my server got hacked or got a backdoor?...
now I don't know what is going on, on my server now, but yesterday somehow some guys from the "dna" clan came onto the server and started kicking everyone...
I checked the users.ini and none of them are admins... I checked the amxx admin logs and no kicking commands were logged... this was actually reported to me by one of my admins (who had immunity btw) who they kept on repeatedly kicking... I checked the server logs and got suspicious too... look at these console kicks:
Code:
02/18/2008 - 13:41:10: Kick: "O.C Naranjero<355><STEAM_0:0:8287189><>" was kicked by "Console"
Code:
L 02/18/2008 - 13:44:28: Kick: "dna Nick<334><STEAM_0:0:13749269><>" was kicked by "Console"
For now I just disabled the rcon altogether, until I can figure it out... There are 3 things that could have happened in my opinion:
a.) there is an amxx backdoor somewhere
b.) maybe my server host got hacked and the rcons got leaked somehow... but I am hosted by NuclearFallout
c.) someone hacked my server... but that would be pretty strange because according to psychostats neither of those 3 guys have played on my server before this, so they would not have any reason to hack me
...and that just leaves me with a.)
Re: my server got hacked or got a backdoor?...
There is no AMXx backdoor. Do you happen to use UAIO?
Re: my server got hacked or got a backdoor?...
almost forgot to mention this...i looked up that dna slick's guy ip and it turns out that he was playing all the way from Florida ( my server is located in LA )...
now why the hell would someone join a server that is located that far ( they'd get a shitty ping ) from them unless they didn't come to play CS at all...
Re: my server got hacked or got a backdoor?...
Quote:
I am using amxx 1.8 and these are the plugins that I am running:
Code:
; AMX Mod X plugins
Re: my server got hacked or got a backdoor?...
Chances are he is using rcon to do it. I would disable all 3rd party plugins and see if it still happens. Also change all passwords on the server, starting with FTP first.
Re: my server got hacked or got a backdoor?...
Quote:
maybe I should go bug the NuclearFallout staff now :p
Re: my server got hacked or got a backdoor?...
Did you get any of the plugins from somewhere other than this site? Presumably you have the source for each?
Re: my server got hacked or got a backdoor?...
amx_mode?
Re: my server got hacked or got a backdoor?...
I think they used rcon cus your rcon length has to be 6< someone said that if rcon length is >6 there is a trick... but it's only my opinion ;)
Re: my server got hacked or got a backdoor?...
You mean it is only what you heard... Not your opinion... lol
Re: my server got hacked or got a backdoor?...
You cannot disable rcon! Set it to a cryptic pass, if you don't want to use it.
If u set rcon (what I think) to rcon_password "" then it's free for all. Most tools have a problem with an empty password, so u can think that u disabled it. But try the ingame console :P
Re: my server got hacked or got a backdoor?...
Quote:
Quote:
Quote:
my rcon length was well over 6...
Re: my server got hacked or got a backdoor?...
Never seen those names before in my research when looking for the original backdoor.
You got me on that one hombre. All of those kicks, however, look like rcon console kicks, and not amxx kicks.
Re: my server got hacked or got a backdoor?...
If you are using GameServers.com as your host (assuming because of the GameTracker banner), look in your gsconsole.log file for rcon logins. This file gets overwritten every time you press the Restart Server button in the Members Area.
Otherwise, it may be logging it to the general HLDS logs, just maybe. But yeah, those kicks are definitely rcon kicks.
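A way to run the log check suggested above over an HLDS log, as an added example that is not part of the original thread: it counts failed rcon attempts per source IP and ties each "Console" kick to the accepted rcon command logged just before it. The `Rcon:` / `Bad Rcon:` line layout, the sample lines, the admin IP and the function names are assumptions constructed for illustration; the password field is parsed but never stored or printed.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (documentation IPs, placeholder password); not from the thread.
SAMPLE_LOG = '''\
L 02/18/2008 - 13:40:02: Bad Rcon: "rcon 1111 "guess1" status" from "198.51.100.7:49786"
L 02/18/2008 - 13:40:05: Bad Rcon: "rcon 1111 "guess2" status" from "198.51.100.7:49786"
L 02/18/2008 - 13:41:09: Rcon: "rcon 2222 "PLACEHOLDER" kick #355" from "198.51.100.7:49790"
L 02/18/2008 - 13:41:10: Kick: "PlayerA<355><STEAM_0:0:1111><>" was kicked by "Console"
L 02/18/2008 - 13:50:00: Rcon: "rcon 3333 "PLACEHOLDER" status" from "192.0.2.10:27005"
L 02/18/2008 - 13:55:30: Kick: "PlayerB<360><STEAM_0:0:2222><>" was kicked by "Console"
'''

STAMP = r'^L (\d\d/\d\d/\d{4} - \d\d:\d\d:\d\d): '
RCON = re.compile(STAMP + r'(Bad Rcon|Rcon): "rcon \S+ "(.*?)" (.*)" from "([\d.]+):\d+"$')
KICK = re.compile(STAMP + r'Kick: "(.+?)<\d+><[^>]*><[^>]*>" was kicked by "Console"$')

def parse_time(s):
    return datetime.strptime(s, "%m/%d/%Y - %H:%M:%S")

def analyze(log_text, admin_ips, window_seconds=5):
    """Return (failed attempts per IP, console kicks with the rcon source that explains them)."""
    failed, accepted, kicks = Counter(), [], []
    for line in log_text.splitlines():
        m = RCON.match(line)
        if m:
            when, kind, _password, command, ip = m.groups()  # password never stored or printed
            if kind == "Bad Rcon":
                failed[ip] += 1
            else:
                accepted.append((parse_time(when), ip, command))
            continue
        m = KICK.match(line)
        if m:
            when, player = parse_time(m.group(1)), m.group(2)
            # Attribute the kick to the latest accepted rcon command just before it.
            near = [a for a in accepted
                    if timedelta(0) <= when - a[0] <= timedelta(seconds=window_seconds)]
            source = near[-1][1] if near else None
            kicks.append({"player": player, "source_ip": source,
                          "known_admin": source in admin_ips})
    return failed, kicks

if __name__ == "__main__":
    failed, kicks = analyze(SAMPLE_LOG, admin_ips={"192.0.2.10"})
    print("failed rcon attempts:", dict(failed))
    for k in kicks:
        print(k)
```

A console kick with `source_ip` set to `None` had no accepted rcon command logged in the window before it, so it came from somewhere other than logged remote rcon (or logging was off at the time).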
Re: my server got hacked or got a backdoor?...
I believe he mentioned Nuclear Fallout as the host.
Re: my server got hacked or got a backdoor?...
I can almost guarantee you it's rcon. You don't have to give it out for someone to get your rcon password. The password is sent out over the internet in plain text (unencrypted) every time rcon is used. Someone with an rcon sniffer program can easily intercept that traffic and read your password. Then, using a program such as HLSW, take remote control of your server. It has happened to me before.
The only solution in this case is to remove the rcon password for a few days or more by setting rcon_password "". If you feel sure those guys were the ones hacking your server, ban them. If they are using a packet sniffer, changing the password to something more complex won't help for the reason I mentioned. If you ban them, be sure to ban them by IP address also. Otherwise they could remotely remove themselves from your ban list. Banning their IP will keep them from using a remote program such as HLSW. Your server won't even show up on their steam servers list anymore.
Re: my server got hacked or got a backdoor?...
How about vote? It may sound stupid (I'm stupid)... ^^
Re: my server got hacked or got a backdoor?...
Quote:
After doing some googling it turns out that Jellric is probably correct about what has happened here...I had no idea that it was that easy to get a hold of the rcon
Re: my server got hacked or got a backdoor?...
There is a votekick and a voteban command that comes with HL that anyone can use.
Re: my server got hacked or got a backdoor?...
hi,
I want to contribute to the security of the forum members and so I would like to say something, as well. It seems to me that nowadays a lot of these kinds of things are happening. I would in my humble opinion/guess say that I assume some kind of 'rcon sniffer program' has been made available for abuse. I am sure this has happened to a lot of ppl, just that they have not realized it. Shortly ago I experienced the exact same thing. Obviously someone, respectively several ppl, are using this program to hack the console password. I have luckily one copy of those messages still in my notes.
Code:
Bad Rcon from 74.138.253.184:49786:bye :)
Re: my server got hacked or got a backdoor?...
Quote:
cs1.6: ay, the rcon sniffer is probably some private copy or something ( even though I heard it is super easy to make it: http://seclists.org/bugtraq/2003/Sep/0287.html ) cause I didn't have any luck googling it...and btw, those guys didn't use hlsw and yeah...fuck the HL developers and their unsafe rcon. I disabled mine ( set it to ""), so this nasty incident doesn't happen again
Re: my server got hacked or got a backdoor?...
Quote:
Re: my server got hacked or got a backdoor?...
Maybe they all went on the same team, and in console they type votekick and it shows a number of that person, so all 3 of them probably typed votekick 431 < for example and probably got kicked.
Re: my server got hacked or got a backdoor?...
Re: my server got hacked or got a backdoor?...
do you use fastdownload?
I saw some people who had all cfg files also on the fastdownload server...
Re: my server got hacked or got a backdoor?...
Quote:
yea u gotta watch out for those little things. :)
Re: my server got hacked or got a backdoor?...
Block vote kick and vote ban in an amxx plugin. :)
PHP Code:
Re: my server got hacked or got a backdoor?...
Issue resolved to insecure rcon password; closed.