(OCN)Vortech

PSA: False Remote Execution on Players - _whatIsThis - Long weekend incoming


Keep an eye out for spam in your scripts.log this weekend; we had a visit from a cheater on one of our servers. There were reports of mass deaths and all vehicles being teleported to a remote location in the ocean. All players had the following scripts remotely executed for them, resulting in the following logs for ALL players:

24.08.2012 10:27:18: USERNAME (IP) GUID - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: USERNAME (IP) GUID - #122 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: USERNAME (IP) GUID - #97 "if (isnil ("bInvisibleOn")) then {reyalPyMtcejbo hideObject true;};"

In our case the invisibility was later replaced with this createVehicle:

24.08.2012 10:31:15: USERNAME (IP) GUID - #20 "
if (isServer) then {
_dsasadsa = createVehicle ['M1030', [554.713, 3819.73, 0], [], 0, 'CAN_COLLIDE'];
_dsasadsa setVariable"

Both createvehicle and remoteexec were clear of any entries during this time, so there must be functional bypasses working going into the weekend. Prepare for a long one and think twice before you ban for the executions above, as they may be falsified.

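One way to act on the warning in the post above before banning, as an added example that is not part of the original thread: group scripts.log entries by second, filter number and logged code, and separate entries that appeared for many GUIDs at once from entries tied to a single player. It assumes the entry layout quoted in the thread; the function names, the `min_guids` threshold and the sample log are hypothetical, and a cluster only marks entries for manual review, it does not prove they were falsified.

```python
import re
from collections import defaultdict

# Entry header as quoted in the thread: date time: NAME (IP) GUID - #filter "code
HEADER = re.compile(
    r'^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (.+?) \((\S+)\) (\S+) - #(\d+) "',
    re.MULTILINE)

def parse_entries(text):
    """Yield (timestamp, guid, filter_no, code); logged code may span lines."""
    heads = list(HEADER.finditer(text))
    for i, m in enumerate(heads):
        end = heads[i + 1].start() if i + 1 < len(heads) else len(text)
        code = text[m.end():end].strip()
        code = code[:-1] if code.endswith('"') else code
        yield m.group(1), m.group(4), int(m.group(5)), " ".join(code.split())

def broadcast_clusters(text, min_guids=3):
    """Map (second, filter, code) -> GUIDs when min_guids or more players logged it."""
    seen = defaultdict(set)
    for ts, guid, filter_no, code in parse_entries(text):
        seen[(ts, filter_no, code)].add(guid)
    return {key: sorted(g) for key, g in seen.items() if len(g) >= min_guids}

def review_individually(text, min_guids=3):
    """GUIDs with at least one entry that is not part of a broadcast cluster."""
    clusters = broadcast_clusters(text, min_guids)
    return sorted({guid for ts, guid, n, code in parse_entries(text)
                   if (ts, n, code) not in clusters})

# Constructed sample: placeholder names, documentation-range IPs, made-up GUIDs.
SAMPLE = '''24.08.2012 10:27:18: PlayerA (192.0.2.10:2304) guid-aaaa - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: PlayerB (192.0.2.11:2304) guid-bbbb - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:27:18: PlayerC (192.0.2.12:2304) guid-cccc - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
24.08.2012 10:40:02: PlayerD (192.0.2.13:2304) guid-dddd - #97 "hypothetical_single_entry;"
'''

if __name__ == "__main__":
    for (ts, n, code), guids in broadcast_clusters(SAMPLE).items():
        print(f"{ts} #{n} logged for {len(guids)} GUIDs at once: {code!r}")
    print("review individually:", review_individually(SAMPLE))
```

On a real server, set `min_guids` relative to how many players are normally online so that two players tripping the same filter by chance are not treated as a broadcast.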

Yep, I can confirm that I'm seeing similar.

Any word on what these things are doing (and more importantly, how to stop them)?

EDIT: Also to note, if you're using the dayz-community-banlist settings, this will mean that everyone else in the server will be kicked.

Edited by AnotherAccount


I assume they're attempting to make our lives difficult by spamming the logs and griefing both servers & players alike. I think they're trying to trigger kicks/bans on legitimate players and I think they're trying to make us doubt the filters. As far as stopping them goes, I don't know. I've never seen remote executions on players like this before in scripts.log, so we'll have to wait on BIS.

I think the kick is in the best interest of your players so I'd recommend leaving it in place.


This was just used on US 1461 Dallas 3.

This code was executed by everyone on the server:


25.08.2012 11:50:35: [NAME] ([USER.IP.GOES.HERE]) [GUIDGUIDGUIDGUID] - #122 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
"
25.08.2012 11:50:35: [NAME] ([USER.IP.GOES.HERE]) [GUIDGUIDGUIDGUID] - #121 "if((getPlayerUID player) != '63675078') then{ _xcompiled = compile TTT5derCode;call _xcompiled; }"
25.08.2012 11:50:35: [NAME] ([USER.IP.GOES.HERE]) [GUIDGUIDGUIDGUID] - #2 "n sdasdadsasdsaffsdsdfrtretrwe;
(findDisplay 46) displayAddEventHandler ['KeyDown','_this call gfdiogfhdoigfdhiogfdoigfhd'];"

The owner of that UID joined a few minutes before the hack happened. He is now banned from Dallas 3.


Now they are kicking. I've seen the two following remotely executed on all of our players, resulting in kicks:

26.08.2012 09:27:10: USERNAME (IP) GUID - #108 "r addBackpack 'DZ_Backpack_EP1';
(Unitbackpack player) addWeaponCargo ['M4A1_AIM_SD_camo', 1];
(Unitbackpack player) addMaga"

Edit both the addWeaponCargo and createVehicle in your scripts.txt to a 1 or 3 to prevent kicks for the time being.

Edited by (OCN)Vortech


I spied this new development. All users were executing the following.

26.08.2012 13:38:11: USER (IP) GUID - #121 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
sleep 2;
"
26.08.2012 13:38:11: USER (GUID) IP - #122 "
_whatIsThis = compile fap_fnExec; call _whatIsThis;
sleep 2;
"
26.08.2012 13:38:11: USER (IP) GUID- #31 "adsasdsaffsdsdfrtretrwe;
(findDisplay 46) displayremoveallEventHandlers 'KeyDown';"

I'm still struggling to understand the scripting language, such as what is a display and why remove all event handlers on KeyDown.
