Durendal

Hacker causing all players' clients to crash simultaneously


Hi, I'm an admin for Global Chaos Gaming's Zargabad Life server. On a few rare occasions over the last month or so we've experienced an attack that causes all connected players to crash to desktop. After an occurrence today, I was able to find some unique entries in publicvariable.log at the exact time that are very likely connected to the issue.

Here's an excerpt, but this was run on every player:

16.11.2012 00:22:47: Durandal (**IP**) **GUID** - #0 "ISSE_pub_Pstr_18" = "
  [] spawn {
  BIS_fnc_chk = {  [_this,_this] call BIS_fnc_chk;};
  disableSerialization;
  _display = findDisplay 46;
  _display displayAddEventHandler  ["MouseMoving","_this call BIS_fnc_chk"];
};
 "
16.11.2012 00:22:47: Shane (**IP**) **GUID** - #0 "ISSE_pub_Pstr_14" = "
  [] spawn {
  BIS_fnc_chk = {  [_this,_this] call BIS_fnc_chk;};
  disableSerialization;
  _display = findDisplay 46;
  _display displayAddEventHandler  ["MouseMoving","_this call BIS_fnc_chk"];
};
 "
16.11.2012 00:22:47: Zargero (**IP**) **GUID** - #0 "ISSE_pub_Pstr_11" = "
  [] spawn {
  BIS_fnc_chk = {  [_this,_this] call BIS_fnc_chk;};
  disableSerialization;
  _display = findDisplay 46;
  _display displayAddEventHandler  ["MouseMoving","_this call BIS_fnc_chk"];
};
 "

I'm mostly posting this so it can hopefully be prevented in an upcoming ver. Our server should be fine in the long run, but as far as inconveniencing the playerbase, a forced crash is about as disruptive as it gets.

If anyone has advice for now, or if I need to provide more information specific to our mission please let me know :)


Looks like the script being broadcast is designed to create an infinite recursion loop when the player moves the mouse. That's probably what crashes the game.

One solution could be to block displayAddEventHandler in the publicvariableval.txt. (But only if it isn't required by the mission itself.)


Looks like displayAddEventHandler is used in our mission, albeit in limited capacity. I understand most of how logging/blocking works but haven't begun to use publicvariableval.txt (just publicvariable.txt).

Do you have any other advice or would you be able to point me to a resource to learn more about using publicvariableval.txt? Almost all info I can find on this file is in regards to Day-Z which has very different, specific restrictions.

Thank you, MadDogX!


From what I understand, publicvariable.txt checks the name of a broadcast variable, while publicvariableval.txt checks its value. Btw. even if displayAddEventHandler is used in the mission, you'll be okay to block it in publicvariableval.txt as long as it's not actually broadcast via public variable by a legit script.

And no, unfortunately I haven't found any single resource for learning this stuff either - I've simply been trying to keep up to date with it since the beginning, snatching up bits of info here and there. I don't actually run a server at the moment either, so I'm very far from being an expert on the subject. :)

I'd say your best bet will be to contact Dwarden and ask for the details of one of those server admin Skype channels.


Thanks for your help. Sure enough, nothing with displayAddEventHandler is broadcast, so this will work :)

Edited by Durendal


Sorry to reply to my own post, but I need to reopen this issue as it does not appear to be resolved, and I have a follow-up question:

Since the questionable public variable is set for the players targeted (not the player running the attack) will the victims get kicked instead of the attacker?

> Sorry to reply to my own post, but I need to reopen this issue as it does not appear to be resolved, and I have a follow-up question:
>
> Since the questionable public variable is set for the players targeted (not the player running the attack) will the victims get kicked instead of the attacker?

The attacker will be the first one to broadcast it to the other players, so if his attack is caught it will stop there. No one else should be kicked.

However, there is a possibility that he is using a different vector, for example processInitCommands, to spread malicious code. You will need to figure that out before you take measures against it - ideally you should be logging all events in the various txt files.
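
An added example, not part of the original thread: a log triage script for the entries discussed above. It parses publicvariable.log in the layout shown in the excerpt, flags broadcast values containing displayAddEventHandler, and reports when the same value was set under several variable names within one second. The sample log, player names, IPs and GUIDs are constructed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Header of one publicvariable.log entry, in the layout shown in the excerpt:
# DD.MM.YYYY HH:MM:SS: Name (IP) GUID - #N "variable" = value...
HEADER = re.compile(
    r'^(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}): (?P<name>.+?) '
    r'\((?P<ip>[^)]*)\) (?P<guid>\S+) - #\d+ "(?P<var>[^"]+)" = (?P<val>.*)$')

# Keyword suggested in the thread; SQF command names are case-insensitive.
KEYWORDS = ("displayaddeventhandler",)

def parse_entries(text):
    """Split the log into entries; a value may continue over several lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append(m.groupdict())
        elif entries:
            entries[-1]["val"] += "\n" + line
    return entries

def find_suspicious(text, keywords=KEYWORDS):
    """Return (flagged entries, bursts of one identical value in one second)."""
    flagged, bursts = [], defaultdict(list)
    for e in parse_entries(text):
        value = " ".join(e["val"].split()).lower()  # collapse whitespace
        if any(k in value for k in keywords):
            flagged.append(e)
            bursts[(e["ts"], value)].append(e["var"])
    repeated = [(ts, names) for (ts, _), names in bursts.items() if len(names) > 1]
    return flagged, repeated

# Constructed sample log (placeholder names, documentation-range IPs, fake GUIDs).
SAMPLE_LOG = '''
16.11.2012 00:22:40: PlayerA (192.0.2.10) guid-aaaa - #0 "ISSE_pub_Pstr_3" = "hint 'hello';"
16.11.2012 00:22:47: PlayerB (192.0.2.11) guid-bbbb - #0 "ISSE_pub_Pstr_18" = "
  _display = findDisplay 46;
  _display displayAddEventHandler  ["MouseMoving","_this call BIS_fnc_chk"];
 "
16.11.2012 00:22:47: PlayerC (192.0.2.12) guid-cccc - #0 "ISSE_pub_Pstr_14" = "
  _display = findDisplay 46;
  _display displayAddEventHandler ["MouseMoving","_this call BIS_fnc_chk"];
 "
'''

if __name__ == "__main__":
    hits, repeated = find_suspicious(SAMPLE_LOG)
    for e in hits:
        print(e["ts"], e["name"], e["guid"], e["var"])
    for ts, names in repeated:
        print("same value set under", len(names), "variables at", ts)
```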
