Already contacted the provider. Just hope it's not a bot that he uses…
Rcon Stealer help
Ok, found em. They used the callvote bug and still knew the ref pass from last time they hacked. With this they could enable rcon again. I now have all voting disabled and rcon back on.
I've solved my problem with an IP-Mask-Ban via Punkbuster … so the guy tried it 2 times to get back on servers … then he gave up for now … hopefully he won't come back … votings also disabled at my servers … I'm afraid there are some new exploits at etadmin-mod … cuz he got the rcon-pass
I have the same problem. This Estonian is destroying my server. Please tell me what I have to do. I already have switched off voting on maps. Please help me.
set g_allowVote "0"
set vote_limit "5"
set vote_percent "60"
set vote_allow_comp "0"
set vote_allow_gametype "0"
set vote_allow_kick "0"
set vote_allow_map "0"
set vote_allow_matchreset "0"
set vote_allow_mutespecs "0"
set vote_allow_nextmap "0"
set vote_allow_pub "0"
set vote_allow_referee "0"
set vote_allow_shuffleteams "0"
set vote_allow_swapteams "0"
set vote_allow_friendlyfire "0"
set vote_allow_timelimit "0"
set vote_allow_warmupdamage "0"
set vote_allow_antilag "0"
set vote_allow_balancedteams "0"
set vote_allow_muting "0"
I would try to ban him via Punkbuster like Cambo said. I think his IP is something like this here: 88.196.44.???
So I would go this way:
Add this: PB_SV_BanMask "88.196.44" to your punkbuster.cfg and restart Punkbuster: pb_sv_restart via rcon. I think that should work.
if this is his real ip why not make him bring to the lawyer (dunno how to say that in english)
sry, i might have said sth totally noobish, thats caus i dont know much about those things.
court
(or if must to name person, judge?) or no, police because criminal case not civil 1
Damn, my clan server got rcon hacked too…I ****ing hate it…I hope its the same est guy admin can ban him…god damn i hate this hacking shit…destroying the gaming world and servers…****ing childish…:stroggtapir:
Well I am desperately disappointed to say that one of my clan has been caught using this rcon hack and is now banned.
Although he wasn’t trying to do anything malicious, he was trying to get his admin level back after a reinstall and didn’t want to bother me with it.
For your information it was PBBans that caught him, this program is well worth installing on your server.
Now the guy who has been caught cannot play on any server running PBBans.
A great tool in the fight against hackers.
(He isn’t Estonian though)
(Now the guy who has been caught cannot play on any server running PBBans)
thats not 100% true (if he is a real noob = yes) … there are several options to get back on … but i wont explain it here … ive got five attacks last month … wanna kick someones *** now … running pbbans since 2 years … its just a pimped punkbuster-protection
… but more protection than default-punkbuster itself
greetz
Cambo
I wouldn’t expect any program to be 100% secure against a determined hacker.
We aren’t talking about NORAD here !
Had another noob hacking my panzer server. His IP address is 78.151.77.218. Better check your databases. Couldn't find this IP on my other servers… but will start hunting tomorrow!!
For jaymod servers do : !userlist -ip 78.151.77.218
How can I completely disable rcon? He is still destroying my server and I do not have the new necessary PB_SV_BanMask.
He always has different IP from different internet provider (IP masks do not help). Please say what I have to do. I do not want to close my server.
I need quick solution, please help me! 
There is a security bug in enemy-territory that lets a client download server files if he knows the file name. Example: server.cfg. Most game server admins store ref, and rconpassword in a file called server.cfg for execution. Many admins use a file like shrubbot.cfg to set levels which also stores guids, or similar files depending on the mod. There really is no need to update to 2.60b if you are using 2.55, or 2.56. All current security bugs can be fixed by the mod or 3rd party programs. The admin himself can fix some problems. Let's take the client D/L server files bug 1st.
Make your server secure.
They are D/L your server.cfg. So they own the server with the rconpassword. You need to change the name of your server.cfg. Example: cheatersSuck.cfg. Then get your host to change the command at start up to exec cheatersSuck.cfg. You need to change the name of your shrubbot.cfg. They can download that, and see the levels and admins' guids, game names. Example: w1rfg2.cfg. Be sure and change the path to the new shrubbot (w1rfg2.cfg) name in the cheatersSuck.cfg.
After making them secure, I left my server.cfg and shrubbot.cfg on the server. Dummies, or bait and switch if you will. Plus it's nice to leave them love notes if they download the server.cfg. Make sure you change the name of any .cfg that has sensitive information, including etadmin_mod, which may also mean changing another file that starts the .cfg.
Example: the etadmin_mod.sh
You need to make sure that all .cfgs that exec other cfgs are secure.
Any GSP, or game server host could do this rather quickly for you. (Changing the command line) If they wont, find another host.
Now let's talk about other currently used security bugs in the quake 3 engine or enemy-territory. The most secure mod of course is etpro, with its combinedfix.lua. But alas you may be just another empty etpro server, until you have a challenge for a scrim. So saying update to 2.60b would be like saying update to etpro. If I choose to have a 2.55 etpub server and a 2.60b etpro server, I see nothing wrong with it. Please don't give me this "you're destroying the community by not updating to 2.60b". My community introduces players to 2.60b etpro. Whoops, off subject rant.
Other bugs. Current known bugs.
Quake 3 Download Exploit - Versions vulnerable: 2.55, 2.56, 2.60
The Exploit
A bug in the Q3 engine allows a malicious player to download any file from the server, providing they know the file name. As an example, the malicious player will attempt to download ‘server.cfg’, which contains your RCON and referee passwords. These can then be used to take full control over your server.
We already discussed this.
Quake 3 Engine ‘Oversize Infostring’ exploit - Versions vulnerable: 2.55, 2.56, 2.60
The Exploit
A malicious player can shut down or crash a game server, as the Q3 engine has problems handling large queries. If your server is attacked via this method, the following will be present in your console log file:
ERROR: Info_SetValueForKey: oversize infostring
callvote Exploit - Versions vulnerable: 2.55, 2.56, 2.60, 2.60b
The Exploit
The exploit allows a malicious user to execute any command via the /callvote command. Including rcon commands :0
Fake Players DOS Attack - Versions vulnerable: 2.55, 2.56, 2.60, 2.60b
The Exploit
A malicious player can fill a server with ‘fake’ players. This prevents ‘real’ players from being able to join. Filling up all available slots. Oh NOOO
Now there are many ways to fix these bugs. But this post seems to be getting longer by the second. Here is what I recommend.
The QMM bugfixes (for Enemy Territory) provides some additional bugfixes which may already be supported by the mod you run. Please note that QMM itself also contains an infostring bugfix which is not included by this bugfix.
The 4 bugfixes/features supported by this plugin are:
(by default all the bugfixes are enabled)
- /ws Crash Protection
This bugfix is enabled when the cvar bf_ws is set to 1 (default). To disable this fix simply set bf_ws to 0.
- GUID Faking (userinfo)
This bugfix prevents users from changing their GUID after they have joined the server. This is required for console mods such as etadmin_mod and etphp. This bugfix is enabled when bf_guid is set to 1. To disable this bugfix set bf_guid to 0 (default). This bug has been known to cause some problems with omnibots as they use fake GUIDs.
- Team Changes Spam Protection
This bugfix allows the server to restrict how many team changes a player can make within 10 seconds. By default bf_teamchanges is set to 3 (3 team changes per 10 seconds). You can change this value to any integer to allow more/less team changes per 10 seconds. To disable this feature set bf_teamchanges to 0.
- Callvote Exploit
This bugfix prevents clients from injecting additional rcon commands through the callvote command. This bugfix is enabled when bf_callvote is set to 1 (default). To disable this feature set bf_callvote 0.
- Max Connections per IP (q3fill protection)
When the bf_maxcon cvar is set to any value above 0, then when more connections are made from the same IP address than the value, they will be rejected and the connection will be closed. By default the connection limit is set to 2. To disable this feature set bf_maxcon 0. This feature allows protection against the q3fill exploit which floods your server with fake players.
Documentation for version 1.0.4
Plugin By Evgeny Yakimov (eyjohn)
Edit by EvilJohn removed link in the readme to a GSP. did not seem appropriate.
Please note #2 if you use bots. You may have some problems. Bots being removed, server crashing. Don’t ask me for help I despise bots.
The D/L link: http://www.ycn-hosting.com/downloads/bugfixes/ This link is for 1.0.03 or 1.0.4. I recommend that the avg admin get their GSP or game server host to install this for them. Put in a ticket. If they will not do it, get another host.
Newest bug. No fix for this. Your guid can be replicated. Your etkey used by someone else. Then your game name copied also. Only thing that distinguishes you is your IP. Though this has been used. I don’t think it has been released to the general hacking public. Is evenbalance willing to fix this in a free game? This remains to be seen.
Good luck in protecting your servers.
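An added example, not part of the original post or of any mod's own code: a small audit that starts at the cfg named on the server's command line, follows every exec, and reports passwords or admin files still sitting under the default names the post warns about. The cvar names refereepassword and g_shrubbot, the file maps.cfg and the password value are assumptions made for this sample.

```python
import re
import tempfile
from pathlib import Path

SECRET_CVARS = {"rconpassword", "refereepassword"}  # assumed cvar spellings
FILE_CVARS = {"g_shrubbot"}                 # assumed cvar naming the admin-levels file
GUESSABLE = {"server.cfg", "shrubbot.cfg"}  # default names mentioned in the post
LINE_RE = re.compile(r'^\s*(?:set[asu]?\s+)?(\w+)\s+"?([^"]*?)"?\s*$', re.I)

def audit(root, startup):
    """Walk the exec chain from `startup`; return {file: [reasons]} for risky files."""
    root, findings, seen, queue = Path(root), {}, set(), [startup]
    while queue:
        name = queue.pop()
        path = root / name
        if name.lower() in seen or not path.is_file():
            continue
        seen.add(name.lower())
        holds_secret = False
        for raw in path.read_text(errors="replace").splitlines():
            m = LINE_RE.match(raw.split("//")[0])  # drop trailing // comments
            if not m:
                continue
            key, value = m.group(1).lower(), m.group(2).strip()
            if key == "exec" and value:
                queue.append(value)            # follow cfgs that exec other cfgs
            elif key in FILE_CVARS and value.lower() in GUESSABLE:
                findings.setdefault(value, []).append("admin/GUID file under default name")
            elif key in SECRET_CVARS and value:
                holds_secret = True
        if holds_secret and name.lower() in GUESSABLE:
            findings.setdefault(name, []).append("password stored under default name")
    return findings

def demo():
    """Constructed sample: default layout, then the renamed layout with a decoy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "server.cfg").write_text(
            'set rconpassword "example-only" // constructed value\n'
            'set g_shrubbot "shrubbot.cfg"\nexec maps.cfg\n')
        (root / "maps.cfg").write_text('set g_gametype "2"\n')
        before = audit(root, "server.cfg")
        (root / "cheatersSuck.cfg").write_text(
            'set rconpassword "example-only"\nset g_shrubbot "w1rfg2.cfg"\n')
        (root / "server.cfg").write_text("// decoy left behind, no real values\n")
        return before, audit(root, "cheatersSuck.cfg")

if __name__ == "__main__":
    print(demo())
```

The decoy server.cfg is not flagged in the second run because nothing in the startup chain executes it any more.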
The best way to solve this if you have an NQ server (don't know how it works exactly with the other mods):
just make the commands available in your shrubbot.cfg so you can just leave the Rcon and Ref off. You won't need them anymore.
Here is an example (where lvl 30 is the operator):
[command]
command = playsound
exec = playsound [1]
desc = playsound like in Rcon
levels = 30
[command]
command = timelimit
exec = timelimit [1] ;qsay ^5timelimit on map is set to [1] minutes!;playsound sound\misc\referee.wav
desc = set timelimit
levels = 30
[command]
command = pbbanclear
exec = pb_sv_banempty; qsay ^7PB ban list (in memory) has been emptied.
desc = Cleans temp pb ban list. PB temp banned players can re-connect immediately.
levels = 30
[command]
command = floodprotect
exec = set sv_floodProtect [1]; qsay done =)
desc = please set to 1 and leave at 1 unless you know what you are doing!!!!!
levels = 30
[command]
command = startnq
exec = exec noquarter.cfg; qsay ^1noquarter started ;playsound sound\misc\referee.wav
desc = start noquarter
levels = 29 30
[command]
command = restartserver
exec = exec server.cfg; qsay ^1restarting server
desc = execute server.cfg
levels = 30
[command]
command = mines
exec = set team_maxLandmines [1]; say ^9 the number of mines for each team has set to ^7[1] ;playsound sound\misc\referee.wav
desc = Set number of mines for every team (30-40 is normal. max = 1000)
levels = 30
[command]
command = custommaps
exec = exec maprotation.cfg
desc = Loads the maprotation.cfg file. custom maps
levels = 30
[command]
command = normalmaps
exec = exec campaigncycle.cfg
desc = Loads the standaard map campaigns.
levels = 30
[command]
command = gravity
exec = g_gravity [1]; say ^9Gravity is set to [1]! (800 is normal) ;playsound sound\misc\referee.wav
desc = Allows admins to change the gravity to a number. 800 is normal.
levels = 30
These are just a few examples, but you can make whatever you want this way.
They are still able to download your server.cfg but they can't do anything with it, so who cares.