VDS hacked?

exs_teabag
A semi-regular
Posts: 20
https://www.youtube.com/channel/UC40BgXanDqOYoVCYFDSTfHA
Joined: Thu Mar 04, 2010 3:27 pm

VDS hacked?

Post by exs_teabag »

Umm, I've changed my pw to my rcon for my servers, say, I dunno, 8 times in the past 4 days with passwords ranging from 9906-AbCdEFGhIjKlMNOP, yet someone keeps logging into rcon for my server and banning everyone ... I have the log file for it but I don't know how to find the IP from which the person was logging into rcon with ... I'm really confused on the whole situation, I really need some help... I have the guy's IP but I don't know if that helps at all
Edge100x
Founder
Posts: 13126
Joined: Thu Apr 18, 2002 11:04 pm
Location: Seattle

Re: VDS hacked?

Post by Edge100x »

CoD4 has a bug in it that allows for the server.cfg (and any other configuration file) to be sent to any client that asks for it. In doing this, the client can easily learn your rcon password.

The good news is that a workaround is very simple. Use a dummy server.cfg file containing an invalid rcon password, and call the configuration file that you actually want executed something like serverADKJAGHYU1213215.cfg -- with random letters and numbers making it into a sort of password of its own. Then, add +exec serverADKJAGHYU1213215.cfg to your server's command line, so that it is executed when the server is started.

This workaround is made possible by the fact that clients can't get a list of files on the server; they can just request specific files by name. Using an unguessable name ensures that your file can't readily be snooped.
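
The workaround described in the post above, as a shell example added here (it is not part of the original thread and is not the game's or the host's own tooling). The function names, the `// decoy` marker, the hex suffix and the `set rcon_password "..."` line format are assumptions of this example, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: hide the real config behind an unguessable file name.

# 32 hex characters (128 bits) from the kernel's random source.
random_suffix() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# Print the rcon_password value set in a config file (last setting wins).
rcon_of() {
    sed -n 's/^[[:space:]]*set[[:space:]]\{1,\}rcon_password[[:space:]]\{1,\}"\([^"]*\)".*/\1/p' "$1" | tail -n 1
}

# hide_real_config DIR: move DIR/server.cfg to server<random>.cfg, write a
# decoy server.cfg with a throwaway rcon password, and print the new file name.
hide_real_config() {
    dir=$1
    [ -f "$dir/server.cfg" ] || { echo "no server.cfg in $dir" >&2; return 1; }
    if grep -q '^// decoy' "$dir/server.cfg"; then
        echo "server.cfg is already a decoy" >&2; return 1
    fi
    real="server$(random_suffix).cfg"
    mv "$dir/server.cfg" "$dir/$real" || return 1
    printf '// decoy\nset rcon_password "%s"\n' "$(random_suffix)" > "$dir/server.cfg"
    # The decoy must not share a password with the file it replaces.
    [ "$(rcon_of "$dir/server.cfg")" != "$(rcon_of "$dir/$real")" ] || return 1
    printf '%s\n' "$real"
}

# Demo on a constructed config in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'set sv_hostname "example"\nset rcon_password "constructed-old-pw"\n' > "$d/server.cfg"
    name=$(hide_real_config "$d") || return 1
    echo "add to the server command line: +exec $name"
    rm -rf "$d"
}
demo
```

The rcon password inside the renamed file should also be changed, since the old value may already have been retrieved through server.cfg.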

Re: VDS hacked?

Post by exs_teabag »

Btw, what's "the ddos" .. this guy that's hacking me used to be in my clan and after we found out he was a convicted hacker in cod4 we got rid of him, and he just messaged me saying that he hacked it and this and that and this and that, and I did what you told me to do and put the server back up and this is what he said

[18:19] exPos3D: happy?
[18:20] #eXs.TeaBaG[UGL]: ?
[18:20] exPos3D: your server is back
[18:20] #eXs.TeaBaG[UGL]: i just put it up
[18:20] exPos3D: i stopped the ddos
[18:20] #eXs.TeaBaG[UGL]: u gonna stop?

So what in the world is ddos? lol

Re: VDS hacked?

Post by Edge100x »

A DDoS is a Distributed Denial of Service attack, and typically involves flooding a machine offline by overwhelming its internet connection (though it could also involve resource exhaustion, such as the machine's CPU or memory). If he's planning to launch one of these, using a botnet, it would be separate from what he did to you before. The rcon password retrieval exploit was not a DDoS or DoS.

Re: VDS hacked?

Post by exs_teabag »

Btw, on another note, it seems that all the people he banned from the cod4 server are NOT in the ban.txt files .... and I CANNOT reverse the bans ... he banned a few of my members along with a bunch of friends that play in my server all the time and I can't find where to delete the bans ... I tried renaming the mod, loaded it up to the ftp, wrote the new configs and put it on another one of my IPs and they're still banned ... kinda lost on this issue as well
TimeX
Staff
Posts: 1793
Joined: Thu Jul 22, 2004 12:24 am
Location: Big Bear, CA

Re: VDS hacked?

Post by TimeX »

In CoD4, bans are recorded in a bans.txt file, located in the mod's folder (or the "main" folder, if not running a mod). If there are no such bans recorded, and a server restart doesn't clear the bans, then they may have their bans recorded in punkbuster instead.

This is assuming they are getting the message about being banned when they join. The bans will be recorded in either bans.txt or in punkbuster where you can edit it.
TimeX

Re: VDS hacked?

Post by exs_teabag »

Yeah man ... I just found out the guy was using a ddop or something like that and found all the bans in the pbbans.dat file ... I ended up deleting around 60 bans give or take just from what he's done in the past 2 days ... it kinda makes me wonder how he can write those bans in that file, because wouldn't he need access to the file in order to write it there?

Re: VDS hacked?

Post by TimeX »

Punkbuster bans can be done manually via a punkbuster rcon command. My guess is he did it that way.
TimeX