Killing Floor web admin and php support ?

[Elochai]

Ok so here whats up, a buddy of mine runs 2 Killing Floor servers off my VDS and has been having issues with hackers as of late. I dealt with one of them in the pass by a firewall block. But these hacks don't give up, They managed to hack his Admin account and use web admin to cause some trouble.

I changed his admin account, password, and web admin access port. After doing all that, they managed to figure out the web admin port change (Not to hard if you use a site to show open ports) and went back to cracking his admin account again. So once again I have changed all his account info.

So now I am working on adding a php script to the web admin to log connecting IP addresses to see if I can see any unwanted users connecting. My question is, are the manage VDS setup with php installed ?

[TimeX]

The managed VDS servers do not have PHP installed or any type of web server. Killingfloor runs its own web server for the web admin, but I do not know if that will run any PHP functions.

[TacTicToe]

You know I have run KF servers since they first came out. I have never even once had my admin account hacked. Honestly, I don't think I have ever seen a hacker on KF in my life. Nothing you posted makes sense. How the devil can they crack his password. I honestly dont believe it is even possible.

At any rate, there is no PHP access on managed VDS's, so youre fubar there. You can see the IP's of people on your server via the webadmin. You can simply ban them there. Their IP and account will be banned from your server.

Are you running legit KF servers? Are you sure the guy getting his password hacked doesnt maybe have a key logger running on his computer that could be letting these guys get his password? Again, I have never seen or heard of anything like what you have posted here. And i have run KF servers for many years.

[Elochai]

You know I have run KF servers since they first came out. I have never even once had my admin account hacked. Honestly, I don't think I have ever seen a hacker on KF in my life. Nothing you posted makes sense. How the devil can they crack his password. I honestly dont believe it is even possible.

At any rate, there is no PHP access on managed VDS's, so youre fubar there. You can see the IP's of people on your server via the webadmin. You can simply ban them there. Their IP and account will be banned from your server.

Are you running legit KF servers? Are you sure the guy getting his password hacked doesnt maybe have a key logger running on his computer that could be letting these guys get his password? Again, I have never seen or heard of anything like what you have posted here. And i have run KF servers for many years.

Ya they are legit, It a manage VDS and I set them up for him as he doesn't know how to really do anything server side. I even have to install any custom maps he wants.

Ya I been running 6 of my own KF servers and never had an issue with a hacker myself for 2 years now. But he been having this issue and they are gaining ungrated access to his master account (So he says) and then creating new admin accounts from within.

See his clan used to be run by another friend of mine (never had an issue), when that friend took on 4 jobs, he handed the servers over along with the clan to this "New" friend / new client for me. The clan had an issue with this and the way my new client / friend handled it was to delete all admin accounts that some of these clan members who donated had.

So this just made more issues (kids are kids). And thats when we had our 1st few hackers, started out as Cheat Engine hackers who abused the way the game handle information and where able to use that system to change the values of life, ammo, ect within the game.

That don't bother me and I really don't care as it not my servers, plus it was easy to ban them. But then they started to hack his admin account and started creating new ones and casuing issues on the server. I can't have this and I don't got the time to babysit his server looking at all player IP's. That pointless and doesn't tell me which player logged into webadmin.

The real fact to this is, I don't believe these "hackers" who are most likely kids from the clan, before it changed hands or people he has banned are smart enough to figure out his password after changing it or to figure out how to find the new port number for web admin like we can. Really how many of these kids are going to go "hey he must of changed web admin port number, better go do a open port scan on his server".

I believe that one of his other admins have leak the information for their own account and when the port number changed, they leak that information as well. It wouldn't be the 1st time one of his admins gave there account info out to an old clan member. He down to 2 admins now.

Anyway it to bad I can't grab any incoming IP's to web admin. As he believes they are sitting down, typing in username and then using a long process of having a password breaker input password after password for hours on end till it's right .

[Elochai]

UPDATE:

I got a work around made and now am able to capture the IP's of anyone entering the web admin page.

[TacTicToe]

Still doesnt make any sense, how they got his rcon. Even using brute force, and locating the new rcon port, it just doesnt make sense. Have him create a 15 character password, using upper case, lower case and numbers. Dont give that rcon password to ANYONE. He can create admins in the admin group for those he wishes to help administrate the server, without having to give out his rcon password.

I still say someone slipped him a key logger on his system. Would bank money on it. I have never seen or heard of this kind of problem before. Something just doesnt seem right. We dont have all the pieces to this puzzle.

[Edge100x]

You should also check to make sure that the control panel isn't showing unauthorized IPs accessing it (through its "Access log" page) and that the FTP password has been changed (in case the unauthorized individual has a copy of it and is simply reading the password from disk).

[Elochai]

I really don't think he download a key logger from an old clan member who is up rising against him.

The control panel for NFO along with FTP are fine from what I can see. He doesn't even log into it because he afraid he may mess something up and don't understand how to install maps or mods.

So far since I changed the web admin passwords of his other admins (which where full admins), the issue has stopped.

So I still believe that one of his admins leak there account information to a friend and that his master account was not being used or at risk.

That the problem with his clan now, its broken, some members stay and others left. So it only takes one clan member in his clan to try and mess things up for him.

But in the meantime I going to use the IP logger I made to make sure.