1 
Offline
YOu have to fix this, my server is full of hackers! PLEASE!
Forum
CS2D General "server hacking" with Lua/Rcon
"server hacking" with Lua/Rcon
32 repliesYOu have to fix this, my server is full of hackers! PLEASE!
so don't tell anyone your rcon password! use a secure password (or disable rcon completely). also don't run your server as root (when using linux).
problem solved edited 1×, last 28.02.11 07:47:29 pm
there are only 3 ways to control a server (to kick or ban people):
rcon - which means that you need to know the rcon password. there is no hack to get it. but of course people can use packet sniffers and trojans to get your password. also make sure that 
mp_maxrconfails is set to a low value. Lua - be careful what scripts you are using. admin scripts can be dangerous if they are written by careless people. full root server access - someone somehow managed to get the password for your server and can now control everything.you should also check your server logs to see whats going on. they show you which rcon commands are executed and who executed them from which ip..
How to hack-proof your server:
1. Don't run Lua on your server.
2. Actually use a secure password.
But hey, what if someone was dedicated enough to actually camp outside of your house and sniff out your wifi traffic? What then?
Conclusion:
Don't play CS2D.
But if you're still stubborn enough to brave against the wrath of Jesus, then please do the following:
1. Security vulnerabilities in the Lua scripts, namely that the scripts do not check for injected exploits going into the parse function. Check your scripts to make sure that there are no such vulnerabilities.
2. Change your RCON password to a random sequence of letters and numbers longer than 8 characters long.
3. Not posting on Unrealsoftware because this isn't the fault of the developer of CS2D and because you refuse to give any real troubleshooting data beside weak anecdotes and strong opinions about what you believe to be true even when DC himself have already given his opinion that you are not qualified to make these types of assessment.
search for the string Parse RCon
this way you will find all commands which have been executed using rcon (unless someone was clever enough to clear/disable the logs)
if you find suspicious rcon lines: disable rcon completely by setting your rcon password to "" (empty string). this way NOBODY will be able to control your server remotely.
if you find nothing: disable all Lua scripts on your server and see if it helps.
DC has written also don't run your server as root (when using linux).
also don't run your server as root (when using linux).Tell me why.
I recommend TrueCrypt if so. Here's a video tutorial on it.
oxytamine has written
Tell me why.
because almost EVERY executable file has a security leak. You can't find all of them. And some of them might be that serious, that you can get shell access with them. So when you start your server as root, they have access to your root user too. When you start it as a normal user, they only have user rights, so they (normally) can't do much harm DC has written also don't run your server as root (when using linux).
also don't run your server as root (when using linux).Tell me why.
Lee has written
Since CS2D doesn't respond to any arbitrary packets, I can only give you the benefit of the doubt and assume that Jesus somehow resurrected himself and started playing CS2D. Having seen the horribleness of the servers that he played on, decided that the dark side pays much better and in turn began dispensing magical hacks against CS2D that somehow defies all logic (yeah, because RCON could not possibly be the cause of it).
Yeah... Jesus did resurrect himself...
Anyways, it's the only logical explanation. Sorta. I know one guy (TeammateDown), who managed to get rcon access on our old CAN Cons and the FG Happy Town...
do you even have a idea how the dedi works or even which security featues it has?
after 5 failed trys (std value) the server just IGNORES all new incomeing rcon login attempts from this ip
mean you cant bruteforce it.
And since here in cs2d there are no ppl who can sniff a rcon password (when sended unprotected) which have such an interrest "hacking" one of these server hosted on a laggy homePC.
i guess that you had a rconpw like "LOLOLOLO" or even "password1234" or "FGhappppy" !
or even better you gave the RCon to somone you "trust"
several reasons:
you simply don't do it. never execute binaries on linux as root unless it is REALLY necessary. doing it anyway is simply stupid because this way you make all security mechanisms of linux useless. every experienced linux user or server admin knows that. a clever user might be able to damage your server IF he manages to get your rcon password. the Lua functionality can be used to access system files and functions. executing your server as non-root will restrict that. and finally the reason that TKD already mentioned. there might be unknown security leaks which could be abused.running it not as root will minimize the possible damage in the worst-case scenario.
Roni has written
ohhhhhhh. COME ON are you serious?
do you even have a idea how the dedi works or even which security featues it has?
after 5 failed trys (std value) the server just IGNORES all new incomeing rcon login attempts from this ip
mean you cant bruteforce it.
And since here in cs2d there are no ppl who can sniff a rcon password (when sended unprotected) which have such an interrest "hacking" one of these server hosted on a laggy homePC.
i guess that you had a rconpw like "LOLOLOLO" or even "password1234" or "FGhappppy" !
or even better you gave the RCon to somone you "trust"
do you even have a idea how the dedi works or even which security featues it has?
after 5 failed trys (std value) the server just IGNORES all new incomeing rcon login attempts from this ip
mean you cant bruteforce it.
And since here in cs2d there are no ppl who can sniff a rcon password (when sended unprotected) which have such an interrest "hacking" one of these server hosted on a laggy homePC.
i guess that you had a rconpw like "LOLOLOLO" or even "password1234" or "FGhappppy" !
or even better you gave the RCon to somone you "trust"
...
The passwords were random numbers and letters.
At one time I managed to guess the correct password for a clan server, I had absolutely no idea that it was correct. And it was on the first try too, I remember thinking "what kind of magic is this?" anyway they let me stay in server which was nice of them, I was only allowed as spectator though but yea... still. I like lame passwords sometimes, free clan war battles to watch.
I'd recommend a stronger password for clan war servers though, if you don't want a audience of course.
The only one I know whose actively hacking & cheating would be uPraTe6. I'm one step ahead of him apparently (hence the "KimKat7" I realised just now). Destroying freeware games is not cool, I hope uPraTe6 one day learn some common sense and drop the guns.
KimKat7 has written
The only one I know whose actively hacking & cheating would be uPraTe6. I'm one step ahead of him apparently (hence the "KimKat7" I realised just now). Destroying freeware games is not cool, I hope uPraTe6 one day learn some common sense and drop the guns.
Doesn't really cot much attention. Anyway, you reminded me a story. I am an admin on CAN Story server, so he stepped by, and said with that smug grin: "You better be careful with me." Before he could say anything more I pushed my ban button. I kinda liked that, because I know he felt horrible.
