Full Version: Server keeps getting hacked
limewire1988
Hi

I have a jaymod server on 2.60b (seriously, on 2.60b) which is getting hacked pretty often. I do not know what to do? I have renamed the jaymod.cfg to another random name and it's still getting hacked. This time he changed the RCON, banned my admins, renamed the server to assfilled.com, lengthened the map time and gave himself XP. WTF!!

I thought I had got rid of the problem by switching IPs, but just 1 day with the new IP it gets hacked again.

Now I have etadminmod installed on the server and we have kept the cfg name as etadmin.cfg. I heard it can't be changed or it won't run. But could this be the source, as it contains the RCON, or is there anything else?

Any tips that you have, please let me know; I don't want to give up like this.


Server name : BEGINNERS XP-SAVE FOREVER
IP : 78.159.96.62:27500

Will turn on the server and see what's up.

Terror Time
ETAdmin Mod can be hacked through a back door leading to your rcon password too. Better to just remove it, if you are having problems already.
qualmi
Sounds like this noobtool rconstealer. You have votes enabled?
limewire1988
Hey

Thanks for the tips, Terror Time and qualmi. If you have any other tips that can make my jaymod more secure, please mention them, as this will help me and other servers on 2.60b that get hacked be more secure.

I have completely removed etadmin mod from the server and disabled voting. It seems to be fine now.
Funny how they can get on the server with an aimbot with PBBans streaming, and when they get banned by an admin they can just unban themselves and ban others and hack the server..... very very sad people
qualmi
QUOTE(limewire1988 @ Nov 30 2009, 07:08 PM) *
Hey

Thanks for the tips, Terror Time and qualmi. If you have any other tips that can make my jaymod more secure, please mention them, as this will help me and other servers on 2.60b that get hacked be more secure.

I have completely removed etadmin mod from the server and disabled voting. It seems to be fine now.
Funny how they can get on the server with an aimbot with PBBans streaming, and when they get banned by an admin they can just unban themselves and ban others and hack the server..... very very sad people


Yep. Very sad actually. And they are more than one person, I think. At least one of their friends once told here in this forum about them. One of them is from Germany. He has friends using the same tool. It's probably a modified rconstealer tool, but I'm not sure. They unban themselves by telling their friends, who are not banned, to join this server, set a new rcon and then do an unban on them. That's the only trick.

About hax: even PBBans can't detect all cheats.

Also they are constantly hacking 2.55 jaymod servers that I know of. There are many many many complaints about these persons, even in the SD forum. Well, at least I think so; maybe once in a while there are some other noobs hacking a server, but in most of the cases I'm sure that it's this one crew raging and destroying servers.

But nice that it worked.
limewire1988
Well, server got hacked again. Not sure if it's the same person or not, but he deleted levels, turned FF on and the bots were acting weirdly. He always seems to target in the morning. Re-done the RCON many times, some of which are unguessable, but I think my server is being targeted big time.

His nicks have been 'wait while loading' and today it was 'wait while reloading'.

IP: 82.155.231.xxx, 82.155.230.xxx
guid: 87dee4601a06fcdc975ccaa02da3ea2d

I got his IP and guid. What can I do with this sort of info? (much of a server noob here)
qualmi
Well. It can always be that he is using some super duper brand new tool and maybe found some bug deep inside the engine. But as far as I see (I joined your server today) you still have votes on. Start match and antilag are still enabled. Try turning them off and see what happens. And of course get yourself a new rcon again.
Terror Time
Start match and Anti-lag can't be disabled due to a bug.
Terror Time
Sorry for double post.

Some things you can do to protect yourself are here:

QUOTE ("BlackWolf")
Below are details of preventative measures you can take in order to prevent malicious players from taking control of, or 'crashing', your Wolfenstein: Enemy Territory game server. Some are version specific, others are not.

Quake 3 Download Exploit - Versions vulnerable: 2.55, 2.56, 2.60

The Exploit

A bug in the Q3 engine allows a malicious player to download any file from the server, providing they know the file name. As an example, the malicious player will attempt to download 'server.cfg', which contains your RCON and referee passwords. These can then be used to take full control over your server.

Preventative Measures

There are several ways to prevent a malicious player from gaining access to your server's passwords via this method:

1. Disable downloads: Disabling downloads will prevent the malicious player from using the exploit, thus preventing the passwords being obtained.

2. Rename server.cfg: Renaming your server.cfg to something unguessable (such as oaskldj239U8SDHKA89uekl.cfg) will prevent the malicious player from being able to download your configuration files and passwords.*

3. Set RCON password in start-up line: By setting your server's RCON password in the start-up line, your server's configuration file will no longer need to contain your server's password.

* Note that other files on your server may contain your rcon password (such as configuration files for etadmin_mod). These should also be renamed for maximum security.

Quake 3 Engine 'Oversize Infostring' exploit - Versions vulnerable: 2.55, 2.56, 2.60

The Exploit

A malicious player can shut down or crash a game server, as the Q3 engine has problems handling large queries. If your server is attacked via this method, the following will be present in your console log file:

ERROR: Info_SetValueForKey: oversize infostring

Preventative Measures

Fortunately, it is possible to completely prevent this issue from occurring by patching the server's etded.x86 (Linux) or etded.exe (Windows). A patch (q3infofix.zip) is attached to the end of this post.**

** Your server host may already have applied this fix. If not, most hosts will be willing to do this for you.

/callvote Exploit - Versions vulnerable: 2.55, 2.56, 2.60, 2.60b

The Exploit

The exploit allows a malicious user to execute any command via the /callvote command. The vote must pass for the command to be executed.

Preventative Measures

There are several ways to prevent this exploit from being used on your server:

1. Disable voting: The simple solution is to disable voting. If a vote cannot be called and passed, commands cannot be executed via this method.

2. Use the latest mod version: Several mod developers are integrating fixes into their mods (ETPub 0.9.0 nightly includes this fix). Check the mod developers' web sites / change logs to see if the exploit is patched.

For ETPro, the combinedfixes.lua module patches the exploit and is attached to this post (combinedfixes.zip).

Fake Players DOS Attack - Versions vulnerable: 2.55, 2.56, 2.60, 2.60b

The Exploit

A malicious player can fill a server with 'fake' players. This prevents 'real' players from being able to join.

Preventative Measures

1. Mods preventing the exploit: Some mods (generally later versions) include fixes such as limiting the number of connections from a single IP address. Later ETPub versions include this. Check the mod websites / change logs to see if the exploit is fixed.

2. ETPro LUA module: For ETPro only, the combinedfixes LUA module prevents the fake players DOS attack. The combinedfixes LUA module is attached to this post (combinedfixes.zip).

/ws Exploit - ETPRO ONLY! - Versions vulnerable: 2.55, 2.56, 2.60, 2.60b

The Exploit

The /ws command in the ETPro mod can be used to crash servers and / or obtain information such as server passwords.

Preventative Measures

Running the combinedfixes lua module prevents this exploit. The lua module is attached to this post (combinedfixes.zip).

etadmin_mod Exploits - ETADMIN_MOD ONLY! - Versions vulnerable: 2.55, 2.56, 2.60, 2.60b

The Exploit

Certain names will allow malicious players to gain administrator control over your server via etadmin_mod.

Preventative Measures

Find the following in bin/etadmin_mod.pl:

CODE
    elsif ( index( $line, "Userinfo" ) == 0 )
    {

        #$line =~ /cl_guid\\([^\\]*)\\.*name\\([^\\]*)\\.*\\/; #ip\\(\d+\.\d+\.\d+\.\d+):\+\\/;
        my $rhash           = &parse_userinfo($line);
        my $guid            = $$rhash{'cl_guid'};
        my $name            = &strip_name( $$rhash{'name'} );
        my $ip              = $$rhash{'ip'};
        my $custom_password = $$rhash{'hp_password'};
        my $custom_exec     = $$rhash{'hp_logincmd'};
        my $greeting        = $$rhash{'hp_greeting'};

        $kick = "";
        $ip =~ s/:.*$//;

        $over_ip      = $ip;
        $over_guid    = $guid;
        $over_name    = $name;
        $ready{$guid} = time;


Replace it with:

CODE
    elsif ( index( $line, "Userinfo" ) == 0 )
    {

        #$line =~ /cl_guid\\([^\\]*)\\.*name\\([^\\]*)\\.*\\/; #ip\\(\d+\.\d+\.\d+\.\d+):\+\\/;
        my $rhash           = &parse_userinfo($line);
        my $guid            = $$rhash{'cl_guid'};
        my $name            = &strip_name( $$rhash{'name'} );
        my $ip              = $$rhash{'ip'};
        my $custom_password = $$rhash{'hp_password'};
        my $custom_exec     = $$rhash{'hp_logincmd'};
        my $greeting        = $$rhash{'hp_greeting'};

        $kick = "";
        $ip =~ s/:.*$//;

        # START: Lucel's admin steal fix....
        if ( $$rhash{'name'} =~ /.+\^$/ )
        {
            &log("Kicked $name. Has trailing caret in their name, can be used to hack etadmin mod!");
            $kick = "You have an invalid name! Please remove the last character!";
            next;
        }
        # END: Lucel's admin steal fix....

        $over_ip      = $ip;
        $over_guid    = $guid;
        $over_name    = $name;
        $ready{$guid} = time;


---------------------------------------------------------
Credits:
---------------------------------------------------------
Luigi Auriemma
/dev/humancontroller
ReyalP
SNL Lucel
---------------------------------------------------------

Downloads:

ETPro Combined Fixes LUA Plugin
Q3 Info Fix
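As an added illustration (not code from this thread, from BlackWolf's guide or from etadmin_mod, which is written in Perl), here is a small Python log scanner that applies two of the checks the guide above describes: it flags the "oversize infostring" console error, and it applies the trailing-caret name test from Lucel's etadmin_mod fix to "Userinfo" lines. The sample log lines, IPs and guids are constructed for the example, and the colour-code stripping is an assumption about what a strip_name routine does.

```python
import re

# Constructed sample console log lines (format, IPs and guids made up for this
# example; etadmin_mod likewise looks at lines that begin with "Userinfo").
SAMPLE_LOG = r"""Userinfo: \ip\10.0.0.5:27960\name\^1Player^\cl_guid\0123456789ABCDEF0123456789ABCDEF
Userinfo: \ip\10.0.0.6:27960\name\^2Normal^7Name\cl_guid\FEDCBA9876543210FEDCBA9876543210
ERROR: Info_SetValueForKey: oversize infostring
Userinfo: \ip\10.0.0.7:27960\name\Plain\cl_guid\00000000000000000000000000000000
"""

# Console message the guide says appears when the oversize-infostring bug is hit.
OVERSIZE_MARKER = "ERROR: Info_SetValueForKey: oversize infostring"


def parse_userinfo(info):
    """Turn a Q3 userinfo string (\\key\\value\\key\\value...) into a dict."""
    parts = info.strip().split("\\")
    if parts and parts[0] == "":          # the string starts with a backslash
        parts = parts[1:]
    return {parts[i]: parts[i + 1] for i in range(0, len(parts) - 1, 2)}


def strip_name(name):
    """Remove ^N colour codes (assumed behaviour of a strip_name helper)."""
    return re.sub(r"\^.", "", name)


def has_trailing_caret(raw_name):
    """The test from Lucel's fix: a name that ends in a lone caret."""
    return re.search(r".+\^$", raw_name) is not None


def scan_log(text):
    """Return findings as tuples (kind, ...details) in log order."""
    findings = []
    for line in text.splitlines():
        if line.startswith(OVERSIZE_MARKER):
            findings.append(("oversize_infostring", line))
        elif line.startswith("Userinfo"):
            fields = parse_userinfo(line.split(":", 1)[1])
            ip = fields.get("ip", "").split(":")[0]    # drop the port, like s/:.*$//
            raw_name = fields.get("name", "")
            if has_trailing_caret(raw_name):
                findings.append(("trailing_caret", ip, strip_name(raw_name),
                                 fields.get("cl_guid", "")))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Running it against a real etded console log would point an admin at both the crash attempts and the players whose names the patched etadmin_mod would kick.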
limewire1988
Hey

Thanks for the help.....

I have fully disabled voting on the server and I asked my host if I can get QMM and its bugfixes installed.

Since then it's been working like a charm....

Thanks for the tips.
Terror Time
Good luck. :)