
Security Exploit in UAIO Binary


Roach
Writes love letters to sawce Daily
Join Date: Jul 2006
Location: Internet
Old 02-03-2008 , 23:32   Re: Security Exploit in UAIO Binary
#41

This forum isn't the place to go and call people out on. Be careful with what information you already possess.
__________________
Quote:
Originally Posted by Brad View Post
That sounds like a really good idea!
Now replace the word "good" with "dumb".
What was your rationale for proposing such a thing?

Last edited by Roach; 02-03-2008 at 23:34.
Brad
AMX Mod X Team Member
Join Date: Jun 2004
Old 02-04-2008 , 09:03   Re: Security Exploit in UAIO Binary
#42

Hi sawce. I've seen this thread.
coca-cola
BANNED
Join Date: Dec 2007
Location: I got caught by Roach be
Old 02-05-2008 , 18:31   Re: Security Exploit in UAIO Binary
#43

oh shit monkeys! so that's why my server got passworded and all players got kicked O_O. I was wondering how that happened, because no matter what I did, the server always got passworded and stuff

oh well new uaio is installed thanks to this thread
[cTs] Corvette
Senior Member
Join Date: Apr 2004
Old 02-05-2008 , 22:30   Re: Security Exploit in UAIO Binary
#44

Well, after it happened again tonight, the hacker knew we were on to him so he came forward to tell us how he was doing it:

There are some ways to get rcon of some really noob servers with sv_downloadurl.

1) Developer 1
2) Copy the line of the sv_downloadurl to firefox/ie
3) Check if server.cfg is here
4) Take rcon

We had recently changed hosting and needed a temporary fast download site, and it turns out the whole directory was exposed. So, now that you know, you might want to make sure the same thing doesn't happen to you.
{NM}Jason
AMX Mod X Beta Tester
Join Date: Mar 2004
Location: Texas
Old 02-05-2008 , 22:50   Re: Security Exploit in UAIO Binary
#45

ya know the easy way to get around this happening is placing an index.html with a 404 MSG in the dir of your sv_downloadurl and poof no more leeching and no more crap, and the person isn't a hacker, he's just smarter than you for looking at basic web browsing crap...


Edit: the most secure way of doing sv_downloadurl is placing index.html in every directory, this way IE and other browsers will always look for that file first, in most cases.
__________________
http://forums.alliedmods.net/showthr...396#post451396
Quote:
Originally Posted by BAILOPAN View Post
Shortly after posting that image, Jason crushed the truck into a ball with his hands, and tossed it over his shoulder.

Last edited by {NM}Jason; 02-05-2008 at 22:58.
Roach
Writes love letters to sawce Daily
Join Date: Jul 2006
Location: Internet
Old 02-05-2008 , 23:10   Re: Security Exploit in UAIO Binary
#46

Quote:
Originally Posted by [cTs] Corvette View Post
Well, after it happened again tonight, the hacker knew we were on to him so he came forward to tell us how he was doing it:

There are some ways to get rcon of some really noob servers with sv_downloadurl.

1) Developer 1
2) Copy the line of the sv_downloadurl to firefox/ie
3) Check if server.cfg is here
4) Take rcon

We had recently changed hosting and needed a temporary fast download site, and it turns out the whole directory was exposed. So, now that you know, you might want to make sure the same thing doesn't happen to you.
Not a problem with AMXx...but interesting insight nonetheless.
YamiKaitou
Has a lovely bunch of coconuts
Join Date: Apr 2006
Location: Texas
Old 02-06-2008 , 09:59   Re: Security Exploit in UAIO Binary
#47

Quote:
Originally Posted by [cTs] Corvette View Post
Well, after it happened again tonight, the hacker knew we were on to him so he came forward to tell us how he was doing it:

There are some ways to get rcon of some really noob servers with sv_downloadurl.

1) Developer 1
2) Copy the line of the sv_downloadurl to firefox/ie
3) Check if server.cfg is here
4) Take rcon

We had recently changed hosting and needed a temporary fast download site, and it turns out the whole directory was exposed. So, now that you know, you might want to make sure the same thing doesn't happen to you.
Why would you put your config files on the net anyways? Clients don't download those.


Quote:
Originally Posted by {NM}Jason View Post
Edit: the most secure way of doing sv_downloadurl is placing index.html in every directory, this way IE and other browsers will always look for that file first, in most cases.
If you know the exact file that you are looking for, you just put that file in the URL and you go straight to that file or a 404; browsers do not even look for an index page then.
__________________
ProjectYami Laboratories

I do not browse the forums regularly anymore. If you need me for anything (asking questions or anything else), then PM me (be descriptive in your PM, message containing only a link to a thread will be ignored).
8088
Veteran Member
Join Date: Jan 2008
Old 02-06-2008 , 15:26   Re: Security Exploit in UAIO Binary
#48

Quote:
Originally Posted by YamiKaitou View Post
Why would you put your config files on the net anyways? Clients don't download those.
I'm guessing that in cases like these the webserver and gameserver are on the same machine.
vvg125
AMX Mod X Beta Tester
Join Date: Dec 2006
Location: Queens (Douglaston), New
Old 02-08-2008 , 12:56   Re: Security Exploit in UAIO Binary
#49

Quote:
Originally Posted by 8088 View Post
I'm guessing that in cases like these the webserver and gameserver are on the same machine.
Again, you do not put config files on the web server. Only files that should go there are models, sounds, and textures.

Config files go on the game server, not the web server.

Even if they are on the same machine, the game server files are not accessible via the web server directory.
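An added example (not posted by anyone in this thread): a check a server operator could run over the directory published through sv_downloadurl, reporting any file outside the content types vvg125 lists and any file that contains an rcon_password line, since a direct URL to such a file bypasses an index.html placeholder. The extension allowlist, the function names and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: extensions for the content types named in the thread
# (models, sounds, textures); adjust for your game or mod.
ALLOWED_EXT = {".mdl", ".wav", ".mp3", ".wad", ".spr"}
ALLOWED_NAMES = {"index.html"}  # placeholder page suggested in the thread
# rcon_password is the cvar that holds the remote-console password.
SECRET_MARKERS = (b"rcon_password",)

def audit_download_root(root):
    """Return sorted (relative_path, reason) findings for files that should
    not be reachable under the sv_downloadurl web root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext not in ALLOWED_EXT and name.lower() not in ALLOWED_NAMES:
                findings.append((rel, "unexpected file type"))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(65536).lower()
            except OSError:
                findings.append((rel, "unreadable"))
                continue
            if any(marker in head for marker in SECRET_MARKERS):
                findings.append((rel, "contains rcon_password"))
    return sorted(findings)

def build_sample_root():
    """Constructed sample tree: a game directory published wholesale."""
    root = tempfile.mkdtemp(prefix="fastdl_")
    sample = {
        "models/player.mdl": b"IDST",
        "sound/misc/hit.wav": b"RIFF",
        "index.html": b"<h1>404</h1>",
        "server.cfg": b'hostname "test"\nrcon_password "CONSTRUCTED-EXAMPLE"\n',
    }
    for rel, data in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root

if __name__ == "__main__":
    for rel, reason in audit_download_root(build_sample_root()):
        print(f"{rel}: {reason}")
```

Any finding that mentions rcon_password means the password should be changed as well as the file removed, because it may already have been fetched.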
chris
Senior Member
Join Date: Mar 2007
Location: America
Old 02-08-2008 , 17:21   Re: Security Exploit in UAIO Binary
#50

I don't know if this has to do with the exploit or not but what does the HX have to do with the UAIO menu? The first time, I've seen this and I've seen it multiple times in my menu. I'm using the version 1.51 in the UAIO section of these forums.
