[SilentBr]

Mates, my server was hacked and I need help as soon as possible.

It's 00: 30 AM here, my ZR server was full 42/42 and suddenly the map changed to de_dust2. Immediately I knew it was hacker because was server was hacking every day by Mani Admin plugin, I disabled it to try avoid this, but I was wrong. The hacker could get my server by sourcemod.

Immediatelly I got Log from HLSW Look:

PHP Code:

00:06:57 L 01/05/2012 - 23:50:25: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:25: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:25: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:25: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:26: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:26: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:26: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:26: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:27: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:27: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:27: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:06:57 L 01/05/2012 - 23:50:27: rcon from "201.41.88.145:64439": command "say SourceMod 1.4.0 Injector : By Rod286 !"
00:07:07 L 01/05/2012 - 23:50:35: rcon from "201.41.88.145:64439": command "say Own3D!"
00:07:24 L 01/05/2012 - 23:50:52: rcon from "201.41.88.145:64439": command "sv_cheats 1"
00:07:30 L 01/05/2012 - 23:50:57: rcon from "201.41.88.145:64439": command "sm_noclip @all"
00:07:44 L 01/05/2012 - 23:51:12: rcon from "201.41.88.145:64439": command "sm_map zm_base_day_Se" 


After this, he started kick everyone.

In the folder "logs" by css I just found this

PHP Code:

L 01/05/2012 - 23:54:41: rcon from "201.41.88.145:64450": Bad Password 


I use as protection:
SMAC
Rcon Exploit
ServerSecure
DAF
And a difficult rcon_password with "a A $ ! *&% 1"

Please someone help me. How do I protect my server?
Is there any .cfg file that he could change (maybe to put him admin access)?

I banned his IP so he'll think the server is offline. But not sure how many time my server will be safe.

PS: I use sourcebans.

Please help me

[Afronanny]

Do you have your rcon password set in server.cfg? If so, moving it to the command line would be beneficial to security. Locking down rcon with iptables so that only a select few IP addresses will also help.

Although, ever since sm_rcon started putting the log spew into the client console, the need for rcon has been virtually eliminated, save for a select few external applications such as HLSW and SourceBans.
ducks

[SilentBr]

Quote:

Originally Posted by Afronanny Do you have your rcon password set in server.cfg? If so, moving it to the command line would be beneficial to security. Locking down rcon with iptables so that only a select few IP addresses may even attempt rcon.

Yes, my rcon_password is in server.cfg. I'll ask to the company move to command line.
What about if the company BLOCK rcon connections for everyone, what do you think? I don't care if I don't have acces

Now is 01: 14 AM the company only opens at 03: 00 PM. I need a way to protect my server while this.

What is Sourcemod Injector? How is possible this hacker doing this?

I installed right now this plugin in my server [ANY] Rcon Password Protect http://forums.alliedmods.net/showthread.php?p=1414157

Thank you.

[Afronanny]

I have not heard of this particular exploit tool, but it's quite likely that it is the old Upload/Download exploit that valve does not want to fix. If you can remove the rcon password from server.cfg, he won't be able to download it.
ducks

[Nolongerinthegame]

Quote:

Originally Posted by Afronanny I have not heard of this particular exploit tool, but it's quite likely that it is the old Upload/Download exploit that valve does not want to fix. If you can remove the rcon password from server.cfg, he won't be able to download it. ducks

I thought server secure was supposed to fix the upload/download exploit

[SilentBr]

Quote:

Originally Posted by nelioneil I thought server secure was supposed to fix the upload/download exploit

I thought the same, but I guess ServerSecure need some fixes. It's loaded ok but didn't stop that hacker

PHP Code:

[03] Server Secure - Files Only (1.0.0): The finest defence 


[Larsen]

Quote:

Originally Posted by Afronanny Do you have your rcon password set in server.cfg? If so, moving it to the command line would be beneficial to security. Locking down rcon with iptables so that only a select few IP addresses will also help. ducks

How would one do this? Just append this to the existing one? -rcon password?

[asherkin]

ServerSecure can't be bypassed to download a config file, it's considerably more likely you're running an outdated version of SourceBans which has known, public vulnerabilities and the attacker just pulled your rcon password from SourceBans.

[Despirator]

or maybe you are running infected plugin

[MindeLT]

use zblock, and forget about problems.