gonk, posted June 10, 2011: Hi. Does anyone know why arma2oaserver.exe wants to continuously send data to 208.53.128.27, i.e. fennec.ws? The data usage sits at about 88k/sec. That is, when I start the server and Resource Monitor, tick server.exe, and watch the network traffic, I can see packets going to various addresses, but this one stands out as a bandwidth hog. Just looks sus... Thanks.
.kju, posted June 10, 2011: Did you do an AV/malware check? Maybe your server got infected.
_x_, posted June 10, 2011: Got the same thing here, just a couple of hours ago. Killed a2oa since it's not being used atm anyway.
Dwarden, posted June 10, 2011: From where did you obtain the arma2oaserver.exe (just to be sure)? Using any "3rd" party tools from unknown sources?
OB1, posted June 11, 2011:
> Did you do an AV/malware check? Maybe your server got infected.
We did a full virus scan and found nothing; the server is newly built and has only been running for 5 days in a new data centre.
> From where did you obtain the arma2oaserver.exe (just to be sure)? Using any "3rd" party tools from unknown sources?
All Arma files obtained from Sprocket. FireDaemon and Rcon. We first suspected Rcon and shut it down, but the problem persisted. As Gonk said, it's coming from or directed at the arma2oaserver.exe. We IP-blocked it and don't have any further issues, but a Google search and traceroute on it still finds some very shady info.
76, posted June 11, 2011: Do FDC Servers or DirectNIC have some kind of relationship with (or are owned by, etc.) your ISP?
gonk, posted June 11, 2011: Scanning the arma2oaserver.exe finds nothing... using Security Essentials and Norton's. Still looking...
_x_, posted June 11, 2011: I was using the Linux server from the sticky, with the rest of the required content downloaded via Steam (using a VM). A friend of mine was toying with mission editing and had access to the machine, but he hasn't logged in for a month. According to ntop it was sending stuff over port 21.
Dwarden, posted June 11, 2011: Port 21 is FTP...
gonk, posted July 14, 2011: I have also noticed more and more IPs having only outbound network traffic from arma2oaserver.exe. They usually sit at about 50-70k/sec, with no one connected to the game server... IPs like 109.169.x.x, 89.238.x.x, 216.246.x.x. Is there a security hole in this exe that people are exploiting???
Nicholas, posted July 14, 2011: Where are you renting your server from? Or are you running the server on your PC?
gonk, posted July 14, 2011: We have our own server located at a data centre (co-location). We are only running one instance of arma2oaserver.exe. Just curious whether other server admins are seeing this kind of activity.
.kju, posted July 14, 2011: Could this be related? > XML parsing error: empty attribute name http://dev-heaven.net/issues/21289 Either a mission (a picture or HTML file) or the server exe is infected by the malware, as it looks like. I wasn't able to get to the source though.
focher, posted July 14, 2011: I see similar behavior, but connecting to chi.xfactorservers.com (88.198.6.24). No one is on the server, and the UDP traffic is from the arma2oaserver.exe. I disabled BattlEye just to check, but the traffic still appears. Confirmed the MD5 hash is correct, so I don't think malware or a virus is at play. I then added a firewall rule to block that IP address and restarted arma2oaserver.exe. It tried to connect to the same address, but couldn't, and eventually got to 0 bytes being sent. Then I restarted arma2oaserver.exe again and this time it connected to 66.150.214.8 (dallas-vetrilo.nfoservers.com). I repeated the same, blocking that IP and then restarting. So far it hasn't reconnected to anything with that high packet count. Both xfactorservers.com and nfoservers.com are game server hosting companies, but I can't see a reason why arma2oaserver.exe starts immediately sending 25k+ traffic continually to them... with no traffic back that I can see.
gonk, posted July 14, 2011: Yep, those two are also on the block list. Saw them a couple of days ago. There must be a way to see what is being sent.
.kju, posted July 14, 2011: Where are your servers located?
.kju, posted July 14, 2011: Cheers. Could you describe briefly how you check the outgoing traffic, so that others can check too and we get more data here? Thanks!
EDcase, posted July 14, 2011: The most basic way to check network traffic within Windows is to start Task Manager: 'Performance' tab. At the bottom, click 'Resource Monitor'. Then the 'Network' tab.
gonk, posted July 14, 2011:
> The most basic way to check network traffic within Windows is to start Task Manager: 'Performance' tab. At the bottom, click 'Resource Monitor'. Then the 'Network' tab.
Yep... then select arma2oaserver.exe to filter...
focher, posted July 14, 2011:
> There must be a way to see what is being sent.
Install Wireshark and capture the traffic. I will attempt that today but, as I pointed out above, after I temporarily blocked the IP address in my firewall rules the traffic stopped, even after I removed the rules.
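Wireshark shows the individual packets; the summary the thread is building by hand (which remote hosts the server sends to, at what rate, and whether anything comes back) can be scripted. The following is an added example, not code posted in this thread or shipped by Bohemia Interactive. It assumes tshark's `-T fields` export with the listed fields as input (that tooling choice, the placeholder server address and the sample records are all assumptions; the records are constructed, not a real capture), and flags remote hosts that receive a high outbound rate while returning zero bytes, which is the pattern focher describes.

```python
"""Per-remote-host summary of a game server's outbound traffic.

Added example for this thread, not code from any poster or from Bohemia
Interactive. It reads the tab-separated rows that tshark emits with
    tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src \
           -e ip.dst -e ip.proto -e frame.len
(assumed tooling; any source of (time, src, dst, proto, length) rows works)
and reports remote hosts the server sends to at a high rate while
receiving nothing back.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Placeholder for the server's own address (RFC 5737 documentation range).
SERVER_IP = "192.0.2.10"

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


@dataclass
class PeerStats:
    out_bytes: int = 0
    in_bytes: int = 0
    out_packets: int = 0
    first: float = float("inf")
    last: float = 0.0
    protocols: set = field(default_factory=set)

    def out_rate(self) -> float:
        """Outbound bytes per second over the observed window (floored at 1 s)."""
        return self.out_bytes / max(self.last - self.first, 1.0)


def parse_tshark_lines(lines):
    """Turn tshark '-T fields' rows into (time, src, dst, proto, length) tuples."""
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        if len(parts) != 5 or not parts[1] or not parts[2]:
            continue  # non-IP frames (ARP etc.) have empty ip.* fields
        ts, src, dst, proto, length = parts
        yield float(ts), src, dst, int(proto), int(length)


def summarise(records, server_ip=SERVER_IP):
    """Aggregate per remote host: bytes each way, packet count, time window."""
    peers = defaultdict(PeerStats)
    for ts, src, dst, proto, length in records:
        if src == server_ip:
            p = peers[dst]
            p.out_bytes += length
            p.out_packets += 1
        elif dst == server_ip:
            p = peers[src]
            p.in_bytes += length
        else:
            continue  # traffic between other hosts is not ours
        p.first = min(p.first, ts)
        p.last = max(p.last, ts)
        p.protocols.add(proto)
    return dict(peers)


def one_way_talkers(peers, min_rate=10_000):
    """Remote hosts that get >= min_rate B/s from us and send nothing back."""
    hits = [ip for ip, p in peers.items() if p.in_bytes == 0 and p.out_rate() >= min_rate]
    return sorted(hits, key=lambda ip: peers[ip].out_rate(), reverse=True)


# Constructed sample records (not a real capture), using documentation IPs.
SAMPLE_RECORDS = [
    # a real player session: traffic flows both ways
    (1000.0, "198.51.100.7", SERVER_IP, 17, 120),
    (1000.5, SERVER_IP, "198.51.100.7", 17, 900),
    (1001.0, "198.51.100.7", SERVER_IP, 17, 110),
    (1001.5, SERVER_IP, "198.51.100.7", 17, 950),
    # a one-way UDP stream of roughly 88 kB/s, the figure reported in the thread
    *((1000.0 + i * 0.01, SERVER_IP, "203.0.113.5", 17, 880) for i in range(200)),
    # low-rate one-way ICMP: present, but below the rate threshold
    (1000.0, SERVER_IP, "203.0.113.9", 1, 74),
    (1001.0, SERVER_IP, "203.0.113.9", 1, 74),
]


if __name__ == "__main__":
    peers = summarise(SAMPLE_RECORDS)
    print(f"{'remote':<16}{'proto':<8}{'out B':>9}{'in B':>7}{'out B/s':>10}")
    for ip, p in sorted(peers.items(), key=lambda kv: kv[1].out_rate(), reverse=True):
        names = "/".join(PROTO_NAMES.get(n, str(n)) for n in sorted(p.protocols))
        print(f"{ip:<16}{names:<8}{p.out_bytes:>9}{p.in_bytes:>7}{p.out_rate():>10.0f}")
    print("one-way high-rate peers:", one_way_talkers(peers))
```

Feed it `parse_tshark_lines(open("capture.txt"))` instead of `SAMPLE_RECORDS` to run it on a real export. The rate threshold is deliberately above what a GameSpy-style heartbeat or a ping exchange would produce, so low-volume one-way traffic such as the ICMP case is listed in the table but not flagged.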
gonk, posted July 14, 2011:
> Install Wireshark and capture the traffic. I will attempt that today but, as I pointed out above, after I temporarily blocked the IP address in my firewall rules the traffic stopped, even after I removed the rules.
rgr.. let us know what you find... I am plugging holes left and right... 174.x.x.x popped up today sucking 100k/sec. Will have a closer look on the weekend...
focher, posted July 14, 2011: I came back this morning to find a new UDP session against 85.17.96.111 (hosted-by.leaseweb.com). I have checked with Wireshark and it's just ICMP (ping) traffic. There's no data in the packets I'm seeing on my server. It's now really up to BIS to explain to us why the server is doing this, as I really don't think it's a hack of any kind. I suspect it's related to the GameSpy support.
gonk, posted July 18, 2011:
> I came back this morning to find a new UDP session against 85.17.96.111 (hosted-by.leaseweb.com). I have checked with Wireshark and it's just ICMP (ping) traffic. There's no data in the packets I'm seeing on my server. It's now really up to BIS to explain to us why the server is doing this, as I really don't think it's a hack of any kind. I suspect it's related to the GameSpy support.
Have you tried the beta server yet? This non-stop pinging response is eating into our data limit.