Fake Gyazo link banning people explanation (Not a serious exploit!)

This “exploit” was originally posted in this thread:
http://forum.facepunch.com/showthread.php?t=1348526
And I know why it happens. Except I can’t post there anymore since it was locked. I already asked postal if he could unlock it and he suggested I make a thread instead so here I am.

My home server was hit by the same link a couple months ago, the owner and I did a little snooping with NoScript and Javascript disabled. Inspecting the page source, there are 5 well hidden Javascript panels embedded in the webpage that open a connection to the target server by IP. Source bans the IP for a couple of minutes for repeated failed RCON access attempts, resulting in users currently connected to that server getting banned on a Source level, since it bans after 5+ attempts in rapid succession.

You could replicate the exact same thing by opening a webpage in your browser and putting the IP of a server in the url bar, and pressing refresh a bunch of times.

So there’s no real threat involved. In fact, the webpage owner has to edit the page to target a specific server in the first place.
So if you were to click that link, your IP would be added to the banlist of whoever’s server it was currently set to target at that time.

Remember, a real Gyazo link ends with .com, not .org. Always check the validity of a url some random guy sends you.

The link was taken down. Just always check for the url suffix and you’ll be fine. It’d be nice to know how it works though.

Oh, I didn’t notice that.

Well the link looked like a legit Gyazo link to an image, and the page also looked legit, but the link went Gyazo.org/blfsjhf rather than Gyazo.com/gjdfwsf in case anyone wanted to know what it looked like. Roughly.

This exploit has existed for years in Source and just triggers its natural defenses - i.e. attempt to connect on the RCon port without a valid password and it’ll ban you from that server for the current session.

Here is how it’s constructed:

A web part which contains a JavaScript exploit: I guess it’s forcing you to do some shit
(So it doesn’t work in the Steam overlay browser)

The second part has to have the SteamID (of your victim) and the server IP where your victim is.

EDIT: Whoops, I mixed it up with the exploit to VAC-ban you

Well,

Upload an SWF file to puush

The link will be something like that : http://puu.sh/qsdfsdflsfopsh.swf

Rename the extension: http://puu.sh/qsdfsdflsfopsh.png

Example : http://puu.sh/6luzY.png (Don’t Worry it’s safe)

And it will still work. In the SWF file you can place code like this one to open an internet page (here the SWF is unrelated, it’s just an example)

Except the url didn’t end in anything. You’re confusing file extensions with domain extensions.

A normal, legit Gyazo link looks like this:

A false one would look the same, only ending in “.org” rather than “.com”, and a random string of numbers/letters.

I was saying that you can hide any “bad” file with another extension on the official puush website, so they cannot be like (before clicking on the link): “Nope, I know it’s not the official website”

The way it works is by creating a bunch of iframes with the server IP set as the source, then the user that clicks the link will send TCP traffic to the server IP, which will then cause the server to ban the user’s IP for false RCON attempts. This exploit has been around forever.

If you want to protect your server against it, simply set up your firewall to only allow TCP traffic to your server ports if the source IP is equal to the IP you’re going to be sending RCON commands from (for example your home connection or web server).

EDIT (15th January 2014):

Or disable RCON altogether if you’re not using it

I love this being brought up again. Good times banning annoying people from my server.

Or rate limit them, it’s what we did since my IP is dynamic.

How do you get unbanned? Some guy came in our server and told us it was an ss of someone rdming. I clicked it got banned. How do I get unbanned?

Just reboot the server, should fix it.

Actually it’s been posted a few times, think I might have even had a thread about it a year or 2 ago. Old exploit sadly. It doesn’t ban all connected players, just the IP of the guy who clicked the link. There is also a page that lets people dynamically change the target IP with a simple POST var. The annoying thing about this is that as soon as one idiot finds out how it works he can use the same page to do it to anyone/server without having access to the files.

It should also only be a temp IP ban, 15 minutes or so. Not sure on the timescale but I think it was 5 or 15 by default.

If you need rcon for something then you can normally get around this method working by relaxing the brute force cvars a bit. I wouldn't advise this method but we do have a nice long rcon password so it doesn't affect us much. (Plus the firewall rules catch it most of the time).

rcon_password                        Set rcon password. Leave blank to disable rcon
sv_rcon_banpenalty <mins>            Number of minutes to ban users who fail rcon authentication. Default: 0
sv_rcon_maxfailures <0-20>           Max number of times a user can fail rcon authentication before being banned. Default: 10
sv_rcon_minfailures <0-20>           Number of times a user can fail rcon authentication in sv_rcon_minfailuretime before being banned. Default: 5
sv_rcon_minfailuretime <1-seconds>   Number of seconds to track failed rcon authentications. Default: 30

According to this page the ban penalty is set to perm by default, but I’m fairly sure that’s not true as I’ve often banned myself when hitting a fail key binding etc.
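As an added illustration (not code from the thread or from Valve), this Python script replays the sv_rcon_minfailures / sv_rcon_minfailuretime / sv_rcon_maxfailures thresholds listed above over constructed server log lines, so an admin can see which IP the iframe burst from a clicked link would get banned and check whether "relaxed" cvar values still catch it. The log line format and the IP addresses are assumed, not taken from the thread.

```python
import re
from collections import defaultdict, deque

# Constructed sample log lines in Source-engine log style (format assumed).
# 203.0.113.7 is the victim who clicked the link: the hidden iframes fire
# five connections within seconds. 198.51.100.9 is an admin occasionally
# mistyping the password, spread out over twenty minutes.
SAMPLE_LOG = """\
L 01/15/2014 - 12:00:01: rcon from "203.0.113.7:51000": Bad Password
L 01/15/2014 - 12:00:01: rcon from "203.0.113.7:51001": Bad Password
L 01/15/2014 - 12:00:02: rcon from "203.0.113.7:51002": Bad Password
L 01/15/2014 - 12:00:02: rcon from "203.0.113.7:51003": Bad Password
L 01/15/2014 - 12:00:03: rcon from "203.0.113.7:51004": Bad Password
L 01/15/2014 - 12:01:00: rcon from "198.51.100.9:40000": Bad Password
L 01/15/2014 - 12:10:00: rcon from "198.51.100.9:40001": Bad Password
L 01/15/2014 - 12:20:00: rcon from "198.51.100.9:40002": Bad Password
"""

LINE_RE = re.compile(
    r'^L \d\d/\d\d/\d{4} - (\d\d):(\d\d):(\d\d): '
    r'rcon from "([\d.]+):\d+": Bad Password$'
)


def replay_rcon_failures(log_text, minfailures=5, minfailuretime=30, maxfailures=10):
    """Replay failed RCON logins against the sv_rcon_* thresholds.

    Returns {ip: log line number of the failure that triggers the ban}. An IP
    is banned once it reaches `minfailures` inside a `minfailuretime`-second
    window, or `maxfailures` in total. Ban length (sv_rcon_banpenalty) is not
    modelled; timestamps are taken as seconds within one day.
    """
    window = defaultdict(deque)  # ip -> recent failure times still in the window
    total = defaultdict(int)     # ip -> all-time failure count
    banned = {}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        h, mi, s, ip = m.groups()
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        if ip in banned:
            continue  # a banned IP's further attempts are dropped by the server
        total[ip] += 1
        q = window[ip]
        q.append(t)
        while q and t - q[0] > minfailuretime:
            q.popleft()  # forget failures older than the tracking window
        if len(q) >= minfailures or total[ip] >= maxfailures:
            banned[ip] = lineno
    return banned
```

With the defaults only the burst from the clicked link trips the ban; widening the window and lowering sv_rcon_minfailures, as the "relaxing the cvars" post warns against in the other direction, also catches the slow admin typos.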