
Urgent help needed


jlane0


I have a sales rep stating his CSS server was hacked. He states he is 99% sure this was done through RCON. He states he saw a whole bunch of errors in the RCON console. He states he was frozen - it was similar to a DDoS. BUT - the person that did this was able to move around the server; this is what I don't understand.

 

2nd - He deleted his whole server for security reasons. While he was in the server he noticed an unfamiliar DLL file that had just been created (according to dates and times); this file was in the root directory of his server. It was titled steam*a few numbers and letters here*.dll

 

The only mods that were on the server were

 

CSS DM (CSS Deathmatch) Latest version

Sourcemod and MetaMod Latest version

 

I was unable to see any console errors or anything of that sort due to the server being deleted. The log files in the TCA folder showed no weird activity.

 

 

Additional Information :

 

 

The name of this person is "Tez"

 

http://steamcommunity.com/profiles/76561198020362956


I own a company.

 

Jlane0 what they were meaning is referring to this thread:

http://clientforums.tcadmin.com/showthread.php?t=6021

 

It runs each game server on its own individually created user so it doesn't compromise the entire server like what possibly has happened. If the 'System' user has been compromised or the administrator account, then likely what is happening is you have given this "hacker" free rein of your server to do what they would like with it.

 

I would not be worried about one server at this time, I would be worried about the database, the users, the physical server(s), and the rest of the game servers over one tiny incident.

 

Now as far as that file could be, being a .dll, likely means you may not have enough security running on the server and not blocking the .dll extension on the FTP upload, unless said physical server is compromised.

 

Take a look at the physical server, run virus scanners, spyware and malware scans on it to start and from there, then harden the OS and the security on it. That's where I would start first.

 

Others may be able to help you a little more in what to do, I'm going off of my Network Administration experience and knowledge.
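
Added example, not part of the thread or of TCAdmin: a triage pass over a game server root that lists recently created or modified DLLs and other loadable files with their SHA-256, so an unfamiliar file like the one described above is recorded before a server is deleted. The extension list and function names are assumptions made for this sketch.

```python
import hashlib
import os
import time

# Extensions worth flagging in a game server root (assumed list, adjust as needed).
SUSPECT_EXTS = {".dll", ".exe", ".sys", ".bat", ".cmd", ".ps1", ".vbs"}

def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large binaries are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def recent_binaries(root, since_hours, now=None):
    """Return loadable files under root created or modified in the last since_hours."""
    now = time.time() if now is None else now
    cutoff = now - since_hours * 3600
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SUSPECT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path)
                # st_birthtime where the platform exposes it, else st_ctime
                # (creation time on Windows, inode change time on Linux).
                created = getattr(st, "st_birthtime", st.st_ctime)
                newest = max(created, st.st_mtime)
                if newest < cutoff:
                    continue
                stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(newest))
                hits.append({"path": path, "size": st.st_size,
                             "changed": stamp, "sha256": sha256_of(path)})
            except OSError as exc:
                # Locked or unreadable files are reported rather than skipped.
                hits.append({"path": path, "error": str(exc)})
    return sorted(hits, key=lambda h: h["path"])

if __name__ == "__main__":
    import sys
    # Usage: python triage.py <server_root> <hours>
    for hit in recent_binaries(sys.argv[1], float(sys.argv[2])):
        print(hit)
```

Saving the output and a copy of each flagged file before wiping the server keeps the hashes available for later scanning and comparison against the other game servers on the same machine.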


Archived

This topic is now archived and is closed to further replies.
