Hacking

[tma]

Hey,

I was just wondering where the best place to ask about people hacking was ? I'm not talking about s0beit as that can be easily seen - but by spontaneous events happening in the server. Should I post about the problem here ?

Thanks

[norby89]

Moved your topic to 'General discussion' as it seems a more appropriate place.

Sure go ahead, other admins should be aware too of how to spot cheaters, what new methods they use and not to mistake simple glitches or bugs for hacking.

[tma]

Hey Norby, thanks for replying.

The hacker problem I am referring to is not (?) s0beit as mentioned - the issue is random events. This has taken the form of:

+ Random ped spawning

+ Random vehicle changes

+ Gravity changes

+ Screen shaking

I tracked this down initially to the fact that somehow, the admin resource on the server had been modified to include "extra" code. It had been amended to one of the admin resource LUA files. When I stopped this (removing the offending code), they then modified the meta.xml of the admin resource to include their own file. I do not know how they are modifying resource files, but I zipped up the admin resource to try and stop it. All seemed OK for a while, but yesterday it happened again (vehicle changing and camera shaking).

I've tried tracking this down in a number of ways including examining client commands to see if "dodgy" things are going on - this is how I initially found the exploited admin resource - they were issuing commands to the extra code they had added. However, since yesterday I haven't so far found any iffy commands (or altered resources) so I'm currently at a loss how this is happening still. Do you know how they might do this ? Do any resources have possible exploits ? I have tried stopping various resources, especially those with raised admin privileges but it seems to not help. I can post the code they added to the admin resource and an example of the commands they were running if that helps ?

I don't think we're running the latest version of the admin resource, but I have been through the one we have to remove all possible holes - mainly removing anything to do with the use of loadString().

[lil Toady]

Are you sure they could not gain admin access somehow? Or maybe some way to login onto your server ftp? Admin resource logs all the actions done with it, would probably be useful to check the server log file as well

[tma]

Yeah I thought at first someone might have admin/ftp access but the passwords were changed to combat this. I checked the server log file also, looking for anything to do with "ADMIN:" but only found the usual bans / muting etc.

I have seen this problem on another server also.

[tma]

Also, does this account:

<account name="Console" password="" />

need to exist ? It seems to be in by default (at least on my local PC) but is it needed for things to work correctly ? (We don't use the server console at all). Can that be exploited ?

[Callum]

Only the server console itself can login as that, if you delete it, it will just be re-created when you next run the server. And have you got a resource called "runcode" running? I don't think the newer ones allow non-admins to execute codes but the older ones did I think.

[Kayl]

On our server we also had a hacking problem but related to triggerServerEvent.

At some points, all people on the server were warped at the same point, or all would start the masturbating animation for instance.

The hacker didn't mention how he could do that but at least he told us it was his doing and what we should protect.

For us it had something to do with triggerServerEvent for client > server communication and to call serverside functions, either with our own events or using a mechanism similar to freeroam (metatable).

When doing that, we usually specify getLocalPlayer() as the "source" of the event we trigger.

And for some reason, the hacker is able to execute his own code (without runcode running) and triggers events putting one player at a time as the source.

The fix we had to implement everywhere is that we now check, on the serverside triggered functions that the source equals the "client", an other hidden argument that represents the player's client from which it really comes.

I would really like to know how the hacker is even able to do that, that pisses me off because now we fear implementing clientside features.

[tma]

Only the server console itself can login as that, if you delete it, it will just be re-created when you next run the server. And have you got a resource called "runcode" running? I don't think the newer ones allow non-admins to execute codes but the older ones did I think.

The runcode resource is not on the server.

[tma]

On our server we also had a hacking problem but related to triggerServerEvent.

At some points, all people on the server were warped at the same point, or all would start the masturbating animation for instance.

Yep, had that.

For us it had something to do with triggerServerEvent for client > server communication and to call serverside functions, either with our own events or using a mechanism similar to freeroam (metatable).

When doing that, we usually specify getLocalPlayer() as the "source" of the event we trigger.

And for some reason, the hacker is able to execute his own code (without runcode running) and triggers events putting one player at a time as the source.

The fix we had to implement everywhere is that we now check, on the serverside triggered functions that the source equals the "client", an other hidden argument that represents the player's client from which it really comes.

I would really like to know how the hacker is even able to do that, that pisses me off because now we fear implementing clientside features.

Wow, really ? Thanks for the info. So I guess any logged in player with priveliges can be "attacked" ? The hack triggers an event for them so extra permissions are granted to do stuff ? Do you have a "normal" set of resources running ? i.e. nothing special ?

I guess I will have to go through my code and change some stuff around ...

Edit:

Did you just edit your own resource to include this "client = source" check ? It's just that I'm not seeing how they run their own code. I mean, how does a hacker trigger an event for someone else to call what I assume is a custom-coded server event, that then does something it's not supposed to ?

Say I have a server event that the client triggers to update their FPS. How can they use that to then run anything they like ? I could see how that would be a problem with the admin resource but that isn't even running and we've still got the problem.

[Kayl]

As far as I know we only have regular resources and our custom made ones. Nothing fancy.

And me neither I don't understand how it's possible to run custom code from hack.

And you have to check all resources that use client > server events.

For example:

fr_client.lua, in warpTo:

server.warpMe(player)

which is, through the metatable, equivalent to (cf util.lua):

triggerServerEvent('onServerCall', g_Me, "warpMe", player)

with g_Me being the "source".

Now if, somehow, you are able to call, and that's what the hacker seem to be able to do:

local players = getElementByType("players")
for _,otherPlayer in ipairs(players) do
if otherPlayer ~= g_Me then
triggerServerEvent('onServerCall', otherPlayer , "warpMe", g_Me) 
end
end

Since fr_server works on "source" to warpto "targetPlayer" without checking that the "source" is actually only the client who called and not an the motherfucking hacker, it will warp all the players to the hacker.

In the case of freeroam only the addEventHandler('onServerCall', g_Root, needs to be patched.

However it would be good to:

- be also able to detect what the real resource triggering the event was (if the hacker does it through a custom resource somehow), but it doesn't work http://bugs.mtasa.com/view.php?id=4322

- find out what the real source of this problem is (custom code hack)

[tma]

Eesh, I have a lot of custom events. I take it putting something like:

if not (client and source and (client == source)) then
	cancelEvent()
	return
end

at the start of each of your custom events would work ? Maybe a more generic system like in the freeroam example you gave would be a better idea.

I still can't think of how custom code is done though. Yes, I can see them faking an event for someone else, but the stuff like ped spawning ?

Thanks again for the info, Kayl.

[Mr.Hankey]

The vehicle change issue seems to be caused by a similar problem within the race resource. So again a client==source check should be enough.

I guess this hacker found a way to connect to normal servers with a custom compiled client which then obviously offers a way to run client-side lua scripts at his liking.

[Jumba']

What is client actually, that's the getLocalPlayer() function or what?

[Callum]

Yes, client is the client-side version of source.

[dzek (varez)]

well, the biggest problem of open source is that anybody can modify it. i had the guy who disabled data file checking on client side in 1.0.3 (as i wrote a script that was dont allowing some players to connect until upgrade to 1.0.3, becouse they dont want to remove their handling mods) and changed his serial etc..

[Dark Dragon]

you cannot connect to regular servers with a self compiled version

[Mr.Hankey]

Apparently somone found a way to make it possible.

[dzek (varez)]

DarkDragon, how its protected? it MUST be possible in some way (and probably not too hard) - everything is crackable. remember times when steam was created?

[[DKR]silverfang]

you cannot connect to regular servers with a self compiled version

Apparently somone found a way to make it possible.

Yes, this is what the 'hacker' claimed to have done, to begin with, he said that he was doing it a different way when we called him up on it, he openly admitted that it was he that was doing it, and he seemed to get some kind of joy out of the fact that he was the only one who knew how to do it.

He also claimed to have some form of serial generator, and we did ban him a few times (more than enough to hint that it wasn't a different comp each time)

For a while this guy was a nuisance to us, but he then told us how to fix the resources with holes, freeroam and admin being the 2 biggest offenders, he even gave everyone one the server admin rights, so we had to stop the resource.

[karlis]

you cannot connect to regular servers with a self compiled version

Apparently somone found a way to make it possible.

Yes, this is what the 'hacker' claimed to have done, to begin with, he said that he was doing it a different way when we called him up on it, he openly admitted that it was he that was doing it, and he seemed to get some kind of joy out of the fact that he was the only one who knew how to do it.

He also claimed to have some form of serial generator, and we did ban him a few times (more than enough to hint that it wasn't a different comp each time)

For a while this guy was a nuisance to us, but he then told us how to fix the resources with holes, freeroam and admin being the 2 biggest offenders, he even gave everyone one the server admin rights, so we had to stop the resource.

here goes explanation of players geting admin back in secs