gonk

Fennec.ws network traffic

Hi

Does anyone know why arma2oaserver.exe wants to continuously send data to 208.53.128.27, i.e. fennec.ws? The data usage sits at about 88k/sec.

That is, when I start the server and Resource Monitor, tick server.exe, and watch the network traffic, I can see packets going to various addresses, but this one stands out as a bandwidth hog.

Just looks sus...

Thanks....

Did you do an AV/malware check? Maybe your server got infected.

Got the same thing here, just a couple of hours ago. Killed a2oa since it's not being used atm anyway.

From where did you obtain the arma2oaserver.exe (just to be sure)?

Using any "3rd party" tools from unknown sources?

> Did you do an AV/malware check? Maybe your server got infected.

We did a full virus scan and found nothing; the server is newly built and has only been running for 5 days in a new data centre.

> From where did you obtain the arma2oaserver.exe (just to be sure)?
>
> Using any "3rd party" tools from unknown sources?

All Arma files were obtained from Sprocket. Fire Daemon and Rcon. We first suspected Rcon and shut it down, but the problem persisted. As Gonk said, it's coming from or directed at the arma2oaserver.exe.

We IP blocked it and don't have any further issues, but still, doing a Google search and trace route on it finds some very shady info.

Do FDC Servers or DirectNIC have some kind of relationship with, or are they owned by, your ISP?

Edited by 76

Scanning the arma2oaserver.exe finds nothing... using Security Essentials and Norton's. Still looking...

I was using the Linux server from the sticky with the rest of the required content downloaded via Steam (using a VM). A friend of mine was toying with mission editing and had access to the machine but he hasn't logged in for a month. According to ntop it was sending stuff over port 21.

I have also noticed more and more IPs having only outbound network traffic from arma2oaserver.exe. They usually sit at about 50-70 k/sec, with no one connected to the game server... IPs like 109.169.x.x, 89.238.x.x, 216.246.x.x. Is there a security hole in this exe that people are exploiting???

Where are you renting your server from? Or are you running the server on your PC?

We have our own server located at a data centre (co-location). We are only running one instance of arma2oaserver.exe. Just curious whether other server admins are seeing this kind of activity.

Edited by gonk

Could this be related?

> XML parsing error: empty attribute name

http://dev-heaven.net/issues/21289

Either a mission (a picture or HTML file) or the server exe is infected by the malware, as it looks like.

I wasn't able to get to the source though.

I see similar behavior but connecting to chi.xfactorservers.com (88.198.6.24). No one on the server and the UDP traffic is from the arma2oaserver.exe. I disabled Battleye just to check, but the traffic still appears.

Confirmed the MD5 hash is correct, so I don't think malware or a virus is at play.

I then added a firewall rule to block that IP address and then restarted the arma2oaserver.exe. It tried to connect to the same address, but couldn't and eventually got to 0 bytes being sent. Then I restarted arma2oaserver.exe again and this time it connected to 66.150.214.8 (dallas-vetrilo.nfoservers.com). I repeated the same, blocking that IP and then restarting. So far it hasn't reconnected to anything with that high packet count.

Both xfactorservers.com and nfoservers.com are game server hosting companies, but I can't see a reason why arma2oaserver.exe starts immediately sending 25k+ traffic continually to them... with no traffic back that I can see.

Edited by Focher

Yep, those two are also on the block list. Saw them a couple of days ago. There must be a way to see what is being sent.

Where are your servers located?

Cheers

Could you describe briefly how you check the outgoing traffic, so that others can check too and we get more data here. Thanks!

The most basic way to check network traffic within Windows is to start Task Manager:

'Performance' tab. At the bottom click 'Resource Monitor'.

Then the 'Network' tab.

> The most basic way to check network traffic within Windows is to start Task Manager:
>
> 'Performance' tab. At the bottom click 'Resource Monitor'.
>
> Then the 'Network' tab.

Yep... then select arma2oaserver.exe to filter...

> There must be a way to see what is being sent.

Install Wireshark and capture the traffic. I will attempt that today but, as I pointed out above, after I temporarily blocked the IP address in my firewall rules the traffic stopped even after I removed the rules.

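As an added example (not code from this thread, from BIS or from Wireshark), here is a Python script for the step after the Wireshark capture Focher describes: export the capture with tshark, total the bytes per remote peer in each direction, work out the outbound rate, and flag peers the server keeps sending to without anything coming back, which is the pattern reported above for fennec.ws and the hosting-company addresses. The server address 192.0.2.10, the client address 198.51.100.5 and every packet line are constructed for the example; the tshark field names in the comment are real options, and the peer addresses 208.53.128.27 and 85.17.96.111 are the ones mentioned in the thread.

```python
"""Aggregate a tshark field export by remote peer and flag one-sided outbound
flows (lots sent, nothing received). Added example; the sample capture lines
are constructed and do not come from a real server."""
import csv
import io
from dataclasses import dataclass

# Assumed address of the host running arma2oaserver.exe (constructed).
SERVER_IP = "192.0.2.10"
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}

# Expected input: one packet per line, produced by a real tshark invocation such as
#   tshark -r capture.pcapng -T fields -E separator=, -E occurrence=f \
#          -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e frame.len


def build_sample_export() -> str:
    """Constructed stand-in for the tshark output above; not real traffic."""
    t0 = 1300000000.0
    rows = []
    # Flow 1: 11 x 1400-byte UDP packets over 10 s to 208.53.128.27, nothing back.
    for i in range(11):
        rows.append((t0 + i, SERVER_IP, "208.53.128.27", 17, 1400))
    # Flow 2: an ordinary two-way UDP exchange with a game client (RFC 5737 address).
    for i in (0, 5, 10):
        rows.append((t0 + i, SERVER_IP, "198.51.100.5", 17, 200))
        rows.append((t0 + i + 0.5, "198.51.100.5", SERVER_IP, 17, 300))
    # Flow 3: ICMP echo request/reply pairs with 85.17.96.111 (both directions).
    for i in (0, 10):
        rows.append((t0 + i, SERVER_IP, "85.17.96.111", 1, 74))
        rows.append((t0 + i + 0.2, "85.17.96.111", SERVER_IP, 1, 74))
    rows.sort()
    return "".join(f"{t:.3f},{s},{d},{p},{n}\n" for t, s, d, p, n in rows)


@dataclass
class FlowStats:
    peer: str
    proto: str
    out_bytes: int = 0
    in_bytes: int = 0
    first_ts: float = float("inf")
    last_ts: float = float("-inf")

    def add(self, ts: float, length: int, outbound: bool) -> None:
        if outbound:
            self.out_bytes += length
        else:
            self.in_bytes += length
        self.first_ts = min(self.first_ts, ts)
        self.last_ts = max(self.last_ts, ts)

    @property
    def out_rate(self) -> float:
        """Outbound bytes per second over the observed span (floored at 1 s)."""
        return self.out_bytes / max(self.last_ts - self.first_ts, 1.0)


def summarise(export_text: str, server_ip: str) -> dict:
    """Return {(peer, proto): FlowStats} for every packet to or from server_ip."""
    flows = {}
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 5 or not row[1] or not row[2]:
            continue  # non-IP frames leave ip.src/ip.dst empty; skip them
        ts, src, dst = float(row[0]), row[1], row[2]
        proto, length = int(row[3]), int(row[4])
        if src == server_ip:
            peer, outbound = dst, True
        elif dst == server_ip:
            peer, outbound = src, False
        else:
            continue  # traffic between other hosts is not ours to account for
        key = (peer, PROTO_NAMES.get(proto, str(proto)))
        flows.setdefault(key, FlowStats(*key)).add(ts, length, outbound)
    return flows


def suspicious_flows(flows: dict, min_out_bytes: int = 10_000,
                     max_in_ratio: float = 0.01) -> list:
    """Peers that were sent a lot and answered (almost) nothing, biggest first."""
    hits = [s for s in flows.values()
            if s.out_bytes >= min_out_bytes
            and s.in_bytes <= s.out_bytes * max_in_ratio]
    return sorted(hits, key=lambda s: s.out_bytes, reverse=True)


if __name__ == "__main__":
    stats = summarise(build_sample_export(), SERVER_IP)
    for s in sorted(stats.values(), key=lambda s: s.out_bytes, reverse=True):
        print(f"{s.peer:>16} {s.proto:<5} out={s.out_bytes:>7} B "
              f"in={s.in_bytes:>6} B rate={s.out_rate:8.1f} B/s")
    for s in suspicious_flows(stats):
        print(f"one-sided outbound flow to {s.peer}/{s.proto}: "
              f"{s.out_bytes} B sent, {s.in_bytes} B received")
```

Replace `build_sample_export()` with the text of a real tshark export and set `SERVER_IP` to the server's own address; the thresholds are deliberately generous, because a legitimate game client always sends something back, so the "nothing received" condition is what separates the flows reported in this thread from normal player traffic. Blocking a peer at the firewall, as done above, will show up here as the out_bytes for that peer dropping to zero on the next capture.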
> Install Wireshark and capture the traffic. I will attempt that today but, as I pointed out above, after I temporarily blocked the IP address in my firewall rules the traffic stopped even after I removed the rules.

Rgr... let us know what you find... I am plugging holes left and right...

174.x.x.x popped up today sucking 100k/sec. Will have a closer look on the weekend...

I came back this morning to find a new UDP session against 85.17.96.111 (hosted-by.leaseweb.com). I have checked with Wireshark and it's just ICMP (ping) traffic. There's no data in the packets I'm seeing on my server.

It's now really up to BIS to explain to us why the server is doing this as I really don't think it's a hack of any kind. I suspect it's related to the Gamespy support.

Edited by Focher

> I came back this morning to find a new UDP session against 85.17.96.111 (hosted-by.leaseweb.com). I have checked with Wireshark and it's just ICMP (ping) traffic. There's no data in the packets I'm seeing on my server.
>
> It's now really up to BIS to explain to us why the server is doing this as I really don't think it's a hack of any kind. I suspect it's related to the Gamespy support.

Have you tried the beta server yet? This non-stop pinging response is eating into our data limit.
