Add MultiAccount Detection, Add Push Protection Detection, Add register Default Gold

Add MultiAccount Detection, Add Push Protection Detection, Add register Default Gold
This commit is contained in:
novgorodschi catalin
2026-07-15 14:23:05 +03:00
parent 1925f45001
commit b87cf27396
23 changed files with 1798 additions and 8 deletions
+609
View File
@@ -0,0 +1,609 @@
<?php
#################################################################################
## -= YOU MAY NOT REMOVE OR CHANGE THIS NOTICE =- ##
## --------------------------------------------------------------------------- ##
## Filename : MultiAccount.php ##
## Type : Multi-Account Detection engine (Admin/Multihunter tool) ##
## --------------------------------------------------------------------------- ##
## Developed by : Shadow ##
## Project : TravianZ ##
## URLs: : https://travianz.org ##
## GitHub : https://github.com/Shadowss/TravianZ ##
## --------------------------------------------------------------------------- ##
## License : TravianZ Project ##
## Copyright : TravianZ (c) 2010-2026. All rights reserved. ##
## --------------------------------------------------------------------------- ##
#################################################################################
/**
* MultiAccount
* -------------------------------------------------------------------------
* Heuristic multi-account (bot / pushing account) detection. It does NOT ban
* anyone; it produces a ranked list of suspicious account PAIRS with a risk
* score (0-100) and a breakdown of WHY, so a human (admin / multihunter) can
* investigate.
*
* Data sources (all optional — the engine degrades gracefully):
* - login_log : existing table (uid, ip, date). Gives shared-IP and
* login-timing signals for history that predates this
* feature.
* - mad_session : NEW table written by recordSession() at every login.
* Adds the User-Agent signal (login_log has no UA).
* - movement / send : in-flight merchant transfers -> "currently pushing"
* trade signal.
* - resource_transfer_log : if present (created by the Push-Protection phase),
* gives a richer historical trade-flow signal. Used
* automatically when the table exists.
*
* The engine is intentionally self-contained (static methods, resolves the DB
* link from globals) so it can be called from both the in-game login flow and
* the admin panel without wiring.
*/
class MultiAccount
{
/* ---- Tunables (safe to adjust) ------------------------------------- */
/** How far back to look, in days. */
const WINDOW_DAYS = 30;
/** Hard cap on login rows scanned per source (memory / runtime guard). */
const MAX_ROWS = 60000;
/** A shared key (IP / subnet / UA) used by MORE than this many accounts is
* treated as a public/NAT/proxy artefact: it still counts, but with a
* reduced weight and it never explodes pair generation. */
const POPULAR_KEY_CAP = 12;
/** Two logins closer than this (seconds) from the SAME IP look like one
* person switching accounts. */
const SWITCH_WINDOW = 900; // 15 minutes
/** Only pairs at or above this score are returned. */
const MIN_REPORT_SCORE = 20;
/** Max pairs returned to the UI. */
const MAX_PAIRS = 150;
/* ---- DB plumbing --------------------------------------------------- */
/** Resolve the raw mysqli link from whatever context we run in. */
private static function link()
{
if (isset($GLOBALS['link']) && $GLOBALS['link']) {
return $GLOBALS['link'];
}
if (isset($GLOBALS['database']) && isset($GLOBALS['database']->dblink)) {
return $GLOBALS['database']->dblink;
}
return null;
}
/**
* Create the mad_session table if it does not exist. Called lazily so the
* feature works even on servers that never re-ran the installer.
*/
public static function ensureSchema()
{
$link = self::link();
if (!$link) {
return;
}
$sql = "CREATE TABLE IF NOT EXISTS `" . TB_PREFIX . "mad_session` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`uid` int(11) NOT NULL,
`ip` varbinary(16) DEFAULT NULL,
`ip_text` varchar(45) NOT NULL DEFAULT '',
`ua_hash` char(32) NOT NULL DEFAULT '',
`ua_text` varchar(255) NOT NULL DEFAULT '',
`login_time` int(11) NOT NULL DEFAULT 0,
PRIMARY KEY (`id`),
KEY `uid` (`uid`),
KEY `ip` (`ip`),
KEY `ua_hash` (`ua_hash`),
KEY `login_time` (`login_time`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8";
@mysqli_query($link, $sql);
}
/* ---- Data collection (called at login) ----------------------------- */
/**
* Record one login "session fingerprint". Best-effort: any failure is
* swallowed so it can never block a login.
*
* @param int $uid User id.
* @param string $ipText Client IP (already resolved by the caller).
* @param string $userAgent Raw User-Agent header ($_SERVER['HTTP_USER_AGENT']).
*/
public static function recordSession($uid, $ipText, $userAgent)
{
try {
$uid = (int) $uid;
if ($uid <= 3) {
return; // system accounts
}
$link = self::link();
if (!$link) {
return;
}
self::ensureSchema();
$ipText = (string) $ipText;
$packed = @inet_pton($ipText);
if ($packed === false) {
$packed = null;
}
$uaText = substr((string) $userAgent, 0, 255);
$uaHash = md5($uaText);
$now = time();
$stmt = mysqli_prepare(
$link,
"INSERT INTO `" . TB_PREFIX . "mad_session`
(uid, ip, ip_text, ua_hash, ua_text, login_time)
VALUES (?,?,?,?,?,?)"
);
if (!$stmt) {
return;
}
// ip is binary -> bind as blob ('b') via send_long_data-free path:
// mysqli lets us bind a string to a varbinary column with type 's'.
$ipBind = $packed === null ? '' : $packed;
mysqli_stmt_bind_param($stmt, 'issssi', $uid, $ipBind, $ipText, $uaHash, $uaText, $now);
mysqli_stmt_execute($stmt);
mysqli_stmt_close($stmt);
} catch (\Throwable $e) {
// never break login
}
}
/* ---- Correlation / scoring ---------------------------------------- */
/**
* Build the ranked list of suspicious account pairs.
*
* @param array $opts Optional overrides: 'days', 'min_score', 'focus_uid'.
* @return array {
* 'pairs' => list of pair rows (see below), sorted by score desc,
* 'scanned' => ['login_log'=>int, 'mad_session'=>int],
* 'window_days' => int,
* 'truncated' => bool, // true if a source hit MAX_ROWS
* }
*
* Each pair row:
* uid_a, name_a, uid_b, name_b, score (0-100), label,
* shared_ips, shared_subnets, shared_uas, switch_events,
* trade_gross, trade_dir, reasons (string[])
*/
public static function riskPairs(array $opts = [])
{
$link = self::link();
if (!$link) {
return ['pairs' => [], 'scanned' => ['login_log' => 0, 'mad_session' => 0],
'window_days' => self::WINDOW_DAYS, 'truncated' => false];
}
self::ensureSchema();
$days = isset($opts['days']) ? max(1, (int) $opts['days']) : self::WINDOW_DAYS;
$minScore = isset($opts['min_score']) ? (int) $opts['min_score'] : self::MIN_REPORT_SCORE;
$focusUid = isset($opts['focus_uid']) ? (int) $opts['focus_uid'] : 0;
$since = time() - $days * 86400;
// Per-uid aggregates and inverted indices.
$ips = []; // uid => [ip => true]
$subnets = []; // uid => [subnet => true]
$uas = []; // uid => [uaHash => true]
$logins = []; // uid => [ [ts, ip], ... ]
$ipIndex = []; // ip => [uid => true]
$subnetIndex = []; // subnet => [uid => true]
$uaIndex = []; // uaHash => [uid => true]
$scannedLogin = 0;
$scannedMad = 0;
$truncated = false;
// ---- Source 1: login_log (uid, ip text, date) ----
$cap = self::MAX_ROWS;
$q = "SELECT uid, ip, UNIX_TIMESTAMP(`date`) AS ts
FROM `" . TB_PREFIX . "login_log`
WHERE uid > 3 AND UNIX_TIMESTAMP(`date`) >= " . (int) $since . "
ORDER BY `date` DESC
LIMIT " . (int) $cap;
if ($res = @mysqli_query($link, $q)) {
while ($row = mysqli_fetch_assoc($res)) {
$scannedLogin++;
self::ingest((int) $row['uid'], (string) $row['ip'], (int) $row['ts'], '',
$ips, $subnets, $uas, $logins, $ipIndex, $subnetIndex, $uaIndex);
}
mysqli_free_result($res);
if ($scannedLogin >= $cap) {
$truncated = true;
}
}
// ---- Source 2: mad_session (adds UA) ----
$q = "SELECT uid, ip_text, ua_hash, login_time
FROM `" . TB_PREFIX . "mad_session`
WHERE uid > 3 AND login_time >= " . (int) $since . "
ORDER BY login_time DESC
LIMIT " . (int) $cap;
if ($res = @mysqli_query($link, $q)) {
while ($row = mysqli_fetch_assoc($res)) {
$scannedMad++;
self::ingest((int) $row['uid'], (string) $row['ip_text'], (int) $row['login_time'],
(string) $row['ua_hash'],
$ips, $subnets, $uas, $logins, $ipIndex, $subnetIndex, $uaIndex);
}
mysqli_free_result($res);
if ($scannedMad >= $cap) {
$truncated = true;
}
}
// ---- Candidate pair generation from shared keys ----
$candidates = []; // "a:b" => true
self::pairsFromIndex($ipIndex, $candidates, $focusUid);
self::pairsFromIndex($subnetIndex, $candidates, $focusUid);
self::pairsFromIndex($uaIndex, $candidates, $focusUid);
// ---- Score each candidate pair ----
$pairs = [];
foreach ($candidates as $key => $_) {
list($a, $b) = explode(':', $key);
$a = (int) $a;
$b = (int) $b;
$scored = self::scorePair($a, $b, $ips, $subnets, $uas, $logins, $link, $days);
if ($scored['score'] >= $minScore) {
$pairs[] = $scored;
}
}
// Resolve names for the pairs we keep (bounded set).
self::attachNames($pairs, $link);
// Sort by score desc, then trade gross desc.
usort($pairs, function ($x, $y) {
if ($x['score'] === $y['score']) {
return $y['trade_gross'] <=> $x['trade_gross'];
}
return $y['score'] <=> $x['score'];
});
if (count($pairs) > self::MAX_PAIRS) {
$pairs = array_slice($pairs, 0, self::MAX_PAIRS);
}
return [
'pairs' => $pairs,
'scanned' => ['login_log' => $scannedLogin, 'mad_session' => $scannedMad],
'window_days' => $days,
'truncated' => $truncated,
];
}
/** Fold one login event into all aggregates + indices. */
private static function ingest($uid, $ip, $ts, $uaHash,
&$ips, &$subnets, &$uas, &$logins, &$ipIndex, &$subnetIndex, &$uaIndex)
{
if ($uid <= 3) {
return;
}
$ip = trim($ip);
if ($ip !== '' && $ip !== '0.0.0.0') {
$ips[$uid][$ip] = true;
$ipIndex[$ip][$uid] = true;
$sub = self::subnet($ip);
if ($sub !== '') {
$subnets[$uid][$sub] = true;
$subnetIndex[$sub][$uid] = true;
}
}
if ($uaHash !== '' && $uaHash !== md5('')) {
$uas[$uid][$uaHash] = true;
$uaIndex[$uaHash][$uid] = true;
}
if ($ts > 0) {
$logins[$uid][] = [$ts, $ip];
}
}
/** /24 for IPv4, /48-ish (first 3 hextets) for IPv6. */
private static function subnet($ip)
{
if (strpos($ip, '.') !== false) {
$p = explode('.', $ip);
if (count($p) === 4) {
return $p[0] . '.' . $p[1] . '.' . $p[2] . '.';
}
} elseif (strpos($ip, ':') !== false) {
$p = explode(':', $ip);
return $p[0] . ':' . ($p[1] ?? '') . ':' . ($p[2] ?? '') . '::';
}
return '';
}
/**
* Turn an inverted index (key => [uid => true]) into candidate pairs.
* Skips popular keys (public NAT/proxy) to avoid noise and O(n^2) blowup.
*/
private static function pairsFromIndex(array $index, array &$candidates, $focusUid)
{
foreach ($index as $key => $uidSet) {
$uids = array_keys($uidSet);
$n = count($uids);
if ($n < 2 || $n > self::POPULAR_KEY_CAP) {
continue;
}
sort($uids);
for ($i = 0; $i < $n; $i++) {
for ($j = $i + 1; $j < $n; $j++) {
$a = $uids[$i];
$b = $uids[$j];
if ($focusUid && $a !== $focusUid && $b !== $focusUid) {
continue;
}
$candidates[$a . ':' . $b] = true;
}
}
}
}
/** Score a single (a,b) pair and produce a reason breakdown. */
private static function scorePair($a, $b, $ips, $subnets, $uas, $logins, $link, $days)
{
$sharedIps = array_keys(array_intersect_key(
$ips[$a] ?? [], $ips[$b] ?? []
));
$sharedSubs = array_keys(array_intersect_key(
$subnets[$a] ?? [], $subnets[$b] ?? []
));
$sharedUas = array_keys(array_intersect_key(
$uas[$a] ?? [], $uas[$b] ?? []
));
// Subnets that are shared but NOT already covered by a shared full IP.
// Compare exact subnets (self::subnet) — a string-prefix test would treat
// e.g. "85.204.1." as a prefix of IP "85.204.13.9" (false positive).
$subOnly = [];
foreach ($sharedSubs as $s) {
$hasFull = false;
foreach ($sharedIps as $ip) {
if (self::subnet($ip) === $s) {
$hasFull = true;
break;
}
}
if (!$hasFull) {
$subOnly[] = $s;
}
}
// Login "switch" events: logins of a and b from the same shared IP within
// SWITCH_WINDOW seconds of each other.
$switch = self::switchEvents($logins[$a] ?? [], $logins[$b] ?? [], $sharedIps);
// Trade flow between the pair (villages resolved inside).
$trade = self::tradeFlow($a, $b, $link, $days);
// ---- Weighted score ----
$score = 0;
$reasons = [];
if (count($sharedIps) > 0) {
$add = min(50, 35 + 5 * (count($sharedIps) - 1));
$score += $add;
$reasons[] = count($sharedIps) . ' shared IP' . (count($sharedIps) > 1 ? 's' : '');
}
if (count($sharedUas) > 0) {
$add = min(30, 20 + 5 * (count($sharedUas) - 1));
$score += $add;
$reasons[] = count($sharedUas) . ' identical device/browser fingerprint'
. (count($sharedUas) > 1 ? 's' : '');
}
if (count($subOnly) > 0) {
$score += 10;
$reasons[] = 'same /24 subnet';
}
if ($switch > 0) {
$add = min(30, 15 + 5 * $switch);
$score += $add;
$reasons[] = $switch . ' rapid account switch' . ($switch > 1 ? 'es' : '')
. ' from one IP';
}
if ($trade['gross'] > 0 && $trade['directional']) {
$score += 20;
$reasons[] = 'one-directional resource transfers';
} elseif ($trade['gross'] > 0) {
$score += 8;
$reasons[] = 'resource transfers between them';
}
$score = (int) min(100, $score);
$label = $score >= 70 ? 'High' : ($score >= 40 ? 'Medium' : 'Low');
return [
'uid_a' => $a,
'uid_b' => $b,
'name_a' => '',
'name_b' => '',
'score' => $score,
'label' => $label,
'shared_ips' => count($sharedIps),
'shared_ip_list' => array_slice($sharedIps, 0, 6),
'shared_subnets' => count($subOnly),
'shared_uas' => count($sharedUas),
'switch_events' => $switch,
'trade_gross' => (int) $trade['gross'],
'trade_dir' => $trade['directional'] ? 1 : 0,
'reasons' => $reasons,
];
}
/** Count login "switches" from a shared IP within SWITCH_WINDOW seconds. */
private static function switchEvents(array $la, array $lb, array $sharedIps)
{
if (empty($sharedIps) || empty($la) || empty($lb)) {
return 0;
}
$sharedSet = array_flip($sharedIps);
// Keep only events from shared IPs.
$ea = [];
foreach ($la as $e) {
if (isset($sharedSet[$e[1]])) {
$ea[] = $e[0];
}
}
$eb = [];
foreach ($lb as $e) {
if (isset($sharedSet[$e[1]])) {
$eb[] = $e[0];
}
}
if (empty($ea) || empty($eb)) {
return 0;
}
sort($ea);
sort($eb);
// Two-pointer count of a<->b logins within the window.
$count = 0;
$j = 0;
$m = count($eb);
foreach ($ea as $ta) {
while ($j < $m && $eb[$j] < $ta - self::SWITCH_WINDOW) {
$j++;
}
$k = $j;
while ($k < $m && $eb[$k] <= $ta + self::SWITCH_WINDOW) {
$count++;
$k++;
if ($count >= 20) {
return 20; // cap
}
}
}
return $count;
}
/**
* Resource-transfer signal between two players.
* Prefers resource_transfer_log (Push-Protection phase) when present, else
* falls back to in-flight merchant movements. Returns gross total moved and
* whether flow is strongly one-directional.
*/
private static function tradeFlow($a, $b, $link, $days)
{
$out = ['gross' => 0, 'directional' => false];
// Village ids owned by each player.
$va = self::villagesOf($a, $link);
$vb = self::villagesOf($b, $link);
if (empty($va) || empty($vb)) {
return $out;
}
$vaIn = implode(',', array_map('intval', $va));
$vbIn = implode(',', array_map('intval', $vb));
$since = time() - $days * 86400;
$aToB = 0;
$bToA = 0;
// Preferred: persistent transfer log (created by push protection).
$hasLog = @mysqli_query($link,
"SELECT 1 FROM `" . TB_PREFIX . "resource_transfer_log` LIMIT 1");
if ($hasLog !== false) {
@mysqli_free_result($hasLog);
$sumCols = "(wood+clay+iron+crop)";
$r = @mysqli_query($link,
"SELECT COALESCE(SUM($sumCols),0) FROM `" . TB_PREFIX . "resource_transfer_log`
WHERE from_vref IN ($vaIn) AND to_vref IN ($vbIn) AND `time` >= " . (int) $since);
if ($r && ($row = mysqli_fetch_row($r))) {
$aToB = (int) $row[0];
}
$r = @mysqli_query($link,
"SELECT COALESCE(SUM($sumCols),0) FROM `" . TB_PREFIX . "resource_transfer_log`
WHERE from_vref IN ($vbIn) AND to_vref IN ($vaIn) AND `time` >= " . (int) $since);
if ($r && ($row = mysqli_fetch_row($r))) {
$bToA = (int) $row[0];
}
} else {
// Fallback: in-flight merchant transfers (movement sort_type = 0),
// resources live in the linked `send` row (m.ref = s.id).
$sql = "SELECT COALESCE(SUM(s.wood+s.clay+s.iron+s.crop),0)
FROM `" . TB_PREFIX . "movement` m
JOIN `" . TB_PREFIX . "send` s ON m.ref = s.id
WHERE m.sort_type = 0 AND m.proc = 0
AND m.`from` IN (%FROM%) AND m.`to` IN (%TO%)";
$r = @mysqli_query($link, str_replace(['%FROM%', '%TO%'], [$vaIn, $vbIn], $sql));
if ($r && ($row = mysqli_fetch_row($r))) {
$aToB = (int) $row[0];
}
$r = @mysqli_query($link, str_replace(['%FROM%', '%TO%'], [$vbIn, $vaIn], $sql));
if ($r && ($row = mysqli_fetch_row($r))) {
$bToA = (int) $row[0];
}
}
$gross = $aToB + $bToA;
$out['gross'] = $gross;
if ($gross > 0) {
$maxDir = max($aToB, $bToA);
// Strongly one-directional if >= 85% flows one way and it is material.
$out['directional'] = ($maxDir >= 0.85 * $gross) && ($gross >= 5000);
}
return $out;
}
/** Village wrefs owned by a user (cached per-request). */
private static function villagesOf($uid, $link)
{
static $cache = [];
$uid = (int) $uid;
if (isset($cache[$uid])) {
return $cache[$uid];
}
$out = [];
$r = @mysqli_query($link,
"SELECT wref FROM `" . TB_PREFIX . "vdata` WHERE owner = " . $uid);
if ($r) {
while ($row = mysqli_fetch_row($r)) {
$out[] = (int) $row[0];
}
mysqli_free_result($r);
}
return $cache[$uid] = $out;
}
/** Fill name_a / name_b for the reported pairs in one query. */
private static function attachNames(array &$pairs, $link)
{
if (empty($pairs)) {
return;
}
$ids = [];
foreach ($pairs as $p) {
$ids[$p['uid_a']] = true;
$ids[$p['uid_b']] = true;
}
$in = implode(',', array_map('intval', array_keys($ids)));
$names = [];
$r = @mysqli_query($link,
"SELECT id, username FROM `" . TB_PREFIX . "users` WHERE id IN ($in)");
if ($r) {
while ($row = mysqli_fetch_assoc($r)) {
$names[(int) $row['id']] = $row['username'];
}
mysqli_free_result($r);
}
foreach ($pairs as &$p) {
$p['name_a'] = $names[$p['uid_a']] ?? ('#' . $p['uid_a']);
$p['name_b'] = $names[$p['uid_b']] ?? ('#' . $p['uid_b']);
}
unset($p);
}
}