Solved Is it possible to ban hackers who spoof their steam IDs?


Psyk0tik
Veteran Member
Join Date: May 2012
Location: Homeless
03-26-2018, 23:39   Is it possible to ban hackers who spoof their steam IDs?   #1

Hey, I'm wondering if it is possible to catch these recent pesky hackers on TF2 who seem to bypass steam authorization by spoofing their steam IDs. When I check the console for their steam ID, they have this as their steam ID: STEAM_ID_STOP_IGNORING_RETVALS

I tried using this method but I feel that it is either unreliable or inefficient.

PHP Code:
public void OnPluginStart()
{
    RegAdminCmd("sm_bancheck", cmdBanCheck, ADMFLAG_KICK, "Automatically checks the server for any hackers with a spoofed Steam ID and bans them.");
}

public void OnClientPostAdminCheck(int client)
{
    iBanCheck(client);
}

public Action cmdBanCheck(int client, int args)
{
    if (args > 0)
    {
        ReplyToCommand(client, "Usage: sm_bancheck");
    }

    // Run the check against every connected client slot
    for (int iPlayer = 1; iPlayer <= MaxClients; iPlayer++)
    {
        if (IsClientConnected(iPlayer))
        {
            iBanCheck(iPlayer);
        }
    }
    return Plugin_Handled;
}

int iBanCheck(int client)
{
    char steamid[64];
    // Read the client's Steam2 ID string into steamid
    GetClientAuthId(client, AuthId_Steam2, steamid, sizeof(steamid));
    // StrContains returns the match position, or -1 when nothing matches
    if (StrContains(steamid, "STEAM_ID_STOP_IGNORING_RETVALS", false) != -1 || StrContains(steamid, "STEAM_ID", false) != -1 || StrContains(steamid, "STEAM_ID_STOP_IGNORING", false) != -1 || StrContains(steamid, "STOP_IGNORING", false) != -1)
    {
        ServerCommand("sm_ban %s 0 \"Banned for hacking.\"", steamid);
    }
    return 0;
}

Any help is appreciated. Thanks!

Last edited by Psyk0tik; 03-27-2018 at 01:29. Reason: Marked as [Solved]
Mitchell
~lick~
Join Date: Mar 2010
03-26-2018, 23:53   Re: Is it possible to ban hackers who spoof their steam IDs?   #2

IP ban them? Also, you have to consider the fact that some players can connect without cheats and get a steamid error.
Psyk0tik
Veteran Member
Join Date: May 2012
Location: Homeless
03-26-2018, 23:57   Re: Is it possible to ban hackers who spoof their steam IDs?   #3

Quote:
Originally Posted by Mitchell
IP ban them? Also, you have to consider the fact that some players can connect without cheats and get a steamid error.
Yeah I was worried about that part. Unfortunately, these hackers also seem to bypass the IP bans. SB can't even seem to detect the IP nor Steam ID of the hacker on any of the servers owned by the community I am a part of.
stickz
Senior Member
Join Date: Oct 2012
Location: Ontario, Canada
03-30-2018, 22:00   Re: Is it possible to ban hackers who spoof their steam IDs?   #4

Quote:
Originally Posted by Crasher_3637
Yeah I was worried about that part. Unfortunately, these hackers also seem to bypass the IP bans. SB can't even seem to detect the IP nor Steam ID of the hacker on any of the servers owned by the community I am a part of.
People often trick their ISP into assigning a new IP address, by spoofing the MAC address on their router. I can do this three times before the lease period is up. Then use another steam account.

ISPs only have a limited number of IP address blocks for a given area. If the first three numbers in the IP address string are the same, this should be a red flag right away. If not, the country, city and ISP could potentially match up, when running the information through a GeoIP database like IP Tracker.

The problem is SB doesn't have a module capable of automatically detecting these things, to warn admins.

Last edited by stickz; 03-30-2018 at 22:02.
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
03-30-2018, 22:19   Re: Is it possible to ban hackers who spoof their steam IDs?   #5

Quote:
Originally Posted by stickz
People often trick their ISP into assigning a new IP address, by spoofing the MAC address on their router. I can do this three times before the lease period is up. Then use another steam account.

ISPs only have a limited number of IP address blocks for a given area. If the first three numbers in the IP address string are the same, this should be a red flag right away. If not, the country, city and ISP could potentially match up, when running the information through a GeoIP database like IP Tracker.
It may work for some providers, but there are also a lot that it doesn't work for.

Yet there are (well: used to be, at least) providers where you get a new address every 24 hours, you could at least say hi to the German "Deutsche Telekom" here.

What works for one provider is very different from another one... But previously I could take out 10 IP addresses from one of my providers, which they claim to have reduced to 2, which is the latest thing I heard.

Recently I could span over three different ranges, from the exact same physical location:

- A /20 subnet (e.g. 192.168.144.0/20 (192.168.144.0 - 192.168.159.255))
- A /23 subnet (e.g. 10.156.218.0/23 (10.156.218.0 - 10.156.219.255))
- A /24 subnet (e.g. 10.156.253.0/24 (10.156.253.0 - 10.156.253.255))
(NB: Random private RFC 1918 ranges provided for the purpose of demonstration)

So your advertised way of comparing the first few octets of an IP address will be very vague, and cannot be recommended for a foolproof solution.


Quote:
Originally Posted by stickz
The problem is SB doesn't have a module capable of automatically doing these things, to warn admins.
And how exactly would you automate doing things, when you are completely unable to find 100% foolproof and accurate information automatically?

There is no foolproof solution to the issue, you can do a lot, but you can also "waste a lot of time" in the journey, with little to no gain at all, and you're also playing around with a huge risk of a lot of "false positives".
__________________
Mostly known as "DarkDeviL".

Dropbox FastDL: Public folder will no longer work after March 15, 2017!
For more info, see the [SRCDS Thread], or the [HLDS Thread].
Psyk0tik
Veteran Member
Join Date: May 2012
Location: Homeless
03-27-2018, 00:13   Re: Is it possible to ban hackers who spoof their steam IDs?   #6

Also, wouldn't OnClientPostAdminCheck() be called when the player has already been authorized? That means the plugin would only ban players who still don't have a valid steam ID after being authorized, right?
DarkDeviL
SourceMod Moderator
Join Date: Apr 2012
03-27-2018, 00:41   Re: Is it possible to ban hackers who spoof their steam IDs?   #7

Quote:
Originally Posted by Crasher_3637
Hey, I'm wondering if it is possible to catch these recent pesky hackers on TF2 who seem to bypass steam authorization by spoofing their steam IDs. When I check the console for their steam ID, they have this as their steam ID: STEAM_ID_STOP_IGNORING_RETVALS
Quote:
Originally Posted by Crasher_3637
PHP Code:
int iBanCheck(int client)
{
    char steamid[64];
    // Read the client's Steam2 ID string into steamid
    GetClientAuthId(client, AuthId_Steam2, steamid, sizeof(steamid));
    // StrContains returns the match position, or -1 when nothing matches
    if (StrContains(steamid, "STEAM_ID_STOP_IGNORING_RETVALS", false) != -1 || StrContains(steamid, "STEAM_ID", false) != -1 || StrContains(steamid, "STEAM_ID_STOP_IGNORING", false) != -1 || StrContains(steamid, "STOP_IGNORING", false) != -1)
    {
        ServerCommand("sm_ban %s 0 \"Banned for hacking.\"", steamid);
    }
    return 0;
}

See THIS POST, as well as THIS POST.

Quote:
Originally Posted by Crasher_3637
Also, wouldn't OnClientPostAdminCheck() be called when the player has already been authorized? That means the plugin would only ban players who still don't have a valid steam ID after being authorized, right?
OnClientPostAdminCheck is called when the user has passed his/her check for admin privileges, if there is no valid Steam ID, it cannot be checked, and it won't ever be called.


If you expect any further assistance, please share your full plugin and extensions list:

Code:
meta list
sm exts list
sm plugins list
As you can read in the linked posts, you most likely have some poorly coded plugins that "fool" you somehow...
Psyk0tik
Veteran Member
Join Date: May 2012
Location: Homeless
03-27-2018, 01:29   Re: Is it possible to ban hackers who spoof their steam IDs?   #8

Those posts taught me more about GetClientAuthId, and I found a plugin on that thread that does exactly what I was looking for.

https://forums.alliedmods.net/showpo...2&postcount=25

Thanks!
Fyren
FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren FyrenFyrenFyrenFyrenFyren
Join Date: Feb 2106
03-27-2018, 03:27   Re: Is it possible to ban hackers who spoof their steam IDs?   #9

Any code that attempts to compare the string from GetClientAuthId to STEAM_ID_STOP_IGNORING_RETVALS is fundamentally misunderstanding what the function does on some level. At the very least, there's no reason to check the string for that value because you could have checked the return value instead.
Fyren is offline
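
Added example, not part of any post in this thread: a SourcePawn illustration of using the return value of GetClientAuthId instead of inspecting the string, as post #9 suggests. The helper GetValidatedSteam2 and the sm_authreport command are hypothetical names; the command reports clients rather than banning them, because authorisation can also fail or lag for legitimate players.

```sourcepawn
#include <sourcemod>

// Hypothetical helper: returns true and fills steamid only when
// GetClientAuthId reports success for a connected human client.
bool GetValidatedSteam2(int client, char[] steamid, int maxlen)
{
    if (client < 1 || client > MaxClients || !IsClientConnected(client) || IsFakeClient(client))
    {
        return false;
    }
    // validate=true is the default; on a false return the buffer
    // contents must not be relied on.
    return GetClientAuthId(client, AuthId_Steam2, steamid, maxlen, true);
}

public Action cmdAuthReport(int client, int args)
{
    char steamid[64];
    for (int i = 1; i <= MaxClients; i++)
    {
        if (!IsClientConnected(i) || IsFakeClient(i))
        {
            continue;
        }
        if (GetValidatedSteam2(i, steamid, sizeof(steamid)))
        {
            ReplyToCommand(client, "%N: %s", i, steamid);
        }
        else
        {
            ReplyToCommand(client, "%N: no validated Steam ID (auth pending or failed)", i);
        }
    }
    return Plugin_Handled;
}

public void OnPluginStart()
{
    // Hypothetical command name, for illustration only
    RegAdminCmd("sm_authreport", cmdAuthReport, ADMFLAG_KICK, "Lists clients without a validated Steam ID.");
}
```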
Mainstaff
AlliedModders Donor
Join Date: May 2011
03-27-2018, 08:09   Re: Is it possible to ban hackers who spoof their steam IDs?   #10

What works best against such spoofers is using the function IsClientAuthorized when they enter the server (OnClientPutInServer).
If they are not authorised you just restrict them, e.g.:
SetClientListeningFlags => VOICE_MUTED
Event player_changename => Prevent notification
Commands jointeam, say, say_team etc.. => Stop them
Timer to kick them after 30 seconds
etc...

However, the authorisation for legit users might also be delayed for various reasons. Therefore, I recommend using OnClientAuthorized to check if a player already entered the server and remove the restrictions applied above.

You also might want to consider the rare case that Steam servers are down and that no player receives the authorisation. Therefore, you probably want to build in something that the restrictions are only applied if e.g. at least 60% of the players on the server already received an authorisation.
Mainstaff is offline
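
Added example, not part of any post in this thread and not the plugin linked in post #8: one way to implement the restrict-then-lift approach described in post #10. The 30-second timer and the 60% threshold come from the post; the function names, the kick message, and the choice not to restrict when no other human players are present are assumptions.

```sourcepawn
#include <sourcemod>
#include <sdktools>
#define GRACE_SECONDS 30.0  // kick delay from the post
#define AUTH_QUORUM   0.60  // authorised share from the post

bool g_bRestricted[MAXPLAYERS + 1];

public void OnPluginStart() {
    AddCommandListener(BlockWhileRestricted, "jointeam");
    AddCommandListener(BlockWhileRestricted, "say");
    AddCommandListener(BlockWhileRestricted, "say_team");
}

// Assumption: with no other humans to compare against, do not restrict.
bool SteamLooksHealthy(int joining) {
    int humans = 0, authed = 0;
    for (int i = 1; i <= MaxClients; i++) {
        if (i == joining || !IsClientInGame(i) || IsFakeClient(i)) continue;
        humans++;
        if (IsClientAuthorized(i)) authed++;
    }
    return humans > 0 && float(authed) / float(humans) >= AUTH_QUORUM;
}

public void OnClientPutInServer(int client) {
    g_bRestricted[client] = false;
    if (IsFakeClient(client) || IsClientAuthorized(client) || !SteamLooksHealthy(client)) return;
    g_bRestricted[client] = true;
    SetClientListeningFlags(client, VOICE_MUTED);
    CreateTimer(GRACE_SECONDS, Timer_KickUnauthorized, GetClientUserId(client));
}

// Authorisation arrived late for a legitimate player: lift the restrictions.
public void OnClientAuthorized(int client, const char[] auth) {
    if (!g_bRestricted[client]) return;
    g_bRestricted[client] = false;
    if (IsClientInGame(client)) SetClientListeningFlags(client, VOICE_NORMAL);
}

public void OnClientDisconnect(int client) { g_bRestricted[client] = false; }

public Action BlockWhileRestricted(int client, const char[] command, int argc) {
    return (client > 0 && g_bRestricted[client]) ? Plugin_Handled : Plugin_Continue;
}

public Action Timer_KickUnauthorized(Handle timer, any userid) {
    int client = GetClientOfUserId(userid);  // 0 if that player already left
    if (client > 0 && g_bRestricted[client] && !IsClientAuthorized(client)) KickClient(client, "Steam authentication did not complete");
    return Plugin_Stop;
}
```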