zKryT

Log Examples [hacking]


Hello Everyone,

I've recently been getting a lot of emails about hackers on my servers. I've been trying to explore the logs to try and pinpoint when, and most importantly, by whom are these hacks taking place. I was hoping those that are more experienced with reading these logs might be able to list a few examples of what to look for when searching for a sign of hacking.

Mainly:

What does it look like when someone spawns a weapon/vehicle, or duping a weapon/items?

What does it look like when a player teleports themselves around the map?

Any other things to look for that may be considered suspicious.

Thanks for your help,

zKryT


Like this


{
vehicleToSpawn = 'ATV_US_EP1';
if (isServer) then
{
(vehicleToSpawn createVehicle (position player))setVariable ['ObjectID', 521, true];
dayz_serverObjectMonitor set [count dayz_serverObjectMonitor,getPos player nearestObject vehicleToSpawn];
};
}];

This is specifically for vehicle spawns. I have removed some stuff from this to render it useless to people, but in essence, this is what you will see.


Either way the script is useless without a bypass for battleye. So even if it was the full script it would be an instant ban if anyone used it.


Bypassing BattlEye is only the first step. Writing your own scripts to avoid script detection in case the bypass is detected is completely different. They are both equally important.


Thank you for the response. If I come across this within the logs, will I see the player name/ID or GUID accompanied with the script, so I'll be able to tell who is actually trying to initiate it?


Yes.


Incorrect. If you code a proper BattlEye bypass, it is disabled on your system and no longer checks anything you do. You could run the most detected script in the world, so long as battleye has been bypassed it won't even log what you do to the server.


That's not what I was saying. BattlEye bypass is only one part of the job. The bypass is usually injected into memory. If this is detected, BattlEye will ban if you inject into memory. HOWEVER, if you use scripts with other methods, and no BattlEye bypass, you can still initiate scripts that are undetected, and all you will do is show in the logs.

Most admins have a scripts.txt that they keep updated with the publicly known variables. Using self-written private ones allows you to continue.

Edited by Suspenselol

That's not what I was saying. BattlEye bypass is only one part of the job. The bypass is usually hooked in memory, and injected. If this is detected, BattlEye will ban if you inject into memory. HOWEVER, if you use scripts with other methods, and no BattlEye bypass, you can still initiate scripts that are undetected, and all you will do is show in the logs.

Most admins have a scripts.txt that they keep updated with the publicly known variables. Using self-written private ones allows you to continue.

Ah, my bad I misread your comment. That being said, BattlEye is a piece of flaming shit, you don't need to inject anything to bypass it >.>.


EDIT: Didn't mean to quote myself lol

Edited by Suspenselol


These would show up in the arma2oaserver.rpt right?


The file I've been looking in has been the large scripts.log file. It's the only scripts.log that is 600+ MB or more.


Well, shit. I don't even have a scripts.log

I have a scripts_old.txt and a scripts.txt in two different folders.

I know BattlEye is running because I've seen it kick for pings, and it kicked someone for Gamehack #38 today.

I saw that live in dao's rcon though - 1.85 Beta II. Which appears to log in the server_console.log in the cfgdayz folder.


Does that mean the scripts they're running are just bypassed so I have nothing to look up?

Edit: Or does my host suck?

Edited by RS-Dolph


Sent a support ticket for the host to reinstall BE.

scripts.log now shows up and it's ~20MB.

Scanning now.


How about this? Are they spawning themselves backpacks and toolboxes?

06.08.2012 12:08:47: James (70.124.92.124:3004) c35c7bbdb8ed9faca48f2de611aefc79 - #1
player addWeapon 'Itemtoolbox';
player addBackpack 'DZ_Backpack_EP1';
(Unitbackpack player) a

06.08.2012 15:37:29: Mr. Chip (68.231.238.13:2304) baacf3da37d8843b317183579cb52c97 - #1
player addWeapon 'Itemtoolbox';
player addBackpack 'DZ_Backpack_EP1';
(Unitbackpack player)

06.08.2012 15:37:32: iamwilliam (68.224.190.79:2304) 861f41ce22d6a3bcab10cb952138341a - #1
player addWeapon 'Itemtoolbox';
player addBackpack 'DZ_Backpack_EP1';
(Unitbackpack player)

EDIT:

Or this guy

06.08.2012 16:45:00: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['V3S_Civ', [5029.15

06.08.2012 17:10:18: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['UH1H_DZ', [13149.4

06.08.2012 17:11:37: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['PBX', [13149.7, 70

06.08.2012 17:12:04: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['UAZ_CDF', [13144,

06.08.2012 17:12:16: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['Skoda', [13140.9,

06.08.2012 17:12:41: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['V3S_Civ', [13198.9

06.08.2012 17:12:56: Tyler Reinelt (66.203.182.214:2304) e0f39c0b361d3606383fd5056c343d70 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['UH1H_DZ', [13225.6

Edited by RS-Dolph


No, those two are hive messages. The first one is the hive granting the person the gear he has saved on the hive; the second one is a person saving a boat.

EDIT: Just checked the last messages from createVehicle; that indeed looks fishy. He might actually be spawning vehicles right there.

Edited by Suspenselol


Out of that log, which was ~45 MB, those were the only addWeapon, addBackpack or createVehicle entries.

Banned.


Finding this in my logs quite a lot with 2-3 players.

dayz_spawnPos = getPosATL player;

Hack?


Also:

05.08.2012 21:53:04: ExaltedVoid (24.10.121.143:2344) 94b0f1131f16473334900b8961e1f25f - #107 if (!isDedicated) then {
if (!isNull _agent) then {
deleteVehicle _agent;
};
} else {
[_agent] call


I see both of them frequently.

I think it's legit.


Is there a help guide for this anywhere? The best way to understand is by doing, but I'll be asking someone every two minutes.

Is this normal?

08.08.2012 09:23:50: Palyer Name removed (xxx.xxx.xxx.xxx.xxxx) GUID - #27 awn player_alertZombies;
sleep 0.5;
player setDamage 1;
0.1 fadeSound 0;
_id = player spawn spawn


Ya, #27 seems normal; I get it from everyone on my 3 servers. I usually look for #147 or something like that, and other ones that aren't common. The most common ones I see are #55, #54 and #27. But be sure to rename the log every now and then before it gets too big to even want to bother looking through. I check mine at least once a day, maybe twice if I am not too busy. But also be sure to check out hacking websites such as *** for people who post scripts, so you know what to look for and what to put in your scripts.txt file to prevent it.

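The thread's triage method, added here as an example that is not from any poster: split scripts.log into per-player entries (the header carries the name, IP, GUID and the scripts.txt filter line that fired, as RS-Dolph's dump and the "Yes." reply show), count how often each filter line fires so the common ones (#27, #54, #55 above) can be skimmed past, and pull out the rare ones plus anything containing createVehicle/setVehicleInit for a closer look. The header format is assumed to match the entries quoted in this thread; the WATCH list and rarity threshold are this example's own choices, and the sample log is constructed with placeholder names, addresses and GUIDs.

```python
import re
from collections import Counter, defaultdict

# One scripts.log entry starts with a header line in the format seen in the thread:
# "DD.MM.YYYY HH:MM:SS: Name (IP:port) GUID - #N <script text>"; any following
# lines without a header are the rest of the logged script snippet.
HEADER = re.compile(
    r"^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): "
    r"(?P<name>.+?) \((?P<ip>[^:)]+):(?P<port>\d+)\) "
    r"(?P<guid>[0-9a-f]{32}) - #(?P<rule>\d+) ?(?P<script>.*)$"
)

# Commands the thread judged worth a second look (assumption: extend for your server).
WATCH = ("createVehicle", "setVehicleInit")

# Constructed sample with placeholder names, addresses and GUIDs (not from a real server).
SAMPLE_LOG = """\
06.08.2012 12:08:47: PlayerA (192.0.2.10:2304) 00000000000000000000000000000001 - #1 player addWeapon 'ItemToolbox';
player addBackpack 'DZ_Backpack_EP1';
06.08.2012 12:10:02: PlayerB (192.0.2.20:2304) 00000000000000000000000000000002 - #27 dayz_spawnPos = getPosATL player;
06.08.2012 12:11:30: PlayerA (192.0.2.10:2304) 00000000000000000000000000000001 - #27 dayz_spawnPos = getPosATL player;
06.08.2012 16:45:00: PlayerC (192.0.2.30:2304) 00000000000000000000000000000003 - #39 sleep 0.1; player setVehicleInit "
if (isServer) then {
_object = createVehicle ['V3S_Civ', [5029.15
06.08.2012 16:50:11: PlayerB (192.0.2.20:2304) 00000000000000000000000000000002 - #27 dayz_spawnPos = getPosATL player;
"""

def parse_scripts_log(text):
    """Split the log into entries; header-less lines continue the previous entry."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({**m.groupdict(), "script": m.group("script").strip()})
        elif entries and line.strip():
            entries[-1]["script"] += "\n" + line.strip()
    return entries

def rule_counts(entries):
    """How often each scripts.txt filter line (#N) fired; the common ones are usually noise."""
    return dict(Counter(e["rule"] for e in entries))

def triage(entries, watch=WATCH, rare_below=2):
    """Entries to review: watched commands, or filter lines that fired fewer than rare_below times."""
    counts = Counter(e["rule"] for e in entries)
    return [e for e in entries
            if counts[e["rule"]] < rare_below
            or any(w.lower() in e["script"].lower() for w in watch)]

def by_guid(entries):
    """Group entries per GUID so one player's activity is in one place for a ban decision."""
    groups = defaultdict(list)
    for e in entries:
        groups[e["guid"]].append(e)
    return dict(groups)

if __name__ == "__main__":
    found = parse_scripts_log(SAMPLE_LOG)
    print(rule_counts(found))
    for e in triage(found):
        print(e["ts"], e["name"], e["guid"], "#" + e["rule"], e["script"].splitlines()[0])
```

Rare filter lines are only a prompt to read the entry, not a verdict: in the sample the #1 addWeapon entry is flagged as rare, and the thread's own answer is that such lines are hive gear sync, while the #39 createVehicle entry is the one that warranted a ban.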
