Please help with this hacker
Basically our server is being torn a new ***hole. I have taken it down until we can actually resolve this.
A guy is joining and doing pretty much whatever he wants with it. Disabling addons, etc... we can't IP or ID ban him. I was told to post here by Timex for a solution but to be honest, this guy has eluded us for months. He is messing with people's CFGs and the whole server.
I am really at a loss. We all know there are hundreds of websites out there with the sole aim of bringing servers to a halt, with hacks or whatever, but this is pretty unstoppable.
I've changed the RCON password dozens of times but they still get in. I've banned a number of IPs and IDs. Still no stopping them.
This is destroying our server. Please help.
Re: Please help with this hacker
Viper., what game you running?
If it's Counter-Strike: Source and running SourceMod:
Install D-Fens.
Install http://forums.alliedmods.net/showthread.php?t=93934
Change your rcon password.
Go in your plugins folder and make sure he did not upload sourceadmin in your folder.
Delete that asap.
If it's not Source, then not sure :/
Re: Please help with this hacker
We are running CS:S with Sourcemod.
We already have that plugin running.
RCON has been changed at least 5 times.
For what it's worth, he uses this IP - 99.41.169.58, and this ID - STEAM_0:0:18530428, and this is his STEAM community profile - http://steamcommunity.com/id/Mikeywinzorz
He disables sm_kick, sm_ban etc. as soon as he joins the server. He can't even be banned through RCON with banip/banid.
Re: Please help with this hacker
Did you check if he uploaded a file called sourceadmin in the plugins folder?
If you find that file, delete it, and change your rcon pw one more time.
Re: Please help with this hacker
Are you also running the three plugins mentioned here? http://code.devicenull.org/index.php?ti ... 2_Exploits
Are all your plugins up-to-date? You're not running EventScripts or Mani, are you (just Sourcemod)?
You might try completely clearing out the plugins (renaming the folder) and then reloading just the bare Sourcemod and anti-DoS plugins, to try to rule them out as much as possible.
Re: Please help with this hacker
We are running those 3 plugins also.
They are all up-to-date.
We run eventscripts (the latest version) but only for the anti-crash scripts. Mani isn't installed at all.
I will re-install Sourcemod now.
Re: Please help with this hacker
I'd definitely recommend removing ES, at least temporarily, to make sure it's not the culprit. Historically ES has had a number of exploitable bugs, and it also hurts the performance of the server quite a bit.
Re: Please help with this hacker
ES has been removed and the server is now back up. We'll see how long it takes for CFGs to start getting messed around with and players getting banned again.
Thanks for your help.

Re: Please help with this hacker
Ok.. even with a complete re-install of every plugin, these people are still getting into RCON somehow. I've changed pretty much every password I have at least 5 times on multiple machines so I know I haven't got a keylogger or anything.
Next question is... TimeX said something about blocking access to RCON and whitelisting IPs that need it. Is there a guide for this anywhere?
I even have the player's ID he uses every time, but as he can simply wipe the ban list and unload every plugin, there's not a lot I can do to block him from the server.
Re: Please help with this hacker
Did it also do this with all plugins completely disabled (the server running vanilla)?
If it still does it vanilla, then he's getting it through a keylogger/spyware on an admin's machine, most likely, but we could try to manually firewall you off as you describe. In this case, please open a support request.
Re: Please help with this hacker
Yes, it was a default installation of CS:S.
I'll send off a support ticket now.. just that I was told to come here for firewall help.
Re: Please help with this hacker
This is intriguing ....
let us know how this goes.
Re: Please help with this hacker
Viper. wrote:
Yes, it was a default installation of CS:S.
I'll send off a support ticket now.. just that I was told to come here for firewall help.

Shoot, I'm sorry, I thought it was a regular game server with us for some reason (clearly it's not, or it wouldn't be in this forum).
Yes, for a VDS/VPS or dedicated server, the firewall configuration is something you would have to do yourself. What OS are you running?
Re: Please help with this hacker
Edge100x wrote:
Shoot, I'm sorry, I thought it was a regular game server with us for some reason (clearly it's not, or it wouldn't be in this forum).
Yes, for a VDS/VPS or dedicated server, the firewall configuration is something you would have to do yourself. What OS are you running?

We're using Windows 2003. I did block the IP I mentioned above using the IP Security snap-in through the Management Console but I'm also looking at filtering RCON and only allowing mine and a couple of other IPs.
Re: Please help with this hacker
Ok. For filtering rcon, I'd recommend using ipsec. I'm most familiar with ipseccmd; with it, you'd enter a line like this for every IP you want to get through:
ipseccmd -f "(allowedip::tcp=0:27015:tcp)"
Then you'd enter this line to block anyone else from getting through to port 27015:
ipseccmd -f "[*::tcp=0:27015:tcp]"