BitTorrent Tracker Analysis : SweDVDR



Zorvak
26.08.09, 20:51
http://www.sb-innovation.de/attachment.php?attachmentid=4845

I. Introduction

SweDVDR is ranked at level 8 (http://www.sb-innovation.de/f56/sb-innovation-tracker-levels-9764/) in terms of content and only allows members with a Nordic IP range, boosting the tracker's rarity to level 8 (http://www.sb-innovation.de/f56/sb-innovation-tracker-levels-9764/).
This analysis applies to SweDVDR and its variants: DVDRSOURCE, SceneDVDR, Tvsource, etc.


II. Short Review
SweDVDR's anti-cheating script is quite good: they write down Sweden's IP ranges with low upload speed and will issue a ban if those IPs try to use a high upload speed.
There are a lot of similarities between SweDVDR and SoftMP3, including the anti-cheating and anti-trading scripts and the staff toolbox.
Please see SoftMP3's tracker analysis to see what I mean.


III. Long Review



$host = dns_timeout($ip);
$kossa = 0;
if($host != 0){
    if (strpos($host, 'tbcn.telia')>-1 && $upspeed > 307200)
        $kossa = 1;
    elseif (strpos($host, 'skanova')>-1 && $upspeed > 307200)
        $kossa = 1;
}

If upload speed > 300 KB/s and ISP is tbcn.telia or skanova, consider that user is cheating.



if(($_SERVER['HTTP_USER_AGENT'] == 'uTorrent/161B(483)' || $_SERVER['HTTP_USER_AGENT'] == 'ABC/ABC-3.1.0') && $upspeed > 105200)
    $kossa = 1;

If the user uses the torrent client uTorrent 1.6.1B or ABC 3.1.0 and upload speed > 102 KB/s, consider that the user is cheating.



$setting['rate_limitation_warn_up'] = 2; // log a warning if exceeding this amount of MB/s
$setting['rate_limitation_err_up'] = 50; // log a error and don't save stats for user if exceeding this amount of MB/s

if($upspeed > (1024000 * $setting['rate_limitation_err_up'])) { // check for excessive speeds
    $setting['upload_multiplier'] = 0;
    log_cheater($u_id, $t_id, $_GET['downloaded'] - $downloaded, $_GET['uploaded'] - $uploaded, $duration, $_SERVER['HTTP_USER_AGENT'], $ip, 0, $_GET['port'], $upspeed, $ansl);
} elseif($upspeed > (1024000 * $setting['rate_limitation_warn_up']) || $kossa ) {
    log_cheater($u_id, $t_id, $_GET['downloaded'] - $downloaded, $_GET['uploaded'] - $uploaded, $duration, $_SERVER['HTTP_USER_AGENT'], $ip, $kossa, $_GET['port'], $upspeed, $ansl);
}

Abnormal upload check :
If upload speed > 2,000 KB/s (1.95 MB/s) log it into cheat database
If upload speed > 50,000 KB/s (48.82 MB/s) log it into cheat database and don't update stats.



CREATE TABLE IF NOT EXISTS `fusk` (
    `id` bigint(20) NOT NULL auto_increment,
    `torrentid` int(10) NOT NULL default '0',
    `torrentname` varchar(255) NOT NULL default '',
    `ip` varchar(64) NOT NULL default '',
    `port` smallint(5) NOT NULL default '0',
    `uploaded` bigint(20) NOT NULL default '0',
    `downloaded` bigint(20) NOT NULL default '0',
    `rate` bigint(20) NOT NULL default '0',
    `seeder` enum('yes','no') NOT NULL default 'yes',
    `connectable` enum('yes','no') NOT NULL default 'yes',
    `userid` int(10) NOT NULL default '0',
    `username` varchar(40) NOT NULL default '',
    `agent` varchar(60) NOT NULL default '',
    `time` bigint(20) NOT NULL default '0',
    `datum` datetime NOT NULL,
    `agentdiff` int(1) NOT NULL default '0',
    `adsl` tinyint(1) NOT NULL default '0',
    PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Once they catch a cheater, this information is logged:
TorrentID, TorrentName, IP, Port, Uploaded, Downloaded, Rate (Upload Speed),
Seeder (Is Seeding ?), Connectable, UserID, UserName, Agent (Name of Browser),
TimeDiff, Date, AgentDiff, ADSL



// Check for duplicate clients
$agdiff = 0;
if(mysql_num_rows(mysql_query('SELECT COUNT(id) FROM peers WHERE userid = "'. $u_id.'" and ip = "'.$ip.'" GROUP BY port')) > 1){
    $agdiff = 1;
}

Checks if the user uses more than one port to connect to the tracker.



if(mysql_num_rows(mysql_query("select count(*) from peers where userid = $userid group by agent")) > 1)
    $agdiff = 1;

Checks if the user runs more than one torrent client (e.g. uTorrent and Azureus).



if ($row["enabled"] == "no")
bark($username, $row[id], $password,"Detta konto har blivit avaktiverat.<br><br>Anledning: <b>".$row[secret]."</b><br><br>Om detta stämmer är det INGEN idé att du kontaktar oss och drar en rövarhistoria. Annars gäller:<br><br>IRC: <b>#swedvdr.support</b> @ irc.freequest.net</a><br>Webchat: <b><a href=http://webchat.freequest.net/irc.cgi?chan=%23swedvdr.support>http://webchat.freequest.net/irc.cgi?chan=#swedvdr.support</b></a>",1);

Just like SoftMP3, SweDVDR will give the reason why your account is disabled.



$mu = mysql_query("Select * from iplog where host LIKE '%.pl%' OR host LIKE '%.il' OR host LIKE '%bezeqint.net' OR host LIKE '%.tr' OR host LIKE '%.nl' OR host LIKE '%.de' OR host LIKE '%.pt' OR host LIKE '%.bg' OR host LIKE '%.eg' group by userid")or sqlerr(__FILE__, __LINE__);

while($a = mysql_fetch_array($mu))
{
    $sql = "UPDATE users set inviteban = 1 where id = $a[userid]";
    mysql_query($sql);

    echo $sql."<br>";
}

Users from these countries / hostnames will have their invite privilege automatically revoked:
.pl (Poland)
.il (Israel)
bezeqint.net (Israel)
.tr (Turkey)
.nl (Netherlands)
.de (Federal Republic of Germany)
.pt (Portugal)
.bg (Bulgaria)
.eg (Egypt)



function dslcheck($ip)
{
$a = explode(".",$ip);

// ADD MORE IP RANGES HERE

$range[] = "85.227.136.0 - 85.227.143.255";
$range[] = "83.227.36.0 - 83.227.39.255";
$range[] = "83.226.35.0 - 83.226.37.255";
$range[] = "212.214.118.0 - 212.214.119.255";
$range[] = "85.224.8.0 - 85.224.11.255";
$range[] = "85.224.12.0 - 85.224.15.255";
$range[] = "85.224.16.0 - 85.224.19.255";
$range[] = "85.224.20.0 - 85.224.23.255";
$range[] = "85.224.24.0 - 85.224.27.255";
$range[] = "85.224.28.0 - 85.224.31.255";
$range[] = "85.224.32.0 - 85.224.35.255";
$range[] = "85.224.36.0 - 85.224.39.255";
$range[] = "85.224.40.0 - 85.224.43.255";
$range[] = "85.224.44.0 - 85.224.47.255";
$range[] = "85.224.48.0 - 85.224.51.255";
$range[] = "85.224.52.0 - 85.224.55.255";
$range[] = "85.224.56.0 - 85.224.59.255";
$range[] = "85.224.60.0 - 85.224.63.255";
$range[] = "85.224.64.0 - 85.224.67.255";
$range[] = "85.224.68.0 - 85.224.71.255";
$range[] = "85.224.72.0 - 85.224.75.255";
$range[] = "85.224.76.0 - 85.224.79.255";
$range[] = "85.224.80.0 - 85.224.83.255";
$range[] = "85.224.84.0 - 85.224.87.255";
$range[] = "85.224.88.0 - 85.224.91.255";
$range[] = "85.224.92.0 - 85.224.95.255";
$range[] = "85.224.96.0 - 85.224.99.255";
$range[] = "85.224.100.0 - 85.224.103.255";
$range[] = "85.224.224.0 - 85.224.227.255";
$range[] = "85.224.252.0 - 85.224.255.255";
$range[] = "85.224.4.0 - 85.224.123.255";
$range[] = "85.224.128.0 - 85.224.128.255";

//$range[] = "";
//$range[] = "";
//$range[] = "";
//$range[] = "";
//$range[] = "";
//$range[] = "";
//$range[] = "";


// ADD MORE IP RANGES HERE

foreach($range as $rang)
{
    $k = explode(" - ",$rang);

    $st = explode(".",$k[0]);
    $sl = explode(".",$k[1]);

    if($a[0] >= $st[0] && $a[0] <= $sl[0])
    {
        if($a[1] >= $st[1] && $a[1] <= $sl[1])
        {
            if($a[2] >= $st[2] && $a[2] <= $sl[2])
            {
                if($a[3] >= $st[3] && $a[3] <= $sl[3])
                {
                    return 1;
                }
            }
        }
    }

}

return 0;

}

if(dslcheck($ip) == 1 && $upspeed > 307200)
    $kossa = 1;

This is one of the experimental anti-cheating scripts.
What you see above are Sweden's IP ranges. This function checks if the user uses an ISP with low upload speed; if so and upload speed > 300 KB, consider that the user is cheating.



if($seeder == "yes" && $event != 'completed') {
    $minleech = 0;
} else {
    $minleech = 1;
}/* Supposed to detect people who are uploading on torrents with no leechers, but not working properly for some reason, client bugs?
if($leechers <= $minleech && ($_GET['uploaded'] - $uploaded) > 0 && (($_GET['uploaded']-$uploaded)/$duration) > 10*1024) {
    $leechq = mysql_query('SELECT COUNT(*) FROM peers WHERE torrent = ' . $torrentid . ' AND seeder = "no" AND userid != ' . $userid) or trigger_error(mysql_error());
    if(mysql_result($leechq, 0) == 0) {
        log_cheater($userid, $torrentid, $_GET['downloaded'] - $downloaded, $_GET['uploaded'] - $uploaded, $duration, $_SERVER['HTTP_USER_AGENT'], $ip, 'warn', 'No leechers');
    }
}*/

Another experimental anti cheating script.
It's supposed to detect people who are uploading on torrents with no leechers.



function write_pix($n)
{
    $bin = decbin($n);

    header("Content-type: image/png");
    $im = imagecreate(strlen($bin), 1);

    $background_color = imagecolorallocate($im, 255, 255, 255);
    $white = imagecolorallocate($im, 0, 0, 0);

    for($i = 0;$i<strlen($bin);$i++)
    {
        if($bin[$i])
            imagesetpixel ($im, $i, 0, $white);
    }
    imagepng($im);
    imagedestroy($im);
}

$id = (int)$_COOKIE[uid];
write_pix($id);

Experimental anti-review script?
It's supposed to catch people who review their site in a public place.
If your user id is 21 (10101 in binary), in the image that will be
[dot] [dot] [blank] [dot]. You can clearly see the web bug, which represents user id 21, in the image below:
http://www.sb-innovation.de/attachment.php?attachmentid=4846

Now, if the opacity of the web bug is changed, you can't "see" it anymore, unless you zoom in:
http://www.sb-innovation.de/attachment.php?attachmentid=4847


III. Staff Account Screenshots

Note:
SoftMP3 and SweDVDR have many similarities in the staff toolbox.
Please see SoftMP3 tracker analysis thread for NyRegg, Skojjare, Invitelink, User Search and MultiIPs images.

1. Staff Toolbox
http://www.sb-innovation.de/attachment.php?attachmentid=4848

2. Fusk1/Fusk3 (Cheating)
user1 is marked in red color because his upload speed > 15 MB/s
user2 is marked in blue color because his uploaded and downloaded stats are exactly the same
user3 is marked in pink color because his IP is in the low upload speed list and upload speed > 300 KB/s
user4's client is marked in yellow color because he uses more than 1 client / port to connect to the tracker.
http://www.sb-innovation.de/attachment.php?attachmentid=4849

3. IP Ban
http://www.sb-innovation.de/attachment.php?attachmentid=4850

4. Multi Users
Konton med multipla användare = Accounts with multiple users
Användare på samma konto = Users on the same account
Ip-nummer som finnes på flera konton = IP numbers that are on several accounts
Bedömning = Assessment
Grön - Röd = Green - Red
Antal = Number
st = pc
http://www.sb-innovation.de/attachment.php?attachmentid=4851

5. Email Recover Log
http://www.sb-innovation.de/attachment.php?attachmentid=4852

6. Profile View
http://www.sb-innovation.de/attachment.php?attachmentid=4853
http://www.sb-innovation.de/attachment.php?attachmentid=4854
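
dslcheck() in the long review compares each octet against the range bounds separately. That works for the listed ranges, which all cover whole /24 blocks, but it misses addresses when a range's bounds are not octet-aligned. An added example (not SweDVDR code) comparing that logic with a whole-address comparison via ip2long(); the function names and the 192.0.2.x ranges are constructed, and 64-bit PHP is assumed.

```php
<?php
// Added example, not SweDVDR code. Constructed ranges; 64-bit PHP assumed
// so that ip2long() always returns a non-negative integer.

// Octet-by-octet test with the same logic as dslcheck() in the post.
function octet_match(string $ip, string $range): bool
{
    [$lo, $hi] = explode(' - ', $range);
    $a = explode('.', $ip);
    $s = explode('.', $lo);
    $e = explode('.', $hi);
    for ($i = 0; $i < 4; $i++) {
        if ((int)$a[$i] < (int)$s[$i] || (int)$a[$i] > (int)$e[$i]) {
            return false;
        }
    }
    return true;
}

// Whole-address test: compare the 32-bit values of the addresses.
function range_match(string $ip, string $range): bool
{
    $parts = explode(' - ', $range);
    if (count($parts) !== 2) {
        return false;
    }
    $n  = ip2long($ip);
    $lo = ip2long(trim($parts[0]));
    $hi = ip2long(trim($parts[1]));
    if ($n === false || $lo === false || $hi === false) {
        return false; // malformed or non-IPv4 input never matches
    }
    return $lo <= $n && $n <= $hi;
}

$cases = [
    // [range, address]
    ['85.224.8.0 - 85.224.11.255', '85.224.9.77'], // range taken from the post
    ['192.0.2.200 - 192.0.3.50', '192.0.3.10'],    // constructed, inside, not /24-aligned
    ['192.0.2.200 - 192.0.3.50', '192.0.2.100'],   // constructed, outside the range
];
foreach ($cases as [$range, $ip]) {
    printf("%-28s %-12s octet=%s whole=%s\n", $range, $ip,
        var_export(octet_match($ip, $range), true),
        var_export(range_match($ip, $range), true));
}
```

The two tests only disagree on the second case, where the address is inside the range but its last octet falls outside the per-octet bounds.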

shoulder
26.08.09, 20:57
Approved, Thx for the work. :top:

alpacino
27.08.09, 03:02
Thank you for another tracker source analysis. I had no idea some were paranoid enough to check for same port and if more than 1 client running. :eek:

cheatos
27.08.09, 03:20
thanks for the review
their scripts are very well written :eek3:

ghostfucker
27.08.09, 03:22
Another experimental anti cheating script.
It's supposed to detect people who are uploading on torrents with no leechers.

they could detect a real seeder with that, if there is someone with stealth mode ;)


btw. great job :top:

shoulder
27.08.09, 03:36
they could detect a real seeder with that, if there is someone with stealth mode ;)
Yes, that's the never ending question. :tongue:

If there is a torrent with 1 seeder and 1 leecher, and the seeder is reporting upload and the leecher isn't reporting download, who gets the ban?
The "fake uploader" or the "noreport leecher"?

ghostfucker
27.08.09, 03:57
Yes, that's also interesting^^... but completely different.

If there is a 'stealth leecher', the tracker just won't see him. E.g. there is a torrent with 1 seeder and 0 leechers... the seeder is uploading and is NOT a cheater ;-)

Zorvak
27.08.09, 04:55
Thank you for another tracker source analysis. I had no idea some were paranoid enough to check for same port and if more than 1 client running.

As expected from high level trackers, they have a few tricks up their sleeve.



they could detect a real seeder with that, if there is someone with stealth mode ;)

I think that's one of the reasons why the function is still experimental; it's disabled in the final script.
Too many false positives from the real seeder.



If there is a torrent with 1 seeder and 1 leecher, and the seeder is reporting upload and the leecher isn't reporting download, who gets the ban?
The "fake uploader" or the "noreport leecher"?

The "fake uploader" (real seeder) will get caught since the tracker won't see the "noreport leecher" with stealth mod :biggrin:

shoulder
27.08.09, 14:32
The "fake uploader" (real seeder) will get caught since the tracker won't see the "noreport leecher" with stealth mod :biggrin:
I don't mean a ghostleecher, I mean a noreport leecher. :tongue:
He will be shown on the tracker but always as X% done and won't send a complete flag.

Zorvak
27.08.09, 17:48
Lol, for some reason I think you're referring to ghostleecher.
Yep, I'm talking about ghostleeching / stealth mod, not "noreport leecher" mod in my post above.

About "noreport leecher" :
SweDVDR's script checks if the number of leechers is zero and, if there's any upload activity, logs that event into the database.
If there's any leecher, the script won't work.
In the "noreport leecher" case, SweDVDR's script won't even run since there's a leecher (partial seeder / user with "noreport leecher" mod) in the peerlist.

shoulder
27.08.09, 18:45
Then it should be possible to fake on torrents without real leechers if you keep reasonable speeds.

Zorvak
27.08.09, 20:31
Yeah, any tracker that uses a script to detect fake upload on torrents without leechers will have to deal with false positives from ghostleechers.

But from the cheating experience thread it seems there are a few users that get banned when they're faking on a pack.
Just use common sense: on a tracker with a peerlist, don't exceed the upload amount of a seedbox user.
It would be weird if the average user on that peerlist only uploads 1 GB / day on a pack
because most of the leechers are partial seeders and they also compete with another seedbox user
but a newly registered user uploads 4 GB / day on that pack.

anon
27.08.09, 20:39
But from the cheating experience thread it seems there are a few users that get banned when they're faking on a pack.

That got a lot of people banned :biggrin: Because of reporting upload while no one else reports download, I suppose.

Zorvak
27.08.09, 21:04
Well, I don't recommend you to fake upload on a torrent without leechers.
All I said is just a theory. It's true that detecting fake upload on a torrent without leechers will cause false positives if there's any ghostleecher.
But I don't know exactly which trick they use to detect fake upload on zero leechers.
Unless we have a chance to look at the source code of a private tracker with a good anti-cheating script, we can't be 100% sure.

ghostfucker
27.08.09, 21:28
But I don't know exactly which trick they use to detect fake upload on zero leechers.
Unless we have a chance to look at the source code of a private tracker with a good anti-cheating script, we can't be 100% sure.



if (leecher == 0)
    kickban();

or

if (torrent.totalDownSpeed == 0)
    kickban();

:p

looks stupid, but there isn't another method afaik... but I'm not a script writer ;)

Zorvak
28.08.09, 05:15
The script may be something like that, but just like SweDVDR's script, it will deal with a lot of false positives, from ghostleechers, different announce times and power outages.
Imagine this scenario:

Torrent X has 10 seeders and 0 leechers.
Seeder A starts seeding at 15:10. The next announce time would be 15:40.
Leecher B starts leeching at 14:50. The next announce time would be 15:20.
Torrent X has 10 seeders and 1 leecher now.

Leecher B connects to Seeder A, and downloads 200 MB from Seeder A.
At 15:10, 20 minutes after he starts downloading, there's a power outage on Leecher B's computer.

announce_time = 30 minutes.
announce_time * 1.2 = 36 minutes

Every announce_time*1.2 (36 minutes), SweDVDR will start removing "dead peers".
At 15:36 Leecher B is removed from the peerlist, and torrent X has 10 seeders and 0 leechers.
At 15:40 Seeder A sends his announcement, reporting that he uploaded 200 MB.
If the script only checks if the number of leechers is zero, Seeder A will be banned.

Or this ghostleecher scenario:
Leecher A copies the whole peerlist from Torrent Y, and pastes it in Torrent Z.
Leecher A removes the tracker url from torrent Z and starts ghostleeching; he's not shown in the peerlist.
The peerlist stays the same, 10 seeders and 0 leechers.
Any seeders that upload to leecher A will be banned because they send an upload announcement when total download / leecher count is zero.

Still, it's better to be safe and just check "Stop faking when swarm speed is zero".
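
The power-outage timeline in the post above, as an added example that is not part of the thread or of SweDVDR's source: it contrasts a check that counts leechers at the moment of the announce with one that looks at the whole period the reported upload covers. The peer-history fields (first_seen, removed_at) and the window rule are assumptions; times are minutes since midnight taken from the scenario.

```php
<?php
// Added example, not tracker code. Times are minutes since midnight, taken
// from the power-outage scenario; the peer-history layout is an assumption.

// Leecher B: announced at 14:50, removed by dead-peer cleanup at 15:36.
$history = [
    ['peer' => 'B', 'first_seen' => 14 * 60 + 50, 'removed_at' => 15 * 60 + 36],
];

// Instant check: is any leecher in the peer list at the moment of the announce?
function flagged_instant(array $history, int $now): bool
{
    foreach ($history as $l) {
        if ($l['first_seen'] <= $now && $now < $l['removed_at']) {
            return false;
        }
    }
    return true; // upload reported while the list shows zero leechers
}

// Window check: was any leecher listed between the seeder's previous
// announce and this one, the period the reported upload delta covers?
function flagged_window(array $history, int $prev, int $now): bool
{
    foreach ($history as $l) {
        if ($l['first_seen'] <= $now && $l['removed_at'] > $prev) {
            return false;
        }
    }
    return true;
}

// Seeder A: previous announce 15:10, reports 200 MB uploaded at 15:40.
$prev = 15 * 60 + 10;
$now  = 15 * 60 + 40;
printf("instant check flags A: %s\n", var_export(flagged_instant($history, $now), true));
printf("window check flags A:  %s\n", var_export(flagged_window($history, $prev, $now), true));

// Constructed control: nobody was listed during the period, both checks flag.
printf("empty swarm, instant:  %s\n", var_export(flagged_instant([], $now), true));
printf("empty swarm, window:   %s\n", var_export(flagged_window([], $prev, $now), true));
```

A peer that never announces, as in the ghostleecher scenario, leaves no history row, so neither check can account for it.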

anon
28.08.09, 13:19
Torrent X has 10 seeders and 0 leechers.
Seeder A starts seeding at 15:10. The next announce time would be 15:40.
Leecher B starts leeching at 14:50. The next announce time would be 15:20.
Torrent X has 10 seeders and 1 leecher now.

The* trackers' scripts also watch activity like this. Always wondered what they do in this situation.

And anti-ghostleeching scripts will have to deal with power failures, too.