
Thread: wth is this?

  1. #1
    Project Supporter g0atz's Avatar
    Join Date
    Nov 2010
    Location
    NC - USA
    Posts
    133

    Default wth is this?

    Some flooding on the server today lagging it down...after the patch had successfully loaded:


    Code:
    ------------------ MoH:AA 1.12 Reborn Patch InitGame ------------------ 
    Initializing CVARS. Done!
    -> RC2.x version has auto-update system disabled. Check our website frequently for fixes and patches!
    Initializing Chat Filter. Done!
    Initializing Banned Names List. Done!
    Initializing Banned IPs List. Done!
    Initializing Allowed Votes List. Done!
    Initializing Allowed Maps List. Done!
    Initializing Admins List. Done!
    LocalizationError fix Address: 0x080ADE9E
    LocalizationError removal fix applied.
    BulletAttack Address: 0x4834990
    GetMuzzlePosition Address: 0x4825be0
    GetEntityTag Address: 0x4767990
    Player::Respawn Address: 0x47b3cb0
    Player::Killed Address: 0x47b3e60
    Entity::Damage Address: 0x4764af0
    BulletAttack: Hooked correctly.
    Anti Wallhack/Visuals Protection applied
    Black Window Patch Address: 0x483515a
    Shoot through Black Window/Furniture/Light Bulbs Hack Protection applied
    RConFlood Patch Address: 0x808ce4f
    RConFlood Crash Protection applied
    InfoBoom Patch Address: 0x807930b & 0x8079296
    InfoBoom Crash Protection applied
    SV_UpdateUserinfo_f Address: 0x8087c00
    UserInfo Buffer overflow protection applied (512 chars limit)
    ScriptedEvents System Initialized
    ---------------- MoH:AA 1.12 Reborn Patch InitFinished ----------------


    Code:
    Solid Genius has entered the battle
    client text ignored for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    SV_SendClientGameState() for Solid Genius
    Going from CS_CONNECTED to CS_PRIMED for Solid Genius
    clientDownload: Solid Genius Done
    
    
    -- does this 1000's of times, the name changes occasionally
    



    I've got seta sv_allowdownload "0" cvar in the server.cfg too.

    Is this a new kind of attack?
    Last edited by g0atz; January 4th, 2012 at 12:05 AM.

  2. #2

    Default

    clientDownload: Solid Genius Done ?????????????????????

  3. #3
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Default

    Looks like even though sv_allowdownload is turned off, the client download is enabled, so it's trying to pull stuff from the server, but it doesn't look like anything is actually transferring. He may be trying to exploit the server, but he's unable to do so, so it looks like he's trying bruteforcing of some sort, hence why you see so many attempts from this client. I'm just guessing here, but it seems that way.

    Try banning his IP and see if it still happens.

  4. #4
    Über Prodigy & Developer Razo[R]apiD's Avatar
    Join Date
    May 2010
    Location
    Poland, Lublin
    Posts
    3,257

    Default

    Before banning, I would type into console: sv_allowDownload and see what it returns, maybe some mods are overwriting your setting.

    This message should show up. It's shown when a player has finished downloading from the server. And then the server resends the game state to that client so he can do "re-load current map and set up scenery" sort of stuff and properly connect to the server.

    Doing this in a loop will cause server to send tons of packets and will make server busy and soon dead (DoS).

    It's an attack similar to Ping of Death actually. In PoD server dies because it can't handle processing so many requests and the connection gets filled so no traffic for others.
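An added example, not part of the thread or of the Reborn patch: a small log check for the loop described above, counting how often each client name is moved from CS_CONNECTED to CS_PRIMED without ever becoming active. The `CS_PRIMED to CS_ACTIVE` line (as logged by Quake 3 based servers), the threshold of 5 and the sample log are assumptions.

```python
import re
from collections import Counter

# Line format as it appears in the console log quoted in post #1.
PRIMED = re.compile(r"^Going from CS_CONNECTED to CS_PRIMED for (?P<name>.+)$")
# Assumption: the server prints this when a client really enters the game,
# as Quake 3 based servers do; the line does not appear in the thread.
ACTIVE = re.compile(r"^Going from CS_PRIMED to CS_ACTIVE for (?P<name>.+)$")


def find_gamestate_loops(lines, threshold=5):
    """Return {name: longest run of re-primes} for runs >= threshold.

    A normal join primes once and then goes active; the flood primes the
    same client over and over, forcing a gamestate resend each time.
    """
    streak = Counter()  # current run of re-primes per client name
    worst = Counter()   # longest run seen per client name
    for raw in lines:
        line = raw.strip()
        m = ACTIVE.match(line)
        if m:
            streak[m["name"]] = 0  # client entered the game: run is over
            continue
        m = PRIMED.match(line)
        if m:
            name = m["name"]
            streak[name] += 1
            worst[name] = max(worst[name], streak[name])
    return {n: c for n, c in worst.items() if c >= threshold}


# Constructed sample: one normal join, then the loop from post #1 eight times.
SAMPLE_LOG = (
    ["Going from CS_CONNECTED to CS_PRIMED for PlayerA",
     "Going from CS_PRIMED to CS_ACTIVE for PlayerA"]
    + ["clientDownload: Solid Genius Done",
       "SV_SendClientGameState() for Solid Genius",
       "Going from CS_CONNECTED to CS_PRIMED for Solid Genius"] * 8
)

if __name__ == "__main__":
    for name, count in find_gamestate_loops(SAMPLE_LOG).items():
        print(f"{name!r}: primed {count} times without going active")
```

Because the name changes between bursts, a sum over all flagged names per log window is a better alarm than any single name.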

  5. #5
    Project Supporter g0atz's Avatar
    Join Date
    Nov 2010
    Location
    NC - USA
    Posts
    133

    Default

    I checked the sv_allowDownload. It's showing "0". I banned the ip after that.


    Checked the logs today and no further occurrences. But this guy could just change his ip and do it again right?

    ==============================

    On another note...I was doing some server trolling last night. This kept popping up on a lot of servers: www.alliedassault.webs.com
    in the upper left hand corner of the hud like an iprintln. I think the guy who runs that site is the same guy named “clint” from this post:
    http://www.x-null.net/forums/showthr...-how-its-Works

    Doing some marketing ehh? Just wondering how he got that to run on those servers without obviously having admin access to them.
    These were 3 specifically that it was running on but there were like 7 I saw the message scrolling on all at the same time:

    Trashdog: 8.9.16.26
    Brothers in War: 208.43.15.176
    Swett Betty: 68.232.161.29
    Last edited by g0atz; January 4th, 2012 at 04:28 PM.

  6. #6
    Administrator James's Avatar
    Join Date
    May 2010
    Location
    on the intraweb
    Posts
    3,180

    Default

    He's a coder. Obviously he found some kind of exploit. More specifically a buffer overflow.

  7. #7

    Default

    He has put "//" after his name like so: www.alliedassault.webs.com//

    That way, when connecting (and reconnecting over and over again) it looks like a printline but the two slashes apparently
    cut off the normal "Playername is preparing for deployment" connectmessage.
    When in my server his ping remained at 999, like he had a bad connection.

    Apparently the cvar sv_reconnectlimit doesn't work to stop this kind of attack...

  8. #8
    Über Prodigy & Developer Razo[R]apiD's Avatar
    Join Date
    May 2010
    Location
    Poland, Lublin
    Posts
    3,257

    Default

    He's using a fake players attack with a hand-crafted name, like Midnight pointed out.

  9. #9

    Default

    we need help on this plz

  10. #10
    Project Supporter g0atz's Avatar
    Join Date
    Nov 2010
    Location
    NC - USA
    Posts
    133

    Default

    Got him trying again last night. Banned the IP.
    Hasn't been back as far as I can tell.

    But I've seen this on several different servers all at the same time.
    How? Virtual boxes all running the game?


    Code:
    SV packet 174.56.223.203:1110 : connect
    SVC_DirectConnect ()
    >>>\challenge\-2104114887\qport\59616\protocol\8\rate\10000\name\www.alliedassault.webs.com//\snaps\20\dm_playermodel\american_army\dm_playergermanmodel\german_wehrmacht_soldier<<<
    version 8 connecting to 8
    Client 0 connecting with 1600 challenge ping
    Client 0 rejected on a too high ping
    SV packet 83.218.113.207:-2245 : getstatus
    SV packet 174.56.223.203:1110 : getchallenge
    SV packet 174.56.223.203:1110 : getchallenge
    SV packet 174.56.223.203:1110 : connect
    SVC_DirectConnect ()
    >>>\challenge\1491432097\qport\59616\protocol\8\rate\10000\name\www.alliedassault.webs.com//\snaps\20\dm_playermodel\american_army\dm_playergermanmodel\german_wehrmacht_soldier<<<
    version 8 connecting to 8
    Client 1 connecting with 50 challenge ping
    IP: 174.56.223.203:1110
    Filter IP used: 174.56.223.203
    Game rejected a connection: Banned IP.

    This IP is from Augusta, GA ..the same region for the IP I got from the "Solid Genius" attack. Be nice to have this prick's home address. I'm close.
    Last edited by g0atz; January 5th, 2012 at 10:40 AM.
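An added example, not part of the thread or of the Reborn patch: a parser for the backslash-delimited userinfo string shown in the connect log above, which tallies connect attempts per source IP whose `name` matches the pattern reported in this thread (a `//` in the name, or a web address used as a name). The heuristics and the sample lines are assumptions; the IPs are documentation-range placeholders.

```python
import re
from collections import Counter

PACKET = re.compile(r"^SV packet (?P<ip>\d+\.\d+\.\d+\.\d+):-?\d+ : connect$")
USERINFO = re.compile(r"^>>>(?P<info>\\.*)<<<$")


def parse_userinfo(info):
    """Split a \\key\\value\\key\\value userinfo string into a dict."""
    parts = info.split("\\")[1:]  # the leading backslash yields an empty first item
    return dict(zip(parts[0::2], parts[1::2]))


def suspicious_name(name):
    """Heuristics from the thread: '//' in the name, or a web address as a name."""
    return "//" in name or re.search(r"(?i)\bwww\.|\.(com|net|org)\b", name) is not None


def flag_connects(lines):
    """Return a Counter of (ip, name) for connects carrying a suspicious name."""
    hits = Counter()
    ip = None
    for raw in lines:
        line = raw.strip()
        m = PACKET.match(line)
        if m:
            ip = m["ip"]  # remember the source of the pending connect
            continue
        m = USERINFO.match(line)
        if m and ip:
            name = parse_userinfo(m["info"]).get("name", "")
            if suspicious_name(name):
                hits[(ip, name)] += 1
            ip = None
    return hits


# Constructed sample in the format of the log in post #10.
SAMPLE = r"""SV packet 192.0.2.10:1110 : connect
SVC_DirectConnect ()
>>>\challenge\123\qport\59616\protocol\8\name\www.example.com//\snaps\20<<<
SV packet 198.51.100.7:-2245 : getstatus
SV packet 192.0.2.10:1110 : connect
>>>\challenge\456\qport\59616\protocol\8\name\www.example.com//\snaps\20<<<
SV packet 192.0.2.20:12203 : connect
>>>\challenge\789\qport\1\protocol\8\name\PlayerA\snaps\20<<<""".splitlines()

if __name__ == "__main__":
    for (ip, name), n in flag_connects(SAMPLE).items():
        print(f"{ip} tried to connect {n}x as {name!r}")
```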
