jlane0 Posted June 1, 2010
I have a sales rep stating his CSS server was hacked. He states he is 99% sure this was done through RCON. He states he saw a whole bunch of errors in the RCON console. He states he was frozen; it was similar to a DDoS. BUT the person that did this was able to move around the server, and this is what I don't understand.
2nd: He deleted his whole server for security reasons. While he was in the server he noticed an unfamiliar DLL file that had just been created (according to dates and times); this file was in the root directory of his server. It was titled steam*a few numbers and letters here*.dll. The only mods that were on the server were CSS DM (CSS Deathmatch), the latest version of SourceMod and the latest version of MetaMod. I was unable to see any console errors or anything of that sort due to the server being deleted. The log files in the TCA folder showed no weird activity.
Additional information: the name of this person is "Tez" http://steamcommunity.com/profiles/76561198020362956
Shepsie Posted June 2, 2010
Do you run your game servers on their own user accounts?
jlane0 Posted June 2, 2010 (Author)
I own a company.
bullfrog3459 Posted June 2, 2010
"I own a company."
Jlane0, what they meant is referring to this thread: http://clientforums.tcadmin.com/showthread.php?t=6021 It runs each game server under its own individually created user so it doesn't compromise the entire server, like what has possibly happened here. If the 'System' user or the administrator account has been compromised, then likely what is happening is that you have given this "hacker" free rein of your server to do what they would like with it. I would not be worried about one server at this time; I would be worried about the database, the users, the physical server(s), and the rest of the game servers over one tiny incident. Now as far as what that file could be: being a .dll, it likely means you may not have enough security running on the server and are not blocking the .dll extension on the FTP upload, unless said physical server is compromised. Take a look at the physical server, run virus, spyware and malware scans on it to start, and from there harden the OS and the security on it. That's where I would start first. Others may be able to help you a little more in what to do; I'm going off of my Network Administration experience and knowledge.
adamnp Posted June 2, 2010
This is through the remote upload/download exploit in the Valve engine. You can read more about it here: http://aluigi.altervista.org/adv/sourceupfile-adv.txt And fix it like the others stated, by not allowing your game servers to run under a privileged root account.
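The thread describes two things a practitioner would want to check on a surviving server: whether unfamiliar binaries have appeared where a stock srcds plus Metamod/SourceMod install would never put them (the fresh steam*.dll in the server root), and whether the engine's client file-transfer cvars are enabled. The script below is an added example and is not code from any poster, from TCAdmin or from the linked advisory. It assumes a Windows-style CS:S layout with binaries under bin/, cstrike/bin/ and cstrike/addons/, uses file modification time rather than the creation time the original poster looked at, and builds a constructed miniature server tree (with a made-up rogue file name) so it runs offline.

```python
"""
Added triage example (not from the original thread): walk a Source dedicated
server tree, flag binaries (.dll/.exe/.so) that sit outside the directories
where a stock srcds + Metamod/SourceMod install keeps them or that were
modified after a cut-off time, and report the client file-transfer cvars
found in server.cfg.
"""
import os
import re
import tempfile
import time
from pathlib import Path

BINARY_EXTENSIONS = {".dll", ".exe", ".so"}

# Where binaries legitimately live in a stock CS:S install with Metamod and
# SourceMod. Assumption for this example; extend it for other mods.
EXPECTED_BINARY_DIRS = ("bin", "cstrike/bin", "cstrike/addons")

# Engine cvars that control file transfer between clients and the server.
UPLOAD_CVARS = ("sv_allowupload", "sv_allowdownload")


def _in_expected_dir(rel_parent):
    return any(rel_parent == d or rel_parent.startswith(d + "/")
               for d in EXPECTED_BINARY_DIRS)


def find_suspicious_binaries(root, since_epoch):
    """Return [(relative_path, reason)] for binaries worth a closer look.

    st_mtime is used because it means the same thing on Windows and Linux;
    the original poster was looking at creation time, which only Windows
    reports as st_ctime.
    """
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in BINARY_EXTENSIONS:
            continue
        rel = path.relative_to(root)
        parent = rel.parent.as_posix()          # "." means the server root
        reasons = []
        if not _in_expected_dir(parent):
            reasons.append("binary outside expected directories")
        if path.stat().st_mtime >= since_epoch:
            reasons.append("modified after the cut-off time")
        if reasons:
            findings.append((rel.as_posix(), "; ".join(reasons)))
    return findings


def check_upload_cvars(cfg_text):
    """Return {cvar: value-or-None} for the transfer cvars in server.cfg text.

    A cvar that is absent maps to None so the caller can decide what the
    engine default means for them; sv_allowupload set to 1 is the setting
    to review in the context of this thread.
    """
    result = {c: None for c in UPLOAD_CVARS}
    for line in cfg_text.splitlines():
        line = line.split("//", 1)[0].strip()    # drop cfg comments
        m = re.match(r'^(sv_allow(?:up|down)load)\s+"?(\d)"?\s*$', line, re.I)
        if m:
            result[m.group(1).lower()] = m.group(2)
    return result


def build_sample_server(tmpdir):
    """Lay out a constructed miniature server tree (not real server files)."""
    root = Path(tmpdir)
    old = time.time() - 30 * 86400               # "installed a month ago"
    for rel in ("bin/engine.dll", "cstrike/bin/server.dll",
                "cstrike/addons/metamod/bin/server.dll",
                "cstrike/maps/de_dust2.bsp"):
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0")
        os.utime(p, (old, old))
    cfg = root / "cstrike/cfg/server.cfg"
    cfg.parent.mkdir(parents=True, exist_ok=True)
    cfg.write_text('hostname "example"\nsv_allowupload "1" // as shipped\n'
                   'sv_allowdownload 1\n')
    os.utime(cfg, (old, old))
    # The unfamiliar file from the thread: a fresh DLL in the server root.
    (root / "steam_x1y2z3.dll").write_bytes(b"MZ")   # constructed name
    return root


def run_demo():
    """Build the sample tree, run both checks and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_server(tmp)
        cutoff = time.time() - 7 * 86400        # anything touched this week
        binaries = find_suspicious_binaries(root, cutoff)
        cvars = check_upload_cvars((root / "cstrike/cfg/server.cfg").read_text())
    return binaries, cvars


if __name__ == "__main__":
    bins, cvars = run_demo()
    for rel, why in bins:
        print(f"{rel}: {why}")
    for cvar, value in cvars.items():
        print(f"{cvar} = {value}")
```

Point find_suspicious_binaries at a real server root with a cut-off shortly before the incident and it lists only the rogue DLL, since the engine and mod binaries sit in expected directories with old timestamps. Run it against a copy taken for forensics rather than the live tree, since reading the files does not change them but keeping the original untouched is what lets the timestamps be trusted later.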