Rcon Stealer help


(aiajason) #1

I am trying to help a guy, who has people that are using a program called rcon stealer. They are really doing bad stuff to his servers, and us server techs are trying to fix this problem. I see there is a linux fix… but I can’t seem to find a windows fix…

I am looking for anyone who knows how to stop this from happening, or how to fix it… The server owner even disabled rcon password, and this program created a new password…

PLEASE HELP ASAP!!!


(kamikazee) #2

Before we can help, we need to know what version you are running.


(aiajason) #3

He is running 2.55 and he runs jaymod/nq/etpub all mods were being hacked…
I think this could become a huge issue for all us server owners… We need something to protect our servers.


(Berzerkr) #4

Update the servers to 2.60b


(Cambodunum) #5

got the same problem on tuesday … so evidence has been collected and passed on to lawyer and police … (i know who’s it) xD …

iirc there is a callvote-exploit at jaymod/etpub (etpub fixed it for the latest nightly)
… what about etadmin-mod … ive heard about a weird exploit there too

greetz Cam


(aiajason) #6

Are you sure that updating it to 2.60b is the answer? He doesn’t want to update it…

I suggested to him to change rcon pass, update server to 2.60b and move IPS

but got a No on all the above. I myself use 2.60b and jaymod (nightly build) and nq 1.2.3

never had these issues… I will keep looking into this. If anyone else knows anything to help let me know, and I will do the same. -Jason Coombs


(Berzerkr) #7

If he doesn’t want to update the server, I would say, he has to live with it.


(kamikazee) #8

There is simply a bug in W:ET which allows this kind of thing. See the 2.60b readme; it fixes exploits which allow one to run code on the server and another one which allows one to download any file from the server.


(aiajason) #9

thank you guys for ur help. I will be seeing what I can do to get this resolved. I agree that he should update… What’s the point of using old stuff when there is newer and better things out there…?? heh


(Berzerkr) #10

The point is, that serveradmins are afraid to lose players on their server after an update.

The broad mass of players is happy if they can connect to a server after they installed the game, but I say if they can’t connect they are searching for themselves if an update for the game is available.
Too bad that ET doesn’t have an auto-update function like QW which forces players and serveradmins to update the game.


(Pande) #11

What about SD allowing a release of a new ET package that has all the current patches released for it? I know I almost trashed the game when I downloaded it because the first thing I got was an error, and when I got my friend at school to download he actually DID trash it because he couldn’t get it working first try either. I think it would vastly improve the download rates of the game and the life it has, and it shouldn’t take more than an hour’s work and a legal ‘Ya go ahead’ on SD’s part.


(Nail) #12

most resource sites have a full 2.06b installer


(huPoo) #13

I happen to know the dude who made that rcon stealer hack in the first place. The hack itself uses some older than time callvote bug which isn’t fixed even in 2.60b. Thank god he stopped distributing the hack. Anyway, here’s some way how to fix this: http://www.crossfire.nu/?x=news&mode=item&id=4349

Hopefully people will be arsed enough to fix their servers (and update to 2.60b too same time).


(twt_thunder) #14

great if this works hypoo, never had this problem… only thing i’ve seen is when i kicked the omnibots some player was kicked too…guess it was aimbots…because when you use the bot kickbot command it should only kick bots and no players…


(turkishteamsilas) #15

turn off vote nextmap and votemap/ rcon stealer not work byeee

set vote_allow_map "0"
set g_allowVote "0"


(Blowfish) #16

I had this problem on my servers too, last week. RCON kept being hacked on 3 servers, changed the rcon pass 2 times, still got hacked, disabled voting, still got hacked. Took me too much time, so I just disabled RCON. Now I use SSH on a non default port on my debian dedi and the local console for rcon stuff. Not the most easy thing, but safe.


(Cambodunum) #17

same problem here … since yesterday
but he done a big mistake … ive got his IP


(kamikazee) #18

[QUOTE=Blowfish;188291]I had this problem on my servers too, last week. RCON kept being hacked on 3 servers, changed the rcon pass 2 times, still got hacked, disabled voting, still got hacked. Took me too much time, so I just disabled RCON. Now I use SSH on a non default port on my debian dedi and the local console for rcon stuff. Not the most easy thing, but safe.[/QUOTE]

I’m not entirely sure but I think the hacker could enable re-rcon should he want to. It could be that he uses a tool for script kiddies, in that case it might take him a little longer.


(Blowfish) #19

RCON is still off, but I can see he is still connecting from :

88-196-44-229-dsl.noe.estpak.ee

With a !userlist -ip 88.196.44.229 I see a playername " M3rc’ "

And messing up our servers, setting all to highest levels, renaming to same names etc.

Maybe install firewall and block IP ?

And voting is already off :

set g_allowVote "0"
set vote_limit "0"
set vote_percent "75"
set vote_allow_generic "0"
set vote_allow_comp "0"
set vote_allow_gametype "0"
set vote_allow_kick "0"
set vote_allow_map "0"
set vote_allow_matchreset "0"
set vote_allow_matchrestart "0"
set vote_allow_mutespecs "0"
set vote_allow_nextmap "0"
set vote_allow_pub "0"
set vote_allow_referee "0"
set vote_allow_shuffleteamsxp "0"
set vote_allow_swapteams "0"
set vote_allow_friendlyfire "0"
set vote_allow_timelimit "0"
set vote_allow_warmupdamage "0"
set vote_allow_antilag "0"
set vote_allow_balancedteams "0"
set vote_allow_muting "0"
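
Added example, not part of any post in this thread: a Python check that a server config file really carries the vote settings listed in #19, including the case where a later line switches a vote back on. The function names, the accepted `set`/`seta`/`sets`/`setu` line forms and the sample config are assumptions made for this example.

```python
import re

# Cvar names copied from the settings posted in #19; each is expected to be "0".
REQUIRED_ZERO = ["g_allowVote", "vote_limit"] + ["vote_allow_" + s for s in (
    "generic comp gametype kick map matchreset matchrestart mutespecs nextmap "
    "pub referee shuffleteamsxp swapteams friendlyfire timelimit warmupdamage "
    "antilag balancedteams muting").split()]

# Assumed line forms: set / seta / sets / setu <name> <value>
SET_LINE = re.compile(r"^\s*set[asu]?\s+(\S+)\s+(.*)$", re.IGNORECASE)
CURLY = "\u201c\u201d"  # typographic quotes, as left by copying from a web page

def parse_cfg(text):
    """Return ({lowercased cvar: value}, warnings); a later line overrides an earlier one."""
    values, warnings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.split("//", 1)[0]  # drop // comments (vote values never contain //)
        m = SET_LINE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if any(c in raw for c in CURLY):
            warnings.append(f"line {n}: typographic quotes around the value of {name}")
        values[name.lower()] = raw.strip('"' + CURLY).strip()
    return values, warnings

def audit(text):
    """Return findings: quote warnings, then cvars that are missing or not "0"."""
    values, findings = parse_cfg(text)
    names = {c.lower(): c for c in REQUIRED_ZERO}
    for key in values:  # also cover vote_allow_* cvars a mod adds beyond the list
        if key.startswith("vote_allow_"):
            names.setdefault(key, key)
    for key, shown in sorted(names.items()):
        if key not in values:
            findings.append(f"{shown}: not set in this file")
        elif values[key] != "0":
            findings.append(f"{shown}: is {values[key]!r}, expected '0'")
    return findings

if __name__ == "__main__":
    # Constructed sample: voting switched off, then one vote re-enabled further down.
    sample = 'set g_allowVote "0"\nset vote_allow_kick "0"\nset vote_allow_kick "1"\n'
    for finding in audit(sample):
        print(finding)
```

A clean result only shows that the file matches the list in #19; it says nothing about settings changed on the running server after the config was loaded.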


(Pegazus) #20

88-196-44-229-dsl.noe.estpak.ee

He is from estonia, that’s for sure. Can’t imagine why people would do this.