
my server got hacked or got a backdoor?...


SomeoneS
Junior Member
Join Date: Jan 2008
Location: localhost
Old 02-20-2008 , 09:48   Re: my server got hacked or got a backdoor?...
#11

You cannot disable rcon! Set it to a cryptic pass if you don't want to use it.

If you set rcon (what I think) to rcon_password "" then it's free for all.
Most tools have a problem with an empty password, so you can think that you disabled it.
But try the in-game console.
SomeoneS is offline
hoboman
Senior Member
Join Date: Jul 2007
Old 02-20-2008 , 16:10   Re: my server got hacked or got a backdoor?...
#12

Quote:
Originally Posted by Brad View Post
Did you get any of the plugins from somewhere other than this site? Presumably you have the source for each?
no

Quote:
amx_mode?
no idea what that is, so it is probably the default


Quote:
I think they used rcon cause your rcon length has to be 6< someone said that if rcon length is >6 there is a trick... but it's only my opinion ;)
but is this even a fact?
my rcon length was well over 6...
__________________
hoboman is offline
Roach
Writes love letters to sawce Daily
Join Date: Jul 2006
Location: Internet
Old 02-20-2008 , 16:13   Re: my server got hacked or got a backdoor?...
#13

Never seen those names before in my research when looking for the original backdoor.

You got me on that one hombre. All of those kicks, however, look like rcon console kicks, and not amxx kicks.
__________________
Quote:
Originally Posted by Brad View Post
That sounds like a really good idea!
Now replace the word "good" with "dumb".
What was your rationale for proposing such a thing?
Roach is offline
YamiKaitou
Has a lovely bunch of coconuts
Join Date: Apr 2006
Location: Texas
Old 02-20-2008 , 17:11   Re: my server got hacked or got a backdoor?...
#14

If you are using GameServers.com as your host (assuming because of the GameTracker banner), look in your gsconsole.log file for rcon logins. This file gets overwritten every time you press the Restart Server button in the Members Area.

Otherwise, it may be logging it to the general HLDS logs, just maybe.


But yeah, those kicks are definitely rcon kicks.
__________________
ProjectYami Laboratories

I do not browse the forums regularly anymore. If you need me for anything (asking questions or anything else), then PM me (be descriptive in your PM, message containing only a link to a thread will be ignored).
YamiKaitou is offline
bmann_420
AMX_Super Pooper
Join Date: Jan 2005
Location: [SuperCentral.co]
Old 02-20-2008 , 22:46   Re: my server got hacked or got a backdoor?...
#15

I believe he mentioned Nuclear Fallout as the host.
__________________
bmann_420 is offline
Jellric
Member
Join Date: Dec 2007
Old 02-23-2008 , 14:08   Re: my server got hacked or got a backdoor?...
#16

I can almost guarantee you it's rcon. You don't have to give it out for someone to get your rcon password. The password is sent out over the internet in plain text (unencrypted) every time rcon is used. Someone with an rcon sniffer program can easily intercept that traffic and read your password. Then, using a program such as HLSW, take remote control of your server. It has happened to me before.

The only solution in this case is to remove the rcon password for a few days or more by setting rcon_password "". If you feel sure those guys were the ones hacking your server, ban them.

If they are using a packet sniffer, changing the password to something more complex won't help for the reason I mentioned.

If you ban them, be sure to ban them by IP address also. Otherwise they could remotely remove themselves from your ban list. Banning their IP will keep them from using a remote program such as HLSW. Your server won't even show up on their steam servers list anymore.
Jellric is offline
[X]-RayCat
Senior Member
Join Date: Sep 2006
Old 02-26-2008 , 17:30   Re: my server got hacked or got a backdoor?...
#17

How about vote? It may sound stupid (I'm stupid)... ^^
[X]-RayCat is offline
hoboman
Senior Member
Join Date: Jul 2007
Old 02-28-2008 , 15:21   Re: my server got hacked or got a backdoor?...
#18

Quote:
Originally Posted by [X]-RayCat View Post
How about vote? It may sound stupid (I'm stupid)... ^^
if it was a vote it would have been logged in the amxx admin logs...and it wasn't

After doing some googling it turns out that Jellric is probably correct about what has happened here...I had no idea that it was that easy to get a hold of the rcon
__________________
hoboman is offline
YamiKaitou
Has a lovely bunch of coconuts
Join Date: Apr 2006
Location: Texas
Old 02-28-2008 , 15:24   Re: my server got hacked or got a backdoor?...
#19

There is a votekick and a voteban command that comes with HL that anyone can use.
__________________
ProjectYami Laboratories

I do not browse the forums regularly anymore. If you need me for anything (asking questions or anything else), then PM me (be descriptive in your PM, message containing only a link to a thread will be ignored).
YamiKaitou is offline
cs1.6
Senior Member
Join Date: Dec 2006
Old 03-03-2008 , 20:37   Re: my server got hacked or got a backdoor?...
#20

Hi,

I want to contribute to the security of the forum members, so I would like to say something as well.

It seems to me that nowadays a lot of these kinds of things are happening. I would, in my humble opinion/guess, say that I assume some kind of 'rcon sniffer program' has been made available for abuse. I am sure this has happened to a lot of people, just that they have not realized it. A short while ago I experienced the exact same thing. Obviously someone, or several people, are using this program to hack the console password.

Luckily I still have one copy of those messages in my notes.

Code:
Bad Rcon from 74.138.253.184:49786:
rcon 2079285343 "amber"  status
For a short time I had a lot of similar messages in the console. If I remember right, it was always the same command (status), just with a different user name. Note that all those messages had a female name in them, like 'amy', 'jessica' and the like, which points out the fishy nature of the whole thing. And also there was no player with these kinds of names on the server!! Which would indicate a remote program/scanner/person.

Bye
cs1.6 is offline
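
Added example, not part of any post in this thread: a small Python script that scans console or log text (such as the gsconsole.log mentioned in post #14) for the two-line "Bad Rcon" entries quoted in post #20 and groups the failed attempts by source address. It assumes that two-line layout and treats the quoted field of the rcon line as the password that was tried; the sample log, the addresses and the `guess_threshold` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed console output in the two-line shape quoted in post #20.
# Addresses come from documentation ranges; the tried words are made up.
SAMPLE_LOG = """\
Bad Rcon from 192.0.2.10:49786:
rcon 2079285343 "amber"  status
Bad Rcon from 192.0.2.10:49786:
rcon 2079285343 "amy"  status
Bad Rcon from 192.0.2.10:49790:
rcon 1184293345 "jessica"  status
L 03/03/2008 - 20:31:02: "Player<5><STEAM_0:0:1234><CT>" say "hi"
Bad Rcon from 198.51.100.7:27005:
rcon 99887766 "oldpass"  status
"""

HEADER = re.compile(r"^Bad Rcon from (\d{1,3}(?:\.\d{1,3}){3}):(\d+):\s*$")
DETAIL = re.compile(r'^rcon\s+(-?\d+)\s+"([^"]*)"\s*(.*)$')

def parse_bad_rcon(text):
    """Yield (ip, port, tried_word, command) for every failed rcon attempt."""
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        head = HEADER.match(line)
        if not head:
            continue
        # The offending command is on the following line; tolerate its absence.
        detail = DETAIL.match(lines[i + 1]) if i + 1 < len(lines) else None
        word, cmd = (detail.group(2), detail.group(3).strip()) if detail else (None, None)
        yield head.group(1), int(head.group(2)), word, cmd

def summarize(text, guess_threshold=3):
    """Group failures by source IP and flag sources cycling through words."""
    stats = defaultdict(lambda: {"attempts": 0, "words": set(), "commands": set()})
    for ip, _port, word, cmd in parse_bad_rcon(text):
        stats[ip]["attempts"] += 1
        if word is not None:
            stats[ip]["words"].add(word)
            stats[ip]["commands"].add(cmd)
    # One failure can be an admin tool with a stale password; many distinct
    # words from one address is the guessing pattern described in post #20.
    return {ip: {"attempts": s["attempts"], "distinct_words": len(s["words"]),
                 "commands": sorted(s["commands"]),
                 "guessing": len(s["words"]) >= guess_threshold}
            for ip, s in stats.items()}

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE_LOG).items():
        print(ip, info)
```

Addresses flagged as guessing are candidates for the IP ban suggested in post #16; a source with a single failure is more likely an admin tool holding an old password.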