cm. (DayZ)

New Major BattlEye Anti-Cheat Features


What do you mean "eliminate?" Ban? Sure.

Eliminate it from going to the Script.txt. Not sure if I should just "//" #132 and leave myself open or not.


Eliminate it from going to the Script.txt. Not sure if I should just "//" #132 and leave myself open or not.

Erm he's scripting a vehicle in, why would you want to ignore it?

  • Like 1


Erm he's scripting a vehicle in, why would you want to ignore it?

We have a location on a list or something for these "Not sure but..." instances?? Would really help.

Also why did this not show up in the Createvehicles.log?

Edited by Falcon911


Erm he's scripting a vehicle in, why would you want to ignore it?

Uh?? You mean #125.... not #132..


We have a location on a list or something for these "Not sure but..." instances?? Would really help.

Also why did this not show up in the Createvehicles.log?

Normally because the string to search for such an instance hasn't been added to the createvehicle.txt file. Dwarden's files are good, but as you get more and more used to them, you'll find you will customize them.


So I understand it remoteexec.log and the rpt file are the ones to watch.

They each serve their own purpose; this is an older post of mine:

There are multiple logs now:

cfgdayz\

arma2oaserver.RPT - Was gimped and doesn't provide much more than supplemental information.

cfgdayz\BattlEye\

scripts.log - Execution log based on respective .txt, if cheater is utilizing a BE bypass then there won't be anything here.

createvehicle.log - Spawn log based on respective .txt, you'll be looking for the entries listed with a 5 in front from the .txt file.

remoteexec.log - Remote Execution/Spawn log based on respective .txt, basically ban anything here except BIS_Effects.

YOURBECDIR\

Be_YYYY-MM-DD - BattlEye Extended Controls log, basically incident reporter. Think of it as a catchall, combines events from scripts, createvehicle, and remoteexec .log files.

You should look into renaming and relocating directories to further secure your server. I'd recommend Cheat Finder by disorder if you didn't have BEC installed at the time of the incident.

*.RPT - Good for login, disconnect, initial gear, and deaths.

3x BE *.log - Are all pretty empty now, you'll only catch basic/public script kiddies, and *.sqf gear injectors in here now.

BEC - A catch all. We use this to track the effectiveness of the CBL bans, restriction kicks, and compare its output against the *.rpt and createvehicle.log for suspicious activity.

Unfortunately many cheaters have evolved and adapted to circumvent the current countermeasures.
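A triage pass over remoteexec.log following the rule of thumb in the post above, added here as an example and not part of the original post: it parses entries in the `date time: name (ip:port) guid - #N "code"` layout quoted in this thread, sets aside pure `BIS_Effects` calls, and groups everything else by GUID. The sample lines, player names, addresses and GUIDs are constructed.

```python
import re
from collections import defaultdict

# Layout of the entries quoted in this thread:
# DD.MM.YYYY HH:MM:SS: name (ip:port) guid - #N "code"
ENTRY = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (?P<name>.+) '
    r'\((?P<addr>[^)]*)\) (?P<guid>\S+) - #(?P<rule>\d+) "(?P<code>.*)"\s*$'
)

# The one exception named in the post. The whole payload has to be a single
# "[this, ...] spawn BIS_Effects_*" call; a payload that merely contains the
# string is still reported.
BENIGN = re.compile(r'\[this(?:\s*,[^\[\];]*)?\]\s*spawn\s+BIS_Effects_\w+;?')

def triage(lines):
    """Return ({guid: [(ts, name, code), ...]}, benign_count, unparsed_lines)."""
    suspects, benign, unparsed = defaultdict(list), 0, []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        m = ENTRY.match(line)
        if m is None:
            unparsed.append(line)      # never drop what the parser cannot read
        elif BENIGN.fullmatch(m['code'].strip()):
            benign += 1
        else:
            suspects[m['guid']].append((m['ts'], m['name'], m['code']))
    return dict(suspects), benign, unparsed

# Constructed sample (names, addresses and GUIDs are made up).
SAMPLE = [
    '05.09.2012 21:28:35: Alice (192.0.2.10:2304) guid-aaaa - #0 "beeeh = this"',
    '05.09.2012 21:53:15: Bob (192.0.2.11:2304) guid-bbbb - #0 "[this] spawn BIS_Effects_AirDestruction"',
    '05.09.2012 21:53:24: Bob (192.0.2.11:2304) guid-bbbb - #0 "[this, 8.34463, 21965.1,false,true]spawn BIS_Effects_Burn"',
    '05.09.2012 21:54:02: Alice (192.0.2.10:2304) guid-aaaa - #0 "_spawnAIS = this; [this] spawn BIS_Effects_Burn"',
    'truncated line without the expected fields',
]

if __name__ == '__main__':
    suspects, benign, unparsed = triage(SAMPLE)
    for guid, entries in suspects.items():
        print(guid, len(entries), sorted({code for _, _, code in entries}))
    print('benign:', benign, 'unparsed:', len(unparsed))
```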


Well, look at the bright side - at least I get kicked by BE when I crash or blow up a chopper.


Well, look at the bright side - at least I get kicked by BE when I crash or blow up a chopper.

This is a known issue. When I see these "helicopter crash" entries in remoteexec.log, I mostly unban these people.


Very cool.

http://forums.bistud...l=1#post2219646

If anyone has a chance to cook one of these (publicvariable.txt) up for DayZ and/or DayZ Lingor a link would be much appreciated.

This thread (http://dayzmod.com/forum/index.php?/topic/80719-psa-false-remote-execution-on-players-whatisthis-long-weekend-incoming/) would be a good start for entries. I'm sure Dwarden or someone at BIS will compile an official list soon and post it on the CBL (https://code.google.com/p/dayz-community-banlist/source/browse/#git%2Ffilters). We're testing a custom file based on the false remote executions we've seen and publicly available griefing attempts.


Ok,

I don't have the logs as I'm not home atm, but I've been getting something to this effect in my logs.

beeeh = this

mysheep = this

I have a few entries along those lines, using nothing but those 2 exact codes, they show up in my createvehicle.log.

Any idea what these are? I feel like they might be stealth code executions.

EDIT: OK, so here are some examples. There has to be something going on here, as it is happening very frequently, and I'm noticing more and more heli crashes before restarts. Must be a new method of spawning vehicles.


05.09.2012 21:27:50: player (ip) guid - #0 "_spawnAIS = this;"
05.09.2012 21:28:00: player (ip) guid - #0 "_spawnAIS = this;"
05.09.2012 21:28:03: player (ip) guid - #0 "_spawnAIS = this;"
05.09.2012 21:28:06: player (ip) guid - #0 "_spawnAIS = this;"
05.09.2012 21:28:07: player (ip) guid - #0 "_spawnAIS = this;"
05.09.2012 21:28:10: player (ip) guid - #0 "_spawnAIS = this;"
05.09.2012 21:28:35: player (ip) guid - #0 "beeeh = this"
05.09.2012 21:53:15: player (ip) guid - #0 "[this] spawn BIS_Effects_AirDestruction"
05.09.2012 21:53:20: player (ip) guid - #0 "[this, 8.34463, 21965.1]spawn BIS_Effects_AirDestructionStage2"
05.09.2012 21:53:24: player (ip) guid - #0 "[this, 8.34463, 21965.1,false,true]spawn BIS_Effects_Burn"

Considering that [this] is called for in the crash, I believe that the above * = this is referring to spawning a heli by some means.

Thoughts?

Edited by Nava


old old classic code : beeh = this is part of a script to spawn a chopper.

PLEASE go to ADMINZ forum.


Hi Chaps,

Using the CBL filters I have several instances of the following entry in my scripts.log:

03.09.2012 02:28:53: PLAYER_NAME (IP:PORT) GUID - #197 "rivate ["_dummy"]; _dummy = [_this,"players"] execVM "\ca\ui\scripts\dedicatedServerInterface.sqf";"

I've noticed the typo "rivate" as opposed to "private" for similar entries such as:

02.09.2012 12:11:59: PLAYER_NAME (IP:PORT) GUID - #122 "private ['_dummy']; _dummy = [_this,'onload'] call compile preprocessfile '\ca\ui\scripts\server_interface.sqf';"

I still can't fathom out how to work out which line #197 refers to in my scripts.txt due to the whole commented + thing, so given that I'm having a blonde moment, can anyone tell me if the line with the typo is nothing to worry about?

Cheers

Edited by icetbag


That's just people (accidentally) opening the Server Control menu and getting kicked for it. It's mostly nothing to worry about, but there's also an RCON password retrieval exploit, so it just kicks by default to be on the safe side.

  • Like 1


Any idea what this means guys:

Script Restriction #123 "player_medMorphine" = {

_whatIsThis = compile fap_fnExec; call _whatIsThis;

sleep 2;

This is in the public variable logs.


Any idea what this means guys:

Script Restriction #123 "player_medMorphine" = {

_whatIsThis = compile fap_fnExec; call _whatIsThis;

sleep 2;

This is in the public variable logs.

The new log is for remote code executions, so I'm assuming it means someone is using external "aids" to supply morphine.


I've just updated my scripts and it has been spamming publicvariables.txt with (presumably innocent) stuff from all players.

http://pastebin.com/aK6EnQBX

Edit: I found the comment ("logs are more spammy but quite informative, until future BE improvements it needs to be visible") that came with the change. I don't see how this is informative or even needed when 99% of the log is regular behaviour.

Edited by Frop


These came from the new setpos.txt. A lot of people either died or disconnected shortly after and all our vehicles were gone too (hugging the ocean floor I guess). Wouldn't it make sense to kick for every entry in this filter?


15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:185 [10108,2813,43]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:196 [10111,2807,42]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:176 [10111,2798,41]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:170 [10062,2838,54]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:171 [10133,2829,36]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:172 [10124,2786,39]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:173 [10105,2802,43]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:174 [10098,2836,44]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:175 [10098,2816,44]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:177 [10079,2805,49]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:178 [10068,2794,51]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:179 [10118,2801,39]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:180 [10086,2836,46]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:181 [10118,2784,40]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:182 [10081,2804,49]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:183 [10068,2793,52]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:184 [10075,2803,51]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:187 [10087,2813,47]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:188 [10129,2848,36]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:189 [10099,2821,44]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:190 [10117,2823,39]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:191 [10089,2835,46]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:192 [10112,2848,40]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:193 [10107,2811,42]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:194 [10124,2828,37]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:195 [10131,2820,36]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:197 [10088,2794,48]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:198 [10087,2828,47]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:199 [10097,2824,45]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:200 [10063,2805,53]
15.09.2012 14:47:44: DleseMur (<hidden>) <hidden> - 2:201 [10119,2786,40]
15.09.2012 14:49:49: DleseMur (<hidden>) <hidden> - 45:427 [-10000,-10000,100]
15.09.2012 14:49:49: DleseMur (<hidden>) <hidden> - 50:148 [-10000,-10000,100]
15.09.2012 14:49:49: DleseMur (<hidden>) <hidden> - 48:109 [-10000,-10000,100]
15.09.2012 14:49:49: DleseMur (<hidden>) <hidden> - 54:84 [-10000,-10000,100]
15.09.2012 14:49:49: DleseMur (<hidden>) <hidden> - 55:4 [-10000,-10000,100]
15.09.2012 14:49:54: DleseMur (<hidden>) <hidden> - 45:427 [-10000,-10000,100]
15.09.2012 14:49:54: DleseMur (<hidden>) <hidden> - 50:148 [-10000,-10000,100]
15.09.2012 14:49:54: DleseMur (<hidden>) <hidden> - 48:109 [-10000,-10000,100]
15.09.2012 14:49:54: DleseMur (<hidden>) <hidden> - 54:84 [-10000,-10000,100]
15.09.2012 14:49:54: DleseMur (<hidden>) <hidden> - 55:4 [-10000,-10000,100]

Edited by Frop
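The pattern visible in the setpos.log excerpt above (one sender moving dozens of objects in the same second, then objects sent to `[-10000,-10000,100]`) can be pulled out of a large log mechanically. This is an added example, not part of the original post; it assumes the `2:185` field identifies the moved object, and the `burst` threshold and `map_size` (map edge in metres) are assumed tuning values. The sample lines are constructed.

```python
import re
from collections import defaultdict

# Layout of the setpos.log lines quoted above:
# DD.MM.YYYY HH:MM:SS: name (addr) guid - id [x,y,z]
NUM = r'-?\d+(?:\.\d+)?'
SETPOS = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (?P<name>.+) '
    r'\((?P<addr>[^)]*)\) (?P<guid>\S+) - (?P<obj>\d+:\d+) '
    rf'\[(?P<x>{NUM}),(?P<y>{NUM}),(?P<z>{NUM})\]\s*$'
)

def review_setpos(lines, burst=5, map_size=15360):
    """Flag senders that move many distinct objects within one second or move
    an object outside the map square. burst and map_size are assumed values."""
    per_second = defaultdict(set)   # (guid, ts, name) -> ids moved in that second
    findings = {}

    def entry(guid, name):
        return findings.setdefault(guid, {'name': name, 'bursts': [], 'off_map': set()})

    for line in lines:
        m = SETPOS.match(line.strip())
        if m is None:
            continue
        per_second[(m['guid'], m['ts'], m['name'])].add(m['obj'])
        x, y = float(m['x']), float(m['y'])
        if not (0 <= x <= map_size and 0 <= y <= map_size):
            entry(m['guid'], m['name'])['off_map'].add(m['obj'])
    for (guid, ts, name), objs in per_second.items():
        if len(objs) >= burst:
            entry(guid, name)['bursts'].append((ts, len(objs)))
    return findings

# Constructed sample in the same layout (names, addresses, GUIDs made up).
A = '(192.0.2.10:2304) guid-aaaa'
SAMPLE = [f'15.09.2012 14:47:44: PlayerA {A} - 2:{n} [10100,2800,43]' for n in range(170, 176)]
SAMPLE += [
    f'15.09.2012 14:49:49: PlayerA {A} - 45:427 [-10000,-10000,100]',
    f'15.09.2012 14:49:49: PlayerA {A} - 50:148 [-10000,-10000,100]',
    f'15.09.2012 14:49:54: PlayerA {A} - 45:427 [-10000,-10000,100]',
    '15.09.2012 14:48:10: PlayerB (192.0.2.11:2304) guid-bbbb - 3:12 [6770,2521,6]',
]

if __name__ == '__main__':
    for guid, f in review_setpos(SAMPLE).items():
        print(guid, f['name'], f['bursts'], sorted(f['off_map']))
```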


Had someone on my DAYZ server a few days ago that somehow moved ALL vehicles to the beach and upset the people using them at the time!

Only saw lines like this in the BE log:


09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:01 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:02 INFO [main] dayz_1.Chernarus command E: call updIH(239, '[["wheel_1_1_steering",1],["wheel_1_2_steering",1],["wheel_2_1_steering",1],["wheel_2_2_steering",1],["motor",1],["palivo",1],["glass1",1],["glass2",1],["glass3",1],["glass4",1]]', 1)
09/13/12 19:01:02 INFO [main] dayz_1.Chernarus command E: call updIH(146, '[["karoserie",1],["palivo",1],["Pravy predni tlumic",1],["Pravy zadni tlumic",1]]', 1)
09/13/12 19:01:02 INFO [main] dayz_1.Chernarus command E: call updIH(146, '[["karoserie",1],["palivo",1],["Pravy predni tlumic",1],["Pravy zadni tlumic",1]]', 1)
09/13/12 19:01:02 INFO [main] dayz_1.Chernarus command E: call updIH(146, '[["karoserie",1],["palivo",1],["Pravy predni tlumic",1],["Pravy zadni tlumic",1]]', 1)
09/13/12 19:01:02 INFO [main] dayz_1.Chernarus command E: call updIH(146, '[["karoserie",1],["palivo",1],["Pravy predni tlumic",1],["Pravy zadni tlumic",1]]', 1)

Going on for tens of thousands of lines across 5 log files each 10MB long....!!

No idea who did this as there was nothing else in the logs!! :(

Any idea how I can stop this happening again?

I had to do a DB restore from the previous evening.

Oh hum...

Edited by quatermass


Mostly seems like these hackers are teleporting/creating vehicles now. Most of the hacking in weapons I am catching.


So the .txt files are always loaded when the server restarts, or I load them with "loadScripts" and I don't need to add something to have them working, right?

And can you tell me what this means in the scripts.log?

16.09.2012 12:14:48: El_DIABLO (xxxxxx:2304) xxxxxxxxxxxxxx - #82 "skipTime random -2;

and in the createvehicles.log:

15.09.2012 16:04:48: Slayer (xxxx:2304) xxxxxxxxxxxxxxxxxxxx - #0 "Hedgehog_DZ" 59:370 [6770,2521,6]

Edited by aenima


Guys,

Is anyone else having trouble using the later versions of scripts.txt? Every time I use one of the versions found on http://code.google.c...se/#git/filters my server starts kicking all the players who are logged in with script restriction #41 and #45.

Now when looking at line #41 it should not even result in a kick

1 setCurrentTask !"\"setCurrentTask\"," !"rsetCurrentTask = 'setCurrentTask'" !"rsetCurrentTaskcode = compile PreprocessFile (BIS_PathMPscriptCommands + 'setCurrentTask.sqf')" !"rsetCurrentTaskArrays = 'setCurrentTaskArrays'" !"rsetCurrentTaskArrayscode = compile PreprocessFile (BIS_PathMPscriptCommands + 'setCurrentTaskArrays"

I'm a bit lost here and wondering if any of you have encountered the same problem and if so how did you solve it?

Edited by tickle_me_jesus


Oh damn, I just copied it over on the server and didn't back up the older version, hopefully it won't kick the players then?! Perhaps you should disable that line.


Oh damn, I just copied it over on the server and didn't back up the older version, hopefully it won't kick the players then?! Perhaps you should disable that line.

Yes, that is what I wanted to do, but 'script restriction #41' can't be pointing to that line because it is kicking players. Line 41 in scripts.txt has a 1 in front of it, meaning it only logs. The problem for me is reading the script.txt file, because with all the // lines I really can't find out which line is which. Strange that nobody else is experiencing this problem though.

I must be doing something wrong
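A helper for the lookup problem raised several times in this thread (which filter a `#N` restriction points at once `//` lines are mixed in), added here as an example and not part of any post. It assumes restriction numbers are zero-based and count only filter lines, skipping blank and `//` lines, and that the leading number is a bit field (1 log to file, 2 log to console, 4 kick); the sample filter file is constructed.

```python
# Assumptions, not stated in the thread: restriction numbers are zero-based and
# count only filter lines (blank lines and lines starting with "//" get no
# number), and the leading number is a bit field.
ACTION_BITS = ((1, 'log to file'), (2, 'log to console'), (4, 'kick'))

def index_filters(text):
    """Return {restriction_no: (file_line_no, action, pattern)}."""
    table = {}
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith('//'):
            continue                      # comments and blanks get no number
        head, _, pattern = line.partition(' ')
        action = int(head) if head.isdigit() else None
        table[len(table)] = (line_no, action, pattern)
    return table

def describe(table, restriction):
    """Explain what restriction #N points at and whether it kicks."""
    line_no, action, pattern = table[restriction]
    effects = [name for bit, name in ACTION_BITS if action and action & bit]
    return {'line': line_no, 'effects': effects,
            'kicks': 'kick' in effects, 'pattern': pattern}

def shifted(old_text, new_text):
    """Restriction numbers that point at a different filter after an update."""
    old, new = index_filters(old_text), index_filters(new_text)
    return sorted(n for n in old.keys() & new.keys() if old[n][1:] != new[n][1:])

# Constructed sample, not a real filter set.
SAMPLE = '''\
// constructed sample, not a real filter set
5 createVehicle
//1 disabledFilter

1 setCurrentTask !"rsetCurrentTask = 'setCurrentTask'"
5 skipTime
'''
# Same file with the commented-out filter enabled: later numbers move by one.
UPDATED = SAMPLE.replace('//1 disabledFilter', '1 disabledFilter')

if __name__ == '__main__':
    table = index_filters(SAMPLE)
    for n in table:
        print(f'#{n}', describe(table, n))
    print('numbers that changed meaning after the update:', shifted(SAMPLE, UPDATED))
```

A kick reported as `#41` should be looked up in the filter file that was loaded when the kick happened, since any added or uncommented line renumbers every filter after it.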
