New Exploit issue: What could cause this error?

M.I.A. · **Author**

Hi I am requesting information on a exploit that effects all source servers as both my Garrys Mod and Cstrike servers have beenc rashed by the same person using the same exploit

the debug console log spams

RCON Server ProcessAccept Error: Too many open files
RCON Server ProcessAccept Error: Too many open files
RCON Server ProcessAccept Error: Too many open files

like literally 1,000 times each crash..

I'd assume this isnt an exploit with any mod since it was sued on the garrysmod server also

I am seeking any theory or information form anyone here that may cause this, could be related to webservers in general as my research shows that MYSQL databases also crash from this.

Please let me know and send this to as many experienced people as you can.

Thank you

Kigen · 09-03-2009 , 09:00 Re: New Exploit issue: What could cause this error?

Well, based on the error I'd say your servers had too many open files. Maybe its a DoS based off of http://aluigi.org/adv/sourceupfile-adv.txt but not to upload files per-say but just cause the Source engine to open a crap ton a files needlessly.

BeG · 10-30-2009 , 21:57 Re: New Exploit issue: What could cause this error?

i have the same problem someone knows a fix? pls say it easy to understand im german

TESLA-X4 · *Last edited by TESLA-X4; 11-01-2009 at 10:04. Reason: Missing word*

I guess you could try this plugin out and see if it solves your trouble. Be warned: because of the way the plugin blocks functions, it will break banning, because the server is unable to save the ban to file. It also breaks some other things like sprays.
I also recommend that you add sv_logflush 1 to your server.cfg to force a log write for every entry, rather than on log close (typically a mapchange), but keep in mind that this generates significantly more disk I/O, so the performance impact can be noticable in some cases. Forcing log writes will allow you to check if someone is indeed using the file upload exploit Kigen mentioned (all blocked calls to the exploitable functions are logged in there), because log caching gets in the way if the server crashes (you get a 0 byte file instead).

Good luck!

BeG · 11-01-2009 , 10:43 Re: New Exploit issue: What could cause this error?

hi big thanks but i need my bans and i need to add new bans... my server is visited good and when i can´t ban people... uiii thats not good...

the spams are not so often like before 2 days i think he has stop it... i hope so

BeG

thetwistedpanda · 11-01-2009 , 12:32 Re: New Exploit issue: What could cause this error?

You can try installing this plugin: http://devicenull.org/temp/cmd_test.smx on your servers and seeing if there's anything being caught in the logs. Doubtful, but if you can narrow it down then fixing it is easier.

BeG · 11-01-2009 , 16:42 Re: New Exploit issue: What could cause this error?

i´ll take a look thx ;)

devicenull · 11-01-2009 , 17:23 Re: New Exploit issue: What could cause this error?

Any fix to this requires SSH access to the server, do you have that available?

If so, you have two choices:
1) Firewall off TCP 27015 completely (this will disable rcon, and is the best fix)
2) Use ulimit to increase the number of file handles available.

This exploit is completely unrelated to the file upload one, so my plugin that prevents file writes will be completely useless.

BeG · 11-01-2009 , 18:52 Re: New Exploit issue: What could cause this error?

sry i dont have ssh

devicenull · 11-02-2009 , 18:00 Re: New Exploit issue: What could cause this error?

Then you have no options. Literally, nothing you can do.