(OCN)Vortech

OP please make sure to submit these to the Community Ban List (CBL) https://code.google.com/p/dayz-community-banlist/ so that more admins may benefit. https://code.google.com/p/dayz-community-banlist/issues/entry

Unfortunately this form of cheating is still undetected and now that vehicles save locations all servers are susceptible to this form of griefing. This form of griefing has become much more effective now that vehicle locations save to the hive, it is almost effortless for them to do this, and it has major impact on the balance of the server. You did the right thing, seek out the vehicles and destroy. That effectively is resetting the vehicles as it distributes most of them back across your server. The helo is a different animal and can take up to 7 days to re-spawn, As far as destroying them goes explosives are good but kamikaze runs are best.

We used to have a similar problem before we started locking the servers after a restart. The theory is that if multiple users rush the server on restart it can cause synchronization issues with the hive. Accurate or not by locking the server immediately (0.1 seconds) after a restart for 3 minutes with the BEC scheduler (http://ibattle.org/i...-the-scheduler/) we have reduced occurrences of this happening by 99%. Hopefully this is helpful.

Here ya go, hopefully these are helpful (read both). http://dayzmod.com/forum/index.php?/topic/80738-psa-cheaters-now-spoofing-bis-effects/ http://dayzmod.com/forum/index.php?/topic/88001-bis-effects-airdestruction/

Well done! This form of griefing has become much more effective now that vehicle locations save to the hive.

lol, you try so hard. I'm just an admin like so many others, if you misinterpret my posts as somehow having "inside knowledge" then I apologize for confusing you. My posts are based on actual data/results we've collected across our servers. In this instance our results disproved Dwardens theories (someone with "inside knowledge"). His instructions likely led to a few innocent players receiving bans, my posts were attempt to share knowledge with other admins and prevent innocent players from inconvenience. Nobody is right all the time but the only dangerous thing I see in this thread is an attempt to disregard viable information. IMO the only dangerous thing admins can do is not share with one another, post logs, and discuss trends.

Exactly. I'm a proud American, no need to over-complicate. Glad to see BIS put it to rest, it was the only chink in the remoteexec armor (see what I did there). That being said, his previous statement of remoteexec = ban can be reinstated once again. Still waiting on those "Glaring inaccuracies" btw :rolleyes:

lol I thought you were getting better but your true colors showed themself.. Experience? https://code.google....ary&cells=tiles. "Glaring inaccuracies" enlighten me.

Are you entries from a private server as well? Which releases/packages are you guys running? On a vanilla server this is a legit execution: 05.09.2012 15:49:48: USER (IP) GUID - #39 "[this] spawn BIS_Effects_AirDestruction" 05.09.2012 15:49:51: USER (IP) GUID - #39 "[this, 0.732595, 2883.57]spawn BIS_Effects_AirDestructionStage2" 05.09.2012 15:49:55: USER (IP) GUID - #39 "[this, 0.732595, 2883.57,false,true]spawn BIS_Effects_Burn" Notice the individual legit executions of #39, those #38 #39 executions look like the early spoof attempts of cheaters. Keep in mind like I said this stuff is always evolving, cheaters don't spoof single or double lines any longer as they know it can get them flagged by active admins. Further, recent public cheats are focusing on client side methods only rendering these risky methods nonviable. Like I said before it comes down to admin communication and submissions to the CBL allowing them to do their job. Restriction number isn't directly correlated to seriousness.

Thanks for the report, in your case on our server we were able to justifiably issue four bans around the time you mentioned. Unfortunately though this is the nature of DayZ in it's current form, teleporting is just not something BIS has equipped us to track or prevent at this time. Our servers our quite popular and unfortunately that makes us a target to script kiddies looking to interrupt a large number of players at a time. We both utilize and contribute to the Community Ban List (https://code.google.com/p/dayz-community-banlist/) and employ every anti-hack counter measure currently viable. Overclock.net provides our servers and with it comes a game server administration staff that has real experience. Again sorry for your trouble and thanks for taking the time to post. Sincerely, [OCN]Vortech of Overclock.net

Let me help you there, not every BIS_effects on a private server is a cheat. :) There is always the possibility of exceptions, you yourself just proved that Dwardens logic is incorrect in respect to private servers running modified files. The point is we need to adapt quickly and speak freely to one another about what we're seeing. Results are truth, everything else is opinionated until proven otherwise. The cheaters will keep evolving as will the tools we have to identify them, it's a constant game of cat and mouse.

The CBL is not outright listing users for these executions when submitted. It takes multiple of these submissions for a user to be listed. If I combine all of our logs since BIS started being logged we've only had a two line execution appear 4x times total. All 4x of these executions were banned locally at our discretion and submitted to the CBL, NONE of these bans were appealed or disputed locally or otherwise. As an admin of a DayZ server in this situation given the nature of the spoof it is better to ban local first for the sake of your players and ask questions if they appeal. Let me clarify, crashing and explosions are different. The execution is triggered by the explosion not the crash itself. Dwarden is a huge help to the community but he's wrong on this one, test it for yourself and you'll see. Honestly I think you're confusing the context, up until the BIS spoof remoteexec did always equal a ban. Honestly anything ELSE in remoteexec should constitute a ban, BIS is the only known exception.

Thanks for the report, we've cleared up the situation and restarted. Unfortunately this form of cheating is still undetected and now that vehicles save locations all servers are susceptible to this form of griefing.

It's not hypothetical it's factual.. Simply crash a helo legit and you'll see the lines for yourself, it doesn't get much easier to disprove "hypothetical evidence". The remoteexec.log simply logs executions, it doesn't know if their legit or not. The cheaters realized this and spoofed the legit execution in the hopes we could not identify them easily. Single and double lines were earlier attempts, full 3x line are more difficult but publicvar should help there. No theory, just truth. Hope it helps.

It is legit, http://dayzmod.com/forum/index.php?/topic/88001-bis-effects-airdestruction/#entry829125

dat search (http://dayzmod.com/f...ng-bis-effects/). We were tracking the evolution of this spoof and documented it for everyone.. Long story short if you see a single or double line execution ban local and submit to the CBL, the full 3x line spoof cannot be determined real or fake. Now that we have publicvar hopefully we'll be able to smoke out the spoofing cheaters, we haven't seen one yet but we're ready. To clarify "[this] is not an indicator of a cheater.

One of my admins had that happened because of how they copied the filters (*.txts). To update your list click the RAW link, copy & paste it over your local or download it. Double check you're downloading the most recent release, there were older filters that had functionality issues like that. The final thing would be remote execution on your players by a malicious cheater. While not very common, it does happen so you'll have to keep an eye of the number of executions, and use your head if it is something that could be remotely executed on a player. Obviously at the time of posting there were only 3. Now there is a fourth filter publicvariable.txt that is only logging at in current form.

I've made some informative posts explaining different things to look for that you might find helpful.. Otherwise I'd recommend you just look over our CBL submissions for examples (https://code.google.com/p/dayz-community-banlist/issues/list?can=1&q=reporter%3Aoverclocked&sort=-id&colspec=ID+Type+Status+Priority+Milestone+Owner+Summary&cells=tiles).

Striker, Thanks for making such a detailed post and sorry for any trouble you may have incurred on US 1993. Based on your explanation it sounds like a cheater teleported all players up in the air over water, which is a common thing they do to grief a server. As a server nears capacity it quickly becomes a target to cheaters as they wish to maliciously interrupt a large number of players at one time. Our servers utilize every countermeasure viable to stop, identify, and punish cheaters if possible. We also both utilize and contribute to the Community Ban List (https://code.google....munity-banlist/) regularly strengthening the DayZ Admin community. I assure the actions you described were not those of one of our staff members. Overclock.net is the community that provides our servers and we have a history of professionally managing and administrating a variety of different game servers. We administrate DayZ just as well as our other titles if not more so due to the rampant cheating due partially to the games Alpha status. Moving forward feel free to join us on our VOIP server, it's one of the many ways you can reach us if an incident like this occurs. Also I'd like to personally apollogize for not seeing your post soon enough, somehow this thread got pushed off my first page. I try to respond to any post as quickly as possible. :) Sincerely, [OCN]Vortech of Overclock.net

Players started mentioning a teleporter running around and shooting at them.. One player in our VOIP said someone popped out of nowhere but she got the best of him. She inspected his body, took some nice gear, inspected the body (this server is nametag off), and moved on. Moments later he snuck up on her again and she claims he looked to have the same gun. Lucky for us she got the name so I had something specific to look for. I noticed something that I think could be helpful: BEC Log ?16:50:25 : Player #5 USRNAME (IP) connected ?16:50:26 : Player #5 USRNAME - USRNAME: GUID (unverified) ?16:50:26 : Verified USRNAME (GUID) of player #5 USRNAME ?16:58:23 : Player #5 USRNAME disconnected ?16:58:46 : Player #5 USRNAME (IP) connected ?16:58:47 : Player #5 USRNAME - USRNAME: GUID (unverified) ?16:58:47 : Verified USRNAME (GUID) of player #5 USRNAME *.RPT Log 2012/08/27, 16:51:39 "LOGIN ATTEMPT: "PID" USRNAME" 2012/08/27, 16:51:40 "READ/WRITE: ['PASS',false,'29748204',[82,[9708.16,1994.9,0.534232]],[["ItemFlashlight"],["ItemPainkiller","ItemBandage"]],["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]],[5,9,9],Bandit1_DZ,0.94]" 2012/08/27, 16:51:40 "LOGIN LOADED: B 1-1-A:40 (USRNAME) REMOTE Type: Survivor1_DZ" 2012/08/27, 16:51:41 Server: Object 54:6 not found (message 94) 2012/08/27, 16:51:41 "READ/WRITE: ['PASS',[false,false,false,false,false,false,false,12000,[],[0,0],0,[18.68,19.5579]],[0,0,0,0],["","amovpercmstpsnonwnondnon",37],[82,[9708.16,1994.9,0.534232]],-88853]" 2012/08/27, 16:51:41 "LOGIN PUBLISHING: B 1-3-H:1 (USRNAME) REMOTE Type: Bandit1_DZ" 2012/08/27, 16:55:34 "PDEATH: Player Died PID" 2012/08/27, 16:55:41 "DISCONNECT START (i): USRNAME ("PID") Object: 2c16e040# 1087266: man_bandit.p3d REMOTE" 2012/08/27, 16:55:53 "LOGIN ATTEMPT: "PID" USRNAME" 2012/08/27, 16:55:56 "READ/WRITE: ['PASS',false,'29748204',[345,[10516.3,2242.06,0.00143862]],[["ItemFlashlight"],["ItemPainkiller"]],["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]],[9,13,13],"Bandit1_DZ",0.94]" 2012/08/27, 16:55:56 "LOGIN LOADED: B 1-1-A:18 (USRNAME) REMOTE Type: Survivor1_DZ" 2012/08/27, 16:55:57 Server: Object 54:29 not found (message 94) 2012/08/27, 16:55:57 "READ/WRITE: ['PASS',[false,false,false,false,false,false,true,7817.48,[],[0.921826,0],0,[117.155,126.888]],[0,0,0,0],["","amovpercmrunsnonwnondf",39],[345,[10516.3,2242.06,0.00143862]],-88853]" 2012/08/27, 16:55:57 "LOGIN PUBLISHING: B 1-2-I:1 (USRNAME) REMOTE Type: Bandit1_DZ" So at 16:50:25 the player is logged by BEC, at 16:51:39 the player connects to the game, yet there is NO TRACE OF HIM in createvehicle EVER. To clarify we can see this player is a bandit but there is NO trace of him in createvehicle. Which would look like: DATE TIME: USRNAME (IP) GUID - #0 "BanditW1_DZ" ##:## [#,#,#] Both DZ_Patrol_Pack_EP1 and Survivor1_DZ are not logged but the skin BanditW1_DZ is and there should be an entry for this player. So this is a leap but I'm guessing after the handshake his bypass goes into effect and BE can't see him so nothing he does gets logged? If so, then theoretically someone could make a parser that sweeps the *.RPT or BEC.log and compares it against createvehicle.log? While very primitive it might help us.. Parse *.RPT or BEC.log then compare against createvehicle.log? What do you guys think? PS - He isn't the only one, his buddy is in my BEC log but never appears in the *.RPT or creatvehicle.. Which I don't even understand how that happens.He connected under one name, switched to another.. Never shows up in anything but BEC.log on either. I will continue to review the logs on the other Korean players.

This thread (http://dayzmod.com/forum/index.php?/topic/80719-psa-false-remote-execution-on-players-whatisthis-long-weekend-incoming/) would be a good start for entries. I'm sure Dwarden or someone at BIS will compile an official list soon and post it on the CBL (https://code.google.com/p/dayz-community-banlist/source/browse/#git%2Ffilters). We're testing a custom file based on the false remote executions we've seen and publicly available griefing attempts.

No problem, let me just place this here: 2012/08/05, 4:47:10 "LOGIN ATTEMPT: "7485830" Sluth0e" 2012/08/05, 4:47:21 "SETUP: attempted with ["24612383",B 1-2-F:1 (Sluth0e) REMOTE,"7485830"]" 2012/08/05, 4:47:22 "READ/WRITE: ['PASS',[false,false,false,true,true,true,true,11970,["Pelvis","aimpoint","lelbow","relbow","neck"],[2.35777,0],183,[0.05,0.694444]],[40,10,2,0],["PipeBombMuzzle","aidlpercmstpsnonwnondnon_player_idlesteady04",41],[23,[369.289,2481.93,0.00131226]],-3980]" 2012/08/05, 4:47:22 "SETUP: RESULT: Successful with ["PASS",[false,false,false,true,true,true,true,11970,["Pelvis","aimpoint","lelbow","relbow","neck"],[2.35777,0],183,[0.05,0.694444]],[40,10,2,0],["PipeBombMuzzle","aidlpercmstpsnonwnondnon_player_idlesteady04",41],[23,[369.289,2481.93,0.00131226]],-3980]" 2012/08/05, 4:47:22 "WORLDSPACE: [23,[369.289,2481.93,0.00131226]]" 2012/08/05, 4:47:22 "LOGIN PUBLISHING: B 1-2-F:1 (Sluth0e) REMOTE Type: SurvivorW2_DZ" 2012/08/05, 4:47:22 "player7485830 = myObj" 2012/08/05, 4:49:09 "HIVE: WRITE: "CHILD:201:"24612383":[212,[384.507,2349.41,0.00189209]]:[["ItemMap","ItemGPS"],["PipeBomb"]]:["",[[],[]],[[],[]]]:[]:false:false:0:0:0:0:["PipeBombMuzzle","aidlpercmstpsnonwnondnon_player_idlesteady03",100]:0:0:"SurvivorW2_DZ":0:" / "24612383"" 2012/08/05, 4:49:45 "HIVE: WRITE: "CHILD:201:"24612383":[]:[]:[]:[]:false:false:0:0:0:0:["PipeBombMuzzle","aidlpercmstpsnonwnondnon_player_idlesteady02",100]:0:0::0:" / "24612383"" 2012/08/05, 4:50:23 "HIVE: WRITE: "CHILD:201:"24612383":[83,[4841.54,10250.7,0.00143433]]:[["ItemMap","ItemGPS","M4A1_AIM_SD_camo","Binocular","NVGoggles"],["PipeBomb"]]:["",[[],[]],[[],[]]]:[false,false,false,true,true,false,true,5820.29,["aimpoint"],[0.194391,0],0,[25.9687,39.0041]]:false:false:0:0:9074:0:["","amovpknlmstpsnonwnondnon_amovpknlmstpsraswlnrdnon",100]:0:0::0:" / "24612383"" 2012/08/05, 4:51:04 "HIVE: WRITE: "CHILD:201:"24612383":[]:[]:[]:[false,false,false,true,true,false,true,2313.46,["aimpoint"],[1.06098,0],0,[34.4846,45.9569]]:false:false:6:0:0:0:["M4A1_AIM_SD_camo","amovpknlmstpsraswrfldnon",42]:0:0::0:" / "24612383"" I killed you 2012/08/05, 4:53:24 "PDEATH: Player Died 7485830" sluth0e You came back empty, geared up, went invisible, and killed someone. 2012/08/05, 5:03:15 "LOGIN PUBLISHING: B 1-2-H:1 (Sluth0e) REMOTE Type: SurvivorW2_DZ" 2012/08/05, 5:03:15 "player7485830 = myObj" 2012/08/05, 5:03:15 "SETUP: attempted with ["24830652",B 1-2-H:1 (Sluth0e) REMOTE,"7485830"]" 2012/08/05, 5:03:15 "READ/WRITE: ['PASS',[],[0,0,0,0],[],[],-3980]" 2012/08/05, 5:03:15 "SETUP: RESULT: Successful with ["PASS",[],[0,0,0,0],[],[],-3980]" 2012/08/05, 5:07:06 "UPDATE: [B 1-2-H:1 (Sluth0e) REMOTE,["30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","ItemSodaCoke","ItemSodaPepsi"],false]" 2012/08/05, 5:07:06 "HIVE: WRITE: "CHILD:201:24830652:[]:[["ItemFlashlight","ItemGPS","M4A1_AIM_SD_camo","Binocular","NVGoggles"],["30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","ItemSodaCoke","ItemSodaPepsi"]]:["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]]:[]:false:false:0:0:0:1:["Binocular","amovppnemstpsraswrfldnon_awopppnemstpsoptwbindnon",42]:0:0::0:" / 24830652" 2012/08/05, 5:07:06 "WRITE: ['PASS']" 2012/08/05, 5:09:54 "UPDATE: [B 1-2-H:1 (Sluth0e) REMOTE,[["30Rnd_556x45_StanagSD",25],"30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","ItemSodaPepsi","ItemBloodbag","PipeBomb"],false]" 2012/08/05, 5:09:54 "HIVE: WRITE: "CHILD:201:24830652:[]:[["ItemFlashlight","ItemGPS","M4A1_AIM_SD_camo","Binocular","NVGoggles"],[["30Rnd_556x45_StanagSD",25],"30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","ItemSodaPepsi","ItemBloodbag","PipeBomb"]]:["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]]:[]:false:false:0:0:0:1:["M4A1_AIM_SD_camo","amovppnemsprslowwrfldf",42]:0:0::0:" / 24830652" 2012/08/05, 5:09:54 "WRITE: ['PASS']" 2012/08/05, 5:13:08 "PDEATH: Player Died 5_PID_6" USERNAME The rest 2012/08/05, 5:15:32 "UPDATE: [B 1-2-H:1 (Sluth0e) REMOTE,[["30Rnd_556x45_StanagSD",25],"30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD",["30Rnd_556x45_G36SD",28],"30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","ItemSodaPepsi","ItemBloodbag","ItemBloodbag","ItemBloodbag"],false]" 2012/08/05, 5:15:32 "HIVE: WRITE: "CHILD:201:24830652:[176,[4598.01,10571.1,0.00143433]]:[["ItemFlashlight","ItemGPS","M4A1_AIM_SD_camo","Binocular","NVGoggles"],[["30Rnd_556x45_StanagSD",25],"30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD",["30Rnd_556x45_G36SD",28],"30Rnd_556x45_G36SD","30Rnd_556x45_G36SD","ItemSodaPepsi","ItemBloodbag","ItemBloodbag","ItemBloodbag"]]:["DZ_Patrol_Pack_EP1",[[],[]],[[],[]]]:[]:false:false:0:0:37:0:["M4A1_AIM_SD_camo","amovpknlmstpsraswrfldnon",42]:0:0::0:" / 24830652" 2012/08/05, 5:15:32 "WRITE: ['PASS']" 2012/08/05, 5:16:17 "DISCONNECT START (i): Sluth0e ("7485830") Object: B 1-2-H:1 (Sluth0e) REMOTE" While the tools were different we still had measures to track cheaters like you. There's more then enough in there, also worth mentioning you never appeared in the BEC.log as you were likely running a bypass. There was also that encounter where you and magikh0e were driving a URAL when our server had no vehicles and took multiple shots to the head from multiple shooters. You had you invincibility on that time though.

They each server their own purpose, this is an older post of mine *.RPT - Good for login, disconnect, initial gear, and deaths. 3x BE *.log - Are all pretty empty now, you'll only catch basic/public script kiddies, and *.sqf gear injectors in here now. BEC - A catch all. We use this to track the effectiveness of the CBL bans, restriction kicks, and compare it's output against the *.rpt and createvehicle.log for suspicious activity. Unfortunately many cheaters have evolved and adapted to circumvent the current countermeasures.

PM sent.

Well aware of the reason for the denial, not that it makes any sense. Glad to hear about the staff, hopefully it makes a difference. The big issue was the fact that a representative replied to each request in minutes only to pass us off to someone else who never got around to it. I don't know what more information then the new IP would be necessary but we included everything we were told to. If there was anything missing then that seems like the first representatives fault as he directed us on exactly how to re-submit. In the end it wouldn't have made a difference because NOBODY looked at it anyhow. If you care to continue this feel free to PM me as our conversation doesn't have anything to do with the OP. I was simply providing an example of a situation we were once in that I've read all to many times on these forums. No need to be snarky.