
Bypassing a Server Console account.


.:HyPeX:.


Hello guys, can someone explain this for me? I've carefully watched the logs of this month up until today, and yesterday a random player (never joined before) joins, logs in as console and starts doing damage until the server is noticed and taken down by the owner.

Here is where Quark logs in and starts: http://pastebin.com/7pADgWYE

If you want the whole month's log to search deeper, here you have it (sorry, not putting it on Pastebin, way TOO big): http://www.mediafire.com/download/ll6s72zehc53f8z/server+%2816%29.log

Now, how did they actually get the console account? I need to know HOW they did it.


We got this information on our attackers:

Quark

General IP Information

IP: 84.169.215.125

Decimal: 1420416893

Hostname: p54a9d77d.dip0.t-ipconnect.de

ISP: Deutsche Telekom AG

Organization: Deutsche Telekom AG

Services: None detected

Type: Broadband

Assignment: Static IP

Geolocation Information

Country: Germany

State/Region: Bayern

City: Fürth

Latitude: 49.4667 (49° 28′ 0.12″ N)

Longitude: 10.9667 (10° 58′ 0.12″ E)

PEG-ProGamer

General IP Information

IP: 93.215.52.30

Decimal: 1574384670

Hostname: p5dd7341e.dip0.t-ipconnect.de

ISP: Deutsche Telekom AG

Organization: Deutsche Telekom AG

Services: None detected

Type: Broadband

Assignment: Static IP

Geolocation Information

Country: Germany

State/Region: Bayern

City: Zirndorf

Latitude: 49.45 (49° 26′ 60.00″ N)

Longitude: 10.95 (10° 56′ 60.00″ E)


I was looking through your log and this guy logged in as "Console." and not "Console".

Look in your ACL if there is such a 2nd account, and maybe this guy could be an ex-admin, or hacked another admin?

OR a stupid guy has given the Console a password with setAccountPassword?


No, there was no Console. account at all in the ACL, and he somehow had powers. We still haven't found out how this happened, but we started to doubt Vortex's security (hosting), since we had everything running smoothly and no one did anything. (Only 3 people in the server had powers to do something at all, and none of them knows shit about ACL stuff.)

To fix this, I had to do this (you guys should do this too, just in case):

register console. [pass]

register Console. [pass]

register Console [pass]

register Console. [pass]

chgpass console. [pass]

chgpass Console. [pass]

chgpass Console [pass]

chgpass console [pass]

On the other hand, we got our full attacker list:

1

Quark 84.169.215.125 Serial: D777790C9FA52DC0A9B961FB71FEFE54

ICP|Fire connected Serial: D777790C9FA52DC0A9B961FB71FEFE54

(BOR)Byris Serial: D777790C9FA52DC0A9B961FB71FEFE54

GER]Best connected Serial: D777790C9FA52DC0A9B961FB71FEFE54

2 Persona

-PEG-ProGamer 93.215.52.30 Serial: 574C997975C1252B851D573F80FC48B3

-ftw-uTaWe connected Serial: 574C997975C1252B851D573F80FC48B3

ICP|LoewenZahn Serial: 574C997975C1252B851D573F80FC48B3

3

FrauenTausch connected 188.194.147.108 Serial: D151AB89928018836C8796095B46DF62

CP|EduRulezZ connected Serial: D151AB89928018836C8796095B46DF62

4

ElectroGrizzly connected (IP: 79.206.95.153, Serial: 506A70053F7A7B7A863D1D17DEA8FF42)

ICP|Grizzly successfully logged in as 'Vans5' Serial: 506A70053F7A7B7A863D1D17DEA8FF42

5

^l!Fe 84.244.117.18 Serial: 83AAF05DCD2D3C852E33DD6DA997ECB2

6

NIkE_rUliT 46.181.147.157 Serial: 1A0D4007D2E384CD16EBED5C887DAD12

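The grouping the poster did by hand above (several nicks sharing one serial and IP, and a login to "Console." rather than "Console") can be automated against the server log. The script below is an added example, not code from this thread or from MTA: it parses CONNECT and LOGIN lines, groups connections by serial, and flags any network login to an account that is, or merely looks like, the console account. The log lines are constructed to approximate the format quoted in the thread (the exact MTA log layout is an assumption); the serials and IPs for Quark, ICP|Fire and -PEG-ProGamer are the ones listed in the post, and the last line is an invented regular player used as a control.

```python
import re
import unicodedata
from collections import defaultdict

# Constructed sample approximating the MTA server log format quoted in the
# thread (exact layout, timestamps and version string are assumptions).
SAMPLE_LOG = """\
[2014-03-01 18:02:11] CONNECT: Quark connected (IP: 84.169.215.125  Serial: D777790C9FA52DC0A9B961FB71FEFE54  Version: 1.3.5-9.06013.0)
[2014-03-01 18:02:40] LOGIN: (Nick) Quark successfully logged in as 'Console.' (IP: 84.169.215.125  Serial: D777790C9FA52DC0A9B961FB71FEFE54)
[2014-03-02 09:15:03] CONNECT: ICP|Fire connected (IP: 84.169.215.125  Serial: D777790C9FA52DC0A9B961FB71FEFE54  Version: 1.3.5-9.06013.0)
[2014-03-02 10:01:55] CONNECT: -PEG-ProGamer connected (IP: 93.215.52.30  Serial: 574C997975C1252B851D573F80FC48B3  Version: 1.3.5-9.06013.0)
[2014-03-02 10:03:12] LOGIN: (Nick) -PEG-ProGamer successfully logged in as 'Vans5' (IP: 93.215.52.30  Serial: 574C997975C1252B851D573F80FC48B3)
[2014-03-03 11:00:00] CONNECT: SomeRegular connected (IP: 198.51.100.7  Serial: 0123456789ABCDEF0123456789ABCDEF  Version: 1.3.5-9.06013.0)
"""

CONNECT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] CONNECT: (?P<nick>.+?) connected "
    r"\(IP: (?P<ip>[\d.]+)\s+Serial: (?P<serial>[0-9A-F]{32})"
)
LOGIN_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] LOGIN: (?:\(Nick\) )?(?P<nick>.+?) successfully logged in as "
    r"'(?P<account>[^']+)' \(IP: (?P<ip>[\d.]+)\s+Serial: (?P<serial>[0-9A-F]{32})"
)


def parse_log(text):
    """Split a log into CONNECT and LOGIN records (dicts of the named groups)."""
    connects, logins = [], []
    for line in text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            connects.append(m.groupdict())
            continue
        m = LOGIN_RE.match(line)
        if m:
            logins.append(m.groupdict())
    return connects, logins


def group_by_serial(connects):
    """Map each serial to the sorted nicks and IPs seen with it, so one person
    hiding behind several nicks shows up as a single entry."""
    groups = defaultdict(lambda: {"nicks": set(), "ips": set()})
    for c in connects:
        groups[c["serial"]]["nicks"].add(c["nick"])
        groups[c["serial"]]["ips"].add(c["ip"])
    return {s: {"nicks": sorted(g["nicks"]), "ips": sorted(g["ips"])}
            for s, g in groups.items()}


def normalize_account(name):
    """Fold the tricks that make 'Console.' read as 'Console' to a human:
    compatibility-normalize, casefold, and drop trailing dots and spaces."""
    return unicodedata.normalize("NFKC", name).casefold().rstrip(" .")


def suspicious_logins(logins, protected=("Console",)):
    """Flag logins whose target account matches a protected name exactly
    (a network login to the console account) or after normalization (a
    lookalike such as 'Console.' or 'console')."""
    prot = {normalize_account(p): p for p in protected}
    hits = []
    for entry in logins:
        norm = normalize_account(entry["account"])
        if norm not in prot:
            continue
        if entry["account"] == prot[norm]:
            reason = "network login to protected account"
        else:
            reason = f"lookalike of protected account {prot[norm]!r}"
        hits.append({**entry, "reason": reason})
    return hits


if __name__ == "__main__":
    connects, logins = parse_log(SAMPLE_LOG)
    for serial, g in group_by_serial(connects).items():
        if len(g["nicks"]) > 1:
            print(f"serial {serial}: nicks {g['nicks']} from {g['ips']}")
    for hit in suspicious_logins(logins):
        print(f"[{hit['ts']}] {hit['nick']} -> '{hit['account']}' "
              f"({hit['ip']}, {hit['serial']}): {hit['reason']}")
```

Run it against the real server log instead of SAMPLE_LOG to get the serial-to-nick table the poster built by hand, plus the exact line where the "Console." login first appears, which is the line to read backwards from when looking for how the account got its rights.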

Is the resource "runcode" running?

And I still think he owned an admin account and then created his "Console" account.

And I hope you chose a very long password (min 32 chars, I would say).

But the best would be cleaning the user DB and setting up the ACL again.

If you have saved everything in the DB then you can't do this, but it would be the most secure.


runcode is scripting in-game, as I would say.

If your admins have access, they can start it and start scripting, like giving all players money, or setting the velocity of all vehicles, or whatever.

But your server should be secure now (hopefully).

If not, then write again in this thread.

Why do I know so much about server security?

Because I completed some security courses, and that's why I know how to handle this :)


This is a serious hole. The last time I found out about something like this it was due to the runcode HTTP interface. I'm sure this is fixed, as it's more than a year old now. I'm more than sure it's due to a hole in your server code, but you'll need to check if runcode has admin access first.

1 month later...
I doubt it has a password; from what I see in the accounts database, the console password is blank.

Does "user.Console" have a password?

It is impossible to get it.

Message to the topic owner:

You can simply remove "user.Console" from the console group

and secure your server accounts using the "acs" and "asm" resources:

https://community.multitheftauto.com/in ... ls&id=7339

+

https://community.multitheftauto.com/in ... ls&id=6464

* The asm resource is linked with the acs resource, so don't forget to download the acs resource.

Follow these steps to protect accounts from being stolen:

* You should add resource.acs + resource.asm to the Admin group.

* You should add these lines to mtaserver.conf:

* You should remove the Execute Command buttons in the Admin Panel + remove the runcode resource.

* You should also protect the "Manage ACL" button with a password to open it, to protect the asm + acs resources from having their rights removed.

Congratulations: after you follow these steps, accounts will be protected from being stolen.

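The two ACL checks this thread comes down to (is there a user object in a privileged group whose name is a lookalike of Console, such as user.Console., and is user.Console itself granted in a group you did not intend) can be scripted instead of eyeballed. The script below is an added example, not code from this thread, from MTA, or from the acs/asm resources. The acl.xml fragment is constructed in the shape of a stock MTA acl.xml, and the extra user.Console. object and the right names inside the Admin acl are illustrative assumptions; the removal function applies the last poster's advice to a parsed copy of the file rather than to the live one. It shares the name-normalization idea with the log example earlier in the thread but runs on its own.

```python
import unicodedata
import xml.etree.ElementTree as ET

# Constructed acl.xml fragment shaped like a stock MTA acl.xml. The
# "user.Console." object, user.Vans5 and the right names are assumptions
# added for illustration.
SAMPLE_ACL = """\
<acl>
    <group name="Everyone">
        <acl name="Default" />
        <object name="user.*" />
        <object name="resource.*" />
    </group>
    <group name="Admin">
        <acl name="Moderator" />
        <acl name="SuperModerator" />
        <acl name="Admin" />
        <acl name="RPC" />
        <object name="resource.admin" />
        <object name="resource.webadmin" />
        <object name="user.Console" />
        <object name="user.Console." />
        <object name="user.Vans5" />
    </group>
    <acl name="Admin">
        <right name="general.ModifyOtherObjects" access="true" />
        <right name="command.kick" access="true" />
    </acl>
</acl>
"""


def normalize_account(name):
    """Fold the tricks that make 'Console.' read as 'Console' to a human:
    compatibility-normalize, casefold, and drop trailing dots and spaces."""
    return unicodedata.normalize("NFKC", name).casefold().rstrip(" .")


def audit_acl(xml_text, protected=("Console",)):
    """Return one finding per user object, in any group, that is either a
    protected account itself or a lookalike of one. Each finding carries the
    group name and the ACLs that group grants, so the reader can see what
    rights the object actually inherits."""
    root = ET.fromstring(xml_text)
    prot = {normalize_account(p): p for p in protected}
    findings = []
    for group in root.findall("group"):
        acls = [a.get("name") for a in group.findall("acl")]
        for obj in group.findall("object"):
            name = obj.get("name", "")
            if not name.startswith("user.") or name == "user.*":
                continue
            user = name[len("user."):]
            norm = normalize_account(user)
            if norm not in prot:
                continue
            kind = "protected-account-in-group" if user == prot[norm] else "lookalike"
            findings.append({"group": group.get("name"), "object": name,
                             "kind": kind, "acls": acls})
    return findings


def strip_user_objects(xml_text, object_names):
    """Remove the named user objects from every group. Returns the rewritten
    XML text and how many objects were removed; the caller decides whether
    to write it back over acl.xml."""
    root = ET.fromstring(xml_text)
    removed = 0
    for group in root.findall("group"):
        for obj in list(group.findall("object")):
            if obj.get("name") in object_names:
                group.remove(obj)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    for f in audit_acl(SAMPLE_ACL):
        print(f"{f['kind']:28} {f['object']:16} in group {f['group']} "
              f"(acls: {', '.join(f['acls'])})")
    cleaned, n = strip_user_objects(SAMPLE_ACL, {"user.Console", "user.Console."})
    print(f"removed {n} object(s); re-audit finds {len(audit_acl(cleaned))} issue(s)")
```

Point it at the server's real acl.xml (read the file into `audit_acl`) before and after any cleanup; a lookalike finding in a group that grants the Admin acl is exactly the situation the first reply in this thread spotted from the log.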
