Pillord 10 Posted September 5, 2011 Hi! First, sorry for my bad English. I'm admin of the JgBtl533 Arma2 server and I saw some guys using sidechat for hacking attacks like the PHP hacks described on this webpage: http://www.acunetix.com/websitesecurity/php-security-1.htm They used signs like '/^.+@.+\..{2,3}$/',$_POST' with function names. Now we have a hacker and he makes vehicles and other stuff rain in base and crashes the server. I hope that's helpful. Greetings Pillord
eddieck 10 Posted September 6, 2011 I doubt the chat message had anything to do with the hack. These types of hacks are pretty common. Are you running signature checks at all? Other than that, you can look into mission-level anti-cheat systems like DooACS but they are not 100% effective. (They will, however, get rid of most script kiddies.) If you have a dedicated server with root/administrator access, you can also use a packet sniffer to find these guys easily.
Rexxenexx 0 Posted September 6, 2011 I wouldn't worry about the text in the sidechat. The rain veh sounds like a mod, that's it. You using sig check etc?? EDIT: You beat me! lol ;)
Pillord 10 Posted September 6, 2011 We are running a Linux root server with Debian. The server config is:

// JOINING RULES
checkfiles[] = {}; // Outdated.
maxPlayers = 40; // Maximum amount of players. Civilians and watchers, beholder, bystanders and so on also count as player.
kickDuplicate = 1; // Each ArmA version has its own ID. If kickDuplicate is set to 1, a player will be kicked when he joins a server where another player with the same ID is playing.
verifySignatures = 1; // Verifies the players files by checking them with the .bisign signatures. Works properly from 1.08 on
equalModRequired = 0; // Outdated. If set to 1, player has to use exactly the same -mod= startup parameter as the server.
BattlEye = 1; //Server to use BattlEye system

And we don't start a mod with a -mod line as start parameter. Our server version is 1.10.80666. I will try DooACS, but I don't know how a sniffer can find a hacker easily. My knowledge about sniffers is that they log all IP packets. But I think there are many packets to an Arma2 server and it will be a big sniffer.log file. Thank you for your assistance!
.kju 3245 Posted September 6, 2011 verifySignatures = 1; => verifySignatures = 2;
Pillord 10 Posted September 12, 2011 Hi! I use Argus now and I can see the connections now. There are some UDP packets I can't understand, UDP packets like that:

SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
udp xx.xx.174.121.9987 -> xx.xx.xx.xx.2314 470 0 24440 0 INT

There are some servers (most of them are viewed at Gametracker). Our servers send UDP packets to other servers with STATE INT too. 2314 is one of our Arma2 server ports. We are running 3 Arma2 servers and all of them do that. Is there someone who knows something about that? Are there any IPs that we need to open in IPTABLES?
eddieck 10 Posted September 12, 2011 I use Argus now and I can see the connections now. There are some UDP packets I can't understand, UDP packets like that:

SrcAddr Sport Dir DstAddr Dport SrcPkt DstPkt SrcBytes DstBytes State
udp xx.xx.174.121.9987 -> xx.xx.xx.xx.2314 470 0 24440 0 INT

There are some servers (most of them are viewed at Gametracker). Our servers send UDP packets to other servers with STATE INT too. 2314 is one of our Arma2 server ports. We are running 3 Arma2 servers and all of them do that. Is there someone who knows something about that?

You only need to look at incoming packets to 2314. I'm not familiar with Argus, but it uses libpcap so it should be able to output .pcap files. My suggestion is to use ngrep or Wireshark (GUI) to run string searches. Script commands are sent in plain text, so they're easy to filter.
Pillord 10 Posted September 12, 2011 I installed Wireshark, but our server is running on a server farm and I can't look at a monitor to see results. I don't know how to run Wireshark as a server on Linux and connect to this server with a Windows tool. I will try to use ngrep and tcpdump. Thx for helping....
eddieck 10 Posted September 12, 2011 I will try to use ngrep and tcpdump.

Yep, that's what I do.

tcpdump:
tcpdump -w output.pcap -i eth1 dst your.server.ip and dst port SERVERPORT and udp
(eth1 is specified since most providers have a private network now, which uses eth0. If you only have one NIC, you can remove the -i eth1 part.)

ngrep:
ngrep -I output.pcap -i disableuserinput
(-i is case-insensitive)
Pillord 10 Posted September 12, 2011 Yep, that's what I do.

tcpdump:
tcpdump -w output.pcap -i eth1 dst your.server.ip and dst port SERVERPORT and udp
(eth1 is specified since most providers have a private network now, which uses eth0. If you only have one NIC, you can remove the -i eth1 part.)

ngrep:
ngrep -I output.pcap -i disableuserinput
(-i is case-insensitive)

Thx for your support. I used -> ngrep -I output.pcap -i disableuserinput but it only shows tons of # signs. Do you know more? Thx-
eddieck 10 Posted September 12, 2011 I used -> ngrep -I output.pcap -i disableuserinput but it only shows tons of # signs.

Forgot about that. -qi rather than -i should silence that (# is for every packet that doesn't match the filter).
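An added example, not code from anyone in this thread: the same plaintext string search as the ngrep command above, but done in Python over a tcpdump-style .pcap and limited to UDP packets addressed to the server port (2314 here), so each hit is reported together with the sending IP. The capture is constructed inline with documentation addresses and no checksums; the command-name list only contains the names mentioned in the thread.

```python
import struct
ARMA_PORT = 2314  # server port named in the thread
SUSPECT = [b"createvehicle", b"disableuserinput"]  # script command names from the thread

def udp_payloads(pcap):
    """Yield (src_ip, dst_port, payload) for IPv4/UDP frames in an Ethernet pcap."""
    end = "<" if struct.unpack("<I", pcap[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte libpcap global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4
        udp = ip[ihl:]
        if ip[9] != 17 or len(udp) < 8:
            continue  # not UDP or truncated
        src = ".".join(str(b) for b in ip[12:16])
        dport, ulen = struct.unpack("!HH", udp[2:6])
        yield src, dport, udp[8:ulen]

def find_script_commands(pcap, port=ARMA_PORT, needles=SUSPECT):
    """Return (src_ip, command) for every payload to `port` containing a needle (case-insensitive)."""
    hits = []
    for src, dport, payload in udp_payloads(pcap):
        if dport != port:
            continue
        low = payload.lower()
        hits.extend((src, n.decode()) for n in needles if n in low)
    return hits

# --- constructed sample capture (documentation IPs, checksums left at zero) ---
def _frame(src, dport, payload):
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes([10, 0, 0, 1]))
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    return b"\x00" * 12 + b"\x08\x00" + ip + udp

def _pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # link type 1 = Ethernet
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)

SAMPLE_PCAP = _pcap([
    _frame("192.0.2.10", 2314, b"normal chat text"),
    _frame("198.51.100.7", 2314, b'"Car" createVehicle (getPos player)'),
    _frame("198.51.100.7", 9987, b"disableUserInput true"),  # other port: ignored
])
```

Run it against a real file with `find_script_commands(open("output.pcap", "rb").read())`; the list of hits gives you the source IPs to check against the server's player list.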
Pillord 10 Posted September 13, 2011 Forgot about that. -qi rather than -i should silence that (# is for every packet that doesn't match the filter).

Very nice.... Thx. I transfer the output.pcap to my local Win7 PC and use Wireshark to analyse the UDP packets. I tried to use rpcapd on the Linux server and Wireshark as client on the Windows PC, but I always get errors when starting sniffing on eth0. The connection will be established, but I can only select: etwork adapter 'USB bus number 1' on remote node 78.46.48.235: rpcap://[78.46.48.235]:1551/usb1 as device. If I use this I get the error: Unable to set data link type (EN10MB is not one of the DLTs supported by this device). If I change the device to rpcap://78.46.48.235:1551/eth0 it shows The capture session could not be initiated (). /eth0" is the proper interface. Can you help me? Thx Pillord.
Pillord 10 Posted October 5, 2011 The attacks continue. Our server config is:

// JOINING RULES
checkfiles[] = {}; // Outdated.
maxPlayers = 40; // Maximum amount of players. Civilians and watchers, beholder, bystanders and so on also count as player.
kickDuplicate = 1; // Each ArmA version has its own ID. If kickDuplicate is set to 1, a player will be kicked when he joins a server where another player with the same ID is playing.
verifySignatures = 2; // Verifies the players files by checking them with the .bisign signatures. Works properly from 1.08 on
equalModRequired = 0; // Outdated. If set to 1, player has to use exactly the same -mod= startup parameter as the server.

// VOTING
voteMissionPlayers = 0; // Tells the server how many people must connect so that it displays the mission selection screen.
voteThreshold = 200; // 33% or more players need to vote for something, for example an admin or a new map, to become effective

// INGAME SETTINGS
disableVoN = 1; // If set to 1, Voice over Net will not be available
vonCodecQuality = 4; // Quality from 1 to 10
persistent = 1; // If 1, missions still run on even after the last player disconnected.

// SCRIPTING ISSUES
onUserConnected = ""; // self-explaining
onUserDisconnected = "";
doubleIdDetected = "";
regularCheck = "";

// some ArmA specific stuff - signature verification
onUnsignedData = "kick (_this select 0)"; // unsigned data detected "kick (_this select 0)"
onHackedData = "kick (_this select 0)"; // tampering of the signature detected "ban (_this select 0)"
onDifferentData = ""; // data with a valid signature, but different version than the one present on server detected
BattlEye = 1; //Server to use BattlEye system

There is no mod started with -mod= and we are using bi2.bikey only. DooACS is installed. But sometimes there is a guy who can create 1000 vehicles in base. Are we the only Arma2 server guys with a hacker? Thx Pillord.
.kju 3245 Posted October 5, 2011 Did you try to run the beta patch on server? Edit: You have linux machine, right? 1.60 should be out soon or maybe BI will release another be linux build to test the signature problem.
Pillord 10 Posted October 5, 2011 Our running version is 1.10.80666. I can't see any higher version; I'll try any beta version if I can see one. Thx Pillord.
.kju 3245 Posted October 5, 2011 Well 1.10 is another story. What about your attempts to sniff and filter the traffic to stop the hackers?
Pillord 10 Posted October 5, 2011 My problem is, if I start the sniffing tool it takes a lot of disk space after some minutes, so I can't run this tool around the clock. The hacker uses his tool only if I'm not online. So I haven't got any results. Be sure I use other ingame names! Thx Pillord.
Pillord 10 Posted October 5, 2011 Now I found out that I can't do anything against those hacking tools. Here is the reason: If I want to hack an Arma server I need only knowledge about Arma scripting and some C or C++ knowledge. The only thing I need to do is to create a small mission. First I need to place a character in the mission editor and save that mission. Then I use AddAction and let it create a vehicle. Now I start this mission on a dedicated server and log some UDP packets while creating vehicles. Now I create a .dll with user-input windows and bind that .dll with Arma2.exe. Then I start Arma2 and connect to a public dedicated server. Now the .dll only needs to send the same createvehicle packet as logged with my own mission. I think the only protection can be done by BIS. My suggestion is: 1. Change script handling! In future use two scripts, one for server, one for client, and only the server script can create vehicles. 2. Remove all admin functions from the dedicated server and let them be used only locally. Then all admins need an admin tool, but this tool can have different ports and manage all Arma2 servers locally. Thx Pillord