I've tested it on both OS's...
It works on both. (Exploit and fix.)
Saint K. wrote:
> Neph, does this issue exist on Linux as well if you know?
>
> Cheers,
>
> Saint K.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
> Sent: Tuesday, Ap
While the iptables thing I posted (1 rcon/second) works fine, if you
instead want to do a whitelist like this in linux as well:
iptables -A INPUT -p tcp --dport 27015 --source 123.123.12.3 -j ACCEPT
iptables -A INPUT -p tcp --dport 27015 --source 115.53.3.22 -j ACCEPT
[... repeat for as many IPs a
Sick burnnn
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of voogru
Sent: Monday, April 28, 2008 11:41 PM
To: 'Half-Life dedicated Win32 server mailing list'
Subject: Re: [hlds] New server exploit (not nuking)
Hi Andrius Pirus,
I am going to call you out
Neph, does this issue exist on Linux as well if you know?
Cheers,
Saint K.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
Sent: Tuesday, April 29, 2008 8:16 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] sv_benchmar
So, I was able to make the IPSec thing work to allow certain IPs also. You
just set up a separate pass rule for the IPs you want to let in. Works fine.
I used it to block all RCON except for those sent from HLStatsX and myself.
This line blocks all access to TCP port 27015:
ipseccmd.exe -w REG -p
It's like three lines in sourcepawn. The exploit it blocks is typing
"sv_benchmark_force_start" in console crashes anyone's server, so
anyone could use it on you if you don't use ncp on that command.
- Neph
On Mon, Apr 28, 2008 at 11:37 PM, DontWannaName!
<[EMAIL PROTECTED]> wrote:
> Ok I install
Hi Andrius Pirus,
I am going to call you out on this, the IP address you posted on this
mailing list is mine.
I went on a rampage of using this exploit on cracked servers, I joined
suspect servers and looked for cracked steamids in the status.
The only way you could have got my IP address is by
Ok I installed it but I don't really know why. I know it blocks a certain exploit
so it's good that all server ops have it I'm guessing. I have Sourcemod but I
doubt anyone is going to write it in Sourcepawn. Maybe Valve will fix it by
tomorrow
What server do you run? I'm quite interested.
- voogru.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrius Pirus
Sent: Tuesday, April 29, 2008 2:24 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] New server exploit (not nukin
No. And I think we shouldn't go off-topic :)
Quoting voogru : Do you run the tf2.gign.lv servers by any chance?
- voogru.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrius
Pirus
Sent: Tuesday, April 29, 2008 2:03 AM
To: Half-Life dedicated Win
Do you run the tf2.gign.lv servers by any chance?
- voogru.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Andrius Pirus
Sent: Tuesday, April 29, 2008 2:03 AM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] New server exploit (not n
(That's assuming the .dll/so is in orangebox/tf/addons, if you
followed my instructions (orangebox/bin) use the .vdf in the zip)
On Mon, Apr 28, 2008 at 11:11 PM, Cc2iscooL <[EMAIL PROTECTED]> wrote:
> Add the following to a VDF named "NephCVUH.vdf"
>
>
>
> "Plugin"
> {
> "file" "
Updated the .zip to include a .vdf. Whoops.
On Mon, Apr 28, 2008 at 11:09 PM, Cc2iscooL <[EMAIL PROTECTED]> wrote:
> Looks like it works great. Just tested it on a server and was unable to
> use the command.
>
> Props to you, good sir!
>
> Valve should be looking into a pre-release update for t
Add the following to a VDF named "NephCVUH.vdf"
"Plugin"
{
"file" "../orangebox/tf/addons/NephCVUH"
}
Andrius Pirus wrote:
> Oh thanks Neph, but where is a vdf file?
> Quoting Nephyrin Zey : (repost since list partially (?) rejected
> message with attachment
> instead of li
Looks like it works great. Just tested it on a server and was unable to
use the command.
Props to you, good sir!
Valve should be looking into a pre-release update for the server
binaries to fix this ASAP.
Nephyrin Zey wrote:
> (repost since list partially (?) rejected message with attachment
>
Oh thanks Neph, but where is a vdf file?
Quoting Nephyrin Zey : (repost since list partially (?) rejected
message with attachment
instead of link)
sv_benchmark_force_start, when typed in the console by any player,
crashes a server. Yay.
This is a plugin:
http://www.nephyrin.net/NephCVUH_1.0.z
So I think I found out the IP and steamid of the hacker who sent those bots
to my server:
from logfile:
"The Spamminator" connected, address "65.13.45.43:50347"
"The Spamminator" STEAM USERID validated
"The Spamminator" joined team "Spectator"
"Bot01" connected, address "0.0.0.0:0"
"Bot01" entered the ga
well, I for one welcome our packet reading tube cleaning overlords.
Nephyrin Zey wrote:
> The nuke exploit works as follows:
>
> Connect to a server via TCP (rcon, does anything else use TCP? I have
> no idea.) on its port.
> Send a million garbage packets
> ???
> Profit
>
> The server goes insane
(repost since list partially (?) rejected message with attachment
instead of link)
sv_benchmark_force_start, when typed in the console by any player,
crashes a server. Yay.
This is a plugin:
http://www.nephyrin.net/NephCVUH_1.0.zip
The plugin adds the 'ncp' command, which makes the selected cvar
You can block TCP/IP port 27015 on Windows Server using IPSec policies.
IPSeccmd.exe -W REG -p "Block TCP 27015 Filter" -r "Block Inbound 27015
Rule" -f *=0:27015:TCP -n BLOCK -x
This will of course prevent RCON connections. Allowing certain IP addresses
is probably possible but I'm unsure of how
The nuke exploit works as follows:
Connect to a server via TCP (rcon, does anything else use TCP? I have
no idea.) on its port.
Send a million garbage packets
???
Profit
The server goes insane handling them.
Solution:
Limit incoming TCP packets to ~1/second from any given IP on that port, *OR*
Bl
I'd really prefer it if they spent their time ensuring that the wonder that
is the custom tab is successful rather than patching this security hole.
Priorities people!
On Mon, Apr 28, 2008 at 10:02 PM, voogru <[EMAIL PROTECTED]> wrote:
> Well, we still did the right thing.
>
> Whether they give u
Well, we still did the right thing.
Whether they give us credit or not, no big deal.
It would be neat though :D
- voogru.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Paloma
Sent: Tuesday, April 29, 2008 12:54 AM
To: 'Half-Life dedicated Win32 s
Depends on what you want to do. If you just want to block IPs, I run
PeerGuardian for that. IPSec Policies can be used to do more advanced stuff
similar to Linux iptables but I can't figure them out. I'm interested to
learn though.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL
If you have high ping you usually get kicked by the HPK plugin of choice on
the server, because it would be no fun to play anyway.
Tony Paloma wrote:
> Are you serious? Get off my thread.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gonzalo
> Sent:
Are you serious? Get off my thread.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gonzalo
Sent: Monday, April 28, 2008 9:49 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] New server exploit (not nuking)
STEAM AND CS 1.6 KEEP KI
This is not the right place to get support for that.
This is a list for the server admins
> From: [EMAIL PROTECTED]
> To: hlds@list.valvesoftware.com
> Date: Mon, 28 Apr 2008 23:48:49 -0500
> Subject: Re: [hlds] New server exploit (not nuking)
>
> STEAM AND CS 1.6 KEEP KICKING ME WHEN I LOG IN
One srcds exploit. I helped. That reminds me, didn't valve say they'd give
us a mention in a steam news update thing?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of voogru
Sent: Monday, April 28, 2008 9:41 PM
To: 'Half-Life dedicated Win32 server mailing
What's a good firewall (software) to run on a win2003 server?
___
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
http://list.valvesoftware.com/mailman/listinfo/hlds
STEAM AND CS 1.6 KEEP KICKING ME WHEN I LOG INTO A SERVER..IM FROM PERU AND
DON'T KNOW WHAT ELSE TO DOO!!! IM GOING CRAZY!
Gonzalo
Next (99)811*1872
--
From: "voogru" <[EMAIL PROTECTED]>
Sent: Monday, April 28, 2008 11:41 PM
To: "'Half-Life dedica
You fixed it? How? What is your IP address? I would like to see what
happens when I nuke it.
Nephyrin Zey wrote:
> Dear Valve:
>
> God damn.
> I just finished my damn iptables rule to fix your broken packet handling.
>
> In conclusion, give me a job. (please? I'll pretend to like wow around gabe!)
No.
Me first.
I probably found some of the coolest srcds exploits anyway (was recently
fixed :D)
- voogru.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Paloma
Sent: Tuesday, April 29, 2008 12:24 AM
To: 'Half-Life dedicated Win32 server mailing l
Uhm, me first.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Nephyrin Zey
Sent: Monday, April 28, 2008 9:19 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] New server exploit (not nuking)
Dear Valve:
God damn.
I just finished m
Well they are attacking the TCP/IP (RCON) port and not sending UDP packets. So
Valve could potentially detect this and then just deny connections from IPs
that are spamming.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wojciech H
Sent: Monday, April 2
Dear Valve:
God damn.
I just finished my damn iptables rule to fix your broken packet handling.
In conclusion, give me a job. (please? I'll pretend to like wow around gabe!)
- Neph
On Mon, Apr 28, 2008 at 9:12 PM, Tony Paloma <[EMAIL PROTECTED]> wrote:
> Found the problem
>
> "sv_benchmark_forc
I don't think this applies to valve, as the packet contents do not
matter in this case, but just the amount of packets hit at the server.
Valve did a good job on making sure that random packets do not crash the
server, but didn't put any internal limits on the number of packets a
server will pr
You know I have also seen bots pop up in one of my servers.
Everything looks fine then later on that day the server is almost full of bots
?!?!
Found the problem
"sv_benchmark_force_start"
game
- Force start the benchmark. This is only for debugging. It's better to set
sv_benchmark to 1 and restart the level.
Players can run this and make the server start the benchmark. Real bad
k.
-Original Message-
From: [EMAIL PROTECTED
I wish there was. :(
Rodge Stumbaugh wrote:
> Is there a moderated list?
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Ian Shaffer
> Sent: Monday, April 28, 2008 9:08 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] Cr
What map is running?
Tony Paloma wrote:
> Also, this is what shows up in the logs. No indication of any RCON commands
> being executed.
>
> ...
> L 04/28/2008 - 22:43:54: "Anona mouse<12>"
> joined team "Red"
> L 04/28/2008 - 22:43:54: server_cvar: "mp_teams_unbalance_limit" "0"
> L 04/28/2008 - 2
Also, this is what shows up in the logs. No indication of any RCON commands
being executed.
...
L 04/28/2008 - 22:43:54: "Anona mouse<12>"
joined team "Red"
L 04/28/2008 - 22:43:54: server_cvar: "mp_teams_unbalance_limit" "0"
L 04/28/2008 - 22:43:54: "Thomas<2>" say "hmmm"
L 04/28/2008 - 22:43:55:
Try to change your RCON PW
> From: [EMAIL PROTECTED]
> To: hlds@list.valvesoftware.com
> Date: Mon, 28 Apr 2008 20:51:34 -0700
> Subject: [hlds] New server exploit (not nuking)
>
> So my servers are getting this in the console:
>
> Benchmark: 40% complete.
> Benchmark: 43% complete.
> (:
So my servers are getting this in the console:
Benchmark: 40% complete.
Benchmark: 43% complete.
(:: lmao
Benchmark: 46% complete.
Benchmark: 49% complete.
Compressing fragments (552 -> 521 bytes
Benchmark: 52% complete.
Compressing fragments (691 -> 667 bytes
Benchmark: 55% complete.
I thank all of you for your help in this. It has been causing a lot of
problems and I really hope that there is a simple solution to such a simple
program. There has been lots of great activity so far, we knew this was the
right place to come to in order to get results. We have been using a
mult
Sigh. See, this kind of thing is what happens when developers don't
take the most elementary precautions when sanity checking their
inputs. Haven't those people ever heard of Fuzz Testing?
http://pages.cs.wisc.edu/~bart/fuzz/
The researcher documents research published in 1990, 1995, 2000, and
Is there a moderated list?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ian Shaffer
Sent: Monday, April 28, 2008 9:08 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] Critical "Nuke Attack" Exploit within Source engine
My big pr
At least it's not another hlboom
Nephyrin Zey wrote:
> It can send any packet of data you tell it to, the key to the attack
> is the fact that it spams it over and over. I successfully took down a
> test server here after instructing the tool to spam the string ""
> (4141414100)
>
> - Neph
>
>
It can send any packet of data you tell it to, the key to the attack
is the fact that it spams it over and over. I successfully took down a
test server here after instructing the tool to spam the string ""
(4141414100)
- Neph
On Mon, Apr 28, 2008 at 7:31 PM, Chad Austin <[EMAIL PROTECTED]> wr
it sends this:
00508d917476000f1f550a6a0800452840004006b719c0a80101c0a8016500870cf0e556bd8d50147bbe
Bobby35ny wrote:
> You did the right thing Ian, no worries!!
> I'm sure AL will take care of it.
>
> =bobby
>
>
>
> -Original Message-
> From: [EMAIL PRO
You did the right thing Ian, no worries!!
I'm sure AL will take care of it.
=bobby
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ian Shaffer
Sent: Monday, April 28, 2008 10:08 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] Cr
Can't a simple third-party program stop this from happening?
Well at least Alfred's been notified of the issue. He told me he's
investigating the report.
Brian D'Arcy wrote:
> I'm afraid that this type of attack has been around since the late 90's, if
> not earlier.
>
> It's basically pounding random UDP data (or maybe nowadays more structured
> data) at r
The difference here is that the amount of data this tool is moving is
not significant, and certainly not enough to exhaust network
resources. Simple data-rate limits on firewalls would negate the
attacks if so. The problem is the server software (srcds) is wasting
huge amounts of processing power o
I'm looking at the tool now. The attack is stupid simple: It opens a
TCP connection and sends bogus data over and over as fast as it can.
The server wastes frames processing these packets and quickly chokes
and dies. The server makes no attempt to close this bogus connection
either.
What are the n
I'm afraid that this type of attack has been around since the late 90's, if
not earlier.
It's basically pounding random UDP data (or maybe nowadays more structured
data) at raw listen ports. The application listening does what it's
programmed to do, parse the input and use up available resources
I just noticed that. Pity my hastiness.
Daron Dodd wrote:
> You already did when you told everyone the name of the program in the
> first email. Google is a very powerful tool.
>
> On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer
> <[EMAIL PROTECTED]> wrote:
>
>> My big problem here is that I do not
You already did when you told everyone the name of the program in the
first email. Google is a very powerful tool.
On Mon, Apr 28, 2008 at 6:07 PM, Ian Shaffer
<[EMAIL PROTECTED]> wrote:
> My big problem here is that I do not have root access to any of my
> servers. We used to have all our servers o
My big problem here is that I do not have root access to any of my
servers. We used to have all our servers on our own dedi, but BECAUSE of
these attacks, we decided to scrap the dedi and spread our servers
across different IP ranges by paying per slot in different locations.
Even though we can
I'm going to hit my own server with this and see if my IDS will stop
this attack.
Michael Jordan wrote:
> Just Google "Hackers Assistant", it's the first link.
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Chad Austin
> Sent: Monday, April 28,
Program won't run on my computer so I can get packets but this is what
the site says:
Nuker - Floods an open port with a specified amount of text
Nuker 2 - Floods an open port with text continuously and auto-reconnects
when connection is lost
Michael Jordan wrote:
> Just Google "Hackers Assistan
Just Google "Hackers Assistant", it's the first link.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Chad Austin
Sent: Monday, April 28, 2008 7:58 PM
To: Half-Life dedicated Win32 server mailing list
Subject: Re: [hlds] Critical "Nuke Attack" Exploit with
My server was nuked a week ago or so, and there is a thread about the
SourceOP servers being attacked similarly.
While this attack doesn't max our bandwidth out, it does use
~3megs/sec while in progress. I have since set up iptables/netfilter in
my kernel so I can add rules that restrict traffic to
Post a dump of packets please, or just link to program so it can be
analyzed.
Ian Shaffer wrote:
> Dear Network Administrator,
>
> Over the past few months my servers have been brought to their knees
> dozens of times through "nuke" style Denial of Service attacks. Simply
> put, players start t
Very disturbing
Dear Network Administrator,
Over the past few months my servers have been brought to their knees
dozens of times through "nuke" style Denial of Service attacks. Simply
put, players start teleporting around, pings gradually start increasing
for all players and the timer slows down. After a coupl