Attention: Sourcebans/Server Hacker!


Cr(+)sshair
Member
Join Date: Mar 2010
Old 08-07-2010 , 12:28   Attention: Sourcebans/Server Hacker!
Reply With Quote #1

About a week ago, we had an emergency. Someone was attacking our servers. This person somehow managed to put himself as a God Admin on our sourcebans and used our own web rcon to attack us. This went from renaming the server to Operation Gamma, changing the map to hardware tests, to banning everyone in it.

When I banned him from in game I was able to grab a quick IP address before the person deleted his ban.

His info: STEAM_0:1:29452626, IP: 188.177.169.182

He came back later with: STEAM_0:0: 33334377, IP: 85.82.170.148

There were a lot more IPs, but he was only seen on these two SteamIDs. I even had to go as far as making a little plugin that blocked him from our servers because he kept bypassing SB no matter what. This worked and no more attacks happened.

Recently, he posted a video on the attack http://www.youtube.com/watch?v=oqBweXiatjI



I recommend all server owners to ban him, then ban him from your sourcebans page by banning his IP ranges. I am currently in the process of getting logs and everything from the attack both server/sb wise and will report it to the Steam Community to hopefully get his accounts deleted.

Please don't flame in here, this is only a warning of what may happen to you!
Groger
Veteran Member
Join Date: Oct 2009
Location: Belgium
Old 08-11-2010 , 11:23   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #2

You could disable the web rcon in your sourcebans by manually deleting it from the php files.

But thx for the heads up, I banned his steamID, IP etc., but I don't think banning him by IP makes a difference; it's easy to change your IP.


Thx anyway !
EDIT: Did you inform the SB-Crew about this?

Last edited by Groger; 08-11-2010 at 11:29.
NouveauJoueur
SourceMod Donor
Join Date: May 2009
Old 08-11-2010 , 12:13   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #3

It's useless to inform SB coders about this until he can prove that he exploited a security hole from SB php's script.

Anyway, that's a reason why I've never installed this kind of plugin: security holes can be fixed, but meanwhile you get your server burned by kids.
atom0s
Senior Member
Join Date: Jul 2009
Old 08-12-2010 , 09:29   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #4

There was a known exploit in an old version of the web script for SourceBans that could allow anyone to reset the admin email/password and obtain rcon access to any servers linked to the SourceBans install. If you are using an old copy of SourceBans you may want to update to the latest version. (Currently 1.4.6 as of this post.)
Peace-Maker
SourceMod Plugin Approver
Join Date: Aug 2008
Location: Germany
Old 08-21-2010 , 13:28   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #5

Quote:
Originally Posted by NouveauJoueur View Post
It's useless to inform SB coders about this until he can prove that he exploited a security hole from SB php's script.
No, if there's proof in the system log that the attacker was sending rcon commands through the webpanel, we're going to check how this could happen.
Since SourceBans is such a widely used system, we try hard to keep it secure.
Gunners
Junior Member
Join Date: Apr 2010
Old 08-21-2010 , 23:43   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #6

They hax
http://www.youtube.com/watch?v=hGVaXM9vidQ
meecrob
Senior Member
Join Date: Jan 2010
Old 08-21-2010 , 23:53   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #7

I don't run CS servers, but if I did I would block their entire group.

http://steamcommunity.com/groups/operationgamma
atom0s
Senior Member
Join Date: Jul 2009
Old 08-22-2010 , 18:01   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #8

Quote:
Originally Posted by Gunners View Post
This isn't proof that SourceBans is to blame.
tigerox
AlliedModders Donor
Join Date: Oct 2008
Location: Canada
Old 08-23-2010 , 14:17   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #9

If your MySQL DB will accept connections from any IP, then it is possible to retrieve the DB login and password from your server's databases.cfg.

Then anyone could log into your Sourcebans DB and change a password to allow them to log in. You should always only allow your server's IP to connect to your MySQL DB.

Just a theory.
__________________
tigerox is offline
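
The restriction tigerox describes, allowing only the game server's IP to connect to MySQL, can be checked by auditing the host part of every database account. The script below is an added example, not part of the original thread and not SourceBans code; it takes rows as returned by `SELECT user, host FROM mysql.user;`, and the account names, addresses and the probe address are constructed sample data.

```python
"""Flag MySQL accounts whose host pattern admits more than the allowed server IPs."""
import ipaddress
import re

LOCAL = {"localhost", "127.0.0.1", "::1"}

def host_matches(pattern, client_ip):
    """True if a MySQL account host pattern admits client_ip (IPv4 text)."""
    if "/" in pattern:  # 'base/netmask' form, e.g. 192.0.2.0/255.255.255.0
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    # In host patterns '%' matches any run of characters, '_' exactly one.
    rx = "".join(".*" if c == "%" else "." if c == "_" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, client_ip, re.IGNORECASE) is not None

def audit(rows, allowed_ips, probe="198.51.100.7"):
    """Return (user, host, reason) for accounts reachable from beyond allowed_ips.

    probe is a constructed outside address used to show that a pattern
    really would accept a connection from an unrelated client.
    """
    findings = []
    for user, host in rows:
        if host in LOCAL or host in allowed_ips:
            continue  # loopback only, or pinned to an allowed server address
        if host_matches(host, probe):
            reason = "admits arbitrary remote address"
        elif any(ch in host for ch in "%_/"):
            reason = "pattern covers more than one address"
        else:
            reason = "host not on the allow-list"
        findings.append((user, host, reason))
    return findings

# Constructed sample rows; 203.0.113.10 stands in for the game server's IP.
SAMPLE_ROWS = [
    ("root", "localhost"),
    ("sourcebans", "%"),
    ("sourcebans_web", "203.0.113.10"),
    ("stats", "203.0.113.%"),
    ("backup", "192.0.2.0/255.255.255.0"),
]

if __name__ == "__main__":
    for user, host, reason in audit(SAMPLE_ROWS, {"203.0.113.10"}):
        print(f"{user}@{host}: {reason}")
```

Accounts that are flagged can be recreated with the server's literal address as the host part; hostname-based patterns depend on name resolution and still need a manual review.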
omgitsme
Veteran Member
Join Date: Mar 2010
Old 08-23-2010 , 15:00   Re: Attention: Sourcebans/Server Hacker!
Reply With Quote #10

So are they still hacking? I just installed it on my test CSS server (actually first time lucky; when I tried with amxbans it took me ages) and I just don't want to regret it.
All times are GMT -4.