We were recently attacked


qaisjp

  • MTA Team
Posted

Hello, Multi Theft Auto community. We were recently attacked and are still defending against a server hacking attempt, and we recommend that you ban and watch these users:

iNu9aiF logged in as 'nu9aif' (IP: 109.161.194.173 Serial: 9A461B36D284577F18C8148B874AB252)

#ff1000|S.s|SoRa<3SaRa logged in as 'sora' (IP: 94.96.5.117 Serial: F0441377B8B78A749549A1C84DBAA3B2)

We will give you more information whilst we defend against this attack.

109.161.194.173 is from Bahrain.

For the second one we still don't know; ban those serials on your servers.

They literally CRACKED our password from first and stole all of the resources via Resedit.

IF YOU SEE ONE OF THESE NICKNAMES BELOW, BAN THAT USER NO MATTER WHAT.

[راعÙ? اÙ?سÙ?رÙ?ر] iNu9aiF

[عضÙ?] iProoooof^zxD

  • MTA Team
Posted
Then why did you leave resedit unprotected? You can make resedit only allow certain accounts for access.

RESEDIT was manually added by them.

Posted

This is more of a lousy protection than a hack attempt. I mean, just protect every resource that has the rights to mess with resources; it's common sense to protect something like that!

  • MTA Team
Posted
This may be related to a security vulnerability in MTA or just poor scripting/ACL.

ACL is the default one for now.

Posted

If this guy could upload RESEDIT on your server then it is a host related problem, but if he had access to your files why didn't he steal them directly without using a resource?! I mean he also cracked your server password + admin rights, so he changed something in ACL, this shows that he had total control over your host.

  • 2 weeks later...
  • MTA Team
Posted (edited)

Hello once more.

We found the hackers who hacked NPG.

iNu9aiF is an owner of GTA - AR, also known as GTA - ARAB ( http://www.gta-arab.com/gt/ ) server or

[GTA-AR]!Hajwalah and Drift Ksa Saudi http://www.Gta-Arab.com~~~

and |S.s|SoRa is a Moderator of GTA - AR.

We recommend to BAN their serials.

Oh, and also:

http://www.gta-arab.com/gt/showthread.php?t=33644

and the Owner:

http://www.gta-arab.com/gt/showthread.php?t=20827

Also, we recommend not playing on their servers, for your own security,

Regards,

The NPG Team

Edited by Guest
Posted
Were you able to find out how they did it, so that they can't do it again?

Hoster's fault. I had an attack, seems that they attacked FTPd service.

  • MTA Team
Posted

This is exactly what happened:

ACL admin was given to 'resource.*' and also admin was given to two users.

They managed to be able to access the runcode resource to execute commands from outside the server, even when all [web] resources were removed and the server was restarted. We removed the resource.* rights and figured that they were using getServerPassword to retrieve the server password, enter the server and give themselves administrator rights.

Thankfully they did not acquire anything but the 'pride' in hacking our server, so they didn't get any resources.

We are hosted by No1Servers and we think / we were told that it was because of 'malformed packets'.
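
An added example, not part of the original post and not MTA project code: a Python audit of an `acl.xml` for the misconfiguration described above, where a group whose ACL grants `function.getServerPassword` also contains the wildcard object `resource.*`. The sample file, the user names and the inclusion of `general.ModifyOtherObjects` in the sensitive set are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed acl.xml mirroring the post: Admin holds 'resource.*' plus two users.
SAMPLE_ACL = """
<acl>
  <group name="Everyone">
    <acl name="Default"/>
    <object name="user.*"/>
    <object name="resource.*"/>
  </group>
  <group name="Admin">
    <acl name="Admin"/>
    <object name="resource.*"/>
    <object name="user.example1"/>
    <object name="user.example2"/>
  </group>
  <acl name="Default">
    <right name="function.getServerPassword" access="false"/>
  </acl>
  <acl name="Admin">
    <right name="function.getServerPassword" access="true"/>
    <right name="general.ModifyOtherObjects" access="true"/>
  </acl>
</acl>
"""

# Rights treated as sensitive; getServerPassword is from the post, the other is an assumption.
SENSITIVE = {"function.getServerPassword", "general.ModifyOtherObjects"}

def audit_acl(xml_text, sensitive=SENSITIVE):
    root = ET.fromstring(xml_text)
    # ACL name -> sensitive rights it explicitly grants (access="true").
    grants = {
        acl.get("name"): {r.get("name") for r in acl.findall("right")
                          if r.get("access") == "true" and r.get("name") in sensitive}
        for acl in root.findall("acl")
    }
    report = {"wildcards": [], "users": []}
    for group in root.findall("group"):
        rights = set()
        for ref in group.findall("acl"):
            rights |= grants.get(ref.get("name"), set())
        if not rights:
            continue  # group grants nothing sensitive, e.g. the default Everyone
        for obj in group.findall("object"):
            name = obj.get("name", "")
            if name.endswith(".*"):
                report["wildcards"].append((group.get("name"), name, sorted(rights)))
            elif name.startswith("user."):
                report["users"].append((group.get("name"), name))
    return report
```

Any entry under `wildcards` means every resource on the server, including one like runcode, inherits the listed rights; the `users` list is the set of accounts to review and re-credential.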

Posted

Currently I am trying to analyze what was going on, but it wasn't a malformed packet for sure.

Looking through the "runcode" resource I managed to find stuff that explains a LOT.

Posted
Currently I am trying to analyze what was going on, but it wasn't a malformed packet for sure.

Looking through the "runcode" resource I managed to find stuff that explains a LOT.

They somehow got the password. And here it can be hoster's fault.

Posted

I guess I got fans, since this SoRa guy started using MTA like 6 months ago and I've been using it for like 1.5 years. Don't get confused with me and this 13 year old named |SA|SoRa.

Posted
Hello once more.

We found the hackers who hacked NPG.

iNu9aiF is an owner of GTA - AR, also known as GTA - ARAB ( http://www.gta-arab.com/gt/ ) server or

[HD]kSA~S3D~~[Hajwalah^7rb~falah]~S3D~KSA[HD]/999~b7~GTA AR~~al3grb...

They are using other servers' tags, like you see, because they are used to being such kids.

Second one, Sora+ is a Moderator of GTA - AR.

We recommend to BAN their serials.

Oh, and also:

memberlist.php?mode=viewprofile&u=55665

is equal to:

http://www.gta-arab.com/gt/showthread.php?t=33644

and the Owner:

http://www.gta-arab.com/gt/showthread.php?t=20827

Also, we recommend not playing on their servers, for your own security,

Regards,

The NPG Team

Dude, you're making false statements for f*cks sake, I'm not that SoRa guy who is 13 years old, I make DM maps. Think before you post something here, now you are blaming me for your poorly scripted server? Secondly, I'm American, not Arabic..

Here is something I wrote for you, in case you didn't read it you will read it here.

And also, I host a Mapping server for mapping / script testing needs. I don't own any SA clan or something.

Sorry for the offtopic, but "sora+", do you use or did you use the nickname below?

|S.s|SoRa<3SaRa

That guy uses the same nick as me, he's been using it for 5 months as far as I can remember. I've been playing MTA for a whole year now so I'm pretty much original, even though I got so many DM / DD maps.

Don't get confused with me and that 13 year old, thanks ^^

-Edit-

Then I found one dumbf*:

viewtopic.php?f=5&t=39055&p=399058#p399058

#ff1000|S.s|SoRa<3SaRa logged in as 'sora' (IP: 94.96.5.117 Serial: F0441377B8B78A749549A1C84DBAA3B2)

Don't help to this :~.

I'm not even the "hacker" you're thinking of, don't believe me? Check out my DM maps made for ffs, that hacker can't map.

To be more specific, I made 19 maps yet for DM.

Here are some, in case you don't believe me..

Oblivion:

Passion: https://www.youtube.com/watch?v=_EWFi16mlGE

Electro city: https://www.youtube.com/watch?v=0CxSOCZjZx8

Listen to your heart: https://www.youtube.com/watch?v=Ay2X9Fz4 ... re=related

It's a new generation: https://www.youtube.com/watch?v=O4-02sZE ... re=related

Epicity: https://www.youtube.com/watch?v=F_egVG5y6yc

Train system: https://www.youtube.com/watch?v=wKncL20V ... re=related

Not afraid: https://www.youtube.com/watch?v=fpkuhkG3 ... re=related

Eternal Universe:

Revolutionary Civilization(latestmap):

I can't believe people get confused with "sora+"..

Posted

I know this guy, sora+ is not known as SoRa. I can remember this sora+, I did join FFS server, I got his message "joinquit" it says sora+ from US.

  • MTA Team
Posted

That guy uses the same nick as me, he's been using it for 5 months as far as I can remember. I've been playing MTA for a whole year now so I'm pretty much original, even though I got so many DM / DD maps.

Don't get confused with me and that 13 year old, thanks ^^

Thanks for your feedback, post fixed.

This topic is now closed to further replies.