hohlraum 1 Posted September 5, 2012

> BE Server v1.162 in combination with OA beta server v1.62.96584 provides protection against remote code execution via "publicVariable" and its variants. See the first post for more information.

If anyone has a chance to cook one of these (publicvariable.txt) up for DayZ and/or DayZ Lingor a link would be much appreciated.

OCNDayZ 1 Posted September 5, 2012

> If anyone has a chance to cook one of these (publicvariable.txt) up for DayZ and/or DayZ Lingor a link would be much appreciated.

I replied to a post of yours over at DayZMod with some information that should get you started. We're currently testing a custom file on our servers but I'm confident something is in the works, when it's ready it'll be with the CBL filters (https://code.google.com/p/dayz-community-banlist/source/browse/#git%2Ffilters).

Keep up the good work BE & BIS

kill(o)metr 10 Posted September 6, 2012

> BE Server v1.162 in combination with OA beta server v1.62.96584 provides protection against remote code execution via "publicVariable" and its variants. See the first post for more information.

It sounds great, but what can you advise regarding the following commands:

"{_x setdamage 1} forEach allunits; {_x setpos [x,y,z]} foreach allunits;"

How can we detect them, if the script restriction blocks on clientside?

hohlraum 1 Posted September 9, 2012

Still having server hacked to bits at will. publicvariable.txt identified a single guy a couple days ago and he just kept changing his IP and generating new keys every time I banned him. Nothing in the logs with regards to the guy who just teleported 50 people to the same location a few minutes ago on our server.

James222 1 Posted September 10, 2012

Does this log publicvariableServer?

falcon911 1 Posted September 14, 2012

Not sure where to place this one. But I have been getting the following with multiple users. I would reply/post this on Dayz Forums but they seem to be down right now. Any guesses? Latest Publicvaribale.txt script. Found this on

OCNDayZ 1 Posted September 15, 2012

> Not sure where to place this one. But I have been getting the following with multiple users. I would reply/post this on Dayz Forums but they seem to be down right now. Any guesses? Latest Publicvaribale.txt script. Found this on

Normal stuff, that log gets spammy from time to time. Dwarden >.>

If you want to see examples of entries you can try our CBL submissions (https://code.google.com/p/dayz-community-banlist/issues/list?can=1&q=reporter:overclocked&sort=-id&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary) OR the CBL in general.

Prodavec 10 Posted September 16, 2012

As I understand it, any DayZ admin may compose a false report with false detailed information in scripts.log? What mechanisms of protection are used to prevent the influence of the human factor?

hohlraum 1 Posted September 19, 2012

Any reason why the first post hasn't been updated to include any of the new event log types that have been added recently? (setpos, setdamage, publicvariableval, etc)

quatermass 1 Posted September 21, 2012

I'm getting lots of these types in the createvehicles.log

21.09.2012 16:22:14: Naga (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "SmallSecondary" 81:117 0:0 [8415,2384,11] [0,0,0]
21.09.2012 16:22:19: Naga (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "SmallSecondary" 81:118 0:0 [8415,2384,11] [0,0,0]
21.09.2012 17:15:21: BAKA (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "PipeBomb" 97:131 97:110 [12867,13951,15] [0,0,0]
21.09.2012 16:47:44: Riki (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "HelicopterExploBig" 90:130 0:0 [6671,2620,9] [0,0,0]

Am I correct these are hacks due to the Position being 0,0,0?

Still getting people teleporting around the map with no way to detect them. Also hackers moving all the vehicles en masse to the beach.... Nothing in the log despite keeping up to date.

Suggestions on keeping these horrible people out would be _very_ welcome. :)

eddieck 10 Posted September 22, 2012

> As I understand it, any DayZ admin may compose a false report with false detailed information in scripts.log? What mechanisms of protection are used to prevent the influence of the human factor?

Per https://code.google.com/p/dayz-community-banlist/:

As stated above, we are very careful about who we add to the banlist and generally only add GUIDs who have been reported multiple times and for scripts that we know with reasonable certainty are not legitimately executed and cannot be executed on other players.

Prodavec 10 Posted September 23, 2012

> reported multiple times

Does it mean the player should be detected on multiple servers with restricted scripts or multiple BE records of the one server at random times (for ex. Monday, Tuesday, Friday, Sunday, next week...)?

Anyway it means it's possible. Just need to compose a few false reports at random times and on a few random servers, for example at my servers and servers of my friend who administrates some other server(s). Right?

Basically I thought it is a FULLY automated process with no intervention of the admin(s).

eddieck 10 Posted September 23, 2012

It'd be great if it was also possible to log/block public setVariable on objects.

OCNDayZ 1 Posted September 24, 2012

New filter released mpeventhandler.txt, keep up the good work.

Source: https://code.google.com/p/dayz-community-banlist/source/detail?r=1c42a14d531ccb3dcfe48f1ca30ccdf8ec7cb78d

kill(o)metr 10 Posted September 24, 2012

> It'd be great if it was also possible to log/block public setVariable on objects.

setVariable.txt and deleteVehicle.txt are all we need to prevent cheater attacks on the server.

eddieck 10 Posted September 24, 2012

> setVariable.txt and deleteVehicle.txt are all we need to prevent cheater attacks on the server.

It looks like the mpeventhandler.txt mentioned above can block deleteVehicle. I'm not sure about setVariable.

Dwarden 1125 Posted September 25, 2012

I do hope people posting in this thread realize while scripts.txt is client side, the rest, namely:

remoteexec.txt, publicVariable.txt, publicVariableVal.txt, mpeventhandler.txt, createVehicle.txt, setpos.txt, setDamage.txt

are server side!

working sets from me are available there (for DayZ): http://code.google.com/p/dayz-community-banlist/source/browse/filters

also be sure you run the latest betas for security reasons http://forums.bistudio.com/showthread.php?140521-ARMA-2-OA-beta-build-97332-(1-62-MP-compatible-build-post-1-62-release) or newer

---------- Post added at 15:57 ---------- Previous post was at 15:54 ----------

> setVariable.txt and deleteVehicle.txt are all we need to prevent cheater attacks on the server.

wip and discussed

Edited September 25, 2012 by Dwarden

Qauntum 1 Posted September 25, 2012

Any chance we could get some explanation of the new log types? I'm seeing entries in setpos.log for people who I am certain are not scripting so I don't know what I should be looking out for in there, and no idea what should and shouldn't be showing up in any of the others.

Also, explaining to server admins who are submitting bans to the CBL that "seagull" showing up in createVehicle does not instantly mean someone is hacking would be good.

That said, your continued work on securing servers both directly through the script detecting system and through the CBL is very much appreciated, scripters keep getting caught and banned and that makes me very happy.

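Added example, not part of any post in this thread and not BattlEye or CBL code: a triage pass over createvehicles.log lines in the layout quoted earlier in the thread, which builds a manual review queue instead of treating every entry as a ban. The baseline set, the sample lines, and the field names `ids1`, `ids2`, `vec1`, `vec2` are assumptions made for the example.

```python
import re
from collections import defaultdict

# Layout copied from the createvehicles.log lines quoted in this thread. The x:y
# pairs and bracketed triples are captured as-is under names made up here.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): '
    # The player name is client-chosen text, so it is matched greedily and the
    # machine-written fields are anchored to the end of the line.
    r'(?P<name>.+) \((?P<addr>\d{1,3}(?:\.\d{1,3}){3}:\d+)\) (?P<guid>\S+) - '
    r'#(?P<rule>\d+) "(?P<cls>[^"]*)" (?P<ids1>\d+:\d+) (?P<ids2>\d+:\d+) '
    r'\[(?P<vec1>[^\]]*)\] \[(?P<vec2>[^\]]*)\]$')

# Constructed sample: documentation-range IPs, placeholder GUIDs, one junk line.
SAMPLE = """\
21.09.2012 16:22:14: Player (A) (192.0.2.10:2304) GUID-A - #0 "Seagull" 81:117 0:0 [8415,2384,11] [0,0,0]
21.09.2012 16:47:44: PlayerB (198.51.100.7:2304) GUID-B - #0 "PipeBomb" 97:131 97:110 [12867,13951,15] [0,0,0]
21.09.2012 16:48:02: PlayerC (198.51.100.7:2304) GUID-C - #0 "PipeBomb" 97:132 97:110 [12867,13951,15] [0,0,0]
21.09.2012 16:49:10: PlayerB (198.51.100.7:2304) GUID-B - #0 "HelicopterExploBig" 90:130 0:0 [6671,2620,9] [0,0,0]
server restarted, not a log entry
"""

def triage(text, baseline):
    """Group entries by address; baseline is a hypothetical set of lowercase
    class names seen in a known-clean session of your own mission."""
    per_addr = defaultdict(lambda: {"names": set(), "guids": set(), "other": defaultdict(int)})
    unparsed = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = LINE_RE.match(line)
        if m is None:
            unparsed.append(line)  # keep for inspection, never drop silently
            continue
        rec = per_addr[m["addr"]]
        rec["names"].add(m["name"])
        rec["guids"].add(m["guid"])
        if m["cls"].lower() not in baseline:
            rec["other"][m["cls"]] += 1
    return per_addr, unparsed

def review_queue(per_addr, min_hits=2):
    """Addresses for a manual look: repeated non-baseline classes or several GUIDs."""
    queue = []
    for addr, rec in sorted(per_addr.items()):
        hits = sum(rec["other"].values())
        if hits >= min_hits or len(rec["guids"]) > 1:
            queue.append((addr, hits, sorted(rec["names"])))
    return queue

if __name__ == "__main__":
    print(review_queue(triage(SAMPLE, {"seagull"})[0]))
```
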
cm. 10 Posted September 26, 2012

So can we get an update on what these new filters actually do or..... am I just expected to know what all these random lines mean?

Dwarden 1125 Posted September 26, 2012

setpos gives information about any position change originating from that client against any other object in global space (so not himself)

setdamage is same but related to damage and values like 1.000000 indicate use of script command

x:y are entity IDs ...

note: both are WIP and experimental so use common sense while going thru the results ...

cm. 10 Posted September 26, 2012

So is it safe to assume that anyone found in "setpos" is good to be banned?

zyklone 1 Posted September 26, 2012

> So is it safe to assume that anyone found in "setpos" is good to be banned?

Of course not. Depends on mission, mods and addons as with all other script detections.

cm. 10 Posted September 27, 2012

> Of course not. Depends on mission, mods and addons as with all other script detections.

Indeed. I should have made it clear I was referring to DayZ.

Qauntum 1 Posted September 27, 2012

> Indeed. I should have made it clear I was referring to DayZ.

The setpos command is used 25 times in dayz_code. It will be showing up in the logs for perfectly legitimate reasons.

hohlraum 1 Posted September 30, 2012

RE: setpos.log

25:507 [11416,3316,54]

So I understand the second block is the coordinates. What are the XX:XX numbers?