james222 49 Posted August 5, 2012

In case any other admins want to add this dickbag to their banlist, here is a list of his GUIDs; keep in mind some of them are globally banned.

Most of these were used under the same IP address, and he even tried using 2 of them on my server, but they were globally banned. Thus a simple grep through logs revealed this guy.

*23:03:27 : Player #9 DeEz (213.141.91.55:2304) connected
*23:03:28 : Player #9 DeEz - GUID: b4a183c906d33c06c26e19ea7a199349 (unverified)
*23:03:28 : Verified GUID (b4a183c906d33c06c26e19ea7a199349) of player #9 DeEz
*23:04:37 : Player #9 DeEz (b4a183c906d33c06c26e19ea7a199349) has been kicked by BattlEye: Global Ban #b4a1
*23:05:26 : Player #9 Twoinches (50.136.82.56:55004) connected
*23:05:27 : Player #9 Twoinches - GUID: 011046c8eb58f5f47a3834e434a939bb (unverified)
*23:05:27 : Verified GUID (011046c8eb58f5f47a3834e434a939bb) of player #9 Twoinches
*23:09:18 : Player #5 DeEz (213.141.91.55:2304) connected
*23:09:18 : Player #5 DeEz - GUID: 5a3298f89374be909e36ddd91ac21136 (unverified)
*23:09:18 : Verified GUID (5a3298f89374be909e36ddd91ac21136) of player #5 DeEz
*23:10:36 : Player #5 DeEz (5a3298f89374be909e36ddd91ac21136) has been kicked by BattlEye: Global Ban #5a32

His known GUIDs.

SQL Data reveals blatant hacking

'5698', '47475974', '222', '2012-07-23 21:25:01', '2012-07-23 21:25:01', '[["ItemFlashlight"],["ItemBandage","ItemPainkiller"]]', '["DZ_Patrol_Pack_EP1",[],[]]', '[232,[9980.11,2619.07,0.048]]', '[false,true,false,true,true,false,true,7833.82,["aimpoint","relbow","RightFoot","LeftFoot","neck"],[1.941,0],58,[147.475,187.144]]', '1', '1', '2012-07-23 21:25:01', '2012-07-23 21:25:01', '0', '0', '38386', '2', '["","",34]', '0', 'SurvivorW2_DZ', '0', '2500'

^ The above row used on one of his playerIDs indicates he was hacking because as you can see he has broken everything, with 8000 blood, which is kind of suspicious. Then if you keep going through the row you see he has walked a distance of 38386 and has only been in the server for 2 minutes.

'6595', '57623174', '222', '2012-07-24 22:44:12', '2012-07-24 23:17:56', '[["ItemFlashlight","ItemKnife","ItemWatch","ItemMatchbox","ItemCompass","ItemHatchet","NVGoggles","ItemToolbox","Colt1911","ItemMap","ItemEtool","Binocular_Vector","M4A3_CCO_EP1"],["30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","30Rnd_556x45_Stanag","HandGrenade_West","ItemBandage","ItemBandage","7Rnd_45ACP_1911","7Rnd_45ACP_1911","7Rnd_45ACP_1911","7Rnd_45ACP_1911","7Rnd_45ACP_1911","ItemBandage"]]', '["DZ_ALICE_Pack_EP1",[["BAF_AS50_scoped"],[1]],[["ItemMorphine","ItemBandage","PartGlass","ItemSodaPepsi","10Rnd_127x99_m107"],[2,1,1,1,6]]]', '[8,[6794.18,4131.53,0.002]]', '[false,false,false,false,false,false,true,12000,[],[0,0],0,[1452.15,10.947]]', '1', '14', '2012-07-24 22:44:12', '2012-07-24 22:44:12', '0', '0', '109343', '47', '["M4A3_CCO_EP1","aidlpercmstpsraswrfldnon_aiming01",42]', '1', 'Survivor2_DZ', '1', '3940'

^ This also indicates the same. VERY short duration with maximum gear, his gear does not look very varied either.. it looks artificial.

1839, 41970822, 222, 2012-07-19 18:04:40, 2012-07-20 15:10:19, [["ItemFlashlight","Colt1911","ItemWatch","ItemHatchet","ItemKnife","ItemMap","ItemCompass","ItemMatchbox","ItemToolbox","ItemGPS","NVGoggles","Binocular_Vector","M4A1_AIM_SD_camo"],[["30Rnd_556x45_StanagSD",9],["30Rnd_556x45_StanagSD",22],["30Rnd_556x45_StanagSD",25],"30Rnd_556x45_StanagSD","30Rnd_556x45_StanagSD",["10Rnd_127x99_m107",6],["10Rnd_127x99_m107",7],["10Rnd_127x99_m107",6],"FoodSteakCooked","ItemSodaPepsi","ItemBandage","ItemBandage","7Rnd_45ACP_1911","7Rnd_45ACP_1911","7Rnd_45ACP_1911","7Rnd_45ACP_1911","7Rnd_45ACP_1911"]], ["DZ_Backpack_EP1",[["BAF_AS50_scoped"],[1]],[["ItemBandage","ItemMorphine","ItemPainkiller","ItemWaterbottle","FoodSteakCooked"],[2,2,1,1,1]]], [126,[6646.42,3410.79,0.0017395]], [false,false,false,false,false,false,true,12000,[],[0.0305451,0],0,[1057.74,38.5]], 1, 1, 2012-07-19 18:04:40, 2012-07-19 18:04:40, 99, 81, 259358, 165, ["M4A1_AIM_SD_camo","aidlpknlmstpslowwrfldnon_player_0s",42], 26, "Survivor2_DZ", 0, -141840

The above row shows DeZe again, under another playerID (different CD-key or spoofed). This time he has an AS_50, M4A1_SD_CAMO and full gear. But only a duration of 165 yet again has a massive walking distance of 259358. This combined with the massive kill count of 26 players means he was probably teleporting around the map shooting people.

Thanks for reading my report, I hope you found it informative and I hope you ban him, and keep a look out in case he buys more CD-Keys.
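Added example, not part of the original post or of any tool named in the thread: a Python version of the log correlation the post describes, grouping GUIDs by the IP they connected from and flagging IPs that presented several GUIDs with at least one BattlEye global-ban kick. The sample log is constructed (documentation-range IPs, made-up GUIDs and player names), and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the log format quoted in the post. IPs come from the
# documentation ranges and the GUIDs are made up.
SAMPLE_LOG = """\
23:03:27 : Player #9 PlayerA (192.0.2.10:2304) connected
23:03:28 : Player #9 PlayerA - GUID: aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (unverified)
23:04:37 : Player #9 PlayerA (aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa) has been kicked by BattlEye: Global Ban #aaaa
23:05:26 : Player #9 PlayerB (198.51.100.7:55004) connected
23:05:27 : Player #9 PlayerB - GUID: bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb (unverified)
23:09:18 : Player #5 PlayerA (192.0.2.10:2304) connected
23:09:18 : Player #5 PlayerA - GUID: cccccccccccccccccccccccccccccccc (unverified)
23:10:36 : Player #5 PlayerA (cccccccccccccccccccccccccccccccc) has been kicked by BattlEye: Global Ban #cccc
"""

CONNECT = re.compile(r"Player #(\d+) .+ \((\d{1,3}(?:\.\d{1,3}){3}):\d+\) connected$")
GUID = re.compile(r"Player #(\d+) .+ - GUID: ([0-9a-f]{32})")
GLOBAL_BAN = re.compile(r"\(([0-9a-f]{32})\) has been kicked by BattlEye: Global Ban")


def correlate(log_text):
    """Map each source IP to the GUIDs seen from it and which were globally banned."""
    slot_ip = {}    # slot number -> IP of the player currently in that slot
    guid_ip = {}    # GUID -> IP it was announced from
    by_ip = defaultdict(lambda: {"guids": set(), "banned": set()})
    for line in log_text.splitlines():
        line = line.strip().lstrip("*")           # tolerate the "*" prefix seen in the post
        if m := CONNECT.search(line):
            slot_ip[m.group(1)] = m.group(2)      # slots are reused, so overwrite
        elif m := GUID.search(line):
            ip = slot_ip.get(m.group(1))
            if ip:                                # skip GUIDs with no connect line
                guid_ip[m.group(2)] = ip
                by_ip[ip]["guids"].add(m.group(2))
        elif (m := GLOBAL_BAN.search(line)) and m.group(1) in guid_ip:
            by_ip[guid_ip[m.group(1)]]["banned"].add(m.group(1))
    return dict(by_ip)


def flag_ips(log_text, min_guids=2):
    """IPs that presented several GUIDs, at least one of them globally banned."""
    return sorted(ip for ip, v in correlate(log_text).items()
                  if len(v["guids"]) >= min_guids and v["banned"])


if __name__ == "__main__":
    print(flag_ips(SAMPLE_LOG))
```

A flagged IP is a lead for manual review, since shared addresses (NAT, internet cafes) can also show several GUIDs.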
james222 49 Posted August 5, 2012 (edited)

More BEC logs: http://pastebin.com/WCexzsUs

This obviously also indicates VPN usage.

Edited August 5, 2012 by Chernarus
osirish 165 Posted August 5, 2012

I have learned more from this simple post about admining and what to look for than in any other post on the forums for the last two weeks.

Beanz for you sir.

At the risk of railroading your thread, do you know of any threads, or sites, that give experienced admins, but ARMA 2 server setup noobs, a comprehensive setup guide for their servers? Things like how to set up daily log files automatically, basic script detection files or lines to add to the configs, how to set up rcon protection from the cheat that now grants rcon control .... etc.?

Thanks in advance.
james222 49 Posted August 5, 2012 (edited)

> I have learned more from this simple post about admining and what to look for than in any other post on the forums for the last two weeks.
>
> Beanz for you sir.
>
> At the risk of railroading your thread, do you know of any threads, or sites, that give experienced admins, but ARMA 2 server setup noobs, a comprehensive setup guide for their servers? Things like how to set up daily log files automatically, basic script detection files or lines to add to the configs, how to set up rcon protection from the cheat that now grants rcon control .... etc.?
>
> Thanks in advance.

You're gonna want to rotate your RPT file into a separate folder every hour or so by using a .bat file and task scheduler.

You're also going to want to download BEC (Battleye Extended commands) to log everything that goes on, i.e. chat etc., and you can even use it to schedule restarts and automessages. Learn about BERCON so you can remotely admin your server.

If you google most of the stuff you will find it, ex: scripts.txt update

Edited August 5, 2012 by Chernarus
Publik 404 Posted August 5, 2012

> More BEC logs: http://pastebin.com/WCexzsUs
>
> This obviously also indicates VPN usage.

Hmm, could you go in some depth about what you mean by "VPN usage" (read: I know it's a virtual private network, but so what, and how did you come to that conclusion?), and what you've read from those logs? All I see is some guy with the same IP/GUID/name connecting/disconnecting several times over a time span. I see his global ban, but I don't get much out of the logs you posted other than they "look artificial", though the broken bones and the distance seem like a solid reason for suspicion at most.
james222 49 Posted August 5, 2012 (edited)

> Hmm, could you go in some depth about what you mean by "VPN usage" (read: I know it's a virtual private network, but so what, and how did you come to that conclusion?), and what you've read from those logs? All I see is some guy with the same IP/GUID/name connecting/disconnecting several times over a time span. I see his global ban, but I don't get much out of the logs you posted other than they "look artificial", though the broken bones and the distance seem like a solid reason for suspicion at most.

Same GUIDs/unique aliases in different locations across earth usually indicate VPN usage, not to mention some are hosted in datacenters. Also I'm really quite sure you're trolling.. it's obvious as fuck what the logs say as I explained them in one paragraph each.

Edited August 5, 2012 by Chernarus
Publik 404 Posted August 5, 2012

> Same GUIDs/unique aliases in different locations across earth usually indicate VPN usage, not to mention some are hosted in datacenters. Also I'm really quite sure you're trolling.. it's obvious as fuck what the logs say as I explained them in one paragraph each.

I assure you I am not trolling. In the pastebin log, while he does have multiple keys, he connects from the same IP (in the 94 block) until the last 4, which use a 109 block. Having multiple keys is suspicious, but as far as I can tell completely legal. As for the last IP change, it's also something that does sometimes change under normal conditions. Using a proxy (which is the word I think you mean) is also, from what I can tell, perfectly legal on its own.

As for the broken limbs part of the log, which section shows limb status? Is it the array including stuff like ["aimpoint", .., ...] and so on?
james222 49 Posted August 5, 2012 (edited)

> I assure you I am not trolling. In the pastebin log, while he does have multiple keys, he connects from the same IP (in the 94 block) until the last 4, which use a 109 block. Having multiple keys is suspicious, but as far as I can tell completely legal. As for the last IP change, it's also something that does sometimes change under normal conditions. Using a proxy (which is the word I think you mean) is also, from what I can tell, perfectly legal on its own.
>
> As for the broken limbs part of the log, which section shows limb status? Is it the array including stuff like ["aimpoint", .., ...] and so on?

Everyone knows you don't use a VPN for gaming unless you want to cheat under a completely different IP address.

It's kind of obvious right now.. he has globally banned GUIDs, multiple proxies and extremely suspicious activity.

The limb status etc. is pulled from the MySQL table, and FYI dynamic IP addresses don't vary much at all.

Edited August 5, 2012 by Chernarus
Publik 404 Posted August 5, 2012 (edited)

> Everyone knows you don't use a VPN for gaming unless you want to cheat under a completely different IP address.
>
> It's kind of obvious right now.. he has globally banned GUIDs, multiple proxies and extremely suspicious activity.
>
> The limb status etc. is pulled from the MySQL table, and FYI dynamic IP addresses don't vary much at all.

Yes, you do not use a VPN for gaming, unless you're playing at a LAN or tournament or something along those lines. I think you mean proxy, but even that is nothing illegal - only suspicious.

A virtual private network (VPN) is a technology for using the Internet or another intermediate network to connect computers to isolated remote computer networks that would otherwise be inaccessible. A VPN provides security so that traffic sent through the VPN connection stays isolated from other computers on the intermediate network. VPNs can connect individual users to a remote network or connect multiple networks together.

Forward proxies are proxies where the client server names the target server to connect to. Forward proxies are able to retrieve from a wide range of sources (in most cases anywhere on the Internet).

Where in here is limb status? I think it's in the red:

'5698', '47475974', '222', '2012-07-23 21:25:01', '2012-07-23 21:25:01', '[["ItemFlashlight"],["ItemBandage","ItemPainkiller"]]', '["DZ_Patrol_Pack_EP1",[],[]]', '[232,[9980.11,2619.07,0.048]]', '[false,true,false,true,true,false,true,7833.82,["aimpoint","relbow","RightFoot","LeftFoot","neck"],[1.941,0],58,[147.475,187.144]]', '1', '1', '2012-07-23 21:25:01', '2012-07-23 21:25:01', '0', '0', '38386', '2', '["","",34]', '0', 'SurvivorW2_DZ', '0', '2500'

but I'd like to know for when I check logs myself. Does that mean his legs are broken, and he's at ~8k blood?

Edited August 5, 2012 by Publik
james222 49 Posted August 5, 2012

> Yes, you do not use a VPN for gaming, unless you're playing at a LAN or tournament or something along those lines. I think you mean proxy, but even that is nothing illegal - only suspicious.
>
> Where in here is limb status? I think it's in the red:
>
> but I'd like to know for when I check logs myself. Does that mean his legs are broken, and he's at ~8k blood?

If his neck is broken, in theory he should be dead.
Publik 404 Posted August 5, 2012

> If his neck is broken, in theory he should be dead.

Maybe in the real world, but in Arma?
james222 49 Posted August 5, 2012

> Maybe in the real world, but in Arma?

Yeah if you shoot someone in the neck in DayZ they tend to die.
rekrul 91 Posted August 9, 2012 (edited)

Would you mind submitting this as a ticket to BIS?

http://forums.bistud...head-and-ARMA-2

If not, at least copy/paste it on their troubleshooting forum?

http://forums.bistud...TROUBLESHOOTING

Edited August 9, 2012 by Rakrul