AlliedModders

AlliedModders (https://forums.alliedmods.net/index.php)
-   General (https://forums.alliedmods.net/forumdisplay.php?f=7)
-   -   my server got hacked or got a backdoor?... (https://forums.alliedmods.net/showthread.php?t=67273)

hoboman 02-19-2008 19:36

my server got hacked or got a backdoor?...
 
now I don't know what is going on, on my server now, but yesterday somehow some guys from the "dna" clan came onto the server and started kicking everyone...

I checked the users.ini and none of them are admins...I checked the amxx admin logs and no kicking commands were logged...

this was actually reported to me by one of my admins ( who had immunity btw ) who they kept on repeatedly kicking...
I checked the server logs and got suspicious too...

look at these console kicks:
Code:

L 02/18/2008 - 13:41:10: Kick: "O.C Naranjero<355><STEAM_0:0:8287189><>" was kicked by "Console"
L 02/18/2008 - 13:41:10: "O.C Naranjero<355><STEAM_0:0:8287189><CT>" disconnected
.
.
.
L 02/18/2008 - 13:41:35: Kick: ".::AMS::.TheyHaveAwps<361><STEAM_0:0:18079190><>" was kicked by "Console"
L 02/18/2008 - 13:41:35: ".::AMS::.TheyHaveAwps<361><STEAM_0:0:18079190><CT>" disconnected
.
.
.
L 02/18/2008 - 13:42:11: Kick: "O.C Naranjero<376><STEAM_0:0:8287189><>" was kicked by "Console"
L 02/18/2008 - 13:42:11: "O.C Naranjero<376><STEAM_0:0:8287189><CT>" disconnected
.
.
.
L 02/18/2008 - 13:42:35: Kick: "O.C Naranjero<377><STEAM_0:0:8287189><>" was kicked by "Console"
L 02/18/2008 - 13:42:35: "O.C Naranjero<377><STEAM_0:0:8287189><CT>" disconnected
.
.
.

...at the end the three guys who were suspected of doing this just got kicked ( probably kicked themselves ) and the kickings stopped:
Code:

L 02/18/2008 - 13:44:28: Kick: "dna Nick<334><STEAM_0:0:13749269><>" was kicked by "Console"
L 02/18/2008 - 13:44:28: "dna Nick<334><STEAM_0:0:13749269><TERRORIST>" disconnected
L 02/18/2008 - 13:44:32: Kick: "dna drop<365><STEAM_0:1:7260443><>" was kicked by "Console"
L 02/18/2008 - 13:44:32: "dna drop<365><STEAM_0:1:7260443><CT>" disconnected
L 02/18/2008 - 13:44:36: "I <3 Yo Momma<379><STEAM_0:1:16210178><>" entered the game
L 02/18/2008 - 13:44:36: Kick: "dna silk<380><STEAM_0:1:4498532><>" was kicked by "Console"
L 02/18/2008 - 13:44:36: "dna silk<380><STEAM_0:1:4498532><>" disconnected

the same damn "was kicked by "Console"" kept popping up again and again in the logs, but I know for a fact that I have never ever told anyone rcon so I don't know what the hell is going on...

for now I just disabled the rcon altogether, until I can figure it out...there are 3 things that could have happened in my opinion.

a.) there is an amxx backdoor somewhere
b.) maybe my server host got hacked and the rcons got leaked somehow...but I am hosted by NuclearFallout
c.) someone hacked my server...but that would be pretty strange because according to psychostats none of those 3 guys have played on my server before this, so they would not have any reason to hack me


...and that just leaves me with a.)

YamiKaitou 02-19-2008 19:38

Re: my server got hacked or got a backdoor?...
 
There is no AMXx backdoor. Do you happen to use UAIO?

hoboman 02-19-2008 19:43

Re: my server got hacked or got a backdoor?...
 
almost forgot to mention this...I looked up that dna slick guy's IP and it turns out that he was playing all the way from Florida ( my server is located in LA )...
now why the hell would someone join a server that is located that far ( they'd get a shitty ping ) from them unless they didn't come to play CS at all...

hoboman 02-19-2008 19:45

Re: my server got hacked or got a backdoor?...
 
Quote:

Originally Posted by YamiKaitou (Post 587261)
There is no AMXx backdoor. Do you happen to use UAIO?

yeah I saw that topic...don't have to warn me about it and I don't use UAIO...maybe it is another one of the amxx plugins then that has the backdoor?

I am using amxx 1.8 and these are the plugins that I am running:
Code:

; AMX Mod X plugins

; Admin Base - Always one has to be activated
admin.amxx        ; admin base (required for any admin-related)
;admin_sql.amxx        ; admin base - SQL version (comment admin.amxx)

; Basic
admincmd.amxx        ; basic admin console commands
adminhelp.amxx    ; help command for admin console commands
;adminslots.amxx    ; slot reservation
;multilingual.amxx    ; Multi-Lingual management

; Menus
menufront.amxx        ; front-end for admin menus
cmdmenu.amxx        ; command menu (speech, settings)
plmenu.amxx            ; players menu (kick, ban, client cmds.)
;telemenu.amxx        ; teleport menu (Fun Module required!)
;mapsmenu.amxx        ; maps menu (vote, changelevel)

; Chat / Messages
adminchat.amxx        ; console chat commands
antiflood.amxx        ; prevent clients from chat-flooding the server
;scrollmsg.amxx        ; displays a scrolling message
;imessage.amxx        ; displays information messages
adminvote.amxx        ; vote commands

; Map related
;nextmap.amxx        ; displays next map in mapcycle
;mapchooser.amxx    ; allows to vote for next map
;timeleft.amxx        ; displays time left on map

; Configuration
;pausecfg.amxx        ; allows to pause and unpause some plugins
statscfg.amxx        ; allows to manage stats plugins via menu and commands

; Counter-Strike
restmenu.amxx        ; restrict weapons menu
statsx.amxx        ; stats on death or round end (CSX Module required!)
;miscstats.amxx        ; bunch of events announcement for Counter-Strike
;stats_logging.amxx    ; weapons stats logging (CSX Module required!)



; Custom - Add 3rd party plugins here
amx_exec.amxx
bullet_damage.amxx debug
;servershutdown.amxx
admin_allinone.amxx
amx_hpk.amxx
repay.amxx
amx_cvarguard.amxx
afkkicker.amxx
ptb.amxx
round_money.amxx
ad_manager.amxx
realnadedrops.amxx
descriptive_fire_in_the_hole.amxx
amx_parachute.amxx
admin_spec_esp.amxx
amx_gore_ultimate.amxx
ultimate_sounds.amxx
;f_ultimate_sounds.amxx
speeds.amxx
breakable_doors.amxx
assault_vent_fix.amxx
fakefull_original.amxx
loadingsounddir.amxx
;flashbang_dlight.amxx
;grenade_trail.amxx
;drunkdrug.amxx
showndead_bug_fix.amxx
;hats.amxx
adminlisten.amxx


YamiKaitou 02-19-2008 19:47

Re: my server got hacked or got a backdoor?...
 
Chances are he is using rcon to do it. I would disable all 3rd party plugins and see if it still happens. Also change all passwords on the server, starting with FTP first.

hoboman 02-19-2008 20:23

Re: my server got hacked or got a backdoor?...
 
Quote:

Originally Posted by YamiKaitou (Post 587265)
Chances are he is using rcon to do it. I would disable all 3rd party plugins and see if it still happens. Also change all passwords on the server, starting with FTP first.

well yeah....like I said, I disabled the rcon already...it has only happened once and maybe they won't be back for a while, but I still wanna know how the hell they were kicking people because I have never told my rcon to ANYONE

maybe I should go bug the NuclearFallout staff now :p

Brad 02-19-2008 21:50

Re: my server got hacked or got a backdoor?...
 
Did you get any of the plugins from somewhere other than this site? Presumably you have the source for each?

kp_uparrow 02-19-2008 22:49

Re: my server got hacked or got a backdoor?...
 
amx_mode?

s3r 02-20-2008 01:51

Re: my server got hacked or got a backdoor?...
 
I think they used rcon cus your rcon length has to be 6< someone said that if rcon length is >6 there is a trick,,, but its only my opinion ;)

TheNewt 02-20-2008 02:09

Re: my server got hacked or got a backdoor?...
 
You mean it is only what you heard... Not your opinion... lol

SomeoneS 02-20-2008 09:48

Re: my server got hacked or got a backdoor?...
 
you cannot disable rcon! set it to a cryptic pass, if you don't want to use it.

if u set rcon (what i think) to rcon_password "" then it's free for all.
most tools have problem with an empty password, so u can think that u disabled it.
but try the ingame console :P

hoboman 02-20-2008 16:10

Re: my server got hacked or got a backdoor?...
 
Quote:

Originally Posted by Brad (Post 587297)
Did you get any of the plugins from somewhere other than this site? Presumably you have the source for each?

no

Quote:

amx_mode?
no idea what that is, so it is probably the default


Quote:

I think they used rcon cus your rcon length has to be 6< someone said that if rcon length is >6 there is a trick,,, but its only my opinion ;)
but is this even a fact?
my rcon length was well over 6...

Roach 02-20-2008 16:13

Re: my server got hacked or got a backdoor?...
 
Never seen those names before in my research when looking for the original backdoor.

You got me on that one hombre. All of those kicks, however, look like rcon console kicks, and not amxx kicks.

YamiKaitou 02-20-2008 17:11

Re: my server got hacked or got a backdoor?...
 
If you are using GameServers.com as your host (assuming because of the GameTracker banner), look in your gsconsole.log file for rcon logins. This file gets overwritten every time you press the Restart Server button in the Members Area.

Otherwise, it may be logging it to the general HLDS logs, just maybe.


But yeah, those kicks are definitely rcon kicks.

bmann_420 02-20-2008 22:46

Re: my server got hacked or got a backdoor?...
 
I believe he mentioned Nuclear Fallout as the host.

Jellric 02-23-2008 14:08

Re: my server got hacked or got a backdoor?...
 
I can almost guarantee you it's rcon. You don't have to give it out for someone to get your rcon password. The password is sent out over the internet in plain text (unencrypted) every time rcon is used. Someone with an rcon sniffer program can easily intercept that traffic and read your password. Then, using a program such as HLSW, take remote control of your server. It has happened to me before.

The only solution in this case is to remove the rcon password for a few days or more by setting rcon_password "". If you feel sure those guys were the ones hacking your server, ban them.

If they are using a packet sniffer, changing the password to something more complex won't help for the reason I mentioned.

If you ban them, be sure to ban them by IP address also. Otherwise they could remotely remove themselves from your ban list. Banning their IP will keep them from using a remote program such as HLSW. Your server won't even show up on their steam servers list anymore.

[X]-RayCat 02-26-2008 17:30

Re: my server got hacked or got a backdoor?...
 
How about vote? It may sound stupid (I'm stupid)... ^^

hoboman 02-28-2008 15:21

Re: my server got hacked or got a backdoor?...
 
Quote:

Originally Posted by [X]-RayCat (Post 590199)
How about vote? It may sound stupid (I'm stupid)... ^^

if it was a vote it would have been logged in the amxx admin logs...and it wasn't

After doing some googling it turns out that Jellric is probably correct about what has happened here...I had no idea that it was that easy to get a hold of the rcon

YamiKaitou 02-28-2008 15:24

Re: my server got hacked or got a backdoor?...
 
There is a votekick and a voteban command that comes with HL that anyone can use.

cs1.6 03-03-2008 20:37

Re: my server got hacked or got a backdoor?...
 
hi,

i want to contribute to security of the forum members and so i would like to say something, as well.

It seems to me that nowadays a lot of these kind of things are happening. I would in my humble opinion/guess say that i assume some kind of 'rcon sniffer program' has been made available for abuse. I am sure this has happened to a lot of ppl, just that they have not realized it. Shortly ago i experienced the exact same thing. Obviously someone respectively several ppl are using this program to hack the console password.

I have luckily one copy of those messages still in my notes.

Code:

Bad Rcon from 74.138.253.184:49786:
rcon 2079285343 "amber"  status

I had for a short time a lot of similar messages in the console. If i remember right, it was always the same command (status) just with a different user name. Note that all those messages had a female name in them, like 'amy' 'jessica' and the like which points out the fishy nature of the whole thing. And also there was no player with these kind of names on the server!! which would indicate a remote program/scanner/person.

bye :)
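A defender-side log check, added here as an example and not from any post in this thread: it parses the two HLDS log formats quoted above (the "was kicked by "Console"" lines and the "Bad Rcon from" rejections), flags bursts of kicks issued by "Console", and lists source IPs that cycled through several different rcon passwords. The log lines, player names, SteamIDs and IP addresses are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the two HLDS log formats quoted in this thread; names, SteamIDs and IPs are made up.
SAMPLE_LOG = """\
L 02/18/2008 - 13:41:10: Kick: "Player One<355><STEAM_0:0:1111><>" was kicked by "Console"
L 02/18/2008 - 13:41:35: Kick: "Player Two<361><STEAM_0:0:2222><>" was kicked by "Console"
L 02/18/2008 - 13:42:11: Kick: "Player One<376><STEAM_0:0:1111><>" was kicked by "Console"
L 02/18/2008 - 13:50:00: Kick: "Player Three<390><STEAM_0:0:3333><>" was kicked by "Admin"
Bad Rcon from 203.0.113.7:49786:
rcon 2079285343 "amber"  status
Bad Rcon from 203.0.113.7:49790:
rcon 2079285344 "jessica"  status
Bad Rcon from 198.51.100.9:30000:
rcon 2079285345 "amber"  status
"""

KICK_RE = re.compile(r'^L (\d\d/\d\d/\d{4}) - (\d\d:\d\d:\d\d): Kick: ".*<STEAM_[^>]*><[^>]*>" was kicked by "(?P<who>[^"]+)"')
BADRCON_RE = re.compile(r'^Bad Rcon from (\d{1,3}(?:\.\d{1,3}){3}):\d+:')  # header line with source ip:port
RCON_CMD_RE = re.compile(r'^rcon (\d+) "([^"]*)"\s+(.*)$')  # next line: challenge, password tried, command

def console_kick_bursts(log, window=timedelta(minutes=2), threshold=3):
    """[(first_kick_time, count)] for runs of >= threshold kicks by "Console" (rcon/server console, not an admin plugin)."""
    times = []
    for line in log.splitlines():
        m = KICK_RE.match(line)
        if m and m.group("who") == "Console":
            times.append(datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S"))
    bursts, i = [], 0
    while i < len(times):  # greedy run: extend while the next kick is still inside the window
        j = i
        while j + 1 < len(times) and times[j + 1] - times[i] <= window:
            j += 1
        if j - i + 1 >= threshold:
            bursts.append((times[i], j - i + 1))
        i = j + 1
    return bursts

def bad_rcon_sources(log):
    """Map source IP -> set of distinct passwords seen in rejected rcon requests."""
    tried, lines = {}, log.splitlines()
    for idx, line in enumerate(lines):
        m = BADRCON_RE.match(line)
        if m and idx + 1 < len(lines) and (cmd := RCON_CMD_RE.match(lines[idx + 1])):
            tried.setdefault(m.group(1), set()).add(cmd.group(2))
    return tried

def guessing_sources(log, min_distinct=2):
    """IPs that tried several different passwords: a dictionary run rather than a mistyped admin."""
    return sorted(ip for ip, pws in bad_rcon_sources(log).items() if len(pws) >= min_distinct)
```

A single rejected request is usually an admin mistyping; one address trying many names in a row, as in cs1.6's console messages, is the pattern worth banning by IP.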

hoboman 03-05-2008 23:39

Re: my server got hacked or got a backdoor?...
 
Quote:

Originally Posted by YamiKaitou (Post 590955)
There is a votekick and a voteban command that comes with HL that anyone can use.

ah, thx for reminding me about that...at least those are easy to disable; however, those guys really did have my rcon as they kicked each other at the very end

cs1.6: ay, the rcon sniffer is probably some private copy or something ( even though I heard it is super easy to make it: http://seclists.org/bugtraq/2003/Sep/0287.html ) cause I didn't have any luck googling it...and btw, those guys didn't use hlsw

and yeah...fuck the HL developers and their unsafe rcon. I disabled mine ( set it to ""), so this nasty incident doesn't happen again

Jellric 03-06-2008 00:49

Re: my server got hacked or got a backdoor?...
 
Quote:

and yeah...fuck the HL developers and their unsafe rcon. I disabled mine ( set it to ""), so this nasty incident doesn't happen again
Tell me about it. The advantage is totally on the cheaters side with our games we love. You have to research on your own to catch just a few cheaters while the rest run wild.

Acerman23 03-07-2008 22:14

Re: my server got hacked or got a backdoor?...
 
Maybe, they all went on the same team, and in console they type votekick and it shows a number of that person so all 3 of them probably typed votekick 431 < for example and probably got kicked.

cs1.6 03-28-2008 17:13

Re: my server got hacked or got a backdoor?...
 
talking of the devil: :)

Maybe interesting for server admins :)

|PJ| Shorty 03-28-2008 20:20

Re: my server got hacked or got a backdoor?...
 
do you use fastdownload?
i saw some people, who had all cfg files also on the fastdownload server...

cs1.6 03-28-2008 20:49

Re: my server got hacked or got a backdoor?...
 
Quote:

Originally Posted by |PJ| Shorty (Post 603513)
do you use fastdownload?
i saw some people, who had all cfg files also on the fastdownload server...

interesting post :)

yea u gotta watch out for those little things. :)

rudle 03-29-2008 05:31

Re: my server got hacked or got a backdoor?...
 
Block vote kick and vote ban in a amxx plugin. :)

PHP Code:

/* Plugin generated by AMXX-Studio */

#include <amxmodx>

public plugin_init()
{
    register_plugin("block vote kick & vote ban", "eldur", "rudle")

    // A command string with a space hooks the client command "vote" with that first argument
    register_clcmd("vote kick", "cmd_votekick")
    register_clcmd("vote ban", "cmd_voteban")
}

public cmd_votekick(id)
{
    client_print(id, print_center, "[ACCESS Denied]")
    return PLUGIN_HANDLED_MAIN   // stop the command here so the engine never starts the vote
}

public cmd_voteban(id)
{
    client_print(id, print_center, "[ACCESS Denied]")
    return PLUGIN_HANDLED_MAIN
}

It should work if not then the scripters can have a go :)

sawce 03-30-2008 00:45

Re: my server got hacked or got a backdoor?...
 
Issue resolved to insecure rcon password; closed.

