laramie

Possible hacker, banned on my server (Proof and GUID for other admins)

Ok so, standard stuff - player joined and teleported everyone on my server and made them dance. Dropped the server immediately to preserve my players then combed the logs. This is what I came up with:

RPT Log:

Player "scott" logs in @ coordinates 4725.94, 2975.5 @ 19:29:20

Player "scott" next updates @ coordinates 8426.33,2851.02 @ 19:30:16

Suspect teleport, seems obvious enough.

@ 19:31:20 all non-prone players on the server have the text "_dancingduoivan" appended to what I call their action string. This is the string sent with every update to the hive listed in the RPT log. It generally looks something like this:

19:31:13 "HIVE: WRITE: "CHILD:201:23710907:[]:[]:[]:[]:false:false:0:0:0:0:["Binocular_Vector","awoppercmstpsoptwbindnon_amovpercmstpsraswrfldnon",42]:0:0::0:" / 23710907"

And with the hack:

19:31:25 "HIVE: WRITE: "CHILD:201:23710907:[189,[4725.79,2957,0.00208282]]:[]:[]:[false,false,false,false,false,false,true,11793,[],[0.604047,0],0,[656.122,381.648]]:false:false:0:0:10:1:["Binocular_Vector","actspercmstpsnonwnondnon_dancingduoivan",42]:0:0::0:" / 23710907"

Since scott was the last person to log on prior to this event and showed what I would consider a teleport in the server log, I have banned his GUID. I have no confirmation that the grid numbers sent in hive updates are coordinates - this is just my understanding of the RPT data file. Anyone know for sure?

If you would like to ban the GUID from your server - here it is;

scott:

cae3ad112cb5a10a9f469aedfc820311

Edited by laramie
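The log review described in the post above can be scripted. The sketch below is an added example, not code from the thread or from the game's developers: it parses `CHILD:201` hive writes, flags implausible position jumps, and flags an animation state that appears on several characters at once. It assumes the field layout seen in the two quoted lines and, like the poster, that the bracketed pair is a map position; the thresholds, the `analyse` and `parse` names and the character ids 1001-1004 are hypothetical.

```python
import math
import re
from collections import defaultdict

# Field layout assumed from the two CHILD:201 lines quoted in the post above.
LINE_RE = re.compile(r'^(\d\d):(\d\d):(\d\d) "HIVE: WRITE: "CHILD:201:(\d+):(.*)" / \d+"$')
POS_RE = re.compile(r'^\[\d+,\[([\d.]+),([\d.]+),[-\d.e]+\]\]')  # [dir,[x,y,z]]
ANIM_RE = re.compile(r'\["[^"]*","([^"]*)",\d+\]')               # [item,anim,n]

def parse(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    h, mi, s, char_id, rest = m.groups()
    pos, anim = POS_RE.match(rest), ANIM_RE.search(rest)
    return {"t": int(h) * 3600 + int(mi) * 60 + int(s), "char": char_id,
            "pos": tuple(map(float, pos.groups())) if pos else None,
            "anim": anim.group(1) if anim else None}

def analyse(lines, max_speed=30.0, window=15, min_chars=3):
    """Return (jumps, mass_anims); thresholds are illustrative, lines in time order."""
    last_pos, last_anim = {}, {}
    jumps, changes = [], defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        c, t = rec["char"], rec["t"]
        if rec["pos"]:
            t0, p0 = last_pos.get(c, (t, rec["pos"]))
            dist = math.dist(p0, rec["pos"])
            if dist > max_speed * max(t - t0, 1):  # faster than max_speed units/s
                jumps.append((c, t, round(dist)))
            last_pos[c] = (t, rec["pos"])
        if rec["anim"]:
            if last_anim.get(c, rec["anim"]) != rec["anim"]:  # state changed
                changes[rec["anim"]].append((t, c))
            last_anim[c] = rec["anim"]
    mass = {a: sorted({c for t, c in h if t - h[0][0] <= window}) for a, h in changes.items()}
    return jumps, {a: cs for a, cs in mass.items() if len(cs) >= min_chars}

def _line(ts, cid, pos, anim):  # builds one constructed sample line
    return (f'{ts} "HIVE: WRITE: "CHILD:201:{cid}:{pos}:[]:[]:[]:false:false:0:0:0:0:'
            f'["Binocular_Vector","{anim}",42]:0:0::0:" / {cid}"')

IDLE, DANCE = "amovpercmstpsraswrfldnon", "actspercmstpsnonwnondnon_dancingduoivan"
SAMPLE = (  # constructed: ids 1001-1004 are made up, coordinates are the post's
    [_line("19:29:20", "1004", "[0,[4725.94,2975.5,0]]", IDLE),
     _line("19:30:16", "1004", "[0,[8426.33,2851.02,0]]", IDLE)]
    + [_line("19:31:13", c, "[]", IDLE) for c in ("1001", "1002", "1003")]
    + [_line("19:31:25", c, "[]", DANCE) for c in ("1001", "1002", "1003")])
```

`analyse(SAMPLE)` reports one jump for character 1004 and the dance animation on 1001-1003. A flagged jump or a mass animation change shows which characters were affected and when, not who caused it.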

Bump,

Anyone know the answer to this bit;

I have no confirmation that the grid numbers sent in hive updates are coordinates - this is just my understanding of the RPT data file. Anyone know for sure?


Dude, I don't think that's any kind of evidence.

There could be a hacker on your server who recently teleported "Scott" to another location. That's not Scott's fault. Of course Scott COULD be the hacker. What if he is the victim?

I also think everyone spawns in the "debug area" where nothing is around but endless open fields. Then after loading time and communication with the hive they might get "teleported" to their logout location. You could check if strange things like that occur to every other player joining your server. I don't run a server myself so I don't have the possibility to check.

This happens to me, sometimes I see the background while loading, me and some others (unarmed players who recently joined the server) are in that debug area just standing around and disappearing after a few seconds (when loading and communication with the hive is done). That could be some sort of "legit" teleport.

Edited by ForbiddenArtist

Yea, we considered that as well - but felt the teleport coupled with the timing of his login and the hack was suspicious.

I understand what you're saying but scott was a new player to the server, that was his first log in - so if I have banned him wrongly he has lost nothing (no vehicles, tents, etc.)


Yeah I feel ya there Laramie. It can be tough to admin these servers. You have to do it to try and keep the integrity of the game though. I banned a guy a few days back that was teleporting and setting satchel charges everywhere, had enough proof in my eyes to ban the guy from logs and considering there were 10 people on the server at the time and I was talking to 9 of them. I just don't understand how teleporting around and shooting people in the back can be fun.


I also think everyone spawns in the "debug area" where nothing is around but endless open fields. Then after loading time and communication with the hive they might get "teleported" to their logout location.

We confirmed this was not the case with scott. The debug area is not the first grid update when a player logs in, the first update is their actual in-game location.


If that's the only evidence you have, it's pretty circumstantial. Did you see if anyone else had the same coordinates that he was transported to at the time he was transported there? Was anyone else transported there with him? Those coordinates could have been the location that the hacker pulled everyone to. I think you overstepped your bounds in banning a "possible" hacker - you shouldn't ban unless you are 100% certain and have verifiable video/screenshot proof.


If that's the only evidence you have, it's pretty circumstantial. Did you see if anyone else had the same coordinates that he was transported to at the time he was transported there? Was anyone else transported there with him? Those coordinates could have been the location that the hacker pulled everyone to. I think you overstepped your bounds in banning a "possible" hacker - you shouldn't ban unless you are 100% certain and have verifiable video/screenshot proof.

It is pretty circumstantial, however given the current climate of hackers I think less leeway is a wiser approach. He logged in at one location, teleported to another, then everyone else on the server started dancing and teleported to a third location (not near him). One other player was near his starting location (a fellow server admin), no one was near his teleport location.


We did some further research on this, trying to find out who initiated the dancingduoivan action and then the mass teleport. We found that scott had the same IP as another player who we had just killed (player by the name of "sk8riddlebox"). Also, in our scripts.log file, there's some type of script "call number" that's appended to every action. #107 is the most common one. There's some different ones (player deaths etc). Every player that was mass teleported was appended with the call number #37. Of course we could be wrong, but we assume script #37 is teleport. Doing a quick Ctrl+F for "#37" shows that, besides the mass teleport, there's only 4 other instances in the entire 48mb file of code, and two of these lines were appended to "sk8riddlebox" just prior to the mass teleport.

His location:

10373.4,2233.09,4.98883

The mass teleport location:

10358.8,2244.8,8.99813

Ever hear of a hacker teleporting players somewhere and then massacring them? There ya go.

Edited by girthbrooks
