Server hacked


okris
Zero Posts
Join Date: May 2016
Old 05-07-2016 , 16:54   Server hacked
Reply With Quote #1

Hello everyone.

I am running AMX Mod X 1.8.2 and one of my servers was hacked today. The attacker installed 2 plugins named cs.amxx and dproto.amxx and two config files named plugins-amxxx.ini and plugins-players.ini. The plugins modified files on my players' computers to connect them to a Romanian server. Here are the files if anybody is interested: http://s000.tinyupload.com/index.php?file_id=96730576301751480828
Don't run them on your server.

For months I have been running the same plugins, all of which I've downloaded and recompiled from here. I've been running them on both servers, but only one was hacked. The servers are behind a router which only lets through traffic on HLDS-related ports. I've checked the logs and found no sign of anybody using the rcon password; I did change it after I restored everything from backups. I haven't been using the server for anything other than uploading maps and adding/removing admins, meaning that for the past months I hadn't run anything I've downloaded off the internet. I really don't know what could've caused this. I hope it's one of the plugins nevertheless and AMX Mod X isn't compromised.

Luckily I noticed this in time before too many players were slowhacked.
okris is offline
tousif
AlliedModders Donor
Join Date: Nov 2014
Location: India
Old 05-08-2016 , 01:55   Re: Server hacked
Reply With Quote #2

No steam = No support

Last edited by tousif; 05-08-2016 at 02:01.
tousif is offline
okris
Zero Posts
Join Date: May 2016
Old 05-08-2016 , 03:04   Re: Server hacked
Reply With Quote #3

Screenshot of my Steam licenses:
http://imgur.com/JmM7U57
okris is offline
tousif
AlliedModders Donor
Join Date: Nov 2014
Location: India
Old 05-08-2016 , 03:27   Re: Server hacked
Reply With Quote #4

You're running a non-Steam server, which this community doesn't support. If you want support, then please do remove dproto from your server.
tousif is offline
okris
Zero Posts
Join Date: May 2016
Old 05-08-2016 , 03:52   Re: Server hacked
Reply With Quote #5

Quote:
Originally Posted by okris View Post
... The attacker installed 2 plugins named cs.amxx and dproto.amxx ....
I don't know what dproto is. I did not have it in my plugins before; all these files appeared yesterday for the first time. It seems very unlikely that this can be done with only an rcon password, although I do hope that it can, because then it's just a matter of changing the password.

Last edited by okris; 05-08-2016 at 03:59.
okris is offline
fysiks
Veteran Member
Join Date: Sep 2007
Location: Flatland, USA
Old 05-08-2016 , 03:58   Re: Server hacked
Reply With Quote #6

You would require FTP access to put plugins on your server (unless you have a plugin for downloading plugins). So, I'd recommend changing all passwords that relate to your server (CPanel, FTP, Rcon, etc.).
fysiks is offline
okris
Zero Posts
Join Date: May 2016
Old 05-08-2016 , 07:00   Re: Server hacked
Reply With Quote #7

fysiks: Thank you for your reply. I access the server on a local network and all the ports apart from the two used by my servers are closed from outside access. But if you say that it's possible for a plugin to download and install other plugins, I'll have to review all plugins I have, maybe I've missed one or two with a backdoor.
okris is offline
HamletEagle
AMX Mod X Plugin Approver
Join Date: Sep 2013
Location: Romania
Old 05-08-2016 , 07:44   Re: Server hacked
Reply With Quote #8

There are exploits which upload files to the server, without any plugin installed. I am not sure if they work on a Steam-only server. Anyway, in case you run dproto, remove it.
HamletEagle is offline
okris
Zero Posts
Join Date: May 2016
Old 05-08-2016 , 15:28   Re: Server hacked
Reply With Quote #9

HamletEagle, thanks for the info, I didn't know it was possible. Maybe the easiest solution here would be to just prevent HLDS from modifying or creating any files except for stats and the ones in the logs folder. I'll fiddle with Windows user ownership and permission settings; the exploits will probably not end today anyway.
okris is offline
ILUSION
Senior Member
Join Date: Oct 2006
Location: Argentina
Old 05-09-2016 , 09:13   Re: Server hacked
Reply With Quote #10

Update your HLDS to the latest version using steamcmd and your problem will be fixed. It's an exploit, as Hamlet said.

Last edited by ILUSION; 05-09-2016 at 09:13.
ILUSION is offline
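
Added example, not part of the thread and not AMX Mod X code: a file-integrity check built on the idea in post #9 that only stats and logs should change at runtime. It hashes the game directory, then reports any file added, modified or removed outside the writable subtrees. The directory layout, the `WRITABLE_PREFIXES` list and the sample tree in `demo()` are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

# Assumption: only these subtrees (relative to the game directory) change at runtime.
WRITABLE_PREFIXES = ("addons/amxmodx/logs/", "addons/amxmodx/data/", "logs/")

def snapshot(root):
    """Map each file's relative path (forward slashes) to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff(baseline, current):
    """Return added/modified/removed paths that lie outside the writable subtrees."""
    def watched(path):
        return not path.startswith(WRITABLE_PREFIXES)
    added = sorted(p for p in current if p not in baseline and watched(p))
    removed = sorted(p for p in baseline if p not in current and watched(p))
    modified = sorted(p for p in baseline
                      if p in current and current[p] != baseline[p] and watched(p))
    return {"added": added, "modified": modified, "removed": removed}

def demo():
    """Constructed sample tree: baseline, then the symptoms from post #1, then diff."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        write("addons/amxmodx/plugins/admin.amxx", b"constructed plugin bytes")
        write("addons/amxmodx/configs/plugins.ini", b"admin.amxx\n")
        write("addons/amxmodx/logs/L20160507.log", b"constructed log line\n")
        baseline = snapshot(root)
        # File names from post #1 appear; the log also grows (expected churn).
        write("addons/amxmodx/plugins/cs.amxx", b"unknown")
        write("addons/amxmodx/plugins/dproto.amxx", b"unknown")
        write("addons/amxmodx/configs/plugins-amxxx.ini", b"cs.amxx\n")
        write("addons/amxmodx/logs/L20160507.log", b"constructed log line\nmore\n")
        return diff(baseline, snapshot(root))

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the HLDS account cannot write, otherwise whoever can drop plugins can also rewrite the baseline.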