boxman80

Help With Logs


Hi folks, can anyone point me in the right direction for a tutorial or a guide on what sort of things I'm looking for in our server logs in regard to people using scripts or hacks/suspicious behaviour? Which logs in particular are most useful?

Thanks


Learn some common ArmA script commands, check whether the scripts run in the logs are originating from DayZ, if not, ban. :D


Sorry for off topic, but seeing as there's a lot more people wanting to know this, maybe it's time for someone to write a comprehensive tutorial on how to find suspicious behaviour? I could do it myself, but at the moment my time is limited. It'll have to wait a week at least. Maybe someone else with more time, and/or split up the work?

I'd write up something for you, but it's simply too much to just do it in a reply.

  • Like 1


Learn some common ArmA script commands, check whether the scripts run in the logs are originating from DayZ, if not, ban. :D

I'd love to "learn" some common script commands, but as I said in the original post, are there any decent starting points, tutorials, guides etc? Also which logs are the ones to be even looking at?


To get you started

SetPos

Logs teleporting, however, SetPos containing "shot" or "Shot" is legit. The rest most likely isn't

RemoteControl

Ban anyone in this log

CreateVehicle

Check for people spawning boxes, PipeBombs, a lot of entries from a single character (HE / smoke grenades)

RemoteExecute

Ban for anything that's not related to choppers crashing down. "_this spawn fnc_plyrHit;" is legit as well. Things containing "+"'s are hackers as well, ban.

AddMagazineCargo

Check for people with massive amounts of logs, spawning chests with all weapons in them. Instant ban those.

DeleteVehicle

Check for people with massive amounts of logs

SetDamage

Search for 1.00000, but this may sometimes be legit. Ban with caution, multiple logs per person = definite ban.

AttachTo

I've heard sounds of everything that's in here and contains a vehicle is from a hacker, but I'm not sure. Worth looking into anyways.

ARMA2OASERVER.RPT

Use this to detect combat loggers, people that are spawning in empty and killing others with CCO SD's 5 minutes later, etc.

That's roughly it, in short.

  • Like 4
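The per-log rules in the post above, turned into a triage script. This is an added example, not code from the thread or from any DayZ/BattlEye tool; the line layout, the log names used as dictionary keys, the `box|pipebomb` keyword match and the bulk cut-off of 20 are assumptions to adapt to your own logs.

```python
import re
from collections import Counter, defaultdict
# Assumed layout (constructed): DD.MM.YYYY HH:MM:SS: Name (IP:port) GUID - #N "payload"
LINE = re.compile(r'^\S+ \S+: .+? \(\S+\) (?P<guid>\w+) - #\d+ (?P<payload>.*)$')
# Allowlist entry quoted in the post; add the crash-site strings your own server logs.
REMOTEEXEC_OK = ("_this spawn fnc_plyrHit;",)
BULK_LOGS = ("createvehicle", "addmagazinecargo", "deletevehicle")

def triage(logs, bulk=20):
    """logs: {log name: [lines]} -> {guid: sorted findings}; bulk is an assumed cut-off."""
    findings = defaultdict(set)
    for log, lines in logs.items():
        entries, full_damage = Counter(), Counter()
        for line in lines:
            m = LINE.match(line.strip())
            if not m:
                continue  # line does not fit the assumed layout
            guid, payload = m["guid"], m["payload"]
            entries[guid] += 1
            if log == "setpos" and "shot" not in payload.lower():
                findings[guid].add("setpos: possible teleport")
            elif log == "remotecontrol":
                findings[guid].add("remotecontrol: any entry")
            elif log == "createvehicle" and re.search(r"box|pipebomb", payload, re.I):
                findings[guid].add("createvehicle: box/PipeBomb spawn")
            elif log == "remoteexec" and "+" in payload:
                findings[guid].add("remoteexec: contains '+'")
            elif log == "remoteexec" and not any(ok in payload for ok in REMOTEEXEC_OK):
                findings[guid].add("remoteexec: not on allowlist")
            elif log == "setdamage" and "1.00000" in payload:
                full_damage[guid] += 1
        for guid, n in entries.items():  # "massive amounts of logs" from one player
            if log in BULK_LOGS and n >= bulk:
                findings[guid].add(f"{log}: {n} entries")
        for guid, n in full_damage.items():  # one hit may be legit, several are not
            findings[guid].add("setdamage: repeated 1.00000" if n > 1
                               else "setdamage: single 1.00000 (review)")
    return {guid: sorted(found) for guid, found in findings.items()}

def entry(guid, payload):  # builds one constructed line in the assumed layout
    return f'01.01.2013 10:00:00: Player (192.0.2.1:2304) {guid} - #0 "{payload}"'

# Constructed sample data, not taken from a real server.
SAMPLE = {
    "setpos": [entry("aaaa1111", "2:5 Shot_Example"),
               entry("bbbb2222", "2:9 Player_Example")],
    "remotecontrol": [entry("bbbb2222", "example")],
    "createvehicle": [entry("cccc3333", "0:0 ExampleAmmoBox")],
    "remoteexec": [entry("aaaa1111", "_this spawn fnc_plyrHit;"),
                   entry("cccc3333", "_a = _b + _c;")],
    "setdamage": [entry("aaaa1111", "1.00000")] + [entry("cccc3333", "1.00000")] * 2,
    "addmagazinecargo": [entry("dddd4444", "ExampleMag")] * 25,
}
print(triage(SAMPLE))
```

Findings are keyed by GUID rather than player name, since names can be changed between sessions.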


A2 scripting commands: http://www.ofpec.com/COMREF/ and http://community.bistudio.com/wiki/Category:Scripting_Commands_ArmA2

I'm not fully sure of how things are currently as I haven't run a server for a few months but this is what I used to do back then.

Step 1: Unpack all DayZ pbo's with cPBO

Step 2: Grab a random script log from the log files

Step 3: Check if it originates from DayZ's code

Step 3.a: Open a command console (cmd.exe) in the folder where you unpacked all PBO's

Step 3.b: run findstr /snip "<your search string>" * in the command console

Step 3.c: check findstr's output

Step 4: Did findstr output anything that matches your string? If yes, go to Step 4.a else go to Step 4.b.

Step 4.a: Most likely something you shouldn't worry about.

Step 4.b: Most likely something that shouldn't happen. But be careful, it could also be something which is being run by A2 itself!!

+ the post above :)

Edited by ziellos2k
  • Like 1
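Steps 3 and 4 of the procedure above as a batch check over many log snippets at once. This is an added example, not code from the thread; the folder and file names are constructed. Unlike `findstr` without `/c:`, which treats space-separated words in the search string as alternatives, this matches each snippet as one literal string.

```python
import os
import tempfile

def find_in_tree(root, needle):
    """Literal search equivalent to findstr /snip: returns
    [(relative path, line number)] for every line containing needle."""
    hits, needle = [], needle.lower()
    for dirpath, _dirs, files in os.walk(root):               # /s: recurse
        for fname in files:
            path = os.path.join(dirpath, fname)
            with open(path, "rb") as fh:
                data = fh.read()
            if b"\x00" in data:                                # /p: skip binary files
                continue
            text = data.decode("utf-8", errors="replace")
            for no, line in enumerate(text.splitlines(), 1):  # /n: line numbers
                if needle in line.lower():                     # /i: ignore case
                    hits.append((os.path.relpath(path, root), no))
    return sorted(hits)

def classify(root, snippets):
    """Step 4: 'known' = found in the unpacked code, 'unknown' = not found.
    'unknown' is not proof of cheating: the engine itself may run the script."""
    return {s: ("known" if find_in_tree(root, s) else "unknown") for s in snippets}

def demo():
    # Constructed stand-in for a folder of unpacked PBOs (names are made up).
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "unpacked_a", "scripts"))
        with open(os.path.join(root, "unpacked_a", "scripts", "example.sqf"), "w") as fh:
            fh.write("// constructed file\n_this spawn fnc_plyrHit;\n")
        with open(os.path.join(root, "texture.bin"), "wb") as fh:
            fh.write(b"\x00\x01fnc_plyrhit")                   # binary, must be skipped
        return (find_in_tree(root, "FNC_PLYRHIT"),
                classify(root, ["_this spawn fnc_plyrHit;", "some_unseen_function"]))

print(demo())
```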



I'm new and I don't know where I can even check these logs, my server hoster is dayz.st but I can't seem to find where I can check those?

Edit: should I just search those keywords on my scripts.log file?

Edited by Kipale


No, where you found your scripts.log file, you should have those logs as well. If you don't, you're going to have to ask someone from Dayz.st, I only have knowledge of Vilayer.


1 of my mates and server owner (of UK498) is in the process of writing a tutorial document on where to look in the logs for hackers (and what exact files). I haven't seen his work yet, but knowing his background in IT it will be a very useful document. He's writing it mainly for our own (future) server admins (including myself). When it's finished me and him will have a chat and will most likely try to contact 1 of the DayZ mods/devs to see if this document is useful for a wider group of server admins.

I'll keep eyes on this topic and update news when there is any...


Anyone who got dayz.st server know how to check their script log in most viable way?

I had guy teleporting around today but I didn't see anything on logs :s

Edited by Kipale


Anyone who got dayz.st server know how to check their script log in most viable way?

I had guy teleporting around today but I didn't see anything on logs :s

That happens, they're getting smarter, and there's not much you can do about that manually. Check for other things person may've done. Downloading all logs (except scripts.log) and searching for their names using Notepad++ Find in Files function helps with that.

GL


This thread and the Admins that have given their input is great news for the other admins.

Just a quick question, are you actively 'banning' players?

I wasn't aware that we are allowed - I'm running a Public Hive, are you chaps also?

Thanks

d.


Sorry for off topic, but seeing as there's a lot more people wanting to know this, maybe it's time for someone to write a comprehensive tutorial on how to find suspicious behaviour? I could do it myself, but at the moment my time is limited. It'll have to wait a week at least. Maybe someone else with more time, and/or split up the work?

I'd write up something for you, but it's simply too much to just do it in a reply.

I think this is something that would be a great help to a huge number of hosts. Given the amount of hackers, I find it quite surprising that there isn't a straightforward community reference of what to look out for in the logs.


This thread and the Admins that have given their input is great news for the other admins.

Just a quick question, are you actively 'banning' players?

I wasn't aware that we are allowed - I'm running a Public Hive, are you chaps also?

Thanks

d.

Sorry for the delayed reply, but yes I am actively banning players on my server. If you're on a private hive, you can ban people for whatever reason you like. If you're on public, you can ban someone for hacking, but you must report the banned player in the Cheat Reporting section of this forum.

I run a private hive though, so I can ban anyone for any reason (but I don't). Yesterday evening alone for example, yielded the grand total of 11 bans. My server was full~ almost all night, and I was actively policing it (as in, programming with one eye, and keeping an eye on the logs/chat with the other). The best result was this though:

10:30:49 : (Direct) FuzzyPeePee: what up fellow hacker

10:30:50 : (Direct) Owner: trouble

10:30:51 : (Direct) FuzzyPeePee: <3

10:30:53 : (Direct) FuzzyPeePee: fuck yeah

10:30:55 : (Direct) FuzzyPeePee: got skype ?

10:30:57 : (Direct) Owner: lol watch this

10:31:03 : (Direct) Owner: watch these hacks I got

10:31:21 : (Direct) Owner: look up

10:31:39 : (Direct) Owner: lol

10:31:47 : (Direct) Owner: They don't stop!

10:31:51 : (Direct) Owner: for like 3 in

10:31:53 : (Direct) Owner: min

Made my night worthwhile :D. They only lasted for about 3 minutes on the server.


The guide I mentioned in an earlier post is finished. My mate did a splendid job writing it if I may say so. It's being looked at by the forum mods atm and hopefully it can be released to the rest of the community soon enough. It's written based on the server we're currently renting (UK498) so probably needs a bit of fine-tuning to make it suitable for other servers as well. I'll keep updating this topic ;-)


The guide I mentioned in an earlier post is finished. My mate did a splendid job writing it if I may say so. It's being looked at by the forum mods atm and hopefully it can be released to the rest of the community soon enough. It's written based on the server we're currently renting (UK498) so probably needs a bit of fine-tuning to make it suitable for other servers as well. I'll keep updating this topic ;-)

Look forward to reading this.


I will try to take some time going through this and posting a helpful reply.

Here are the main problems IMO...

1. Submitting to the Cheat reporting thread here is all but useless (although I do for serious offenders)

COUNTLESS people who are hacking (actual hackers not script purchasers/downloaders) can swap their key in under 1 minute and be right back in...

2. TONS of hacks/scripts/cheats are not detected by ANYTHING... other than a counter hacker... even then new key, new id, back in and back at it.

3. They NEED NEED NEED to give public hive admins a locked admin tool that ONLY works on their server and blocks them from playing on their server, IF they are caught or reported for using the information from their admin tool to aid TS or Skype buddies they should have their server pulled and put up for grabs to other proven responsible admins.

4. For Private hives, the hosts and access vary SOOOO much it's impossible to write a comprehensive how-to w/o having admin'd a server on EVERY host for at least a month or two.

Frankly to keep the public hive alive I think there needs to be a community group that takes over adminning of public hives. and leave it to THEM to organize a community ban list for the public hive.

I ban on average 40 players a week on my relatively LOW POPULATION public hive server... people jump on spawn shit go on killing sprees do mass teleports that I witness personally and the ONLY things that get detected are the explosions...

You can hack all day long on any public or private server and never ever get caught if you are even remotely smart about it.

I had a guy spawn 20 AI helicopters in Elektro (after nuking it) and the ONLY reason I knew what was going on is the moron talked about it in direct and I had the Rcon panel open so I saw the conversation... RAN all the way south to check it out and sure enough even after banning him and his client, and kicking just about everyone off the server I didn't know they're still flying around shooting and crashing....

Shameless Youtube plug Search for "Helicopter Swarm" or "Cifor dayz" and you'll find the vids, 3 part video...


The only real way to keep them off of your server most of the time is to be actively monitoring. You will need something to check player loadouts and positions in real time on the map. A new player that comes into your server and all of a sudden has a full loadout or starts on the coast and magically flies somewhere else is easy to spot. The issue arises when a player joins your server and teleports innocent players to cover himself, hands everyone on the server a full loadout of the same items, plays on your server and maintains a low profile (Ie: spawns in a few items so as to not draw attention) or nukes a city. This is where the logs will be helpful in trying to determine who's the perp. Keep in mind that scripters sometimes will join your server in twos or threes and unleash complete chaos leaving you zero time to comb the logs.

Like yourself, I used to wonder what the hell I'm looking at in the log files. I don't really bother unless an issue as stated above arises. You will want to try and identify log entries that are not like the others. Scripts that shouldn't belong usually contain lots of symbols like + or () in a string. Also, even though your server is being assaulted, you may never find anything in the logs to identify who the culprit may be.

Lately, I've been banning 20-30 players a day and have had to roll the server back 3 times yesterday alone. Despite your best efforts to keep your server clean, you'll still have cheaters that will get through and spending hours combing the logs for each one is a huge undertaking that gets old fairly quick.


Anyone who got dayz.st server know how to check their script log in most viable way?

I had guy teleporting around today but I didn't see anything on logs :s

You can find all of your logs on the left hand side of the control panel at the bottom. But....they are reset every time the server restarts so you're going to have a few hours at most to review them.


Anyone who got dayz.st server know how to check their script log in most viable way?

I had guy teleporting around today but I didn't see anything on logs :s

Why even bother with the logs? You have a live map with a live feed already. Teleports will appear as straight lines or if they move to different positions, sharp angles. Non-cheating players will appear as squiggly or not symmetrical except if they're in a fast vehicle like a plane or Mi-17. In addition, if you leave the map window open, all of the players who joined and moved around will stay on the map so you're able to investigate later.


Yeah I gave up on logs, just monitoring player loadouts, positions and those things what you said.

I also reduced max players to 30 on my server, as whenever the server went +30 people hackers started to join more often and it's impossible to monitor 50 people anyway.

Edited by Kipale


You guys know there are programs that actively monitor this stuff and autokick/ban for teleporting (there are bugs in some of the programs that ban players for changing clothes (the trip to debug island is technically a teleport)).

The best ones require SQL access which rules out public hives, but some are just modified script files that kick/ban more aggressively... which can be used on public hives.

I'll try to post some links in an edit later but I'm swamped with other stuff right now

  • Like 1


You guys know there are programs that actively monitor this stuff and autokick/ban for teleporting (there are bugs in some of the programs that ban players for changing clothes (the trip to debug island is technically a teleport)).

The best ones require SQL access which rules out public hives, but some are just modified script files that kick/ban more aggressively... which can be used on public hives.

I'll try to post some links in an edit later but I'm swamped with other stuff right now

Every help we can get is appreciated, we're already running some extra scripts (anti hacked in weapons and stuff), but can't hurt to take a deeper look into anti-hack scripts. Cheers!


Every help we can get is appreciated, we're already running some extra scripts (anti hacked in weapons and stuff), but can't hurt to take a deeper look into anti-hack scripts. Cheers!

Take a look at http://www.gotcha-antihack.com/. It's a RCON and anti-cheat tool in one. You need to register on the forums and post in the "Alpha registration and Installation Guide" forum to be able to download it.

  • Like 2


Above are both good from what I understand, there are LOTS out there, and even if you know some basic programming you can put together some things that will drastically reduce hacking...

I have been lazy about updating the autokicking/banning on my server or looking into customizing scripts as I actively monitor it for most of its active hours... however after I finish the current project I'm working on... super secret....

Then I'm going to focus on trying to figure out what to do about security... I have some good ideas and a good group of people I'm working on some stuff with. But we are laser beam focused on our current project and until that's out no chance of getting into this. There are LOTS of guys out there providing GREAT software for Private hives, and a lot of good stuff for public too, but it's all a huge PITA to go through compare and decide... I think a lot of admins who have either get so tired of it they stop participating before contributing a lot of their knowledge, OR they consider it trade secrets type stuff..

I would love to see someone with a lot more experience and specific suggestions/experience chime in...

  • Like 1

