SRCDS Steam group


Server rcon hacked, help
#1
Greetings. I've been administering the ION Gaming Team Counter-Strike public servers for nearly 6 months now, and never had any problems whatsoever up until yesterday afternoon, when a person unknown to me somehow cracked the rcon password and banned all the players from my server. I own a dedicated server so it took nothing more than logging into SSH and restarting the servers with the backed up config file, but it happened again today. I set the rcon advanced settings to allow only 1 rcon failure and on the 2nd one ban the person for 60 mins to prevent someone from running some type of password cracking utility, but somehow they managed to get the password again today despite my efforts to prevent it. Does anyone have any suggestions? I am going to disable rcon until further notice, but doing so prevents me from getting into the server via HLSW. HELP PLEASE!!
#2
do you have mani? if so are you running the latest beta, cuz if you are they could have added themselves as an admin through mani. so they don't even have to hack your rcon anymore.

also, try to just disable rcon (like you said) and see if it happens again, they might not even go through rcon, a decent "hacker" doesn't need it. also.. after you reset the configs, and changed the failure time.. did you change the rcon password to something else? something totally different..

also are you running any admin plugins at all, they could have gotten through any of them probably. i don't know that much about how exactly they work, but I'm sure there's people out there that can do it through just about any admin plugin. you should most definitely though find out the steam id of the person doing this, and ban them by steam id.
#3
skeletor Wrote:do you have mani? if so are you running the latest beta, cuz if you are they could have added themselves as an admin through mani. so they don't even have to hack your rcon anymore.

also, try to just disable rcon (like you said) and see if it happens again, they might not even go through rcon, a decent "hacker" doesn't need it. also.. after you reset the configs, and changed the failure time.. did you change the rcon password to something else? something totally different..

also are you running any admin plugins at all, they could have gotten through any of them probably. i don't know that much about how exactly they work, but I'm sure there's people out there that can do it through just about any admin plugin. you should most definitely though find out the steam id of the person doing this, and ban them by steam id.

I changed the rcon passwords to a random combination of letters and numbers, uppercase and lowercase. Had to write them down just to remember em. From looking at the logs, it appears that one of the persons who was involved in the hack (that forgot to clean up after herself) was connecting to the server with the handle: "Kate;rcon_password penis". My rcon password definitely isn't penis lol..but it's peculiar that she changed her name to that when she connected, then she would disconnect and reconnect with her normal name. I did a reverse lookup on the IP she was wearing at the time of her connection to the server, and sent an email to the support desk of her ISP including the raw logfiles from the server. If you want to take a look for yourself, here's the links to em

http://iongamingteam.com/L0313002.log
http://iongamingteam.com/L0313003.log
http://iongamingteam.com/L0313004.log

In the last log file you can clearly see that it's been edited and most of what the logfile contained was removed.

Anyhow, let me know what ya think. I'm open to any suggestions.

Oh, and as far as mani goes..I am running a version older than the latest beta. I was going to upgrade to the beta this evening, but after reading your post I think i'll just keep what I have :-D. Thanks for the input!
#4
Ahh, I just found a nifty little flag I can add to my screen startscript for the servers that logs everything in the screen to a file that's in a secret place on the server :-D. So they can edit the server logs, but now I gots a backup.
#5
lol, well i don't think they did anything through any admin plugin. it seems that they connect with that name with rcon_password in it, left, came back, and had rcon. but i think that the only way you can get around this, is to disable rcon, or.. on the port forwarding on the firewall of the server, set it so port 27015 tcp is only open to your ip address. so no one outside of your ip will be able to use rcon. that would work best if the server is on the same lan.. cuz if it's not then your external ip address could change, and you would have to reset the ip address that's allowed access.

but do you understand what i mean? I'm still a bit asleep, so i don't know if i make any sense.. lol
#6
I have a static IP so that's notta problem. Thanks for the input, I'll look into doing that. Right now I've got rcon enabled just to set these bastards up for the kill, got server console logging to 3 different locations both on the server and on my hard drive.. They ain't getting away with it this time.
#7
lol, yea cuz from what i have heard they can actually do some jail time for hackin a server.. or at least i have heard of it from people hackin websites.. i would guess a game server would be the same :\
#8
You can be arrested for hacking a website/server, if you live in the US or UK that is^^
Deep into the darkness. Peering long I stood there, wondering, fearing, doubting.
#9
neon89 Wrote:You can be arrested for hacking a website/server, if you live in the US or UK that is^^

And the kicker about the whole thing is...

The persons responsible (at least 1 for sure) lives outside of New York where the server is located, therefore they hacked across state lines..which automatically makes the crime a felony. *bad boys bad boys..whatcha gonna do..whatcha gonna do when they come for you*
#10
Well get a great fine for once and probably some jail time^^
Deep into the darkness. Peering long I stood there, wondering, fearing, doubting.
#11
Good news. The bad guys took the bait, and I got it all logged. They hacked my server again this morning after I re-enabled rcon on purpose just so they'd do it. I have filed a complaint with IC3 (http://www.ic3.gov), who works alongside the FBI to bring justice to cyber-crime. I have also contacted the ISPs of those involved about the incidents. *evil laugh*


http://iongamingteam.com/logs/2006_03_14.log
*logfile of the hack. Start at the bottom and go up.
#12
Did you find out how they cracked the rcon password? did they guess it?
Deep into the darkness. Peering long I stood there, wondering, fearing, doubting.
#13
I think it had something to do with its csp authentication.. cuz it was something with binding p to something, and then changing their name to something;rcon_password wtf and then reconnecting and pushing p, and they had rcon. but what they bound p to was something about the csp authentication, so that's the problem..
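The pattern the thread pieces together (a player name carrying ";rcon_password ...", failed rcon attempts, then rcon commands from an address that is not the admin's) can be picked out of the server logs automatically. This is an added example, not code from the thread or from SRCDS; it assumes a Source/GoldSrc-style log line layout and uses constructed sample lines rather than the linked log files.

```python
import re
from collections import Counter

# Constructed sample lines in an assumed Source/GoldSrc server log style.
# These are NOT the thread's real log files; the password is a dummy value.
SAMPLE_LOG = """\
L 03/14/2006 - 09:12:01: "Kate<7><STEAM_0:1:1111><>" connected, address "203.0.113.5:27005"
L 03/14/2006 - 09:13:40: "Kate<7><STEAM_0:1:1111><>" disconnected
L 03/14/2006 - 09:13:55: "Kate;rcon_password hunter2<8><STEAM_0:1:1111><>" connected, address "203.0.113.5:27005"
L 03/14/2006 - 09:14:10: Bad rcon from "203.0.113.5:27005": command "kick bob"
L 03/14/2006 - 09:14:12: Bad rcon from "203.0.113.5:27005": command "kick bob"
L 03/14/2006 - 09:14:30: rcon from "203.0.113.5:27005": command "banid 0 STEAM_0:0:2222 kick"
L 03/14/2006 - 09:20:00: rcon from "198.51.100.9:51000": command "sv_restart 1"
"""

# A player prefix is "name<userid><steamid><team>". A legitimate name has no
# reason to contain ';', the console's command separator, so its presence is
# the tell for the name-injection trick described in the thread.
PLAYER_RE = re.compile(r'"(?P<name>.*?)<(?P<uid>\d+)><(?P<steamid>[^>]*)><[^>]*>"')
# Assumed rcon log layout: an optional "Bad " prefix marks a failed login.
RCON_RE = re.compile(
    r'(?P<bad>Bad )?rcon from "(?P<ip>[\d.]+):\d+": command "(?P<cmd>[^"]*)"', re.I)


def audit_log(text, admin_ips):
    """Return injected names, failed-rcon counts per IP, and rcon use from non-admin IPs."""
    injected, bad_rcon, unauthorized = [], Counter(), []
    for line in text.splitlines():
        m = PLAYER_RE.search(line)
        if m and ";" in m.group("name"):
            injected.append((m.group("steamid"), m.group("name")))
        r = RCON_RE.search(line)
        if r:
            if r.group("bad"):
                bad_rcon[r.group("ip")] += 1
            elif r.group("ip") not in admin_ips:
                unauthorized.append((r.group("ip"), r.group("cmd")))
    return {"injected_names": injected, "bad_rcon": bad_rcon, "unauthorized_rcon": unauthorized}


if __name__ == "__main__":
    # 198.51.100.9 stands in for the admin's static IP from post #6.
    for key, value in audit_log(SAMPLE_LOG, {"198.51.100.9"}).items():
        print(key, value)
```

The SteamID recorded with the injected name is the value to ban on, as post #2 suggests, since the name itself changes between connections.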
#14
Stupid question: How do I log rcon commands? :?
#15
It would come up in the server logs but myself I use hlstats^^ records all^^
Deep into the darkness. Peering long I stood there, wondering, fearing, doubting.