[MasterWanger]

i recently had a user threaten to hack my server,
he did not have admin, but was able to use the amx_chat, amx_tsay, amx_csay.

Not sure if this is just a configuration error by me, or a bug. ive gone over my admin file about 50 times and it dosen't say that he has admin ANYWHERE.

the default access is z

so i mean, MAJOR BUG HERE.

[BAILOPAN]

adminchat lets a user communicate to admins using the @ symbol. Maybe this is what you mean?

If not, please post your config files (amxx.cfg + users.ini) and any modifications to the core plugins you made.

[MasterWanger]

no no.

i literally mean being able to access amx_tsay with no admin what so ever.

Someone joined my server the other day saying they were gonna hack my server to pieces.(in a manner of speaking...)

Basically, i was on RCON when he said it so i perm ip, and steam id banned him.

But he had access to amx_tsay, He had no way of knowing the rcon password.(my server bans after 1 unsuccessful attempt at using the rcon password) I am the only SOLE HUMAN BEING ON EARTH with the rocn password.

This was on a DEDICATED server, not a hosted.

[PM]

Do you have logs of that thing?

Is there something like

name<some number><his steam id><>^" became an admin blahablhabla

in your amxx logs?

[MasterWanger]

i think this is it:

Code:

L 09/03/2005 - 14:09:14: [adminchat.amxx] Chat: "kiX' I'm a noob.<449><STEAM_0:0:3066249><>" tsay "want me to fuck up your serv,?"
L 09/03/2005 - 14:09:22: [adminchat.amxx] Chat: "kiX' I'm a noob.<449><STEAM_0:0:3066249><>" tsay "i will if you dont turn this shit off"

Admin Listing:

Code:

"STEAM_0:0:4149465"	""	"bcdefghijklmnopqrstu"		"ce"	// Tom
"STEAM_0:0:1192758"	""	"bcdefghijkmnopqrstu"		"ce"	// Zach
"STEAM_0:1:4357588"	""	"bcdefghijklmnopqrstu"		"ce"	// Tom's Sister Mina
"STEAM_0:0:3326891"	""	"bcdefghijkmnopqrstu"		"ce"	// BlondeRocker
"STEAM_0:1:3943097"	""	"bcefghijkmnopqrstu"		"ce"	// Fry
"STEAM_0:0:7292378"	""	"bcefghijkmnopqrstu"		"ce"	// Woody

;/////////////////////////////////////////////////////////////////////////////////////////////////////
;Clan Access
"STEAM_0:1:6933221" 	"" 	"bcdefghijklmnopqrstu" 		"ce"	// MasterWanger
"STEAM_0:1:5979860"	""	"bcdefghijklmnopqrstu"		"ce"	// Bunny
"STEAM_0:0:2791153"	""	"bcdefghijkmnopqrstu"		"ce"	// Auron AKA The Beatles
"STEAM_0:1:6149593"	""	"bcefghijkmnopqrstu"		"ce"	// THR@x
"STEAM_0:0:4017700"	""	"bcefghijkmnopqrstu"		"ce"	// Mr.Po
"STEAM_0:0:4890340"	""	"ghijkzu"			"ce"	// Crap-Head
"STEAM_0:0:2668699"	""	"bcdefghijkmnopqrstu"		"ce"	// Abeep
"STEAM_0:1:4163929"	""	"bcdefghijkmnopqrstu"		"ce"	// CrAzY
"STEAM_0:0:2091423"	""	"bcefghijkmnopqrstu"		"ce"	// FuZZy
"STEAM_0:0:7266803"	""	"bcefghijkmnopqrstu"		"ce"	// Crunk
"STEAM_0:1:2938553"	""	"bcdfghijklmnopqrstu"		"ce"	// Detroit PrEp
"STEAM_0:0:3737689"	""	"bcdefghijkmnopqrstu"		"ce"	// Bklynruski
"STEAM_0:0:6165829"	""	"bcfghijkmnopqrstu"		"ce"	// :$)v(oKe-N-G@T)v(@N
"STEAM_0:1:2097046"	""	"bcefghijkmnopqrstu"		"ce"	// D3L3T3D
"STEAM_0:1:2458860"	""	"ghijkzu"			"ce"	// REG!NA
"STEAM_0:1:4922298"	""	"ghijkzu"			"ce"	// SpedWard
"STEAM_0:0:377027"	""	"ghijkzu"			"ce"	// Knify

UAIO List:

Code:

; These are YOU (YOUR SERVER) when using a ListenServer
admin "6933221"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "4163929"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "5979860"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "2668699"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "2097046"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "4017700"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "3737689"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "6149593"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"
admin "2091423"  "grp_vote_typeS grp_good_typeS grp_evil_typeS grp_misc_typeS"

;---------------------------------------------------------------------------------------
; Default Access (For non-admin players) -- Only Change Groups (If Required)!
; Do Not Remove!
; This Default Public-Admin IS Required, Remove Flags from Groups in uaio_groups.ini
; To Restrict Access to Commands by Public Players!
;---------------------------------------------------------------------------------------
admin "default"     "grp_vote_public grp_good_public grp_evil_public grp_misc_public"

And no xxx became an admin is not in my logs.

[BAILOPAN]

Can you see if anyone used rcon?

[MasterWanger]

nobody has, its not contained within my logs, there isn't enought proxies in the world to get my rcon password.

it bans after 1 incorrect password.

i lloked in my logs and the only visible rcon is me. 192.168.0.3, or the ip address behind my router.

[BAILOPAN]

(make sure you're checking the amxmodx logs as well, they're stored separately in amxmodx/logs).

If you're absolutely sure, it's apparent there's some sort of problem here, but unfortunately there's really not enough information to debug it. If it happens again, use "amx_who" to see what his access levels are, that's the only thing I can think of right now.

[MasterWanger]

ok.


if it happens again ill post my logs and everything.

[[PAD]Lister]

Had an incident on my server today where someone somehow got full admin on my server now i'm not sure how the hell it happened, i'm the only one that knows our server FTP and all the files checked out so how could this guys have got full admin on my server? is there a bug or security hole in AMX Mod X?

Server Log Entry: L0928

Code:

L 09/28/2004 - 10:12:26: -------- Mapchange --------
L 09/28/2004 - 10:23:13: -------- Mapchange --------
L 09/28/2004 - 10:23:41: [admin.amxx] Login: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" became an admin (account "STEAM_0:0:3859533") (access "abcdefghijklmnopqrstu") (address "81.110.218.38")
L 09/28/2004 - 10:25:00: [admincmd.amxx] Cmd: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" ask for players list
L 09/28/2004 - 10:39:21: -------- Mapchange --------
L 09/28/2004 - 10:39:21: [AMXX] Module "csstats" required for plugin.  Check modules.ini. (plugin "statsx.amxx")
L 09/28/2004 - 10:39:21: [AMXX] Module "csstats" required for plugin.  Check modules.ini. (plugin "stats_logging.amxx")
L 09/28/2004 - 10:40:04: [admin.amxx] Login: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" became an admin (account "STEAM_0:0:3859533") (access "abcdefghijklmnopqrstu") (address "81.110.218.38")
L 09/28/2004 - 10:41:03: [mapsmenu.amxx] Cmd: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" changelevel "cs_office_cz"
L 09/28/2004 - 10:41:05: -------- Mapchange --------
L 09/28/2004 - 10:41:06: [AMXX] Module "csstats" required for plugin.  Check modules.ini. (plugin "statsx.amxx")
L 09/28/2004 - 10:41:06: [AMXX] Module "csstats" required for plugin.  Check modules.ini. (plugin "stats_logging.amxx")
L 09/28/2004 - 10:41:07: [admin.amxx] Login: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" became an admin (account "STEAM_0:0:3859533") (access "abcdefghijklmnopqrstu") (address "81.110.218.38")
L 09/28/2004 - 10:49:27: -------- Mapchange --------
L 09/28/2004 - 10:49:55: [admin.amxx] Login: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" became an admin (account "STEAM_0:0:3859533") (access "abcdefghijklmnopqrstu") (address "81.110.218.38")
L 09/28/2004 - 11:04:57: [mapsmenu.amxx] Cmd: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" changelevel "cs_italy_cz"
L 09/28/2004 - 11:05:00: -------- Mapchange --------
L 09/28/2004 - 11:05:01: [admin.amxx] Login: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" became an admin (account "STEAM_0:0:3859533") (access "abcdefghijklmnopqrstu") (address "81.110.218.38")
L 09/28/2004 - 11:08:49: [mapsmenu.amxx] Cmd: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" changelevel "de_dust2_cz"
L 09/28/2004 - 11:08:51: -------- Mapchange --------
L 09/28/2004 - 11:08:53: [admin.amxx] Login: "[DS-Elite] The0ne<1><STEAM_0:0:3859533><>" became an admin (account "STEAM_0:0:3859533") (access "abcdefghijklmnopqrstu") (address "81.110.218.38")

users.ini listed below:

Code:

; Users configuration file
; File location: $moddir/addons/amxx/configs/users.ini

; Line starting with ; is a comment

; Access flags:
; a - immunity (can't be kicked/baned/slayed/slaped and affected by other commmands)
; b - reservation (can join on reserved slots)
; c - amx_kick command
; d - amx_ban and amx_unban commands
; e - amx_slay and amx_slap commands
; f - amx_map command
; g - amx_cvar command (not all cvars will be available)
; h - amx_cfg command
; i - amx_chat and other chat commands
; j - amx_vote and other vote commands
; k - access to sv_password cvar (by amx_cvar command)
; l - access to amx_rcon command and rcon_password cvar (by amx_cvar command)
; m - custom level A (for additional plugins)
; n - custom level B
; o - custom level C
; p - custom level D
; q - custom level E
; r - custom level F
; s - custom level G
; t - custom level H
; u - menu access
; z - user (no admin)

; Account flags:
; a - disconnect player on invalid password
; b - clan tag
; c - this is steamid/wonid
; d - this is ip
; e - password is not checked (only name/ip/steamid needed)

; Format of admin account:
; <name|ip|steamid> 	        <password> 	<access flags> 	       <account flags>	<comment>

"STEAM_*:*:******" 	"" 	"abcdefghijklmnopqrstu" 	"ce"	;Kakistos (Full Admin + RCON + Immunity)
"STEAM_*:*:******"	""	"abcdefghijklmnopqrstu"	"ce"	;Lister (Full Admin + RCON + Immunity) 
"STEAM_*:*:******"	""	"abcdefghijklmnopqrstu"	"ce"	;Soap-Bar (Full Admin + RCON + Immunity)
"STEAM_*:*:******"	""	"bcefghijklmnopqrstu"		"ce"	;Babey (Full Admin + RCON)
"STEAM_*:*:******"	""	"bceij"			"ce"	;MRM!N! (Standard Admin)
"STEAM_*:*:******"	""	"bceij"			"ce"	;BDP (Standard Admin)
"STEAM_*:*:******"	""	"bceij"			"ce"	;Furious (Standard Admin)
"STEAM_*:*:******"	""	"bceij"			"ce"	;MrKu1e (Standard Admin)
"STEAM_*:*:******"	""	"bceij"			"ce"	;ZAIN (Standard Admin)
"STEAM_*:*:******"""	"bceij"			"ce"	;MrSmokey (Standard Admin)
"STEAM_*:*:******"	""	"b"			"ce"	;L!quId (Reserve Slot) 


"loopback" "" "abcdefghijklmnopqrstu" "de"

Any ideas? Help + rapid reply much appreciated!

*Note* STEAM_ID's hidden for privacy

amxx.cfg \/

Code:

/ AMX Configuration File
echo Executing AMX Mod X Configuration File

// Default access for all non admin players (see users.ini for access details)
amx_default_access "z"

// Name of setinfo which should store a password on a client (you should change this)
// (Example: setinfo _pw "password")
amx_password_field "_pw-home"

// Mode of logging to a server
// 0 - disable logging, players won't be checked (and access won't be set)
// 1 - normal mode which obey flags set in accounts
// 2 - kick all players not on list
amx_mode 1

// Show admins activity
// 0 - disabled
// 1 - show without admin name
// 2 - show with name
amx_show_activity 2

// Frequency in seconds and text of scrolling message
amx_scrollmsg "Welcome to %hostname% -- www.painafterdeath.co.uk" 600

// Center typed colored messages (last parameter is a color in RRRGGGBBB format)
amx_imessage "Welcome to %hostname%" "000255100"
amx_imessage "This server is monitored by Admins" "000100255"
amx_imessage "Www.painafterdeath.co.uk" "000255100"

// Frequency in seconds of colored messages
amx_freq_imessage 180

// Set in seconds how fast players can chat (chat-flood protection)
amx_flood_time 0.75

// Amount of reserved slots (for more details see comments in a plugin source)
amx_reservation 0

// Displaying of time remaining
// a - display white text on bottom
// b - use voice
// c - don't add "remaining" (only in voice)
// d - don't add "hours/minutes/seconds" (only in voice)
// e - show/speak if current time is less than this set in parameter
amx_time_display "ab 1200" "ab 600" "ab 300" "ab 180" "ab 60" "bcde 11"

// Announce "say thetime" and "say timeleft" with voice
amx_time_voice 1

// Minimum delay in seconds between two voting sessions
amx_vote_delay 600

// How long voting session goes on
amx_vote_time 30

// Display who votes for what option
amx_vote_answers 1

// Some ratios for voting success
amx_votekick_ratio 0.40
amx_voteban_ratio 0.40
amx_votemap_ratio 0.40
amx_vote_ratio 0.02

// Max. time to which map can be extended
amx_extendmap_max 90

// Step for each extending
amx_extendmap_step 15

// Rank mode
// 0 - by nick
// 1 - by authid 
// 2 - by ip
csstats_rank 1

// Max size of the stats file
csstats_maxsize 3500

// Duration of HUD-statistics
amx_statsx_duration 12.0

// HUD-statistics display limit relative round freeze end
// Negative time will clear the HUD-statstics before the round freeze time has ended
amx_statsx_freeze -2.0

//If you set this to 0, clients cannot chose their language
amx_client_languages 0

// Plugin Debug mode
// 0 - No debugging (garbage line numbers)
// 1 - Plugins with "debug" option in plugins.ini are put into debug mode
// 2 - All plugins are put in debug mode
// Note - debug mode will affect JIT performance
amx_debug 1