"Server Hijacking Vulnerability"
Topic Started: May 5 2007, 04:53 PM (45 Views)
Wolflnx
Sergeant Major Marine Corps
URGENT: Server Hijacking Threat during May 5 Auth Downtime


I have received a few reports today of cheaters entering servers during the Auth Downtime on May 5, 2007. In some cases, these cheaters successfully gained admin rights and began executing commands or banning players from the server.

Please be aware that because auth is currently down, the natural safe-guards that attempt to prevent unauthorized players from gaining admin rights are also disabled/ineffective. For example, without the ability to authenticate, players can join your server as any name, thus gaining player admin rights. There are also other means, but for security and privacy reasons, they will not be discussed.

Steps to take to identify if you've been compromised:

Using an FTP client, go into your server's PB folder. Sort the listing by last modified. An example is seen below:



Please be aware that if you have uploaded anything or made changes to your server/PB configs, then it will say the file was last modified today. What you are looking for more importantly is in "pbsv.cfg" and "pbpower.dat". These two files are modified when certain commands are run as admin or from the PB console.

If you keep a tight leash on who can have PB POWER access or what is contained in your rules/configs, then open the file and look for any additions from May 5th (at the end of the file, usually) that include strange GUIDs or commands you have not added in yourself. What has happened in the past is cheaters gave themselves PB RCON access or re-wrote the PB config so that it would be easier for them to come back later and cause mischief.

Finally, once you are satisfied that nothing strange has been added, proceed to your server's System folder.

You cannot determine if the server config file has been modified here, as it appears the server config INI's for every America's Army server were modified or updated when auth went down/came online.

First, see if "banlist.txt" was modified today. If it was, bans may have been added by your admins for misbehaviour of a player in your server. However, if there are a large number of new additions, then it is possible that your server was jacked and all players MAC/IP banned via the F12 console. You can download the file, remove the bad bans, and upload to fix the problem.

As an added precaution, open your server config (usually ArmyOps.ini) and search for PlayerAdmin. Look at your Player Admin list to see if any names are present that should not be. While it shouldn't be possible for a normal hijacker to manipulate this list, it is a "paranoid" precaution.

Taking temporary preventative action:

While this won't stop ALL attacks, this will get rid of the players just changing their name/logging in with an admin's name. Place semi-colons ( ; ) before each PlayerAdmin name. Restart your server. This will disable Player Admins while auth is down. Remember that when auth returns, you'll need to remove the semi-colons for playeradmins to work again.

Furthermore, to prevent changes to your PB configs and server configs, using your FTP client, right click and select "Properties" for each of the following files:

SYSTEM FOLDER

ArmyOps.ini (on SeeMePlayMe, you'll need to find SMPMArmyOpsUse.ini)
banlist.txt

PB FOLDER

pbpower.dat
pbrcon.dat
pbsvuser.cfg


As you open the properties of each file, disable the WRITE access of that file. The files should be chmodded to 444 (with execute/read access, but not write access.)

When auth returns, restore access to each of these files by CHMODing them to 644 or by giving "WRITE" access to Owner.
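The checks and the two workarounds above, as an added shell example that is not the post's own code and would be run on the game server host rather than through an FTP client. The PB and System folder names and file names come from the post; the server-root layout (a lower-case `pb` directory), the reference-timestamp approach and the sample INI contents are assumptions.

```sh
#!/bin/sh
# Added example, not code from the original post: a server-side version of the
# post's audit steps. The PB/System folder and file names come from the post;
# the root layout, lower-case "pb" dir and sample contents are assumptions.
set -eu

AUDIT_FILES="pb/pbsv.cfg pb/pbpower.dat pb/pbrcon.dat pb/pbsvuser.cfg System/banlist.txt System/ArmyOps.ini"

# Print each audited file that is newer than a reference timestamp file.
# This is the post's "sort by last modified" check without an FTP client.
recently_modified() {   # args: server_root reference_file
  for f in $AUDIT_FILES; do
    [ -f "$1/$f" ] && [ "$1/$f" -nt "$2" ] && echo "$f"
  done
  return 0
}

# Copy the server INI with every PlayerAdmin line prefixed by ';' (the post's
# workaround). Lines already starting with ';' do not match and stay as-is.
disable_player_admins() {   # args: in_ini out_ini
  sed 's/^PlayerAdmin/;PlayerAdmin/' "$1" > "$2"
}

# chmod the audited files to 444 (lock) while auth is down, 644 (unlock) after.
set_lock() {   # args: server_root lock|unlock
  mode=644; [ "$2" = lock ] && mode=444
  for f in $AUDIT_FILES; do
    [ -f "$1/$f" ] && chmod "$mode" "$1/$f"
  done
  return 0
}

# Constructed sample server tree: pbsv.cfg touched on May 5 2007, the rest older.
build_sample() {   # arg: target_dir
  mkdir -p "$1/pb" "$1/System"
  printf 'PlayerAdmin=alice\n;PlayerAdmin=old\nPlayerAdmin=bob\nMaxPlayers=26\n' > "$1/System/ArmyOps.ini"
  for f in $AUDIT_FILES; do
    [ -f "$1/$f" ] || : > "$1/$f"
    touch -t 200705011200 "$1/$f"        # May 1 2007, before the outage
  done
  touch -t 200705051630 "$1/pb/pbsv.cfg" # modified during the May 5 downtime
  touch -t 200705050000 "$1/ref"         # reference: start of May 5
}

tmp=$(mktemp -d); build_sample "$tmp"
echo "modified since May 5:"; recently_modified "$tmp" "$tmp/ref"
disable_player_admins "$tmp/System/ArmyOps.ini" "$tmp/System/ArmyOps.locked.ini"
set_lock "$tmp" lock; ls -l "$tmp/pb/pbsv.cfg"
rm -rf "$tmp"
```

Review the files the first function prints by hand, as the post describes; a file being newer than the reference only means it changed, not that the change was hostile.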
