• How are people figuring out my server's rcon password?
My friend just set up a dedicated server and somehow a guy went and accessed the server and set himself up as admin. Yes, my friend has set up an RCON password; it is not the default one, nor is it 12345 or something silly like that. I heard stories that Wiremod has something called Expression 2 and that may be how they went and did it. Someone theorized that they used Advanced Duplicator + Wiremod to do it, but honestly I'm lost. Has anyone ever encountered this? If so, how did you go about fixing it? My friend also theorized that it might be something related to HLSW Admin Tools, but the crux of the problem is: how did they get the password in the first place? Thank you
Is the rcon password in your server.cfg? If so, remove it. That's a pretty old method though, so I'm not sure. You might also have a backdoored addon.
The password IS on the server.cfg but how is it possible to acquire the password through something like that?
You probably have a backdoored addon, I suggest you pick out any suspicious looking addons and search their .lua files for 'file.Read'
There are exploits that allow a remote user to download your server.cfg and then they have your password in plaintext. Rather than try to find and close every single possible exploit that could open your server.cfg to public viewing, take the password out and put it in the server launch command where remote users can't see it.
These should all have been fixed for quite a while; the most common are backdoored addons.
I was counting backdoor addons in the list of exploits that OP would need to worry about, although they're obviously a different category than (old, fixed) engine exploits. I certainly wouldn't stop at just taking the password out of server.cfg, but it'd be the first thing, hunt for backdoors second.
https://steamcommunity.com/sharedfiles/filedetails/?id=1469929859
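An added example, not part of any reply in this thread: a small Python audit that applies the two checks suggested above, namely whether `cfg/server.cfg` still sets `rcon_password`, and which addon `.lua` files call `file.Read`. It assumes the path given is the server's `garrysmod` directory with `cfg/` and `addons/` beneath it; the function names and the sample tree are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# A cfg line that sets a non-empty rcon_password, and the Lua call the
# replies suggest searching for.
RCON_LINE = re.compile(r'^\s*"?rcon_password"?\s+"?([^"\s]+)', re.I | re.M)
FILE_READ = re.compile(r'\bfile\s*\.\s*Read\s*\(')
CFG_HINT = re.compile(r'server\.cfg|rcon_password', re.I)

def rcon_in_cfg(root):
    """True if cfg/server.cfg under root sets a non-empty rcon_password."""
    cfg = Path(root) / "cfg" / "server.cfg"
    if not cfg.is_file():
        return False
    text = re.sub(r'//.*', '', cfg.read_text(errors="replace"))  # drop comments
    return bool(RCON_LINE.search(text))

def scan_addons(root):
    """Return (relative_path, line_no, severity, line) for each file.Read call."""
    hits = []
    for lua in sorted((Path(root) / "addons").rglob("*.lua")):
        text = lua.read_text(errors="replace")
        # A file that also mentions server.cfg or rcon_password goes first in review.
        sev = "high" if CFG_HINT.search(text) else "review"
        for no, line in enumerate(text.splitlines(), 1):
            if FILE_READ.search(line):
                hits.append((lua.relative_to(root).as_posix(), no, sev, line.strip()))
    return hits

def build_sample_tree(root):
    """Constructed sample install (not from the thread) so the audit runs offline."""
    root = Path(root)
    (root / "cfg").mkdir(parents=True)
    (root / "cfg" / "server.cfg").write_text('hostname "test"\nrcon_password "hunter2"\n')
    bad = root / "addons" / "cool_hud" / "lua" / "autorun"
    ok = root / "addons" / "notes" / "lua"
    bad.mkdir(parents=True)
    ok.mkdir(parents=True)
    (bad / "init.lua").write_text('local c = file.Read("cfg/server.cfg", "GAME")\n')
    (ok / "notes.lua").write_text('local n = file.Read("notes.txt", "DATA")\n')
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        root = build_sample_tree(d)
        if rcon_in_cfg(root):
            print("server.cfg sets rcon_password: move it to the launch command")
        for path, no, sev, line in scan_addons(root):
            print(f"[{sev}] {path}:{no}: {line}")
```

Plenty of legitimate addons call `file.Read`, so a hit is a pointer for manual review rather than proof of a backdoor.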