Advertising
Is your server exploited (Part 1)

15.01.2011 - 12:12:30

ATTENTION -- fits only for linux OS -- ATTENTION

Hi all,


Yesterday I noticed, that the ETPro server of my clan (ETW-FunZone) produced an upstream of 3MBit/s even if no player was online.

That was the point, I remembered the
ET Getstattus Exploit (fixed by applying this patch)

But for now, I`m starting from beginniing.

You don`t know if your server is also flooded?

It`s simple to test out this:

Step 1:
Run "vnstat -l" (if vnstat not is installed on your server, simply do that following the description found here

Run vnstat -l for about a minute and stop the app by CRTL + C
Now you`ll see a result-page, showing the up- and downstream.

 Quote
eth0 / traffic statistics

rx | tx
--------------------------------------+------------------
bytes 168 KiB | 22 KiB
--------------------------------------+------------------
max 100 kbit/s | 20 kbit/s
average 89.60 kbit/s | 11.73 kbit/s
min 96 kbit/s | 8 kbit/s
--------------------------------------+------------------
packets 2865 | 49
--------------------------------------+------------------
max 208 p/s | 6 p/s
average 191 p/s | 3 p/s
min 200 p/s | 2 p/s
--------------------------------------+------------------
time 15 seconds


those one looks not bad, but if you have an upstream of more than 1 MBit/s, even if no player is connected, you should go to step 2

On ETW-Funzone, for example we had this report:
 Quote
max 756 kbit/s | 4.57 Mbit/s
average 600.71 kbit/s | 3.82 Mbit/s
min 536 kbit/s | 3.59 Mbit/s


Notice the 4,57MBit/s upstream!

Step 2:
Check with tcpdump if the getstatus exploit trigger this.
If tcpdump is not installed on your server yet, do it (should be located in the most distribution repos). Use your packege-manager to install tcpdump.

Now capture 1000 tcp packets with the command
tcpdump -c1000 -A 2>/dev/null | grep -B1 getstatus | wc -l

which will output the linecount. Divide it through 2 and you`ll get the number of
getstatus packets your server received within the few seconds tcpdump runs.

If the number increases 50 (empty server!), you should be warned!
And you should go forward with step 3.

Because this attack is driven with spoofed ip-adresses, there`s no sence in writing tons of abuse-messages to the concerned hosters.


Step 3:
Fix your etded.x86 (works only with 2.60B AFAIK!) with the Exploit Fix

Aus/Ein-klappen How to do this?


Restart the server, and use the tcpdump command to see the results
tcpdump -c1000 -A 2>/dev/null | grep -B1 getstatus | wc -l



Example:
On ETW-FZ, the first tcpdump - output showed, that 436 from 1000 packets where getstatus requests and the ansers the server gave (output 872 / 2).
After the fix was applied, the count decreased to 320 of 1000.
It sounds not realy successfull, but use
vnstat -l
to see the real effort!

The reason, tcpdump shows a high count, even the fix is applied is simple:
The server still receive the getstatus queries, but only 1 of those queries from each IP is answered every 4 seconds.
This fix isn`t made to stop those attacks completly, but it will help massiv to decrease the attackers acc :D

REMARK:
This fix will cause your server is shown laggy in HSLW.
This occours because some getstatus-packaged from HSLW were dropped by the server.


last changed by schnoog am 15.01.2011 - 14:29:37

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.


15.01.2011 - 16:53:36

sicher das der tcpdump befehl richtig ist?
ich hab da keine ahnung davon.
hab den patch schon eingespielt da ich 2mb/s download hatte.
dein tcpdump befehl ergibt bei mir als antowrt zahlen knapp unter 2000
wenn ich den abänder nach
tcpdump -c1000 -A 2>test2.txt | grep -B1 getstatus | wc -l
sollte er mir die ungefilterte liste ja nach test2.txt schreiben.
in der textdatei steht allerdings nur

 Code
1:
2:
3:
4:
5:
6:
7:
 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
1000 packets captured
6328 packets received by filter
5212 packets dropped by kernel


trotzdem gibt der befehl dir rückmeldung "1969"


gemessen ohne players mit up/down von vllt 30-50 kb

edit: bist du im hetznerforum der vbraun?


last changed by Meister Gandalf am 15.01.2011 - 16:55:00

  Meister Gandalf
Private First Class

User Pic

Posts: 30
Registred: 13.01.2011

   

0 approved this posting.


15.01.2011 - 18:26:50

Was bei Dir in test2.txt landet ist die stderr - Ausgabe.
stdout wird mit der Pipe an grep weitergeleitet, der gibt es an wc -l weiter.
Mach das
| wc -l
weg und dafür
>test2.txt
hin. Dann landet alles in der Datei. Die Zeilenanzahl kannst Du dann problemlos mit
cat test2.txt | wc -l
ermitteln.

Bezüglich Hetzner Forum würd ich sagen "ins schwarze getroffen" :)

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.


02.08.2011 - 22:20:24

Does it work with 2.55+ by RedSector?

EDIT:
Nevermind, I've read that this script is not bugfree :)


last changed by Dragon am 02.08.2011 - 22:43:24

  Dragon
Private

User Pic

Posts: 9
Registred: 25.03.2011

  

0 approved this posting.


02.08.2011 - 23:05:49

Referring to http://wolffiles.de/index.php?forum-showposts-44-p3#459

this file works well for me since many weeks: http://wolffiles.de/index.php?filebase&fid=4286


last changed by schnoog am 02.08.2011 - 23:06:16

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.


27.08.2011 - 21:18:15

 Zitat von schnoog

ATTENTION -- fits only for linux OS -- ATTENTION

Hi all,


Yesterday I noticed, that the ETPro server of my clan (ETW-FunZone) produced an upstream of 3MBit/s even if no player was online.



Hi Schnoog!

It seems that we got the same problem at our servers, but since we run our servers on windows we cant use your patch/fix for it, can you help me out on that? i seriously got no clue about linux stuff at all so im pretty lost in what to do by now, also im not quite a pro regarding thoose kinds of attacks.

regards val

  valhalla
Private

User Pic

Posts: 3
Registred: 27.08.2011

  

0 approved this posting.


27.08.2011 - 22:06:18

Which windows and which firewall are you running?

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.


28.08.2011 - 11:34:58

 Zitat von schnoog

Which windows and which firewall are you running?


server 1: 2003 server. firewall: dont know ( ill ask my provider if needed )

server 2: windows xp home. firewall: windows firewall and avast

  valhalla
Private

User Pic

Posts: 3
Registred: 27.08.2011

  

0 approved this posting.


06.09.2011 - 17:53:53

any help on this?

  valhalla
Private

User Pic

Posts: 3
Registred: 27.08.2011

  

0 approved this posting.


06.09.2011 - 18:07:47

oh fuck. I was sure I subscribed this thread..... and I was wrong.

Server:
Its neccessary to know the firewall located on the server.
AFAIK the original W2K3 fw supports commandline functions.
So at least it should be possible.
What kind of server is it? Managed, only GS, ???

HomePC:
Unfortunality I found no information concerning the usability of command line added rules to the avast firewall.

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.


02.11.2011 - 20:34:39

hi we having a spoof attack like you described here on our game server
and we like to know if you have a similar solution for a Windows 2008 R2 server?

specially the patches you have as you described for the linux server

Thanks in advance

  senna
Private

User Pic

Posts: 2
Registred: 02.11.2011

  

0 approved this posting.


03.11.2011 - 13:55:29

HI Senna,

AFAIK there is no solution for windows based server yet.

And the only firewall for windows I found which is able to handle the package content is the InJoy firewall: http://www.fx.dk/firewall/

Maybe also WFP is able to do such investigations ( http://msdn.microsoft.com/en-us/library/windows/desktop/aa366504(v=vs.85).aspx ) , but tbh, I never tried it.

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.


03.11.2011 - 21:00:28

 Zitat von schnoog

HI Senna,

AFAIK there is no solution for windows based server yet.

And the only firewall for windows I found which is able to handle the package content is the InJoy firewall: http://www.fx.dk/firewall/

Maybe also WFP is able to do such investigations ( http://msdn.microsoft.com/en-us/library/windows/desktop/aa366504(v=vs.85).aspx ) , but tbh, I never tried it.


:( but thanks anyway for your swift answer
we gonna have a look at your suggestions and i will let you know the outcome

  senna
Private

User Pic

Posts: 2
Registred: 02.11.2011

  

0 approved this posting.


26.02.2012 - 21:27:32

Maybe you could give this a try: http://wolffiles.de/index.php?filebase&fid=4505

I found it on an russian gamehoster page, seems to be clean (at least virustotal says so),
and worked on my local machine

  schnoog
First Sergeant

User Pic

Posts: 281
Registred: 08.12.2010
Origin: Südbaden

    

0 approved this posting.




Images by phpBB © 2000, 2002, 2005, 2007 phpBB Group
Powered by IlchBB Forum 3.1 © 2010 Weblösungen Florian Körner