danni (DayZ)

Hackers stealing files off servers.


So I noticed my server had a changed welcome message a few days ago.

After snooping around a bit I found out there is a script out there that allows hackers to download files off your server, which means they can easily get the rcon password and kick/ban/lock the server. Locking a server can get you suspended/cancelled by your host.

How are we supposed to protect ourselves from this? It sounds kinda risky to spend your own money on a server when hackers can easily get it offline.


That was an old hole that was fixed a while ago, you were probably one of the couple of hundred people that had their rcon login leaked on 4chan about a week or 2 ago


Man this is bad. I'm staying on Lingor, DayZ vanilla is too much of a backdoor.


The info I found states that it still works. This hacking madness sure is ruining the game and I'm considering taking the server down for the time being. :/


"A lot of the reddit servers on the sidebar and the majority of servers in general have been compromised by 4chan.

IF you still have your cfgdayz and battleye folders in your root directory where you launch your DAYZ Server from then they can run a script and find out what your rcon password is to access your server remotely or in-game.

This allows them to ban anyone, kick anyone, spam global admin messages and remove any bans you have set in place.

I have seen quite a few servers on the sidebar in a post on 4chan recently (not going to name them but I will notify everyone I can via PM on here)

To fix this (so far it has worked for us)


  • you need to move your cfgdayz folder and battleye folders outside of your root server directory.

  • Then edit your start_dayz.bat file to point to the new directory's location where you have moved the folders to.

Example: "C:\Users\Administrator\dir\Arma 2\Expansion\beta\arma2oaserver.exe" -port=2302 -mod=EXPANSION\beta;EXPANSION\beta\Expansion;EXPANSION;ca;@dayz;@hive -name=cfgdayz -config=C:\Users\Administrator\dir\cfgdayz\server.cfg -cfg=C:\Users\Administrator\dir\cfgdayz\arma2.cfg -profiles=C:\Users\Administrator\dir\cfgdayz -bepath=C:\Users\Administrator\dir\BattlEye -world=Chernarus -cpuCount=3 -exThreads=3

The stuff I've highlighted in bold is what I have changed. As you can see I pointed it towards where I moved the cfgdayz folder and battleye folder. For security reasons I replaced the directory I used with "dir." Simply change dir to the directory you move the folders to.

This SHOULD stop people from grabbing your passwords. EVERY server is at risk right now who have not done this. I believe even Vipeax's server was exploited the same way.

I know this goes against our rules of posting anything related to hacking but as I am providing a fix and a lot of reddit servers have been exploited I decided to allow it."

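An added check, written for this thread and not taken from the post above or from any ARMA 2, DayZ or BattlEye tool: a Python script that reads the launch line of a start_dayz.bat, picks out the -config, -cfg, -profiles and -bepath parameters, and reports which of those paths still resolve under the server root (where the engine can read them), whether two parameters have been fused into one token by a missing space (the `-profiles=...cfgdayz-bepath=...` mistake), and which parameters are absent. The sample launch lines and the root path are constructed for the example, and the assumption that an absent parameter defaults to a location under the server root is the script's, not the thread's.

```python
import re
from pathlib import PureWindowsPath

# Launch parameters whose values name the configuration the engine reads:
# -config and -cfg take files (server.cfg carries the rcon password),
# -profiles and -bepath take folders (the BattlEye folder holds the BE config).
PATH_PARAMS = ("config", "cfg", "profiles", "bepath")
PARAM_RE = re.compile(r"-(config|cfg|profiles|bepath)=", re.IGNORECASE)
# A token is a run of non-blank characters and/or double-quoted segments, so
# "C:\Program Files\x.exe" and -config="C:\a b\server.cfg" stay in one piece.
TOKEN_RE = re.compile(r'(?:[^\s"]+|"[^"]*")+')

# Constructed sample launch lines and root path (not taken from a real server).
EXAMPLE_ROOT = r"C:\Users\Administrator\dir\Arma 2"
# Folders moved outside the root, every parameter pointing at the new place.
EXAMPLE_GOOD = (
    r'"C:\Users\Administrator\dir\Arma 2\Expansion\beta\arma2oaserver.exe" -port=2302 '
    r"-mod=EXPANSION\beta;EXPANSION\beta\Expansion;EXPANSION;ca;@dayz;@hive -name=cfgdayz "
    r"-config=C:\Users\Administrator\dir\cfgdayz\server.cfg "
    r"-cfg=C:\Users\Administrator\dir\cfgdayz\arma2.cfg "
    r"-profiles=C:\Users\Administrator\dir\cfgdayz "
    r"-bepath=C:\Users\Administrator\dir\BattlEye -world=Chernarus"
)
# Default layout: config files still inside the server root, nothing else set.
EXAMPLE_BAD = r"arma2oaserver.exe -port=2302 -config=cfgdayz\server.cfg -cfg=cfgdayz\arma2.cfg -name=cfgdayz"
# The missing space before -bepath turns two parameters into one.
EXAMPLE_FUSED = r"arma2oaserver.exe -profiles=C:\Users\Administrator\dir\cfgdayz-bepath=C:\Users\Administrator\dir\BattlEye"


def is_inside(path: PureWindowsPath, root: PureWindowsPath) -> bool:
    """True if path is the root itself or anything below it."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def audit_launch_line(cmdline: str, server_root: str) -> list:
    """Return (status, parameter, detail) triples for the config-bearing
    parameters of an arma2oaserver launch line.

    status is one of:
      ok           the path resolves outside the server root
      inside_root  the path resolves under the server root (readable via the engine)
      malformed    two parameters fused into one token (missing space)
      missing      the parameter is absent; assumed (for this example) to default
                   to a location under the server root
    """
    root = PureWindowsPath(server_root)
    findings = []
    seen = set()
    for token in TOKEN_RE.findall(cmdline):
        matches = list(PARAM_RE.finditer(token))
        if not matches:
            continue
        seen.update(m.group(1).lower() for m in matches)
        if len(matches) > 1:
            names = "/".join(m.group(1).lower() for m in matches)
            findings.append(("malformed", names, token))
            continue
        name = matches[0].group(1).lower()
        value = token[matches[0].end():].strip('"')
        path = PureWindowsPath(value)
        if not path.is_absolute():
            path = root / path  # relative values resolve against the server root
        status = "inside_root" if is_inside(path, root) else "ok"
        findings.append((status, name, str(path)))
    for name in PATH_PARAMS:
        if name not in seen:
            findings.append(("missing", name, "not set; assumed to default to a location under the server root"))
    return findings


def is_safe(findings) -> bool:
    """A launch line is safe only when every config path is explicitly outside the root."""
    return all(status == "ok" for status, _, _ in findings)


if __name__ == "__main__":
    for label, line in (("good", EXAMPLE_GOOD), ("bad", EXAMPLE_BAD), ("fused", EXAMPLE_FUSED)):
        findings = audit_launch_line(line, EXAMPLE_ROOT)
        print(f"{label}: {'SAFE' if is_safe(findings) else 'UNSAFE'}")
        for status, name, detail in findings:
            print(f"  {status:12} -{name}: {detail}")
```

Run it against the launch line copied out of your own start_dayz.bat with the folder arma2oaserver.exe lives in as the root; a line is only reported SAFE when all four parameters are present and each one resolves outside that folder, so a rented server whose host will not let you move the folders shows up as inside_root rather than silently passing.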

Man this is bad. I'm staying on Lingor, DayZ vanilla is too much of a backdoor.

There's no difference in regards to how the arma 2 server runs, official hive or not. The reason you don't see "hackers" is because less people play on it, just wait, if it gets popular, it'll hit, you won't escape.


Hah just posted about this myself.

We may just take our server down til we can set one up on a linux box and access the server via ssh-rha. I'm getting damn tired of this crap every day.

Between RCon leaks, constant battles with people using ESP hacks and ridiculously annoying scripts....I don't think I've had a legitimate battle with anything but my fucking server logs in a week now.



I just contacted Vilayer regarding this and all I got was a bullshit answer that they do not store rcon in the server.cfg file, the hack however allows you to download any file. Gotta love their first line technicians just ignoring what you write.


Hah just posted about this myself.

We may just take our server down til we can set one up on a linux box and access the server via ssh-rha. I'm getting damn tired of this crap every day.

Between RCon leaks, constant battles with people using ESP hacks and ridiculously annoying scripts....I don't think I've had a legitimate battle with anything but my fucking server logs in a week now.


Edited by Alfie


I'm sorry to be bold; but if you host a server it's your own responsibility to create a safe environment.

Installing an Anti-Virus and a Firewall (and running them) SHOULD be priority number 1 when having a server which may or may not be hacked.

This doesn't only apply to a DayZ server, but for anything that's connected to the internet in any way (especially servers).

Having a Linux server doesn't change anything, they're as simple to hack as Windows servers unless you know what you're doing.

So install a Firewall and configure it correctly, install an AV and run it at least once a week, and make sure user rights are set correctly so no one can ever reach administrator status without being on the system physically.


I'm sorry to be bold; but if you host a server it's your own responsibility to create a safe environment.

Installing an Anti-Virus and a Firewall (and running them) SHOULD be priority number 1 when having a server which may or may not be hacked.

This doesn't only apply to a DayZ server, but for anything that's connected to the internet in any way (especially servers).

Having a Linux server doesn't change anything, they're as simple to hack as Windows servers unless you know what you're doing.

So install a Firewall and configure it correctly, install an AV and run it at least once a week, and make sure user rights are set correctly so no one can ever reach administrator status without being on the system physically.

But if you're renting a server from a host then what you just said does not matter. If I personally had the box I would have sorted the issue a long time ago.


Anyone who follows the directions in the welcome email is much less likely to be successfully attacked by this exploit.



I'm sorry to be bold; but if you host a server it's your own responsibility to create a safe environment.

Installing an Anti-Virus and a Firewall (and running them) SHOULD be priority number 1 when having a server which may or may not be hacked.

This doesn't only apply to a DayZ server, but for anything that's connected to the internet in any way (especially servers).

Having a Linux server doesn't change anything, they're as simple to hack as Windows servers unless you know what you're doing.

So install a Firewall and configure it correctly, install an AV and run it at least once a week, and make sure user rights are set correctly so no one can ever reach administrator status without being on the system physically.

Typically exploits like the one mentioned here are vulnerabilities in the game/server engine itself, not in your actual server environment. AV or firewall might help prevent generic attacks but this one, and most from what I've seen, are just serious security holes either in ARMA or Battleye. A firewall's not going to prevent anything since the attack probably comes in through the same port the server uses for hosting the game. UNLESS you know your attacker's IP, that's a different story but any hacker that's not a complete idiot can get around that in an instant so that's not even a viable solution either.


KGoBlin:

This is not an exploit. It is a standard feature of the engine and a well-known issue that has long been dealt with for vanilla ARMA. The solution, as has been indicated, is simply not locating your configuration folder in the main folder of ARMA2. ARMA2 needs read and write access to the folder in order to load, read, and write to AddOns, not just DayZ.

I admit, that the welcome email uses a security through obscurity approach to solving this, namely, the renaming of the config to something random, but if that was done, no one was compromised. Any compromise that has happened, happened because people did not follow the information we have provided.

In order to deal with this *compliance* issue, we may rewrite the installation instructions to make sure people move the folder out of the ARMA2 root, but in the end, it is the responsibility of server admins to know something about the server software they host.

As previously said, this is not a new issue.


So moving the cfgdayz into a subdirectory like config/cfgdayz is enough?

Or does it have to be outside of server directory?


KGoBlin:

This is not an exploit. It is a standard feature of the engine and a well-known issue that has long been dealt with for vanilla ARMA. The solution, as has been indicated, is simply not locating your configuration folder in the main folder of ARMA2. ARMA2 needs read and write access to the folder in order to load, read, and write to AddOns, not just DayZ.

I admit, that the welcome email uses a security through obscurity approach to solving this, namely, the renaming of the config to something random, but if that was done, no one was compromised. Any compromise that has happened, happened because people did not follow the information we have provided.

In order to deal with this *compliance* issue, we may rewrite the installation instructions to make sure people move the folder out of the ARMA2 root, but in the end, it is the responsibility of server admins to know something about the server software they host.

As previously said, this is not a new issue.

That's definitely not an exploit then. It sounds like that config should have never ended up in the root directory to begin with if this was already known. You can't blame admins for not knowing something rocket apparently didn't even know at one point. Fortunately our host had the file out of the root directory when we purchased our managed server.

I find it interesting that people are liable for so many things in a game where almost everything is restricted. If my config file weren't in the right place, I wouldn't be able to move it even if I wanted to because our host has it locked down so it can't be tampered with, I'm assuming because they're afraid of getting their IP range banned for breaking all the rules set in place. Placing responsibility on the person furthest down on the totem pole seems to be pretty futile.


KGoBlin:

This is not an exploit. It is a standard feature of the engine and a well-known issue that has long been dealt with for vanilla ARMA. The solution, as has been indicated, is simply not locating your configuration folder in the main folder of ARMA2. ARMA2 needs read and write access to the folder in order to load, read, and write to AddOns, not just DayZ.

I admit, that the welcome email uses a security through obscurity approach to solving this, namely, the renaming of the config to something random, but if that was done, no one was compromised. Any compromise that has happened, happened because people did not follow the information we have provided.

In order to deal with this *compliance* issue, we may rewrite the installation instructions to make sure people move the folder out of the ARMA2 root, but in the end, it is the responsibility of server admins to know something about the server software they host.

As previously said, this is not a new issue.

Where does this leave server admins of hosted servers such as from HFB etc? We have zero control over the server file locations...

Also, does actually using the BErcon put more risk on the server than is already there? Is the use of BErcon in and of itself the risk or does the risk exist whether someone uses an rcon tool or not?

Isn't the risk the mere fact that the server files contain the rcon password, in other words the risk is the mere existence of the rcon password on the server due to the fact that the files containing the rcon password can be seen from their default locations?

Does BErcon have anything at all to do with the hacker actually gaining access to those files on the server?

Edited by chisel


how dafuq are people still being affected by this. This is server setup 101. Half of you expect to just throw up any old server and expect it to run 100%.

If you had actually read (yes... you have read something!) the arma 2 server documentation you would have seen the solution to this "problem" before you even started your server.

Believe it or not, running a server isn't as simple as installing the game. If your rcon password has been compromised then it's your own fault not BIS's or the dayz staff or anyone else.

The script to download server files is as old as arma itself, it's nothing new.

Edited by cm.


how dafuq are people still being affected by this. This is server setup 101. Half of you expect to just throw up any old server and expect it to run 100%.

If you had actually read (yes... you have read something!) the arma 2 server documentation you would have seen the solution to this "problem" before you even started your server.

Believe it or not, running a server isn't as simple as installing the game. If your rcon password has been compromised then it's your own fault not BIS's or the dayz staff or anyone else.

The script to download server files is as old as arma itself, it's nothing new.

Half the people running servers are running servers that were set up by HFB, Vilayer and Host Altitude. I don't think the blame for this being possible lies in the hands of the administrators that have rented these servers that were configured non-optimally. Also given that they're probably not all dedicated boxes, attempting to move outside the server root directory isn't exactly child's play for someone new to server administration.

These major host resellers are the ones to blame for most of these improper installations....because they did think it was as simple as installing the game and in some cases they won't allow their clients to have the access required to make the changes....and the hosts have damn sure not gotten on the ball with reconfiguring these file locations.


how dafuq are people still being affected by this. This is server setup 101. Half of you expect to just throw up any old server and expect it to run 100%.

If you had actually read (yes... you have read something!) the arma 2 server documentation you would have seen the solution to this "problem" before you even started your server.

Believe it or not, running a server isn't as simple as installing the game. If your rcon password has been compromised then it's your own fault not BIS's or the dayz staff or anyone else.

The script to download server files is as old as arma itself, it's nothing new.

Really? lol, who "dafuq" are you? If you were half as knowledgeable as you apparently like to think you are, you'd know that with hosted servers, not dedicated boxes, that users DO NOT have control over the file system.

Who here claimed to have had this happen? I have not. I'd just like to secure the server that I admin so this cannot happen.

Go puff your chest out and impress your friends somewhere else, there are real people in these forums that would like real help. If you can't offer real help I guess you can just keep spewing your trash mouth.


We've recently had to do this but since doing it the server now has waypoint/map markers turned on. It's set to regular in cfg and it's deffo reading the moved cfg file because it picks up the server name etc. Any ideas?


Hmmmm... on my dedicated server, I had previously moved, renamed, and read-only'd all of my configurations and BattlEye to an outside directory, and I am now unable to log on or use BEC to include local logins. If anyone knows how to fix this I would greatly appreciate it. Otherwise, it looks like I will be reloading everything.

Yes, my server was patched, updated, firewalled, AV'd, uses strong passwords, the whole 9 yards. I have also seen a couple DoSes, but was not severely affected.


That was an old hole that was fixed a while ago, you were probably one of the couple of hundred people that had their rcon login leaked on 4chan about a week or 2 ago

Not true. This happened to me today. I even have it in the server logs. Someone logged in last night on my server, logged into admin, and then restarted the server and changed the slot count. I got a message from Vilayer today that my server would be shut off until I reverted the slot count to 40. I was asleep and I'm the only one with my rcon password. Scanned my computer multiple times for any sign of like a keylogger or anything. It hasn't happened again, and I changed my password... but casey at vilayer told me the same thing, that there are scripts users can run for malicious intents that allow them to pull the beserver_active.cfg which contains the rcon password.

Let's hope this doesn't happen again.

