Servers under attack and crashing

[Rawh]

Greetings,

It seems there's someone from the ip address 75.108.37.173 sending false rcon attempts to my server.

Normally, this wouldn't even catch my attention yet my servers are suddenly crashing after getting 15 (or more) of the "bad rcon password for 75.108.37.173" on my console.

Quote:

rcon from "75.108.37.173:49616": Bad Password
rcon from "75.108.37.173:49616": Bad Password
rcon from "75.108.37.173:49616": Bad Password
rcon from "75.108.37.173:49616": Bad Password
rcon from "75.108.37.173:49616": Bad Password
./srcds_run: line 344: 17959 Segmentation fault $HL_CMD
Add "-debug" to the ./srcds_run command line to generate a debug.log to help with solving this problem
Wed Jul 1 17:50:56 CEST 2009: Server restart in 10 seconds
Could not locate steam binary:./steam, ignoring.

I'm guessing someone is having a field day trashing my servers.
Anyone happen to have any idea who / what this ip leads to? My pc can ping the address and gets a 139ms signal yet not dns entries seems to be available...

Trace results:

Quote:

1 <1 ms <1 ms <1 ms cr-campus.routing.utwente.nl [130.89.160.4]
2 2 ms 2 ms 2 ms GE1-3-0.1037.JNR01.Asd001A.surf.net [145.145.4.1]
3 2 ms 2 ms 2 ms AE0.500.JNR02.Asd001A.surf.net [145.145.80.77]
4 2 ms 2 ms 2 ms k715.pni-surfnet.ams1.nl.above.net [82.98.247.1]
5 2 ms 2 ms 14 ms ge-3-0-0.mpr1.ams1.nl.above.net [64.125.26.82]
6 * * * Request timed out.
7 77 ms 77 ms 77 ms so-0-0-0.mpr2.lga5.us.above.net [64.125.28.66]
8 109 ms 109 ms 109 ms so-1-1-0.mpr2.ord2.us.above.net [64.125.27.33]
9 102 ms 102 ms 102 ms xe-1-1-0.er2.ord2.us.above.net [64.125.26.190]
10 109 ms 109 ms 109 ms xe-1-1-0.er2.ord7.above.net [64.125.26.254]
11 102 ms 102 ms 102 ms xe-1-0-0.er1.ord7.us.above.net [64.125.26.5]
12 107 ms 107 ms 107 ms 64.124.200.190
13 119 ms 119 ms 119 ms 66-76-232-42.tyrd.suddenlink.net [66.76.232.42]
14 119 ms 119 ms 119 ms cdm-66-76-236-254.athn.suddenlink.net [66.76.236.254]
15 123 ms 123 ms 123 ms pkbgsysc01-gex1-1-1.atw.sta.suddenlink.net [66.76.225.162]
16 123 ms 122 ms 122 ms pkbgcmtk01-gex0-1.atw.sta.suddenlink.net [66.76.225.174]
17 133 ms 131 ms 133 ms cdm-75-108-37-173.asbnva.dhcp.suddenlink.net [75.108.37.173]

[Rawh]

http://cqcounter.com/whois/ is able to give more detailed info about the ip.

[Sh4x]

Could be just a proxy nah?

[[AE] 82694]

Change the max number of rcon failures to 2 thats a rcon exploit that was just discovered, see this thread http://forums.alliedmods.net/showthread.php?t=96069.

[GeoKill----->]

That ip did not match anyone on these forums

[[AE] 82694]

http://cqcounter.com/whois/?query=75...p_geo_location

[Rawh]

Hlstriker made a plugin which removes the max value for sv_rcon_maxfailures. You can now set the value as high as 999999 which in turn seems to stop the crash attacks (hopefully).

More info about it on the alliedmods forum.

[PartialSchism]

That doesn't sound like a very good fix.... they'll be able to just bruteforce the password, if they want to.

[Rawh]

Sure, if valve would just fix it themselfs, it would be better. But since the bug / exploit seems to be already more then 6 months old and valve being an arse about it not being an exploit, in their eyes... well I guess you could say this would be a temp-fix.

And if people want to bruteforce my empty rcon_password field I wish them the best of luck

[[AE] 82694]

Your welcome for pointing you in the right direction again Rawh.

[Rawh]

Quote:

Originally Posted by [AE] 82694

Your welcome for pointing you in the right direction again Rawh.

* Rawh pats 82694 on the shoulder!

[417]

A plug-in which helps combat the rcon exploit and that also stops several other exploits (which we will leave unnamed) has been made by devicenull and can be downloaded here.

[hlstriker]

Quote:

Originally Posted by 417

A plug-in which helps combat the rcon exploit and that also stops several other exploits (which we will leave unnamed) has been made by devicenull and can be downloaded here.

That jerk stealing my fame! J/k

[PartialSchism]