SRCDS Steam group


Files Somehow Getting Deleted
#1
I run several game servers (TF2, HL2DM, CSS) on a server running Windows 2008 R2 and as of a couple of days ago, my files have been randomly getting deleted. Somehow all of the folders with all of the game server files in them are getting deleted while the servers are running. I suspect someone has somehow gained access to my server and is trying to compromise it. I've looked through my FTP logs and nothing is out of the ordinary. RDP logs all check out (I'm the only one that has successfully logged in).

I've followed [URL="http://wiki.alliedmods.net/SRCDS_Hardening"]this guide[/URL] however it hasn't solved my problem. I've also enabled auditing so it logs whenever files are deleted, however those audits don't seem to give me enough information as to who/what is deleting the files.

Any ideas as to what I can do to track this down and/or prevent it from happening again?
Reply
#2
Not knowing how you control your server or if you are renting it from someone, the first thing that comes to mind is that someone may have access to the game server control panel if you indeed have one. This would mean they could access the files using the panel's file Manager software without passing much info to Windows in many cases. If you indeed have control panel access to the game servers, I'd change the password immediately and disable any sub-user accounts for the control panel as they too may have been compromised.

Please elaborate on your setup and post the IPs to the affected servers. I'd like to check them out and see if there's anything glaring using HLSW.

Hang in there...
About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#3
Thanks for your reply. I use the UGCC panel to control my servers. I've looked at the web access logs (shows who has viewed what pages in the panel, as well as their ip) and nobody has accessed the file manager of the panel in the last 2 days, nor do any of the IP addresses appear to be ones that aren't normally associated with the accounts they're being accessed with.

Here's a list IPs of all of the affected servers:
72.9.147.131:27015 - seems to get taken down the most
72.9.147.131:27110
72.9.147.131:27035
72.9.147.131:27100
72.9.147.131:27120
72.9.147.134:27050
72.9.147.134:27015
72.9.147.134:27025
72.9.147.131:25565 (minecraft)
72.9.147.132:27075
72.9.147.131:27085
72.9.147.133:27060
72.9.147.133:27015
72.9.147.132:27015

I'm completely at as loss here. Even if I restore from a backup, they eventually get taken down again. Thanks again for your help.
Reply
#4
Interesting. Is this your own dedicated server, or do you rent it? Who else has access to the server besides you? The only way I can see someone deliberately deleting files from the server box is would be through FTP, the cPanel or root Remote access to the box itself.
About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#5
I'm renting a dedicated server. I'm the only one with access to remote desktop. A couple of other users have access to FTP and the control panel (the control panel manages the FTP accounts), however they only have access to specific folders. I've disabled all of the accounts other than mine, and I have changed my password for the control panel in the meantime.

I've looked through the FTP logs as well as the security audits (remote desktop logins, etc.) and I haven't found anything out of the ordinary.
Reply
#6
Hummmm.. Since doing all of these things, are you still seeing files deleted? I mean are you certain the problem is occurring after all the security measures you've taken?

Have you run a virus scanner on the system? I have seen a couple things lately where some viruses will hide files rather than delete them. Some of my clients have had their entire My Documents folder hidden and freaked out! Turned out they were just hidden my a virus, thank God. You can use the "Show hidden files" feature in the "Folder Options" of Windows to see if they were hidden. Also, there may also be a key-logger or other virus that grants access to your box without knowing.

I use the server-side Clamwin Free AntiVirus (http://www.clamwin.com/). You may to load that and run a scan..

About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#7
After disabling everyone's FTP and control panel access (aside from mine), and changing my password, I have not had any trouble. It's only been about a day, so I will continue to watch everything closely for the next few days. Thanks for your help and I'll be sure to keep you posted.
Reply
#8
Right on... Glad to hear!
About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#9
Well, it happened again at about 12:15 AM this morning. I looked at the FTP logs and nobody had logged into FTP in almost 2 days. Thank goodness for backups.
Reply
#10
Try going to the folder options and showing hidden files to see if they're there?

What folders were are being affected by this exactly?
About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#11
The files aren't being hidden. All files and folders within the srcds installations are being deleted.

ex.
C:\servers\server1 contains the folders hl2 and orangebox (which contain all of the standard game files, etc.). All of the contents of hl2, orangebox, and any other files within the server1 folder are being deleted.

The only files that don't get deleted are the ones that are running (a few .dlls, as well as srcds.exe). The files get deleted while the server is running.

I have about 15 severs installed. Sometimes all of them get deleted, but most of the time it's just 1-3 of the same servers. I've tried changing the locations of the servers, but they still get deleted eventually.
Reply
#12
That is so bizarre. The interesting thing is that some of the files are locked by Windows so they can't deleted unless the servers are stopped. Something's rotten in Denmark here...
About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#13
They managed to delete a minecraft server as well. This is really strange.
Reply
#14
I'm almost thinking you have a key-logger on your PC and they are getting your password to remote desktop. Unless someone else has access to the box, I just can't see any other way. I'd love to look at your box via remote desktop. Been running my own dedicated server for a several years now and have learned quite a bit about it. I also run my own computer repair business and have been working on PCs for most of my life. It you would like me to look at it, PM me the Administrator account and IP details. I understand if you don't as well as I'm a total stranger. Totally up to you.

Take care.
About Me:
I help people who at least try to help themselves. Please use the "Search" button before posting a new topic.
If you post, give us the info we need from the "READ ME FIRST" sticky at the top of each thread!

I'm here to share my experiences to help others. If I'm wrong about something, don't hold it against me, educate me.
I not perfect and try to learn from every failure, yours and mine.
Reply
#15
That was my concern as well, but only my ip shows up in the event logs for successful remote desktop logons (the times check out as well).

Doing another clamwin scan now. So far nothing has come up.

Edit: I added you on steam in case you'd rather talk on there. I'm sure you're pretty busy so no worries if you'd rather not.

Edit2: I ran clamwin as well as the ms malicious software removal tool and nothing came up for either of them. I just set up some filters on procmon so I can monitor the filesystem and see what processes are causing the files to be deleted. I'm not sure why I didn't think to do this earler, doh!
Rolleyes
Reply


Forum Jump:


Users browsing this thread: 3 Guest(s)