Attack on rcon !



goddzila
6th December 2014, 21:25
hello,
Does anyone know how to defend against an rcon attack? I cannot connect to rcon and it writes: Bad rcon from 78.3.43.13:-10222 ..

Mitch
6th December 2014, 21:40
http://aluigi.altervista.org/patches.htm

Quake 3 engine RCON half-second limit disabler (Windows and Linux) 0.1.2b
(q3rconz) (http://aluigi.altervista.org/patches/q3rconz.lpatch)

this patch disables the anti-bruteforcing check in the games that use the Quake 3 engine for avoiding the Denial of Service (admins can't use RCON) caused by the flooding of rcon packets (more info in the file)
anyway remember that disabling this limitation naturally has other negative side effects like faster rcon brute forcing, so remember to choose a strong rcon password

Tally
6th December 2014, 21:49
http://aluigi.altervista.org/patches.htm

Quake 3 engine RCON half-second limit disabler (Windows and Linux) 0.1.2b
(q3rconz) (http://aluigi.altervista.org/patches/q3rconz.lpatch)

Does that work with the COD engine? Because to simply assume it does because COD1 used the Quake 3 engine will get you into the same trouble as it did Aluigi himself, when it was shown that his simple assumption that all Quake 3 patches would work with the COD engine was wrong. Not all of them do.

goddzila
6th December 2014, 22:12
I need it for cod2..

YuriJurek
6th December 2014, 22:15
Does that work with the COD engine? Because to simply assume it does because COD1 used the Quake 3 engine will get you into the same trouble as it did Aluigi himself, when it was shown that his simple assumption that all Quake 3 patches would work with the COD engine was wrong. Not all of them do.

There is a list of code offsets for particular games in the script:

; CoD2 (the only addition in 0.1.2b)
BYTES_ORIGINAL
A1 ?? ?? ?? ?? ; mov eax, dword ptr [0849FBF4]
8B 55 EC ; mov edx, dword ptr [ebp-14]
29 C2 ; sub edx, eax
89 D0 ; mov eax, edx
3D F3 01 00 00 ; cmp eax, 000001F3
7F 13 ; jg 00000026
8D 85 ?? ?? FF FF ; lea eax, dword ptr [ebp+FFFFFBC8]

BYTES_PATCH
?? ?? ?? ?? ??
?? ?? ??
?? ??
?? ??
?? ?? ?? ?? ??
eb ??

Edit: Also I thought those latest binaries already contain 'rcon query limit disabler' by default: http://killtube.org/showthread.php?1719-Latest-cod2-linux-binaries-%281-0-1-2-1-3%29&highlight=binaries

Mitch
6th December 2014, 22:42
time = Com_Milliseconds();
if (time < (lasttime + 500)) {
    return;
}
lasttime = time;


The patch removes this (^) from the function that handles rcon commands.

IzNoGoD
6th December 2014, 23:35
The ip you are getting this from is listed on at least 4 banlists: spamhaus, SEM BLACK, RATS Dyna, BARRACUDA

Maybe it's time to start including blocklists with cod2 servers?

YuriJurek
7th December 2014, 00:19
Yeah well, bet it's the same guy that tried to steal my scripts, his common name is Kabus so just watch out for him guys, but you won't be able to block him anyway cuz non-static ip ;x

IzNoGoD
7th December 2014, 01:04
Actually got him on my friendslist. Just make your server secure (which is always good advice) and you don't have to worry about a thing

filthy_freak_
7th December 2014, 01:36
LOL OMG

Not this guy...

Yes, stay far away from this person



[06:16] .BadBoy: you're starting to piss me off, stop making it sound like it's my fault that I don't want to give you my hard work and stop making it sound like it's my fault for not wanting to give you an unfair advantage. You're a dick for escalating what was nothing into something major and i'm sick of hearing this shit. You're gone from my friends list and i'm happy i don't have to listen to your annoying questions anymore
[06:17] |h@x| |Kabus|: ok -,,, look u crying but i never cry
[06:18] .BadBoy: and now you're trying to insult me, it's not going to work
[06:18] .BadBoy: get over it
[06:18] |h@x| |Kabus|: want me to release ur scripts? don worry im not badass like u for dying for a fKing game
[06:18] .BadBoy: that would show what a great character you are, befriending someone and then releasing their private stuff
[06:19] .BadBoy: i know i can't stop you from doing that, so i'm not going to even try and talk you out of it
[06:19] .BadBoy: get lost
[06:19] |h@x| |Kabus|: im not releasing yet ... and don want to do it ... just ur big talking make me angry
[06:19] |h@x| |Kabus|: untill this time u dont know who am i ...
[06:19] .BadBoy: exactly now you know how I feel, everything you have said during this conversation was uncalled for and makes me angry >:( you wonder why im pissed
[06:20] |h@x| |Kabus|: i said give a fking rank to test what u will say and saw no - u are not like that friend i gues in my memory ...
[06:21] |h@x| |Kabus|: u are not like a Boy
[06:21] .BadBoy: to test? i don't think thats what it sounded like
[06:21] .BadBoy: "[06:02] |h@x| |Kabus|: come inGame and set my rank to Latest"
[06:21] |h@x| |Kabus|: u doing girls work
[06:21] .BadBoy: just get over it dude im done with this convo
[06:21] |h@x| |Kabus|: i dont fu


And yes, he did steal my mod before I had libcod. However it's useless these days, being severely outdated.

Mitch
7th December 2014, 15:13
It is probably best to make something like this with libcod.

http://www.urbanterror.info/forums/topic/13962-another-server-exploit-foundabused/page__view__findpost__p__201750

Edit: Something like (example)



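int hook_SVC_RemoteCommand(int from, int msg)
{
    if (sendpass != rconpass) // password in the packet is not the server's rcon password
    {
        int time = ...; // current time in milliseconds

        if (time < (lasttime + 1000)) { // limit bad password by 1s
            return;
        }

        lasttime = time;
    }

    SVC_RemoteCommand(from, msg); // correct passwords are never delayed
}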
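
The trade-off discussed in this thread, as an added example that is not part of Mitch's post or of the libcod commit: a constructed C model that replays one packet flood through the engine's global half-second check, the "no limit" patched state, and a bad-password-only 1 s delay. The traffic pattern, the placeholder password and every name are assumptions made for illustration, and the hook is assumed to run on a binary whose global check is already disabled.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model; names, traffic and password are illustrative assumptions. */
enum policy { GLOBAL_500MS, NO_LIMIT, BAD_PASSWORD_1S };
struct pkt { int t_ms; const char *pass; };   /* arrival time, password sent */
struct result { int admin_ok; int guesses_checked; };
static const char *RCONPASS = "constructed-secret";   /* placeholder */

/* Replay packets through one policy; count what reaches the password check. */
struct result replay(enum policy p, const struct pkt *pk, int n)
{
    struct result r = {0, 0};
    int lasttime = -100000;                    /* no packet seen yet */
    for (int i = 0; i < n; i++) {
        int good = strcmp(pk[i].pass, RCONPASS) == 0;
        if (p == GLOBAL_500MS) {               /* engine: every packet is throttled */
            if (pk[i].t_ms < lasttime + 500) continue;
            lasttime = pk[i].t_ms;
        } else if (p == BAD_PASSWORD_1S && !good) { /* hook: bad passwords only */
            if (pk[i].t_ms < lasttime + 1000) continue;
            lasttime = pk[i].t_ms;
        }
        if (good) r.admin_ok++; else r.guesses_checked++;
    }
    return r;
}

/* Constructed traffic: a wrong password every 100 ms for 10 s, admin at 2050/5050/8050 ms. */
struct result run(enum policy p)
{
    struct pkt pk[103];
    int n = 0;
    for (int t = 0; t < 10000; t += 100) {
        pk[n++] = (struct pkt){ t, "guess" };
        if (t == 2000 || t == 5000 || t == 8000)
            pk[n++] = (struct pkt){ t + 50, RCONPASS };
    }
    return replay(p, pk, n);
}

int main(void)
{
    const char *name[] = { "global 500 ms", "no limit", "bad password 1 s" };
    for (int p = GLOBAL_500MS; p <= BAD_PASSWORD_1S; p++) {
        struct result r = run((enum policy)p);
        printf("%-17s admin ok %d/3, guesses checked %d/100\n", name[p], r.admin_ok, r.guesses_checked);
    }
    return 0;
}
```

With this traffic the global check drops all three admin commands, removing it lets every guess reach the password check, and the bad-password-only delay lets the admin through while checking 10 of the 100 guesses.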

Mitch
9th December 2014, 17:16
I made a working demo from my example above.


Bad rcon from [IP]:-14751:
cvarlist
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
Rcon from [IP]:-9114:
status
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
Bad rcon from [IP]:-14751:
cvarlist
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
bad rcon delay
Bad rcon from [IP]:-14751:
cvarlist


https://github.com/M-itch/libcod/commit/34ebce73280051df7e9339ed5149d062d7d36f6b
http://znation.nl/libcod/ubuntu/

guiismiti
9th December 2014, 22:26
LOL OMG

Not this guy...

Yes, stay far away from this person



And yes, he did steal my mod before I had libcod. However it's useless these days, being severely outdated.


I was just going through someone's screenshots in xfire and I noticed this person was a member of this |h@x| clan. It seems to be a Brazilian clan.

Before I say what I have to say, keep in mind I'm not being racist (especially because Brazilian is a nationality, and not a race...). Anyway, 1 - I am Brazilian, and 2 - I'm basing what I'm saying on facts, not my personal opinion.

- Almost every Brazilian server has copied mods without a single credit. I started modding in 2008, and I can still see codes and stuff that I created (I only found out that scripts can be server side one year ago). The servers that don't have copied mods have unmodified standalone version of mods that were not created by the admins.
My point is, almost 0% of the BR admins don't make the mods they use or don't credit the people who made the codes they use.

Ni3ls
9th December 2014, 22:36
I made a working demo from my example above.


https://github.com/M-itch/libcod/commit/34ebce73280051df7e9339ed5149d062d7d36f6b
http://znation.nl/libcod/ubuntu/

How to apply it to a server?

Mitch
9th December 2014, 22:55
How to apply it to a server?

Install/build my libcod version.



git clone https://github.com/M-itch/libcod.git
cd libcod
./doit.sh base
./doit.sh cod2_1_0
cp bin/*.so /path/to/libs

Ni3ls
11th December 2014, 20:16
Is there not a way to apply it to kungfooman's libcod version?

kung foo man
11th December 2014, 21:42
Is there not a way to apply it to kungfooman's libcod version?

I wasn't able to work all of Mitch's changes into my repo yet, so from that point my repo is kinda outdated. Though mine has some changes to IzNo's async MySQL, which might be just easier to pull/cherry-pick into Mitch's repo and reverting the free_slot()-bug (sorry, I just interpreted the commit message wrong).

Always wanted to address this git incompatibility stuff with some tutorial/video or so, but just lacking motivation in last time. ^^

serthy
12th December 2014, 17:54
just lacking motivation in last time

http://www.schleckysilberstein.com/2014/12/der-sinn-des-lebens-einfach-erklart/