$able

Introducing Server-side Event Logging/Blocking


BE Server v1.162 in combination with OA beta server v1.62.96584 provides protection against remote code execution via "publicVariable" and its variants.

See the first post for more information.

If anyone has a chance to cook one of these (publicvariable.txt) up for DayZ and/or DayZ Lingor a link would be much appreciated.

If anyone has a chance to cook one of these (publicvariable.txt) up for DayZ and/or DayZ Lingor a link would be much appreciated.

I replied to a post of yours over at DayZMod with some information that should get you started. We're currently testing a custom file on our servers, but I'm confident something is in the works; when it's ready it'll be with the CBL filters (https://code.google.com/p/dayz-community-banlist/source/browse/#git%2Ffilters).

Keep up the good work BE & BIS :yay:

BE Server v1.162 in combination with OA beta server v1.62.96584 provides protection against remote code execution via "publicVariable" and its variants.

See the first post for more information.

It sounds great, but what can you advise regarding the following commands: "{_x setdamage 1} forEach allunits; {_x setpos [x,y,z]} foreach allunits;" How can we detect them, if the script restriction blocks on clientside?


Still having server hacked to bits at will. publicvariable.txt identified a single guy a couple days ago and he just kept changing his IP and generating new keys every time I banned him. Nothing in the logs with regards to the guy who just teleported 50 people to the same location a few minutes ago on our server.


Not sure where to place this one. But I have been getting the following with multiple users. I would reply/post this on the DayZ forums but they seem to be down right now.

Any guesses? Latest publicvariable.txt script.

Found this on

14.09.2012 09:21:14 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack6"]
14.09.2012 09:21:14 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:15 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack7"]
14.09.2012 09:21:15 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack8"]
14.09.2012 09:21:15 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_3",100]]
14.09.2012 09:21:16 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack3"]
14.09.2012 09:21:16 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack10"]
14.09.2012 09:21:16 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:17 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack4"]
14.09.2012 09:21:17 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack5"]
14.09.2012 09:21:17 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_6",100]]
14.09.2012 09:21:18 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack3"]
14.09.2012 09:21:18 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack3"]
14.09.2012 09:21:19 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_3",100]]
14.09.2012 09:21:19 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack5"]
14.09.2012 09:21:19 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack2"]
14.09.2012 09:21:19 - #6 "remExField" = [,<NULL-object>,"say",["z_panic_0",40]]
14.09.2012 09:21:20 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_1",100]]
14.09.2012 09:21:20 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_4",100]]
14.09.2012 09:21:21 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack10"]
14.09.2012 09:21:21 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack1"]
14.09.2012 09:21:21 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_3",100]]
14.09.2012 09:21:21 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_4",100]]
14.09.2012 09:21:22 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack3"]
14.09.2012 09:21:22 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack2"]
14.09.2012 09:21:22 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_4",100]]
14.09.2012 09:21:22 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_2",100]]
14.09.2012 09:21:23 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack9"]
14.09.2012 09:21:23 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack4"]
14.09.2012 09:21:23 - #6 "remExField" = [,<NULL-object>,"say",["z_spotted_6",40]]
14.09.2012 09:21:24 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:24 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_1",100]]
14.09.2012 09:21:24 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed4"]
14.09.2012 09:21:24 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed5"]
14.09.2012 09:21:25 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:25 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:25 - #6 "remExField" = [,<NULL-object>,"say",["z_scream_2",100]]
14.09.2012 09:21:26 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed4"]
14.09.2012 09:21:26 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed5"]
14.09.2012 09:21:26 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_1",100]]
14.09.2012 09:21:26 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_2",100]]
14.09.2012 09:21:27 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed2"]
14.09.2012 09:21:27 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed3"]
14.09.2012 09:21:27 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_1",100]]
14.09.2012 09:21:28 - #6 "remExField" = [,<NULL-object>,"say",["z_scream_3",100]]
14.09.2012 09:21:28 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieFeed3"]
14.09.2012 09:21:28 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:29 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack10"]
14.09.2012 09:21:29 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack4"]
14.09.2012 09:21:29 - #6 "remExField" = [,<NULL-object>,"say",["z_spotted_2",40]]
14.09.2012 09:21:29 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_2",100]]
14.09.2012 09:21:29 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:30 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack4"]
14.09.2012 09:21:30 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack10"]
14.09.2012 09:21:30 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_3",100]]
14.09.2012 09:21:30 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_6",100]]
14.09.2012 09:21:31 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack5"]
14.09.2012 09:21:31 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack1"]
14.09.2012 09:21:31 - #6 "remExField" = [,<NULL-object>,"say",["z_panic_0",40]]
14.09.2012 09:21:32 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_3",100]]
14.09.2012 09:21:32 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_2",100]]
14.09.2012 09:21:32 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack5"]
14.09.2012 09:21:32 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack10"]
14.09.2012 09:21:33 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:33 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_3",100]]
14.09.2012 09:21:33 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack4"]
14.09.2012 09:21:33 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack3"]
14.09.2012 09:21:34 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_4",100]]
14.09.2012 09:21:34 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_4",100]]
14.09.2012 09:21:34 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack3"]
14.09.2012 09:21:34 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack9"]
14.09.2012 09:21:34 - #6 "remExField" = [,<NULL-object>,"say",["z_panic_0",40]]
14.09.2012 09:21:35 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:35 - #6 "remExField" = [,<NULL-object>,"say",["z_hit_5",100]]
14.09.2012 09:21:36 - #6 "remExField" = [<NULL-object>,<NULL-object>,"playmove","ZombieStandingAttack6"]

Not sure where to place this one. But I have been getting the following with multiple users. I would reply/post this on the DayZ forums but they seem to be down right now.

Any guesses? Latest publicvariable.txt script.

Found this on

Normal stuff, that log gets spammy from time to time. Dwarden >.> If you want to see examples of entries you can try our CBL submissions (https://code.google.com/p/dayz-community-banlist/issues/list?can=1&q=reporter:overclocked&sort=-id&colspec=ID%20Type%20Status%20Priority%20Milestone%20Owner%20Summary) OR the CBL in general.


As I understand it, any DayZ admin may compose a false report with false detailed information in scripts.log? What mechanisms of protection are used to prevent the influence of the human factor?


Any reason why the first post hasn't been updated to include any of the new event log types that have been added recently? (setpos, setdamage, publicvariableval, etc)


I'm getting lots of these types in the createvehicles.log

21.09.2012 16:22:14: Naga (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "SmallSecondary" 81:117 0:0 [8415,2384,11] [0,0,0]

21.09.2012 16:22:19: Naga (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "SmallSecondary" 81:118 0:0 [8415,2384,11] [0,0,0]

21.09.2012 17:15:21: BAKA (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "PipeBomb" 97:131 97:110 [12867,13951,15] [0,0,0]

21.09.2012 16:47:44: Riki (109.94.14.220:1195) xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx - #0 "HelicopterExploBig" 90:130 0:0 [6671,2620,9] [0,0,0]

Am I correct these are hacks due to the Position being 0,0,0?

Still getting people teleporting around the map with no way to detect them. Also hackers moving all the vehicles en masse to the beach....

Nothing in the log despite keeping up to date.

Suggestions on keeping these horrible people out would be _very_ welcome. :)

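A triage sketch for createvehicle.log lines in the layout quoted in the post above, added here as an example; it is not part of the thread or of BattlEye's tooling. The field names, the `expected_classes` allowlist and the sample lines are assumptions, and the result is a review queue rather than a ban list, since legitimate mission code also produces entries.

```python
import re
from collections import defaultdict

# Layout inferred from the createvehicle.log lines quoted in the thread:
#   date time: name (ip:port) guid - #rule "class" a:b c:d [x,y,z] [x,y,z]
# The a:b pairs and the two vectors are parsed but not interpreted here.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): '
    r'(?P<name>.+) \((?P<ip>[\d.]+):(?P<port>\d+)\) (?P<guid>\S+) - '
    r'#(?P<rule>\d+) "(?P<cls>[^"]*)" '
    r'(?P<id_a>\d+:\d+) (?P<id_b>\d+:\d+) '
    r'\[(?P<vec_a>[^\]]*)\] \[(?P<vec_b>[^\]]*)\]\s*$'
)

# Constructed sample: documentation IPs and placeholder GUIDs, not real data.
SAMPLE_LOG = """\
21.09.2012 16:22:14: PlayerA (192.0.2.10:1195) guid-placeholder-1 - #0 "SmallSecondary" 81:117 0:0 [8415,2384,11] [0,0,0]
21.09.2012 16:22:19: PlayerA (192.0.2.10:1195) guid-placeholder-1 - #0 "SmallSecondary" 81:118 0:0 [8415,2384,11] [0,0,0]
21.09.2012 16:47:44: PlayerB (192.0.2.10:1195) guid-placeholder-2 - #0 "HelicopterExploBig" 90:130 0:0 [6671,2620,9] [0,0,0]
21.09.2012 17:15:21: PlayerC (192.0.2.10:1195) guid-placeholder-3 - #0 "PipeBomb" 97:131 97:110 [12867,13951,15] [0,0,0]
21.09.2012 17:20:02: PlayerD (198.51.100.7:2304) guid-placeholder-4 - #0 "Seagull" 12:40 0:0 [4500,10200,6] [0,0,0]
this line is not a log entry
"""

def parse(text):
    """Return (entries, unparsed); unparsed lines are kept, never dropped."""
    entries, unparsed = [], []
    for line in filter(str.strip, text.splitlines()):
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
        else:
            unparsed.append(line)
    return entries, unparsed

def triage(entries, expected_classes):
    """Return (review, shared): class counts per GUID for classes the mission
    is not expected to create, and addresses used under several names."""
    review = defaultdict(lambda: defaultdict(int))
    names_by_ip = defaultdict(set)
    for e in entries:
        names_by_ip[e["ip"]].add(e["name"])
        if e["cls"].lower() not in expected_classes:  # hypothetical allowlist
            review[e["guid"]][e["cls"]] += 1
    shared = {ip: sorted(n) for ip, n in names_by_ip.items() if len(n) > 1}
    return {g: dict(c) for g, c in review.items()}, shared

if __name__ == "__main__":
    entries, unparsed = parse(SAMPLE_LOG)
    review, shared = triage(entries, expected_classes={"seagull"})
    print(review, shared, unparsed, sep="\n")
```
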
As I understand it, any DayZ admin may compose a false report with false detailed information in scripts.log? What mechanisms of protection are used to prevent the influence of the human factor?

Per https://code.google.com/p/dayz-community-banlist/:

As stated above, we are very careful about who we add to the banlist and generally only add GUIDs who have been reported multiple times and for scripts that we know with reasonable certainty are not legitimately executed and cannot be executed on other players.

reported multiple times

Does it mean the player should be detected on multiple servers with restricted scripts, or multiple BE records on one server at random times (e.g. Monday, Tuesday, Friday, Sunday, next week...)?

Anyway, it means it's possible. One just needs to compose a few false reports at random times on a few random servers, for example on my servers and the servers of a friend who administers some other server(s).

Right?

Basically, I thought it was a FULLY automated process with no intervention by the admin(s).


It'd be great if it was also possible to log/block public setVariable on objects.

It'd be great if it was also possible to log/block public setVariable on objects.
setVariable.txt and deleteVehicle.txt are all we need to prevent cheater attacks on the server.

setVariable.txt and deleteVehicle.txt are all we need to prevent cheater attacks on the server.

It looks like the mpeventhandler.txt mentioned above can block deleteVehicle. I'm not sure about setVariable.


I do hope people posting in this thread realize that while scripts.txt is client side, the rest, namely remoteexec.txt, publicVariable.txt, publicVariableVal.txt, mpeventhandler.txt, createVehicle.txt, setpos.txt and setDamage.txt, are server side!

Working sets from me are available there (for DayZ): http://code.google.com/p/dayz-community-banlist/source/browse/filters

Also be sure you run the latest betas for security reasons: http://forums.bistudio.com/showthread.php?140521-ARMA-2-OA-beta-build-97332-(1-62-MP-compatible-build-post-1-62-release) or newer.

---------- Post added at 15:57 ---------- Previous post was at 15:54 ----------

setVariable.txt and deleteVehicle.txt are all we need to prevent cheater attacks on the server.

WIP and discussed

Edited by Dwarden


Any chance we could get some explanation of the new log types? I'm seeing entries in setpos.log for people who I am certain are not scripting so I don't know what I should be looking out for in there, and no idea what should and shouldn't be showing up in any of the others. Also, explaining to server admins who are submitting bans to the CBL that "seagull" showing up in createVehicle does not instantly mean someone is hacking would be good.

That said, your continued work on securing servers both directly through the script detecting system and through the CBL is very much appreciated, scripters keep getting caught and banned and that makes me very happy.


So can we get an update on what these new filters actually do or..... am I just expected to know what all these random lines mean?


setpos gives information about any position change originating from that client against any other object in global space (so not himself).

setdamage is the same but related to damage, and values like 1.000000 indicate use of a script command.

x:y are entity IDs ...

Note: both are WIP and experimental, so use common sense while going through the results ...


So is it safe to assume that anyone found in "setpos" is good to be banned?

So is it safe to assume that anyone found in "setpos" is good to be banned?

Of course not.

Depends on mission, mods and addons as with all other script detections.

Of course not.

Depends on mission, mods and addons as with all other script detections.

Indeed. I should have made it clear I was referring to DayZ.

Indeed. I should have made it clear I was referring to DayZ.

The setpos command is used 25 times in dayz_code. It will be showing up in the logs for perfectly legitimate reasons.


RE: setpos.log

25:507 [11416,3316,54]

So I understand the second block is the coordinates. What are the XX:XX numbers?

