'll understand how they catch cheaters so fast, even if you make a little mistake.

I'll divide the analysis into two sections :

I. Gazelle Source Code
II. Staff Account's Screenshot


I. Gazelle Source Code



// Check DNS blacklists to see if IP is a proxy or a tor node
function blacklisted_ip($IP) {
    // http://en.wikipedia.org/wiki/Comparison_of_DNS_blacklists
    $DNSBLs = array('http.dnsbl.sorbs.net', 'misc.dnsbl.sorbs.net', 'socks.dnsbl.sorbs.net', 'ohps.dnsbl.net.au', 'tor.dan.me.uk');

    // Reverse IP, so 127.0.0.1 becomes 1.0.0.127
    $IP = implode('.', array_reverse(explode('.', $IP)));

    foreach($DNSBLs as $DNSBL) {
        $TestHost = $IP.'.'.$DNSBL;
        $ResolvedHost = gethostbyname($TestHost);
        if($ResolvedHost!=$TestHost) {
            return $DNSBL.' ('.$TestHost.' returned '.$ResolvedHost.')';
        }
    }
    return false;
}

This function checks whether the user is using a proxy / Tor to access the website by checking these lists:
1. http.dnsbl.sorbs.net : Open HTTP proxy servers
2. misc.dnsbl.sorbs.net : Additional proxy servers
3. socks.dnsbl.sorbs.net : Open SOCKS proxy servers
4. ohps.dnsbl.net.au : RIP as of April 29, 2009
5. tor.dan.me.uk : All tor nodes (both entry and exit nodes)
You can use dnsbltools.com to check if your IP/proxy is in DNS blacklists or not.




// Cookie management
if ($_COOKIE['keeplogged']!='') {
    $LoginCookie=decrypt($_COOKIE['keeplogged']);
    $LoginCookie=explode("|~|",decrypt($LoginCookie));
    $CookieID = $LoginCookie[2];
    if($CookieID!=$LoggedUser['CookieID'] || !$CookieID) {
        // The user's cookie is different from the one we have stored in the database
        // They're either trying hax, or have logged in from multiple computers.
        // Both of these are a big no-no.
        logout();
    }
}

This routine checks whether the cookie in your browser and the one in the database are different.




CREATE TABLE `cheater_log` (
    `ID` int(5) NOT NULL auto_increment,
    `Client` varchar(8) default NULL,
    `User` int(10) default NULL,
    `TorrentID` int(10) default NULL,
    `Test` int(2) default NULL,
    `Time` timestamp NOT NULL default CURRENT_TIMESTAMP,
    `Peers` text,
    `GroupID` int(10) default NULL,
    PRIMARY KEY (`ID`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

Once they catch a cheater, they store the data in this table.




CREATE TABLE `users_history_emails` (
    `UserID` int(10) NOT NULL,
    `OldEmail` varchar(255) default NULL,
    `NewEmail` varchar(255) default NULL,
    `ChangeTime` datetime default NULL,
    `ChangerIP` varchar(15) default NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `users_history_ips` (
    `UserID` int(10) NOT NULL,
    `IP` varchar(15) NOT NULL default '0.0.0.0',
    `StartTime` datetime NOT NULL default '0000-00-00 00:00:00',
    `EndTime` datetime default NULL,
    PRIMARY KEY (`UserID`,`IP`,`StartTime`),
    KEY `UserID` (`UserID`),
    KEY `IP` (`IP`),
    KEY `StartTime` (`StartTime`),
    KEY `EndTime` (`EndTime`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

CREATE TABLE `users_history_passkeys` (
    `UserID` int(10) NOT NULL,
    `OldPassKey` varchar(32) default NULL,
    `NewPassKey` varchar(32) default NULL,
    `ChangeTime` datetime default NULL,
    `ChangerIP` varchar(15) default NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

CREATE TABLE `users_history_passwords` (
    `UserID` int(10) NOT NULL,
    `ChangeTime` datetime default NULL,
    `ChangerIP` varchar(15) default NULL
) ENGINE=InnoDB DEFAULT CHARSET=latin1;

These changes are logged, with IP & timestamp.
1. Email change
2. IP change
3. Passkey change
4. Password change




$DB->query("SELECT MAX(Sequence) FROM users_history_ratio");
list($Sequence) = $DB->next_record();
$LastSequence = $Sequence;
$Sequence++;
if(!$Sequence){
    $Sequence = 1;
}

$DB->query("INSERT INTO users_history_ratio(Sequence, UserID, Uploaded, Downloaded, UpChange, DownChange, Time)
    SELECT '$Sequence', m.ID, m.Uploaded, m.Downloaded, (m.Uploaded - r.Uploaded), (m.Downloaded - r.Downloaded), '".sqltime()."'
    FROM users_main AS m
    LEFT JOIN users_history_ratio AS r ON r.UserID=m.ID AND r.Sequence='$LastSequence'");

Every day and every hour, a script dumps your ratio history to the database.
This is what the script logs:
- UserID
- Uploaded
- Downloaded
- UpChange
- DownChange
- Time
The log is stored separately, so on day 20 staff can still see how much you uploaded / downloaded on day 5.




m_cheater = false;
m_cheater_speed = 26214400;

XBTT's abnormal upload speed detection, deactivated by default.
If the upload speed is greater than 25 MB/s, the user is considered to be cheating.




// F****** btjunkie piece of s***
if(strpos($_SERVER['HTTP_REFERER'], 'btjunkie.org')) {
    // This code is executed if someone is downloading a torrent from btjunkie
    // Do what you want here, be creative. ;)
}

Yeah, they hate btjunkie. Don't try to download What.CD's torrent from btjunkie.




log_attempt($UserID);
if ($Enabled=='2') {
    $Err='Your account has been disabled.<br />This is either due to inactivity or rule violation.';
} elseif ($Enabled=='0') {
    $Err="Your account has not been confirmed.<br />Please check your email.";
} else {
    $Err="Your username or password was incorrect.";
}

If you're unable to log in, there're 3 reasons given :
- Your account has been disabled. This is either due to inactivity or rule violation.
- Your account has not been confirmed.
- Your username or password was incorrect.
You won't see the ban reason, although moderators usually put the reason in the Staff Notes.




`BanReason` enum('0','1','2','3','4') NOT NULL default '0',

// Disabled manually by moderators / admins
BanReason=1

// If a user hasn't been taken off ratio watch in the two weeks since he was put on, banhammer
BanReason=2
AdminComment=Disabled by ratio watch system

// If a user has downloaded more than 10 gigs while on ratio watch, banhammer
BanReason=3
AdminComment=Disabled by ratio watch system for downloading more than 10 gigs on ratio watch

// Disable inactive user accounts
BanReason=3
AdminComment=Disabled for inactivity

// Disable unconfirmed users
BanReason=3
AdminComment=Disabled for inactivity (never logged in)

There are 4 different kinds of ban reason.
I haven't seen the 4th reason in the source code; maybe it's either "reserved" or "disabled automatically for cheating".




$DB->query("UPDATE users_info AS ui JOIN users_main AS um ON um.ID=ui.UserID
    SET um.Enabled='2',
    ui.BanDate='".sqltime()."',
    ui.BanReason='3',
    ui.AdminComment=CONCAT('".sqltime()." - Disabled for inactivity', ui.AdminComment)
    WHERE um.PermissionID IN ('".USER."', '".MEMBER ."')
    AND um.LastAccess<'".time_minus(60*60*24*7*10)."'
    AND um.LastAccess!='0000-00-00 00:00:00'
    AND ui.Donor='0'
    AND um.Enabled!='2'");

Users will be disabled for inactivity if they don't log in for 10 weeks (70 days).




$DB->query("UPDATE users_info AS ui JOIN users_main AS um ON um.ID=ui.UserID
    SET um.Enabled='2',
    ui.BanDate='".sqltime()."',
    ui.BanReason='3',
    ui.AdminComment=CONCAT('".sqltime()." - Disabled for inactivity (never logged in)', ui.AdminComment)
    WHERE um.LastAccess='0000-00-00 00:00:00'
    AND ui.JoinDate<'".time_minus(60*60*24*7)."'
    AND um.Enabled!='2'
    ");

Unconfirmed users will be disabled after 1 week (7 days).




II. Staff Account's Screenshot

Maybe you have seen lots of What.CD tracker screenshots, with user / power user permission.
It's time to see what staff account screenshots look like.
Since we'll deal with staff more often than with admin accounts, let's focus on the staff account:

1. Staff Account's Toolbox
http://www.sb-innovation.de/attachment.php?attachmentid=4687

2a. User's Permission
http://www.sb-innovation.de/attachment.php?attachmentid=4689

2b. Power User's Permission
http://www.sb-innovation.de/attachment.php?attachmentid=4690

2c. Staff's Permission
http://www.sb-innovation.de/attachment.php?attachmentid=4688

3. IP Bans
Note : There's no expires date
http://www.sb-innovation.de/attachment.php?attachmentid=4691

4. Login Watch
http://www.sb-innovation.de/attachment.php?attachmentid=4692

5. Invite Pool
http://www.sb-innovation.de/attachment.php?attachmentid=4693

6. User Search
http://www.sb-innovation.de/attachment.php?attachmentid=4694

7. Active Reports
http://www.sb-innovation.de/attachment.php?attachmentid=4695

8. Duplicate IPs
http://www.sb-innovation.de/attachment.php?attachmentid=4696

9. User's Profile
Unlike regular users, staff have access to specific features when they access your profile.
http://www.sb-innovation.de/attachment.php?attachmentid=4698

10. Watched users
Usually, staff have to click "Add to watchlist" to make a user account go into the "Watch List".
But I'm sure the system will add any account to the "Watch List" automatically if the account meets specific suspicious conditions.
http://www.sb-innovation.de/attachment.php?attachmentid=4697

Final Note :
Gazelle is open source, so developers can easily modify it to add more features, like new features in the toolbox or anti-cheating scripts.
What you see here may be obsolete in a few months.
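
For operators reusing the blacklisted_ip() lookup quoted in the post above, an added example (not Gazelle's code, not part of the original post): it builds the same reversed query name, extends it to IPv6, and only treats an answer as a listing when it falls inside 127.0.0.0/8 as RFC 5782 specifies. The function names, the injectable resolver and the sample DNS data are assumptions made for the illustration.

```python
import ipaddress
import socket

# Zones from the $DNSBLs array quoted in the post (the post notes one is defunct).
DNSBL_ZONES = ["http.dnsbl.sorbs.net", "misc.dnsbl.sorbs.net",
               "socks.dnsbl.sorbs.net", "ohps.dnsbl.net.au", "tor.dan.me.uk"]
# RFC 5782: a listing is an A record inside 127.0.0.0/8 (conventionally 127.0.0.2).
LISTED_NET = ipaddress.ip_network("127.0.0.0/8")


def dnsbl_query_name(ip, zone):
    """Reversed octets for IPv4, reversed nibbles for IPv6, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def system_resolver(name):
    """Return the A records for name, or an empty list on NXDOMAIN/failure."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []


def naive_check(ip, zones, resolve):
    """Logic of the quoted PHP: any successful resolution counts as listed."""
    for zone in zones:
        if resolve(dnsbl_query_name(ip, zone)):
            return zone
    return None


def check_dnsbl(ip, zones=DNSBL_ZONES, resolve=system_resolver):
    """Map zone -> return codes, keeping only answers inside 127.0.0.0/8."""
    hits = {}
    for zone in zones:
        answers = resolve(dnsbl_query_name(ip, zone))
        codes = [a for a in answers if ipaddress.ip_address(a) in LISTED_NET]
        if codes:
            hits[zone] = codes
    return hits


# Constructed resolver data (documentation addresses only). The first two
# entries model a retired zone that answers every query with a web server
# address; the third is a genuine listing with a 127.0.0.x return code.
FAKE_DNS = {
    "10.113.0.203.ohps.dnsbl.net.au": ["192.0.2.80"],
    "7.100.51.198.ohps.dnsbl.net.au": ["192.0.2.80"],
    "7.100.51.198.tor.dan.me.uk": ["127.0.0.100"],
}


def fake_resolve(name):
    return FAKE_DNS.get(name, [])


if __name__ == "__main__":
    print(naive_check("203.0.113.10", DNSBL_ZONES, fake_resolve))
    print(check_dnsbl("203.0.113.10", resolve=fake_resolve))
    print(check_dnsbl("198.51.100.7", resolve=fake_resolve))
```

With the constructed data, the any-answer logic flags the ordinary visitor through the retired zone, while the range check reports only the real listing.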

anon
30.07.09, 20:34
Approved! Great work! :klatsch_3: Thanks for making the information accessible to everyone, especially the source code explanations. We can learn a lot from your post.

Will there be other "tracker analysis" threads from you?

cheatos
30.07.09, 20:58
great work :klatsch_3:,
thanks for the info,

hoping for IPT analyzing :smile:

Zorvak
30.07.09, 21:05
Will there be other "tracker analysis" threads from you?

Yeah, I think I'll cover another tracker in my next analysis thread. Stay tuned :biggrin:
Meanwhile, feel free to ask anything about What.CD

naughtydog
30.07.09, 21:14
Great work. Very well explained too, yes IPT should be next... ;)

SBfreak
30.07.09, 21:30
Well I feel like a nubzor again but thank you for your effort.
+rep to you my friend.

darkside
31.07.09, 03:49
Great work and Very very experienced too.

alpacino
31.07.09, 07:07
Thanks for the detailed info, although I don't understand too much (been rusty on source codes for sometime now), I'm sure it will be very useful for coders and future tracker designers. :top:

Mihai
31.07.09, 07:43
Interesting. But that thing about how much you uploaded and in how much time should make the waffles method impossible to use. But it's not, and I used it with high speeds too.

Zorvak
31.07.09, 09:35
Interesting. But that thing about how much you uploaded and in how much time should make the waffles method impossible to use. But it's not, and I used it with high speeds too.


Right now, I can't find any read access to the users_history_ratio or users_history_ratio_hourly tables except in the economic stats, where the staff see the total upload / total download for their tracker.
This means staff can't see your ratio history.

I find stat_history.php but it doesn't have any code in it.
Maybe the developers don't show it to public or the function isn't ready yet.
It's better to be careful, though.

Same thing with "Rejoins Watch" on staff toolbox, it's missing.
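
The snapshot query on users_history_ratio quoted in the first post, as an added example for tracker operators (not Gazelle's code, not part of any post): it reproduces the sequence-based INSERT ... SELECT in an in-memory SQLite database and then reads the per-interval UpChange back. Comparing that delta against XBTT's m_cheater_speed constant over an hourly interval is an assumption of this example, not something the public source is shown to do; the function names and sample users are constructed.

```python
import sqlite3

GIB = 1024 ** 3
CHEATER_SPEED = 26214400   # XBTT's m_cheater_speed from the post, bytes/s
SNAPSHOT_SECONDS = 3600    # assumption: one snapshot per hour

SCHEMA = """
CREATE TABLE users_main (ID INTEGER PRIMARY KEY, Uploaded INTEGER, Downloaded INTEGER);
CREATE TABLE users_history_ratio (
    Sequence INTEGER, UserID INTEGER, Uploaded INTEGER, Downloaded INTEGER,
    UpChange INTEGER, DownChange INTEGER, Time TEXT);
"""


def take_snapshot(db, when):
    """Same shape as the quoted query: join each user to the previous sequence."""
    last = db.execute("SELECT MAX(Sequence) FROM users_history_ratio").fetchone()[0]
    seq = (last or 0) + 1
    db.execute(
        """INSERT INTO users_history_ratio
               (Sequence, UserID, Uploaded, Downloaded, UpChange, DownChange, Time)
           SELECT ?, m.ID, m.Uploaded, m.Downloaded,
                  m.Uploaded - r.Uploaded, m.Downloaded - r.Downloaded, ?
           FROM users_main AS m
           LEFT JOIN users_history_ratio AS r
                  ON r.UserID = m.ID AND r.Sequence = ?""",
        (seq, when, last))
    return seq


def flag_fast_uploaders(db, seq, interval=SNAPSHOT_SECONDS, limit=CHEATER_SPEED):
    """Return (UserID, average bytes/s) for deltas above the limit.

    Rows with a NULL UpChange (no previous snapshot, e.g. a new account)
    carry no rate information and are skipped rather than treated as zero.
    """
    rows = db.execute(
        "SELECT UserID, UpChange FROM users_history_ratio "
        "WHERE Sequence = ? AND UpChange IS NOT NULL ORDER BY UserID", (seq,))
    return [(uid, up / interval) for uid, up in rows if up / interval > limit]


def demo():
    """Constructed data: two existing users and one who joins between snapshots."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO users_main VALUES (?, ?, ?)",
                   [(1, 10 * GIB, 5 * GIB), (2, 1 * GIB, 1 * GIB)])
    take_snapshot(db, "2009-07-30 20:00:00")
    db.execute("UPDATE users_main SET Uploaded = Uploaded + ? WHERE ID = 1", (2 * GIB,))
    db.execute("UPDATE users_main SET Uploaded = Uploaded + ? WHERE ID = 2", (200 * GIB,))
    db.execute("INSERT INTO users_main VALUES (3, 0, 0)")
    seq = take_snapshot(db, "2009-07-30 21:00:00")
    return db, seq


if __name__ == "__main__":
    db, seq = demo()
    print(flag_fast_uploaders(db, seq))
```

An hourly average hides short bursts, so a per-announce check such as XBTT's and a snapshot check answer different questions.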

anon
31.07.09, 17:55
Slow and steady is the way to go... :biggrin:

Zorvak, no pressure man, but is it possible for you to analyze the SoftMP3 source code for your next thread? SceneSound and CareStreet are using it.

shawshankraj
31.07.09, 18:20
Great work
+1 from me..
May be it's useful to some member..

Zorvak
31.07.09, 21:43
Great work. Very well explained too, yes IPT should be next... ;)

Unfortunately, IPT source code isn't released to public.



Zorvak, no pressure man, but is it possible for you to analyze the SoftMP3 source code for your next thread? SceneSound and CareStreet are using it.

Don't worry, SoftMP3 is one of the trackers on my analysis list.
According to the source code, 4 MB/s is the limit, otherwise you'll enter the cheat database.
But I'll have to look at the other files to check for other anti-cheating scripts.

I forgot to say this, but make sure you use tor + elite proxy chain if you want to get Gazelle source code directly from What.CD's SVN.
Maybe they will closely monitor who downloads the source code from their server now.

sbrocks
04.08.09, 08:28
i have a question, i've been banned before. and i got another new acc which was registered using another country's IP; my own ip is dynamic, is that safe to login again with this acc? yeah of course the ip is different from the one i got banned, but they are belongs to a ip range

alpacino
04.08.09, 08:58
This is the wrong section for asking but, anyway, if the account belongs to another country, then it's very likely it will be banned as soon as you log in using your country ip. If you have dynamic ip, you should've created the account in your own country, after cleaning all traces (cookies,etc) and renewing the ip, unless we are talking about a trade here. :top:

sbrocks
04.08.09, 09:10
no trade for me .......so far

yeah i cleaned all the cookies, temp file..ect

so it's safe for me right? even a little bit ip change , like before 192.168.1.1 now using 192.168. 2.2 ?


sorry for the wrong section
i thought as Zorvak said i could ask any question about whatcd :tongue:

anon
04.08.09, 17:50
so it's safe for me right? even a little bit ip change , like before 192.168.1.1 now using 192.168. 2.2 ?

That's your internal IP. It's the external one that matters!

sbrocks
04.08.09, 17:54
yes i know

just for example ,

like before my ip is 123.456.789.1

now am i safe under 123.456.001.235?

just an example

anon
04.08.09, 17:55
like before my ip is 123.456.789.1

now am i safe under 123.456.001.235?

You're safe if the first two numbers don't change. IP range change bans are for when you "jump" to other countries:

123.23.89.22 -> 99.44.55.22

sbrocks
04.08.09, 17:56
wow that's nice

is that the advantage for dynamic ip for our cheaters? :biggrin:



sorry for double post i thought this one could combine with the above...

anon
04.08.09, 17:57
Yes, I suppose. Unless they ban your whole range, like The* trackers do.

sbrocks
04.08.09, 18:04
what if i got banned from lots of my dynamic ips, will whatcd's staff ban my ip range? :frown:


cannot believe my 100th posts got deleted :biggrin:

anon
04.08.09, 18:04
Who knows. Maybe they will.

sbrocks
04.08.09, 18:06
but i still register a new acc for the* tracker and login from my banned ip range,

it's safe, isn't it?

anon
04.08.09, 18:07
but i still register a new acc for the* tracker and login from my banned ip range,

it's safe, isn't it?

Well, I don't think What.cd and The* trackers share info.

sbrocks
04.08.09, 18:10
oh one more little question about what.cd like tracker. ..

i m login to the site by lots of my dynamic ips, cuz it will changed in couple days. so will whatcd record each of my login ip, and turned out i got banned, and then those login histories ips will banned too?

anon
04.08.09, 18:11
and then those login histories ips will banned too?

Well, they do log every IP you've used. But I'm not sure if they'll ban them. When What banned me they didn't block my IP.

sbrocks
04.08.09, 18:12
no no i mean it's safe to use the* tracker if i login using a banned ip range right?

i registerd using other country's ip

anon
04.08.09, 18:13
How do you want to log in from a banned IP? Mind making that more clear?

sbrocks
04.08.09, 18:18
but it seems risky to use the IP (which i've visited with the banned account) to login again...
whatcd can banned again immediately before i start to cheat :eek3:

anon
04.08.09, 18:19
OK, I think I get it now.

That shouldn't be a problem if you wait some days/weeks. But you have a dynamic IP, so what's the problem?

Oh, and clear cache/cookies, etc. before reregistering, of course.

sbrocks
04.08.09, 18:24
yeah i actually i m talking about the* tracker .. very off topic but just make it clear as u wish

i got banned for the* tracker before for ex the ip i got banned is 123.23.89.22

now i got another new acc which registered in other country

then i login the new account using my own dynamic ip 123.23.34.911

so this is safe, am i rite?

anon
04.08.09, 18:25
I think you should be safe if you don't get an error when visiting the tracker's frontpage :biggrin:

sbrocks
04.08.09, 18:32
yeah thx for all the tips

that's why i love dynamic lol

btw anyone achieved ellite or more higher lvl on whatcd? by cheating ?

anyway , that's my goal :biggrin:

anon
04.08.09, 18:33
btw anyone achieved ellite or more higher lvl on whatcd? by cheating ?

Not just cheating, you need to upload at least 50 torrents. :wink:

sbrocks
04.08.09, 18:38
i was banned as elite before :tongue:

damn ! they ban even elite user :biggrin:

anon
04.08.09, 18:39
Well, that's too bad. But you probably already knew the 50 torrents thing, then.


damn ! they ban even elite user :biggrin:

Rules are rules :tongue:

sbrocks
04.08.09, 18:51
i wont do the next higher lvl of elite, sth called TorrentCelebrate ? that's insane, require 500 torrents upload :eek3:

anon
04.08.09, 18:52
"Torrent Celebrity" is assigned by the Staff:

Torrent Celebrity - Staff at another tracker that meets certain requirements and approved by a staff member (Access to the special forum). Can send unlimited invites.

It's the TorrentMaster class that needs 500 uploaded torrents:

TorrentMaster - Been here at least 8 weeks, has uploaded at least 500 torrents and 500GB, ratio above 1.05 (Access to the TorrentMaster forum, earns custom title).
Note: TorrentMasters are demoted to Elite if their uploaded amount drops below 500GB, or their current uploaded torrent total is less than 500.

TD21
04.08.09, 19:45
Does what.cd ban a ip change (country)? How about email+ip+pass change?

Zorvak
04.08.09, 21:16
Does what.cd ban a ip change (country)?

Yeah, it's a standard anti-trading protection.
I think certain event will put you into Watch List automatically.



How about email+ip+pass change?

Use a reasonable time, like a week or a month to change email/password, but it's still risky since
What.CD logs every IP, email, password and passkey change.
Changing email + ip + pass at the same time is like asking to be put into the Watch List / banned, very risky.

zikacu
11.05.11, 07:16
this is awesome dude. I wonder how this site can I cheat? What is safe speed?

SealLion
11.05.11, 13:25
this is awesome dude. I wonder how this site can I cheat? What is safe speed?

check this link out, right here: Link for people affected by the force that opposes work (http://www.sb-innovation.de/search.php?search_type=1)

It gives all the answers.

cyph3r
11.05.11, 23:28
this is awesome dude. I wonder how this site can I cheat? What is safe speed?

There are threads for most of the trackers about cheating. what.cd is here: http://www.sb-innovation.de/showthread.php?threadid=5801

Edit for grammar.

Damnsel
02.01.13, 11:16
Firstly, hello and do forgive me for resurrecting an old thread but since it pertains to my recent experience with what.cd, a ban to boot :)

I had been a member on both what.cd and waffles since their inception (after the fall of oink and the two schisms emerging in its aftermath). I had little to no use of either since most of my needs were met by russian trackers where surprisingly, exact replicas of lossless rips from what.cd and/or other sites were posted frequently (peddlers aplenty would be my guess). For now, Rutracker.org caters to most of what i need.

Anyway, so I recently stumbled upon NRPG, and thought I'd give it a try on what.cd. Tread slowly into unknown waters as the adage goes, but i had little to lose since i was not using the site anyways besides logging in every once in a while to keep me from being bumped off.

I ended up uploading close to a few TB's in a matter of few minutes. Dumb move. I was not banned instantly (almost a day after). And this delay perhaps gives credence to the fact that bans just may not be automated after all. I can infer that one might pop up on the red-flag list and eventually, the ban might have been meted out by a member of the staff, post examination.

I suppose a little bit of research on my part could just have easily prevented this from happening. The reason why i assert this with emphasis is only based on my experience on sites like IPT & Waffles after the failure with what.cd. I have been scouring this website for a few days and finally have managed to execute successful ratio spoofing on both.

Here is the lowdown on my IPT experience, personally id say it was just dumb luck. I once again jumped the gun and used high speeds massive uploads (we're talking TB's here and double digits) all in a single day. I do not know how i made it through since i used no mods or complex routines, just the NRPG client. I escaped unscathed. The exact procedure being firing up utorrent 1.6.1 and having it run a torrent just so NRPG could extract all the things it needed (peer-id, key etc). I did not use TCP listener and the torrent selected was a massive pack with a lot of seeders. I started NRPG outright with seeding (100% finished) and stopped it multiple times, even while performing multiple updates. When it reached a more than appreciable amount of total upload, as mentioned before, i just shut it down and waited for an imminent ban as i was almost certain, after my not so memorable escapade with what.cd, but it never came to pass. Still a member. Still holding on to those TB's and i dare not try to meddle with it ever again since I am way in the clear now, and it would be downright foolish on my part to play russian roulette with it again. I think it was just dumb luck that it went unnoticed. Had some staff member been on surveillance, I'd have stick out like bollocks on a bulldog :D



Right now, I can't find any read access to the users_history_ratio or users_history_ratio_hourly tables except in the economic stats, where the staff see the total upload / total download for their tracker.
This means staff can't see your ratio history.

I find stat_history.php but it doesn't have any code in it.
Maybe the developers don't show it to public or the function isn't ready yet.
It's better to be careful, though.

Same thing with "Rejoins Watch" on staff toolbox, it's missing.

This theory just might hold water and seems plausible, especially after my experience with IPT. It just might be possible sites not making use of an hourly ratio parameter being logged.

Anyhow, i am glad to have stumbled upon this site.

Thanks.

anon
02.01.13, 22:53
NRPG is detectable due to discrepancies in its HTTP requests, doesn't matter how much you upload. Use RM (the original one) or mRatio to avoid this.

Damnsel
03.01.13, 04:51
I've been using RM 1.91 ever since (with memory reader). Your threads on RM in the tutorial sections were immensely helpful. I have a few doubts or queries (concerning sites like torrentbytes, and the .bz's) but its better if i asked on threads relating to these sites.

Rest assured, I'm not turning to NRPG again, was just my first time. Also, thanks for pointing out the flaw, all the more reason to stay away from it i guess.

THC
05.01.13, 17:02
What.cd haven't put the cheating scripts in their public release of gazelle. Also, I'm not sure about the IP change detection.

Instab
06.01.13, 07:09
I'm not sure about the IP change detection.

ip logging with country detection is included in the public gazelle releases

bernardosgr
06.01.13, 15:29
Just a random question for people in this thread: Are interviews for entering What.CD still going on nowadays?

anon
06.01.13, 18:04
Are interviews for entering What.CD still going on nowadays?

I haven't read anything anywhere about the interview channel being closed. Some countries are banned from it, however.

bernardosgr
06.01.13, 18:12
I haven't read anything anywhere about the interview channel being closed. Some countries are banned from it, however.

Yeah, I didn't read anything as well, I was just wondering because I'm thinking about finally applying for the interview... But still... I would have to learn a few things, which is something I'm not fond of...

anon
06.01.13, 18:50
Well, you can read this (http://www.sb-innovation.de/f59/how-join-what-cd-7924/) to get an idea, and if you still have questions, I'll be happy to help. Although I think Portugal is one of those banned countries...

bernardosgr
06.01.13, 18:59
Well, you can read this (http://www.sb-innovation.de/f59/how-join-what-cd-7924/) to get an idea, and if you still have questions, I'll be happy to help. Although I think Portugal is one of those banned countries...

Yeah, I think so too, although, I remember getting an account there even though people were telling me my country had been banned... Still, this was around 4 years ago