.:HyPeX:. (author), posted October 27, 2013:
Hello guys, can someone explain this for me? I've carefully looked through the logs of this month up to today, and yesterday a random player (never joined before) joins, logs in as Console and starts doing damage until the server is noticed and taken down by the owner. Here is where quark logs in and starts: http://pastebin.com/7pADgWYE. If you want the whole month's log to search deeper, here you have it (sorry, not putting it on Pastebin, it's way TOO big): http://www.mediafire.com/download/ll6s72zehc53f8z/server+%2816%29.log. Now, how did they actually get the console account? I need to know HOW they did it.
glowdemon1, posted October 27, 2013:
Did you put anything in the server that wasn't made by you?
.:HyPeX:. (author), posted October 27, 2013:
No, all the scripts inside were mostly made by us, and the ones that weren't, we roughly checked over. Since yesterday we've been searching all over the scripts and stuff looking for the breach.
.:HyPeX:. (author), posted October 27, 2013:
We got this information on our attackers:
Quark: IP 84.169.215.125 (decimal 1420416893), hostname p54a9d77d.dip0.t-ipconnect.de, ISP/organization Deutsche Telekom AG, services none detected, type broadband, assignment static IP. Geolocation: Germany, Bayern, Fürth, latitude 49.4667 (49° 28′ 0.12″ N), longitude 10.9667 (10° 58′ 0.12″ E).
PEG-ProGamer: IP 93.215.52.30 (decimal 1574384670), hostname p5dd7341e.dip0.t-ipconnect.de, ISP/organization Deutsche Telekom AG, services none detected, type broadband, assignment static IP. Geolocation: Germany, Bayern, Zirndorf, latitude 49.45 (49° 26′ 60.00″ N), longitude 10.95 (10° 56′ 60.00″ E).
BieHDC, posted October 30, 2013:
How is the password for Console created? It's an account, so it has a password, and I think this guy knows how to get the password!
Castillo, posted October 30, 2013:
I doubt it has a password; from what I see in the accounts database, the console password is blank.
BieHDC, posted October 30, 2013:
I was looking through your log and this guy logged in as "Console." and not "Console". Look in your ACL to see if there is such a 2nd account. Maybe this guy is an ex-admin, or hacked another admin? OR a stupid guy has given the Console a password with setAccountPassword?
.:HyPeX:. (author), posted October 30, 2013:
No, there was no Console. account at all in the ACL, and he somehow had powers. We still haven't found how this happened, but we started to doubt Vortex's security (hosting), since we had everything running smoothly and no one did anything. (Only 3 people in the server had powers to do anything at all, and none of them knows shit about ACL stuff.) To fix this, I had to do this (you guys should do this too, just in case):
register console. [pass]
register Console. [pass]
register Console [pass]
register Console. [pass]
chgpass console. [pass]
chgpass Console. [pass]
chgpass Console [pass]
chgpass console [pass]
On the other hand, we got our full attacker list:
BieHDC, posted October 30, 2013:
Is the resource "runcode" running? And I still think he owned an admin account and then created his "Console" account. I hope you chose a very long password (min 32 chars, I would say), but the best would be cleaning the user DB and setting up the ACL again. If you have saved everything in the DB then you can't do this, but it would be most secure.
.:HyPeX:. (author), posted October 30, 2013:
What does runcode do? And yes, I set a 31-char alphanumeric password (not even I remember it).
BieHDC, posted October 30, 2013:
runcode is scripting ingame, I would say. If your admins have access, they can start it and start scripting, like giving all players money or setting the velocity of all vehicles or whatever. But your server should be secure now (hopefully); if not, then write again in this thread. Why do I know so much about server security? Because I completed some security courses, and that's why I know how to handle this.
.:HyPeX:. (author), posted October 30, 2013:
Yeah well... I'd say we might have found how they got access, but I won't say, since it would create a lot of mess around. (Host issue.)
qaisjp, posted October 30, 2013:
This is a serious hole. The last time I found out about something like this, it was due to the runcode HTTP interface. I'm sure this is fixed, as it's more than a year old now. I'm more than sure it's due to a hole in your server code, but you'll need to check if runcode has admin access first.
BieHDC, posted October 31, 2013:
By the way: if you don't use the web interface, then turn it off.
xXMADEXx, posted November 7, 2013:
He is logging in with the account "Console.", not "Console".
Imposter, posted November 11, 2013:
You never know, the problem may be here:
[2013-10-26 05:04:18] ADMIN: Resource 'ReservedSlot' stopped by quark(Console.)
Also, I suggest you check that resource out. It may have a leak there. Or maybe he injected code?
.:HyPeX:. (author), posted November 12, 2013:
I did that resource myself... and all the resources were checked.
Quited, posted January 1, 2014, quoting Castillo ("I doubt it has a password; from what I see in the accounts database, the console password is blank."):
Has password "user.Console"? It is impossible to get it.
Message to the topic owner: you can simply remove "user.Console" from the Console group and secure your server accounts using the "acs" and "asm" resources: https://community.multitheftauto.com/in ... ls&id=7339 + https://community.multitheftauto.com/in ... ls&id=6464
* The asm resource is linked with the acs resource, so don't forget to download the acs resource as well.
Follow these steps to protect accounts from being stolen:
* You should add resource.acs + resource.asm to the Admin group.
* You should add these lines to mtaserver.conf:
* You should remove the Execute Command buttons in the Admin Panel + remove the runcode resource.
* You should also protect the "Manage ACL" button with a password, so that the asm + acs resources cannot have their rights removed.
Congratulations: after you follow these steps, accounts will be protected from being stolen.
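The point BieHDC and xXMADEXx make about the lookalike account "Console." (trailing dot) and the account-hardening steps above can be turned into a small audit. The following server-side MTA:SA Lua resource is an added example, not code from this thread or from the acs/asm resources: it flags stored accounts whose name imitates Console, reports which privileged ACL groups they sit in, and logs every login with serial and IP. The group names are MTA's default ACL groups; kicking lookalike accounts on login is an assumed policy.

```lua
-- Added example (not from the thread): audit accounts that imitate the
-- built-in "Console" account, e.g. "Console." as seen in the server log,
-- and record who logs in with which account, serial and IP.
-- Default MTA ACL groups; adjust if your acl.xml differs.
local PRIVILEGED_GROUPS = { "Admin", "Console", "SuperModerator", "Moderator" }

-- Normalise an account name: lowercase, strip leading whitespace and any
-- trailing dots/whitespace, so "Console.", "CONSOLE" and "console " all
-- collapse to "console".
local function normalise(name)
    local stripped = name:lower():gsub("^%s+", "")
    stripped = stripped:gsub("[%s%.]+$", "")
    return stripped
end

-- True when the name merely looks like Console without being exactly it.
local function isConsoleLookalike(name)
    return name ~= "Console" and normalise(name) == "console"
end

-- Return the privileged groups that contain the ACL object user.<name>.
local function privilegedGroupsOf(name)
    local found = {}
    for _, groupName in ipairs(PRIVILEGED_GROUPS) do
        local group = aclGetGroup(groupName)
        if group and isObjectInACLGroup("user." .. name, group) then
            found[#found + 1] = groupName
        end
    end
    return found
end

-- One-off audit of every stored account when the resource starts.
addEventHandler("onResourceStart", resourceRoot, function()
    for _, account in ipairs(getAccounts()) do
        local name = getAccountName(account)
        if isConsoleLookalike(name) then
            outputServerLog(("ACL AUDIT: lookalike account '%s' in groups: %s")
                :format(name, table.concat(privilegedGroupsOf(name), ", ")))
        end
    end
end)

-- Log each login (player, account, serial, IP) and refuse lookalike accounts.
addEventHandler("onPlayerLogin", root, function(_, currentAccount)
    local name = getAccountName(currentAccount)
    outputServerLog(("LOGIN: %s -> '%s' serial=%s ip=%s"):format(
        getPlayerName(source), name, getPlayerSerial(source), getPlayerIP(source)))
    if isConsoleLookalike(name) then
        kickPlayer(source, "Account name imitates Console") -- assumed policy
    end
end)
```

The resource itself needs rights to the account and ACL functions it calls, so give it an ACL entry of its own rather than running it from an over-privileged group.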