deadlyruler 11-12-2011 10:41

Solve this Exploit Allied Modders
 
Beforehand I would just like to let you know that I have tried all plugins (kigen, daf, rcon_lock, forlixfloodcheck, smac (and all the plugins that come with it including client protection), zblock) and have even resorted to whitelisting certain ConVars. Although I've tried all that, this exploit still has the ability to crash my server and re-crash it on restart.

Here is an example Logging on what this attack looks like -
http://pastebin.com/D9x6FR4A (too big for this post)

Now these bots rejoin over 1000 times in 1 second, they generate random characters, and when I ban an IP address it automatically switches over to a new one.

Not only this, but no steamids show up when the bots rejoin. (I have managed to catch a steamid or two but banning the steamid doesn't help.) When the server restarts the bots automatically rejoin once again, continually crashing the server.

(Yes I have added css anti-rejoin and other plugins the like) Please help me get this taken care of, I own some pretty popular servers and have run out of ideas on what to do.

If you need more information here is a KAC Log of the attack.
http://pastebin.com/vfmc8hMz

(Please also note that this exploit was created by HaloShadoW)

psychonic 11-12-2011 10:58

Re: Solve this Exploit Allied Modders
 
https://forums.alliedmods.net/showthread.php?t=171668

deadlyruler 11-12-2011 11:04

Re: Solve this Exploit Allied Modders
 
Here is a dump of sm plugins list

30 "SourceMod Anti-Cheat" (0.7.3.0) by GoD-Tony, psychonic

(Please note these plugins are running and my server is still vulnerable)

31 "SMAC Client Protection" (0.7.3.0) by GoD-Tony, psychonic, Kigen
32 "SMAC CS:S Anti-Rejoin" (0.7.3.0) by Kigen

GoD-Tony 11-12-2011 12:08

Re: Solve this Exploit Allied Modders
 
I have to ask, what is the value of your smac_antispam_connect cvar set to? (SMAC and KAC had this disabled by default)

Quote:

Originally Posted by deadlyruler (Post 1595280)
32 "SMAC CS:S Anti-Rejoin" (0.7.3.0) by Kigen

This doesn't do what you think it does.

Quote:

Originally Posted by deadlyruler (Post 1595265)
Here is an example Logging on what this attack looks like -
http://pastebin.com/D9x6FR4A (too big for this post)

I may be wrong here but this doesn't look like the standard server log.

deadlyruler 11-12-2011 12:29

Re: Solve this Exploit Allied Modders
 
"smac_antispam_connect" = "1" min. 0.000000
- [smac_client.smx] Seconds to prevent someone from restablishing a connection. (0 = Disabled)

We have our own proprietary plugins for logging, for some reason this attack was not showing up in the normal sm command logs, although we were able to see it in console logs, but recently disabled -condebug because of creation of such large files. I can re-enable it, wait for another attack, and send you the console logs if you want.

deadlyruler 11-12-2011 12:30

Re: Solve this Exploit Allied Modders
 
Honestly, if my server keeps getting attacked I would be willing to let you have access to the server and try to patch this exploit. I have just run out of ideas.

GoD-Tony 11-12-2011 12:33

Re: Solve this Exploit Allied Modders
 
How often is your server getting crashed this way?

Quote:

Originally Posted by deadlyruler (Post 1595323)
but recently disabled -condebug because of creation of such large files. I can re-enable it, wait for another attack, and send you the console logs if you want.

That would really help determine if it's the same attack as the other thread or something different. Log the attack and get back to me with the file and I'll take a look.

Quote:

Originally Posted by deadlyruler (Post 1595323)
"smac_antispam_connect" = "1" min. 0.000000
- [smac_client.smx] Seconds to prevent someone from restablishing a connection. (0 = Disabled)

Update to the latest version of SMAC (only need smac.zip and smac_client.smx), and delete your smac.cfg. I'd like to know if any connection spam bans are logged after the next attack.

Fearts 11-12-2011 13:14

Re: Solve this Exploit Allied Modders
 
Don't bother banning IP because in my logs they keep changing every so often. But the SteamIDs stay the same.

Code:

–@@X]G{”մ"<3451><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "L3šf’lUc›‡T*lc
5f!̶<3452><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "L3šf’lUc›‡T*lc
5f!̶<3452><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "!-S’–QsjbfˆEfiipjŸ,<3453><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "!-S’–QsjbfˆEfiipjŸ,<3453><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "ytIŒxGzF™A#vֱG<3454><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "ytIŒxGzF™A#vֱG<3454><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: ":O8ݢj:U\'a4œ+9͡<3455><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: ":O8ݢj:U\'a4œ+9͡<3455><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "r@?nw•šOŸrVNc‚\m†a<3456><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "r@?nw•šOŸrVNc‚\m†a<3456><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "“knl•(eŠAݮty•<3457><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "“knl•(eŠAݮty•<3457><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "BSdY&9dlž[dI4bwL<3458><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "BSdY&9dlž[dI4bwL<3458><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "*•:u/r»i}S9|hatt<3459><STEAM_0:1:41719390><>" connected, address "60.197.109.24:24373"
L 11/03/2011 - 15:24:56: "*•:u/r»i}S9|hatt<3459><STEAM_0:1:41719390><>" disconnected (reason "Connection closing")
L 11/03/2011 - 15:24:56: "@

^Here's what I got. I don't know if it's the same person, but that's his SteamID.


EDIT:

Code:

L 11/10/2011 - 21:12:24: "“uj|‚Ž$q„2ϧPž(3!_<917><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "c.–p.lœlT"    G<918><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "c.–p.lœlT"    G<918><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "†*o4„=x9…€Ÿyx5*Œ‰!<919><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "†*o4„=x9…€Ÿyx5*Œ‰!<919><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "‘2*ʰœ۷gB촿c]ZXC4‰`Pob<920><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "‘2*ʰœ۷gB촿c]ZXC4‰`Pob<920><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "!cZ44“Œ|‰…ˆcŽ)“˜8š†#<921><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "!cZ44“Œ|‰…ˆcŽ)“˜8š†#<921><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "=ŠŒ@BšŽ*8i?*&'a|OŽŠ+z<922><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "=ŠŒ@BšŽ*8i?*&'a|OŽŠ+z<922><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "(\k“6p’c€R>ದ'y0—›,-<923><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "(\k“6p’c€R>ದ'y0—›,-<923><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")
L 11/10/2011 - 21:12:24: "c\<O3wC";!;qC-E}$<924><STEAM_0:1:11902529><>" connected, address "109.165.130.143:6939"
L 11/10/2011 - 21:12:24: "c\<O3wC";!;qC-E}$<924><STEAM_0:1:11902529><>" disconnected (reason "Connection closing")

Here's another from my other server

EDIT2:

And another:

Code:

L 11/01/2011 - 14:28:08: "|*‹8‚– Aag:mblnŸ<6214><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "|*‹8‚– Aag:mblnŸ<6214><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "Iu}<bœ•|}œwVN €<6215><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "Iu}<bœ•|}œwVN €<6215><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "DŒLOˆ;‘OR05Yi8<6216><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "DŒLOˆ;‘OR05Yi8<6216><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "zNl‰B—yv5“=\a<6217><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "zNl‰B—yv5“=\a<6217><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "–B“VIR    O^fš<6218><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "–B“VIR    O^fš<6218><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "#ʻ]K:,˜ix23/uX<6219><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "#ʻ]K:,˜ix23/uX<6219><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "[A3jW4P4V^‡‹竺?iX…<6220><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "[A3jW4P4V^‡‹竺?iX…<6220><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")
L 11/01/2011 - 14:28:08: "ǶD0 <‘„#8›'•| *
<6221><STEAM_0:1:21620883><>" connected, address "88.2.225.59:27005"
L 11/01/2011 - 14:28:08: "ǶD0 <‘„#8›'•| *
<6221><STEAM_0:1:21620883><>" disconnected (reason "Connection closing")

Also these are a little old from 11/3/11 and up. I am not sure if I had anti connection spam loaded or if it even crashed the server at all.

Anyone who wants to ban them, type this into console:

Code:

sm_rcon banid 0 STEAM_0:1:21620883; sm_rcon banid 0 STEAM_0:1:11902529; sm_rcon banid 0 STEAM_0:1:41719390; sm_rcon writeid
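
Added example, not part of any post in this thread and not SMAC's code: a small log scanner that flags the connect/disconnect flood shown in the logs above by counting connects per SteamID per logged second and listing the source addresses each one used. The function name, the threshold and the sample lines (documentation-range IPs, made-up SteamIDs) are constructed for illustration.

```python
import re
from collections import defaultdict

# Timestamp prefix of a Source engine log line: "L MM/DD/YYYY - HH:MM:SS: "
STAMP = re.compile(r'^L (\d\d/\d\d/\d{4} - \d\d:\d\d:\d\d): ')
# Anchored on the END of the record: the player name is client-controlled and
# may hold quotes, angle brackets or line breaks, so it is never parsed.
CONNECT = re.compile(r'<\d+><([^<>]*)><[^<>]*>" connected, '
                     r'address "(\d+\.\d+\.\d+\.\d+):\d+"\s*$')

def find_connect_spam(lines, max_per_second=3):
    """Return {identity: {"peak": n, "ips": set}} for every identity that
    connects more than max_per_second times within one logged second."""
    per_second = defaultdict(int)   # (identity, timestamp) -> connects
    ips = defaultdict(set)          # identity -> source addresses seen
    stamp = None
    for line in lines:
        m = STAMP.match(line)
        if m:                       # no match: tail of a name split by a newline,
            stamp = m.group(1)      # so the previous timestamp still applies
        c = CONNECT.search(line)
        if c is None or stamp is None:
            continue
        steamid, ip = c.groups()
        # Fall back to the address when the log carries no usable SteamID.
        usable = steamid.startswith("STEAM_") and steamid != "STEAM_ID_PENDING"
        identity = steamid if usable else "ip:" + ip
        per_second[(identity, stamp)] += 1
        ips[identity].add(ip)
    peaks = defaultdict(int)
    for (identity, _stamp), n in per_second.items():
        peaks[identity] = max(peaks[identity], n)
    return {i: {"peak": n, "ips": ips[i]}
            for i, n in peaks.items() if n > max_per_second}

# Constructed sample: one normal player, one identity reconnecting four times
# in a second from two addresses, one of its names broken across two lines.
SAMPLE = '''L 11/12/2011 - 10:00:00: "alice<2><STEAM_0:0:2222><>" connected, address "203.0.113.5:27005"
L 11/12/2011 - 10:00:01: "x"q<a<10><STEAM_0:1:1111><>" connected, address "192.0.2.10:24373"
L 11/12/2011 - 10:00:01: "x"q<a<10><STEAM_0:1:1111><>" disconnected (reason "Connection closing")
L 11/12/2011 - 10:00:01: "zz
k<11><STEAM_0:1:1111><>" connected, address "192.0.2.10:24373"
L 11/12/2011 - 10:00:01: "p}w<12><STEAM_0:1:1111><>" connected, address "198.51.100.7:6939"
L 11/12/2011 - 10:00:01: "m#t<13><STEAM_0:1:1111><>" connected, address "198.51.100.7:6939"
'''.splitlines()

if __name__ == "__main__":
    for identity, info in find_connect_spam(SAMPLE).items():
        print(identity, info["peak"], sorted(info["ips"]))
```
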

GoD-Tony 11-12-2011 13:36

Re: Solve this Exploit Allied Modders
 
Quote:

Originally Posted by Fearts (Post 1595348)
Don't bother banning IP because in my logs they keep changing every so often. But the SteamIDs stay the same.

Also these are a little old from 11/3/11 and up. I am not sure if I had anti connection spam loaded or if it even crashed the server at all.

Your log spam looks like the issue discussed over here. Especially with the SteamID and no crashes. Following the instructions there should help block it.

Fearts 11-12-2011 13:58

Re: Solve this Exploit Allied Modders
 
Yeah, I have since then. I don't see what is different about this guy's issue though (except for the fact player steamids don't show, which could be a server side issue).

