Nasty file-upload exploit

Rawh · 02-11-2010, 06:13 AM

Greetings everyone,

It seems valve / steam has done it again. A nasty exploit has surfaced which threatend my server.

I wasn't able to use any console command to see what was going on.
They all resulted into an error saying `Unknown command "es_msg"`. To my shock it seemed a new folder called 'mani admin' was on my server with just a single steamid as admin.

There are no log entries of what happened. Neither are there any logging attempts I could spot in my firewall (for abusive retrying) or successful login. There's no FTP server on my machine so that wouldn't be the issue.

After a bit of searching with hlsw I spotted some person issuing mani admin commands. The moron who did this goes by the following, so the logs tell me:

Quote:

L 02/10/2010 - 20:57:36: "z0rn | bestmeth0ds<223><STEAM_ID_PENDING><>" connected, address "72.24.117.40:27005"
L 02/10/2010 - 20:57:39: "z0rn | bestmeth0ds<223><STEAM_0:1:20674296><>" STEAM USERID validated

Above steamid resolves to the steamcommunity page here.

Voorgru has made a plugin which should initially block these attacks on your server. You can grab the plugin from here and follow it's instructions on how to install it.
The plugin is both for windows and linux!

Hopefully the thing that happened to me doesn't happen to your server.
I got a reinstall planned for the machine tomorrow seeing I'm not sure about what has been done with it. Better safe then sorrow I suppose.... *snif*

-- Rawh

Rawh · 02-11-2010, 06:22 AM

<cut>

There, install manual is already on the forum

moosh · 02-11-2010, 11:43 AM

Woah,creepy. Thanks for posting the plugin.

Rawh · 02-11-2010, 05:03 PM

Updated main post with "new" plugin which blocks a bit better!

loveripad · 06-06-2010, 11:49 AM

I really understand the situation here, my friend. This is certainly frustrating especially with the error message you are receiving. It seems as if someone can now have access into your account. I say this because you said you couldn’t use your console command. Right? So I am expecting someone has hacked into your account. That is the only possible reason. Furthermore, there are no log entries as to what happened so certainly as you said this must be the job of valve/steam!

02-11-2010, 06:22 AM	#2
Rawh FF Whiner Server Owner Beta Tester Join Date: Sep 2007 Location: Chair.. sometimes a couch Class/Position: D Engy, D Soldier Gametype: Capture the Flag Posts Rated Helpful 1 Times	<cut> There, install manual is already on the forum Last edited by Rawh; 02-11-2010 at 05:02 PM.

06-06-2010, 11:49 AM	#5
loveripad Join Date: Jun 2010 Gametype: Capture the Flag Posts Rated Helpful 0 Times	I really understand the situation here, my friend. This is certainly frustrating especially with the error message you are receiving. It seems as if someone can now have access into your account. I say this because you said you couldn’t use your console command. Right? So I am expecting someone has hacked into your account. That is the only possible reason. Furthermore, there are no log entries as to what happened so certainly as you said this must be the job of valve/steam! __________________ Call Center

02-11-2010, 11:43 AM	#3
moosh WhenNailGrenWillOut? Beta Tester Join Date: May 2009 Gametype: mp_prematch Affiliations: [:)] - Frag Happy, babe\| Posts Rated Helpful 29 Times	Woah,creepy. Thanks for posting the plugin.

02-11-2010, 05:03 PM	#4
Rawh FF Whiner Server Owner Beta Tester Join Date: Sep 2007 Location: Chair.. sometimes a couch Class/Position: D Engy, D Soldier Gametype: Capture the Flag Posts Rated Helpful 1 Times	Updated main post with "new" plugin which blocks a bit better!

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)