Bypassing a Server Console account.

[.:HyPeX:.]

Hello guys, can someone explain this for me? i've carefully watched out the logs of this month, till today and yesterday a random player(never joined b4) joins logins as console and starts doing damage until server is noticed and taken down by the owner.

Here is when quark logs in and starts: http://pastebin.com/7pADgWYE

if you want the whole month log to search deeper, here you have it: (sorry not making it on pastebin way TOO big)http://www.mediafire.com/download/ll6s72zehc53f8z/server+%2816%29.log

Now, how they actually got the console account? need to know HOW they did it.

[glowdemon1]

Did you put anything in the server that wasn't made by you?

[.:HyPeX:.]

No, all the scripts inside where mostly made by us, and the ones that werent, we roughthly checked over them. we're since yesterday searching all over the scripts and stuff looking for the breach.

[.:HyPeX:.]

we got this information from out attackers:

Quark

General IP Information

IP: 84.169.215.125

Decimal: 1420416893

Hostname: p54a9d77d.dip0.t-ipconnect.de

ISP: Deutsche Telekom AG

Organization: Deutsche Telekom AG

Services: None detected

Type: Broadband

Assignment: Static IP

Geolocation Information

Country: Germany de flag

State/Region: Bayern

City: Fürth

Latitude: 49.4667 (49° 28′ 0.12″ N)

Longitude: 10.9667 (10° 58′ 0.12″ E)

PEG-ProGamer

General IP Information

IP: 93.215.52.30

Decimal: 1574384670

Hostname: p5dd7341e.dip0.t-ipconnect.de

ISP: Deutsche Telekom AG

Organization: Deutsche Telekom AG

Services: None detected

Type: Broadband

Assignment: Static IP

Geolocation Information

Country: Germany de flag

State/Region: Bayern

City: Zirndorf

Latitude: 49.45 (49° 26′ 60.00″ N)

Longitude: 10.95 (10° 56′ 60.00″ E)

[BieHDC]

How is the password for Console created?

Its a Account, so it has a password

and i think this guy knows how to get the password!

[Castillo]

I doubt it has a password, for what I see in the accounts database, the console password is blank.

[BieHDC]

I was looking through your log and this Guy logged in as "Console." and not "Console"

look in your acl if there is such an 2nd account and maybe could be this guy be an ex admin or hacked another admin?

OR a stupid guy has given the Console a password with setAccountPassword ?

[.:HyPeX:.]

No, there was no Console. account at all in the ACL and he somehow had powers. we still didnt found how this happened, but we started to doub about vortex's security (hosting), since we had everything runing smoothly and no one did nothing. (only 3 people in the server had powers to do something at all, and no one of them knows shit about acl stuff)

To fix this, i had to do this: (you guys incase should do this)

register console. [pass]

register Console. [pass]

register Console [pass]

register Console. [pass]

chgpass console. [pass]

chgpass Console. [pass]

chgpass Console [pass]

chgpass console [pass]

On other hand, we got our full attacker list:

1

Quark 84.169.215.125 Serial: D777790C9FA52DC0A9B961FB71FEFE54

ICP|Fire connected Serial: D777790C9FA52DC0A9B961FB71FEFE54

(BOR)Byris Serial: D777790C9FA52DC0A9B961FB71FEFE54

GER]Best connected Serial: D777790C9FA52DC0A9B961FB71FEFE54

2 Persona

-PEG-ProGamer 93.215.52.30 Serial: 574C997975C1252B851D573F80FC48B3

-ftw-uTaWe connected Serial: 574C997975C1252B851D573F80FC48B3

ICP|LoewenZahn Serial: 574C997975C1252B851D573F80FC48B3

3

FrauenTausch connected 188.194.147.108 Serial: D151AB89928018836C8796095B46DF62

CP|EduRulezZ connected Serial: D151AB89928018836C8796095B46DF62

4

ElectroGrizzly connected (IP: 79.206.95.153 Serial: 506A70053F7A7B7A863D1D17DEA8FF42

ICP|Grizzly successfully logged in as 'Vans5' Serial: 506A70053F7A7B7A863D1D17DEA8FF42

5

^l!Fe 84.244.117.18 83AAF05DCD2D3C852E33DD6DA997ECB2

6

NIkE_rUliT 46.181.147.157 1A0D4007D2E384CD16EBED5C887DAD12

[BieHDC]

Is the resource "runcode" running?

and i still think he owned any admin account and then created his "Console" account

and i hope you choosen a very long password (min 32 chars i would say)

but the best would be cleaning user db and resetup the acl

If you have saved everything in the db then you cant so this, but would be most secure

[.:HyPeX:.]

what runcode does?

and yes, i set a 31 char alphanumeric password (not even i remember it)

[BieHDC]

runcode is scripting ingame as i would say

if your admin have accsess, they can start it and start scripting like give all players money or set for all vehicles velocity or whatever

But your server should be secure now(hopefully)

if not then write again in this theard

Why i know so much about server security?

Because i completed some security courses and thats why i know how to handle this

[.:HyPeX:.]

Yeah well.. i'd say we might have found how they got acces, but i wont since it would create alot of mess arround. (Host issue).

[qaisjp]

this is a serious hole. the last time i found out something like this was due to the runcode http interface. im sure this is fixed as its more than a year old now. im more than sure itts due to a hole in your server code, but you'll need to check if runcode has admin access first.

[BieHDC]

btw: if you dont use the web interface then turn it off

[xXMADEXx]

He is logging in with the account "Console." not "Console"

[Imposter]

You never know, the problem may be here:

  
[2013-10-26 05:04:18] ADMIN: Resource 'ReservedSlot' stopped by quark(Console.) 
  

Also, I suggest you check that resource out. May have a leak there. Or maybe he injected code?

[.:HyPeX:.]

i did that resource myself.. and all the resources were checked.

[Quited]

I doubt it has a password, for what I see in the accounts database, the console password is blank.

has password "user.Console" ?

it is impossible to get it

message to the topic owner :

you can simply remove "user.Console" from console group

and secure your server accounts using "acs" and "asm" resources :

https://community.multitheftauto.com/in ... ls&id=7339

+

https://community.multitheftauto.com/in ... ls&id=6464

* asm resource linked with acs resource so don't forget to download acs resource

Follow these steps to protect accounts from from being stolen

* you should added resource.acs + resource.asm in Admin Group

* you should added this lines in mtaserver.conf :

[/color]

[/color]

* you should remove Execute Command buttons in Admin Panel + remove runcode resource

* you should too encrypt "Manage acl" button with password to open it to protect asm + acs resources from remove their rights.

Congratulations: After you follow these steps accounts will be protected from being stolen