Hacked by a player with no ID

[Richie 330]

Hello,

My server has been hacked by some little knob with no player ID and he somehow managed to inject a .vdf file inside of my A3 directory.

One of our regular players reported that a new message was displayed on joining the server, The message reads

Thank you BIS for making my hacking life so much easier. This BIS_fnc_MP command is just what i need to screw people up. Why don't you go bitch on the forums about it? Hmmm ... it's not exactly hacking anymore, now that it's a feature ...

Screen shot of the message > http://i36.tinypic.com/1z4bspi.png

There was also another error message that i hadn't seen before

Cannot open object a3\air_f\gbu12fly.p3d

After checking my A3 installation i noticed a file had been injected in my A3 directory, The file name was installscript.vdf

I still have the file but i won't post it's contents publically, If a moderator or someone from BE wants it i'll send it :)

The player had no game ID, I can't ban someone with no ID :confused:

All i have is

16:10:43 STSu*EroMusha uses modified data file
16:10:43 Player STSu*EroMusha connecting.
16:10:44 Player STSu*EroMusha kicked off - too big custom file 'face.jpg' (83659 B > 10 B).
16:10:44 Player STSu*EroMusha disconnected.

It had to be him/her as nobody else was online and the previous player i can vouch for.

I have VerifySignatures = 2; in my server.cfg so what else can i do ?

No doubt the little knob will be waiting for this post to get their lulz

Any help would be great to stop this or detect it :)

Edited April 24, 2013 by Dwarden
there is no file injected ... installscript.vdf is part of install

[Dwarden 1125]

nothing unexpected

the BIS_fnc_MP https://community.bistudio.com/wiki/BIS_fnc_MP

is evolution of TOH's replacement https://community.bistudio.com/wiki/BIS_fnc_MP_(Take_On_Helicopters)

of A2/OA old MPF (multiplayer framework) https://community.bistudio.com/wiki/Multiplayer_framework

as Alpha has no security yet, cheating or exploiting ingame scripting and functions is bound to happen

[Richie 330]

* Removed after being informed installscript.vdf is a valid file *

Edited April 23, 2013 by Richie

[maddogx 13]

Are you sure that this "installscript.vdf" file was put there by a hacker / wasn't there before? According to Google, it seems to be a pretty standard Steam file that can be created in a Steam game's directory.

EDIT: I just checked my test server (which has only been used by me so far) and it also has an installscript.vdf file in the Arma3 directory. Not sure when that got there, but it certainly wasn't put there by a hacker. False alarm, I dare say.

[Richie 330]

I don't know if it was there or not before the hack but it had been modified today, all other files and folders had an older date on but the installscript.vdf was the only recently modified file.

Removing it hasn't changed anything and my server is running again.

Can you send me a copy of your installscropt.vdf and i'll compare it to the one i have ?

*EDIT*

I got one from someone else, It is a normal file but it was modified today and the time was around the same as the hack.

[maddogx 13]

Sent. Btw. mine wasn't the newest file in the directory, but only a day older than the newest one.

[headswe 17]

installscript oddly holds the install script.

Aka the steps that you must complete before starting the game..

DirectX,registry stuff.

Nothing wrong with it.

[Richie 330]

Thanks for the help so far :)

So i now know VerifySignatures = 2; is pointless, It also causes lots of random lag.

Scripters can't be banned because they can join without a player ID, anyone know a way to kick/block a player without an ID ?

[mariodu62 5]

hi, Richie

Same issue with our servers can you send me private message, we have 2 servers, using console.log and we had the same user connected to the servers.

it was the last one and each time, the hack was deployed.

So i would like to compare if this could be the same guy.

Thanks

[maddogx 13]

I don't think there's much we can do in that regard until the actual security measures are implemented. As Dwarden keeps repeating, security (including ID checks AFAIK) is currently nonexistent.

Hopefully, the situation will improve once the dedi server is out. (Some time next week, if the latest SITREP is to be believed.)

[Profecy 1]

This happened to me a few minutes ago.

Somebody joins my Server that had 40 ppl on it, slowly moves everybody into the sky and kills them one by one over and over and over. Also he starts playing sounds (I wonder how that works O.o) and keeps flashing the message

"I wont stop these attacks until the BIS_fnc_MP command or the BIS scripting library in general are discussed on the forums. No seriously. Go report it. Things will get worse otherwise."

I have my signature verification on 2, so I guess every precaution is in place, but still this person (which I cant identify 100%, I think he's the one thats producing errors in my .rpt about some face texture not being found) manages to get on my Server and execute scripting commands as he pleases ?

If this gets around I might have to close down! Please tell me, is this going to be hotfixed ??

And how can I idetify people who are running (or at least trying to run) script commands on my server?

Edited April 23, 2013 by Profecy

[Dwarden 1125]

ignore him, just attention jerk, cause it's nothing new, just replace of old functionality with newer , more optimized and powerful

various MP frameworks were part of engine since Arma 1 thru A2 and OA ... even while not perfect it's was under BattlEye watchful eye

MPF was then replaced by BIS_fnc_MP in Take On Helicopters and Arma 3 has advanced version of it

so once again I repeat , there is no security in Alpha so this and that script command, function or else can be exploited and abused

and yes, security related 'stuff' will come ...

[white 1]

is there any possibility of file injecting/server scripting compromise the OS in the current alpha state?

[Profecy 1]

What i would like to know is how to identify somebody who is running unauthorized scripting commands. Is there some kind of Log feature or anything ?

I realize Arma 3 is still just an Alpha verison and there are bound to be bugs, but if this goes public an becomes widespread it would really disrupt the gameplay of an otherwise awesome game.

So please tell me how can I identify and ban those people?

[Darkpriest667 10]

Apparently some jerk who has a hard on to make lives miserable for everyone else is attacking every server and will not stop until someone mentions the 819 or BIS (cant tell because of the in game font) scripting library.

Jackass... a thread has been made.. knock it off.. some of us have limited time to actually play the game. Why don't you email or start a thread yourself instead of griefing the entire community?

[Eriksendrul 10]

What is going on ? everyone is dying,everything is exploding and some text appears on the middle of the screen saying the developers have to fix some shit ?

What is this ?

Look at the picture, Wtf

http://i37.tinypic.com/2hquycm.png (321 kB)

Edited April 23, 2013 by Eriksendrul

[davidlasher 1]

What i would like to know is how to identify somebody who is running unauthorized scripting commands. Is there some kind of Log feature or anything ?

I realize Arma 3 is still just an Alpha verison and there are bound to be bugs, but if this goes public an becomes widespread it would really disrupt the gameplay of an otherwise awesome game.

So please tell me how can I identify and ban those people?

This issue is killing MP, almost all of the servers have experienced this issue. It would be a shame if we were forced to require passwords and some archaic process for users to acquire these passwords. I don't want lost functionality, but at the same time, we need a hotfix for servers, even in addon format.

[charlie1210 39]

especially seeing as its on all the servers. ugh. Apparently the forums have been hacked as well

[Eriksendrul 10]

Well if they cant keep a couple of hackers out why the hell do they sell games ?

[charlie1210 39]

Well you have to remember it is still in Alpha they probably haven't got much against this sort of stuff

Yeah all the servers were attacked I checked 5 different ones and everyone reported the same mishap

Edited April 23, 2013 by Charlie1210

[darthbart 10]

This issue is killing MP, almost all of the servers have experienced this issue. It would be a shame if we were forced to require passwords and some archaic process for users to acquire these passwords. I don't want lost functionality, but at the same time, we need a hotfix for servers, even in addon format.

Also note that this compromises local installations. I entered a few servers with this hack, and now when I go into the Editor and create a mission and then enter Spectator mode / Screenshot mode I experience the same 'message' and animations.

Guess I'll be holding off playing the Alpha until this gets sorted out.

[PhunkeyMonkey 10]

Please stop being such a douchebag, your ruining alot of peoples evenings all in your own private vendetta..

Dont know what the fuck your talking about and i dont care, if its that important talk to the devs on twitter or contact them in some other way

Here, now we the players have announced your dickbag'nes, Happy?.. :mad:

[phronk 898]

Literally every public server for ArmA 3 has been hacked, making all players constantly fly up into the air and eventually die, then the process repeats. Not sure if private/passworded servers were affected. All thanks to a 15 year old who googled how to use scripts in ArmA 3. Congrats.

[Eriksendrul 10]

Its idiotic that this is even lasting for more then 5 minutes. Things like this should not happen alpha or not.

[Darkpriest667 10]

Oh Charlie I didn't know that a gaming being in alpha state was an excuse to be a jerk to the entire community. I hope that BI finds out who this guy is and sues him or at least has him arrested.