
DayZ Anti-Hax - a very simple server-side console application for automatically banning hackers in DayZ


I've been meaning to reply to your post earlier but I've been a little busy. We still haven't implemented Anti-Hax on our server BUT I see a large potential problem for admins who have this weekend. A cheater came on one of our servers and remotely executed cheats on ALL of our players resulting in the following logs for ALL players:

24.08.2012 10:27:18: USERNAME (IP) GUID - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: USERNAME (IP) GUID - #122 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: USERNAME (IP) GUID - #97 "if (isnil ("bInvisibleOn")) then {reyalPyMtcejbo hideObject true;};"

Later the last line was replaced with this

24.08.2012 10:31:15: USERNAME (IP) GUID - #20 "
if (isServer) then {
_dsasadsa = createVehicle ['M1030', [554.713, 3819.73, 0], [], 0, 'CAN_COLLIDE'];
_dsasadsa setVariable"

I assume this would have triggered bans for every player logged if I was running AH on our server so hopefully this helps you guys. There were reports of mass deaths and all vehicles being teleported into the ocean.

If the first block of stuff you posted was in scripts.log (i.e. what appeared to be from all players), which I strongly suspect it was based on what you've explained in your post, anyone who uses this tool is fine, as the parser does not ever read/write from/to scripts.txt or scripts.log. At this time, only remoteexec.log and createvehicle.log are parsed for hacker activity. In other words, I appreciate your concern, but I can assure you DayZ Anti-Hax is immune to silly attempts by script kiddies like this.

Edited by GreyEcho


If the first block of stuff you posted was in scripts.log (i.e. what appeared to be from all players), which I strongly suspect it was based on what you've explained in your post, anyone who uses this tool is fine, as the parser does not ever read/write from/to scripts.txt or scripts.log. At this time, only remoteexec.log and createvehicle.log are parsed for hacker activity. In other words, I appreciate your concern, but I can assure you DayZ Anti-Hax is immune to silly attempts by script kiddies like this.

NP just trying to help but wow that's a major blind spot IMO, I didn't realize you were bypassing those logs. Between the object flood detection issues and this I think we'll wait for the solution to mature some more and continue to follow your progress.


NP just trying to help but wow that's a major blind spot IMO, I didn't realize you were bypassing those logs. Between the object flood detection issues and this I think we'll wait for the solution to mature some more and continue to follow your progress.

A blind spot? You just provided a perfect example yourself of why parsing scripts.log can be quite dangerous, which is why my parser doesn't do it. Also, the log flooding detection can be turned off simply by changing a value in the included configuration file, it's just turned on by default as I've never had a problem with it.

Edited by GreyEcho


A blind spot? You just provided a perfect example yourself of why parsing scripts.log can be quite dangerous, which is why my parser doesn't do it. Also, the log flooding detection can be turned off simply by changing a value in the included configuration file, it's just turned on by default as I've never had a problem with it.

Yes, this is the first case we've ever encountered falsified entries due to remote executions in this log. Quite dangerous IMO is Object Flood Detection in its current form, automated createvehicle parsing due to remote execution of morphs on players, or remoteexec parsing now that cheaters are spoofing BIS_Effects. I hope custom filters take these things into consideration. We're all working towards the same goal, and your hard work is appreciated. I look forward to the continued efforts of our community developers towards a robust solution.

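As an added illustration of the concern discussed in the posts above (this is not code from DayZ Anti-Hax or from anyone in the thread): before banning from a log, a parser can check whether one payload was logged against many GUIDs at almost the same moment, as in the quoted excerpt, and hold those GUIDs for manual review. The entry layout is taken from the lines quoted in the first post; the sample log, the function names and the `window` and `max_guids` thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entry header as quoted in the first post: DD.MM.YYYY HH:MM:SS: NAME (IP) GUID - #N "payload
HEADER = re.compile(
    r'^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (.+?) \((\S+)\) (\S+) - #(\d+) "(.*)$')

# Constructed sample: names, addresses and GUIDs are placeholders.
SAMPLE_LOG = '''24.08.2012 10:27:18: PlayerA (192.0.2.10) GUID_A - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: PlayerB (192.0.2.11) GUID_B - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:19: PlayerC (192.0.2.12) GUID_C - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 11:02:40: PlayerD (192.0.2.13) GUID_D - #20 "_v = createVehicle ['M1030', [0, 0, 0], [], 0, 'CAN_COLLIDE'];"
'''

def parse_entries(text):
    """Return (time, guid, filter_id, payload) tuples; a payload may span lines."""
    raw = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S")
            raw.append([ts, m.group(4), int(m.group(5)), m.group(6)])
        elif raw:
            raw[-1][3] += " " + line  # continuation of the previous payload
    # Collapse whitespace and drop the closing quote so equal payloads compare equal.
    return [(ts, guid, fid, " ".join(p.split()).rstrip('" '))
            for ts, guid, fid, p in raw]

def triage(entries, window=timedelta(seconds=5), max_guids=3):
    """Split GUIDs into (ban_candidates, held_for_review): one payload seen for
    max_guids or more distinct GUIDs within `window` is held, never auto-banned."""
    groups = defaultdict(list)
    for ts, guid, fid, payload in entries:
        groups[(fid, payload)].append((ts, guid))
    ban, held = set(), set()
    for hits in groups.values():
        mass = any(
            len({g for t, g in hits if timedelta(0) <= t - start <= window}) >= max_guids
            for start, _ in hits)
        (held if mass else ban).update(g for _, g in hits)
    return ban - held, held
```

A GUID that shows up in any mass event stays out of the automatic ban set even if it also has an isolated hit, so the held set is what an admin would review by hand.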

Hi guys.

I want to install Anti Hax on my server but I have a problem.

It said "You have not the permission" when I want to upload the program.

Is there someone who had the same thing? My host is Host Altitude.

Thx a lot.


Hi guys.

I want to install Anti Hax on my server but I have a problem.

It said "You have not the permission" when I want to upload the program.

Is there someone who had the same thing? My host is Host Altitude.

Thx a lot.

I guess you have a managed server.

This won't work with managed servers.

You need to have a dedicated machine with remote access.


Hi guys.

I want to install Anti Hax on my server but I have a problem.

It said "You have not the permission" when I want to upload the program.

Is there someone who had the same thing? My host is Host Altitude.

Thx a lot.

You should submit a support ticket to your host explaining what you're looking to do and including links to this thread as well as our Google Code page, which includes a download link and instructions/usage guide. It is possible to use this solution under a managed server and not a dedicated one as long as your provider is willing to do so, as the solution is entirely automated when used in conjunction with BattlEye Extended Controls (BEC), as explained in the installation instructions.

Edited by GreyEcho


I'm completely new to running a server, so please bear with me.

I've had two players who are being banned over and over, I've deleted their names from the bans.txt, createvehicle.log and remoteexec.log but they keep getting added to the ban list over and over.

How do I get them off the ban list?

Edited by lingo


I'm completely new to running a server, so please bear with me.

I've had two players who are being banned over and over, I've deleted their names from the bans.txt, createvehicle.log and remoteexec.log but they keep getting added to the ban list over and over.

How do I get them off the ban list?

First off, stop the DayZ Anti-Hax parser, then proceed to do as you did before, removing the applicable entries in bans.txt and remoteexec.log and/or createvehicle.log according to what got those users banned, which is listed in DayZAntiHax.log. After you've done this, restart the parser. If they are still banned, you've done something wrong. If they are banned *again* as soon as they join or something, which is entirely different, check DayZAntiHax.log for the time, date and log file to look in to see what's getting them banned and report that to me either here or in a private message and I'll try to help you out.


Could it be that AntiHax doesn't work with the new ArmA2OA Patch 96476? I have illegal items in the createvehicle.log but these seem not to be recognized by AntiHax.


Could it be that AntiHax doesn't work with the new ArmA2OA Patch 96476? I have illegal items in the createvehicle.log but these seem not to be recognized by AntiHax.

This is certainly possible as it hasn't been updated in some time, however I would strongly advise only using the file I include with each major release of DayZ Anti-Hax. Using filters from anywhere else, including the DayZ Community Banlist, can result in false-positives and other unintended consequences. It is, however, safe to use any scripts.txt file you please, as neither scripts.txt nor scripts.log is touched in any way by my parser.

I'm quite busy as of late and probably won't have time to look into any such issues for a while. The solution is open-source, so I would appreciate it if someone who knows C# and is familiar with advanced DayZ server administration could take over things for now...


This is certainly possible as it hasn't been updated in some time, however I would strongly advise only using the file I include with each major release of DayZ Anti-Hax. Using filters from anywhere else, including the DayZ Community Banlist, can result in false-positives and other unintended consequences. It is, however, safe to use any scripts.txt file you please, as neither scripts.txt nor scripts.log is touched in any way by my parser.

I'm quite busy as of late and probably won't have time to look into any such issues for a while. The solution is open-source, so I would appreciate it if someone who knows C# and is familiar with advanced DayZ server administration could take over things for now...

I could do the C# part but I am not really familiar with parsing logs.

Someone else would need to make the filters.


Thanks guys. I would be very thankful if this tool stays alive :)


keep this app alive!

we need fixes for the "Remote Code Execution" bans. Besides that this app works great.


Seems I'm gettin a lot of ppl bypassing the whole program somehow, they manage to spawn stuff that's entered into objects.lst.

Just wanna confirm if this is happening to someone else?


This is certainly possible as it hasn't been updated in some time, however I would strongly advise only using the file I include with each major release of DayZ Anti-Hax. Using filters from anywhere else, including the DayZ Community Banlist, can result in false-positives and other unintended consequences. It is, however, safe to use any scripts.txt file you please, as neither scripts.txt nor scripts.log is touched in any way by my parser.

I'm quite busy as of late and probably won't have time to look into any such issues for a while. The solution is open-source, so I would appreciate it if someone who knows C# and is familiar with advanced DayZ server administration could take over things for now...

There it is. Whoever picks up the development please post accordingly or msg me if you get a chance.


keep this app alive!

we need fixes for the "Remote Code Execution" bans. Besides that this app works great.

Yes, remote code execution is a big problem. I got a ban for this.

Assuming DayZ Anti-Hax has been installed properly, it could be related to this issue posted about a week ago, in which case I fear there's very little that can be done until the BattlEye guys step up their game yet again, because it seems the script kiddies might be one step ahead of us (again).

Seems I'm gettin a lot of ppl bypassing the whole program somehow, they manage to spawn stuff that's entered into objects.lst.

Just wanna confirm if this is happening to someone else?

I'd be surprised if this was true. Are you seeing the items appear in createvehicle.log and they just aren't being banned or does stuff not appear in the log and you're seeing the items in-game? If it's the latter, I'm afraid there's very little me or anyone else can do...


I'm getting honest regular players being kicked from my server on a false positive "object access flooding". Any ideas what this is, what causes it, and how to fix it?

Edited by TheWeedMan


I'm getting honest regular players being kicked from my server on a false positive "object access flooding". Any ideas what this is, what causes it, and how to fix it?

'Object Access Flooding' detection is an experimental feature that may result in false-positives during heavy desync and when clients are executing many actions at once. Any servers frequently encountering this issue are advised to disable the feature by editing DayZ Anti-Hax's 'config.cfg' file and setting 'shouldCheckForFlooding' to 'false' instead of 'true' (it is enabled by default). Keep in mind this will make you more susceptible to hackers though.


I'd be surprised if this was true. Are you seeing the items appear in createvehicle.log and they just aren't being banned or does stuff not appear in the log and you're seeing the items in-game? If it's the latter, I'm afraid there's very little me or anyone else can do...

Sad to say it is the latter, no traces whatsoever in logs.

Now a freshly spawned player with full loadout is a dead giveaway, but when you are gettin like 10 of these cheaters an hour it sucks.

And they don't spawn stupid crap either, just items within DayZ parameters, so unless you're actively looking at each new player in the db you might miss it and if someone's been playing for 5min then you can't really be sure they haven't gotten their stuff legit :(

Well doesn't matter, I just wanted to make sure I hadn't fucked something up, not that I thought so cause I'm still gettin a few bans in on stupid skiddies who try to spawn all kinds of vehicles/artillery and really stupid stuff. ^^


http://forums.bistud...ogging-Blocking

Check out the new publicvariable.txt blocking at the bottom of the first post.

I'm not actively developing DayZ Anti-Hax at the moment, but seeing as this appears to be a new feature with one of the latest beta patches, it should take some time for servers to transition over to this anyway. This is definitely something I'd like to see considered for a future release though...I just haven't been monitoring my server or keeping up with DayZ in general as of late, so I don't feel comfortable fiddling around with my own source code at this point. Great suggestion though, thank you -- hopefully someone else has a look at it in the meantime.


I do not know how scripting in Arma works and how it is used in DayZ. But I have a question: why do you make a database of illegal scripts? I imagine that it should be more productive to make a database of valid scripts (RegExp can be used) and then ban everything that is not in it.

Or did I miss something?


I run a private hive and have been using your tool. I recently installed an anti-cheat fsm to my mission file which appears to have ejected me from my helo when I flew over the border. Subsequently, DayZ Anti-Hax banned me and loaded my GUID into the community banfile. How do I get this removed?

Never mind, I got myself off - missed a second remote exec hit in the log.

Edited by SuperTuck
