Radioman 6 Posted April 25, 2013 As I wrote before I do have HACKER ID , I BANNED HIM and my server runs since yestrday without problem , of course he can buy next copy of arma 3 alpha - next ID but now I know what should I'm looking for and I will catch him again and again. regards, pkpl You know, you probably just banned an innocent player who didn't understand the concept of the virus. It's spread unwillingly by any and all players, not just hackers. Share this post Link to post Share on other sites
naong 1 Posted April 25, 2013 New version of the hack out - this is not 100% effective any longer. We got a new message with "VE mute 3" at the end. So we had to put a password on the server. Same here. I added following code in Xeno's Domination! 2.99d init.sqf file. But my server have been hacked. "BIS_fnc_MP_packet" addPublicVariableEventHandler {}; BIS_fnc_MP = {}; Share this post Link to post Share on other sites
SPJESTER 10 Posted April 25, 2013 New version of the hack out - this is not 100% effective any longer. We got a new message with "VE mute 3" at the end. So we had to put a password on the server. I wonder what the new protocol he is using to get around it is. I've tried multiple ways with that command that guy posted and haven't had any luck. I don't think its the BIS_fnc_MP anymore. If it is how is it still working even after its told to remove/clear itself. And message to the hacker, You want to remove exec VM from the scripting library, i have to say F U, I don't find making almost every script written completely useless progressive at all.. We need a patch that temporarily disables this BIS command if possible until BattleEye or something. This dude has the entire community on its knees, and the only response is that they are working on it. I sure hope this hacker guy is paying for our server's downtime. Douche Share this post Link to post Share on other sites
Fuzzy Bandit 10 Posted April 25, 2013 New version of the hack out - this is not 100% effective any longer. We got a new message with "VE mute 3" at the end. So we had to put a password on the server. Aye. That might've been us. Only server to be up and running with our latest "anti-hacking" technique with 40/40 players (we had confirmed "infected" players joining with absolutely no consequence). About an hour later this new message appears. Feels like being in the freakin' French Resistance. Share this post Link to post Share on other sites
raggamafia 10 Posted April 25, 2013 There are several more ways to remote exec (BIS_fnc_MPexec f.e.), so the only possibility i see is passwording your servers and wait until BIS releases the announced security features. Give BIS time please, there is so much to discover in the alpha already, not only multiplayer - and there are several good adminned servers out there where you still can play MP without beeing interferred by some premature script-kiddy! Share this post Link to post Share on other sites
djporternz 27 Posted April 25, 2013 Just this minute launched ArmA3 via Steam and it's applied a patch... May be nothing as I can't see any notes about it... Just saying... Share this post Link to post Share on other sites
Radioman 6 Posted April 25, 2013 Just this minute launched ArmA3 via Steam and it's applied a patch... May be nothing as I can't see any notes about it... Just saying... What's your version number? Share this post Link to post Share on other sites
Hud Dorph 22 Posted April 25, 2013 and there are several good adminned servers out there where you still can play MP without beeing interferred by some premature script-kiddy! Excuse me - good adminned servers ??? - How will good adminned servers prevent this ?? The only solution i see atm are pwd - close all public servers and set a pwd. Share this post Link to post Share on other sites
Migebuff 0 Posted April 25, 2013 Same here. I added following code in Xeno's Domination! 2.99d init.sqf file. But my server have been hacked."BIS_fnc_MP_packet" addPublicVariableEventHandler {}; BIS_fnc_MP = {}; What exactly does this script do? It has been some time since I wrote my last script, and I dont know much about the new commands. If I unterstand correctly, it adds an eventhandler which gets triggered if the variable "BIS_fnc_MP_packet" is changed. Thats when he sends his script to the client. Then the eventhandler does nothing. It also overwrites the "BIS_fnc_MP" once. What if he changes BIS_fnc_MP back to a working function? Its only overwritten one time, nothing stops him from overwriting it again. The eventhandler detects that he sent something, but doesn't do anything to the data he stored in "bis_fnc_mp_packet". Shouldnt it be something like this? "BIS_fnc_MP_packet" addPublicVariableEventHandler {hint "bis_mp_packet changed, not good.";BIS_fnc_MP_packet="" }; while {not (BIS_fnc_MP == {}) } do {BIS_fnc_MP = {}; }; I didn't test it, just some thoughts. If he starts using a different function, why not check all bis_functions and change them back if necessary? orgfnc = BIS_fnc_MPexec @! BIS_fnc_MPexec == orgfnc BIS_fnc_MPexec = orgfnc Share this post Link to post Share on other sites
djporternz 27 Posted April 25, 2013 What's your version number? 0.55.104517 Share this post Link to post Share on other sites
SPJESTER 10 Posted April 25, 2013 Thats the developer build number?? ---------- Post added at 10:37 ---------- Previous post was at 10:29 ---------- What exactly does this script do? It has been some time since I wrote my last script, and I dont know much about the new commands. If I unterstand correctly, it adds an eventhandler which gets triggered if the variable "BIS_fnc_MP_packet" is changed. Thats when he sends his script to the client. Then the eventhandler does nothing.It also overwrites the "BIS_fnc_MP" once. What if he changes BIS_fnc_MP back to a working function? Its only overwritten one time, nothing stops him from overwriting it again. The eventhandler detects that he sent something, but doesn't do anything to the data he stored in "bis_fnc_mp_packet". Shouldnt it be something like this? "BIS_fnc_MP_packet" addPublicVariableEventHandler {hint "bis_mp_packet changed, not good.";BIS_fnc_MP_packet="" }; while {not (BIS_fnc_MP == {}) } do {BIS_fnc_MP = {}; }; I didn't test it, just some thoughts. If he starts using a different function, why not check all bis_functions and change them back if necessary? orgfnc = BIS_fnc_MPexec @! BIS_fnc_MPexec == orgfnc BIS_fnc_MPexec = orgfnc Gonna give it a go! You guys can join with me on Oblivious server while i try to implement these! Share this post Link to post Share on other sites
pawelkpl 29 Posted April 25, 2013 You know, you probably just banned an innocent player who didn't understand the concept of the virus. It's spread unwillingly by any and all players, not just hackers. PLS. READ my previous posts and you will see why I DO NOT AGREE WITH YOU. Look at screenshot I did, here: http://postimg.org/image/xd914h9af/ and AGAIN PLS READ MY PREVIOUS POSTS. thank you. Share this post Link to post Share on other sites
fred41 42 Posted April 25, 2013 (edited) What exactly does this script do? It has been some time since I wrote my last script, and I dont know much about the new commands. If I unterstand correctly, it adds an eventhandler which gets triggered if the variable "BIS_fnc_MP_packet" is changed. Thats when he sends his script to the client. Then the eventhandler does nothing.It also overwrites the "BIS_fnc_MP" once. ... "addPublicVariableEventHandler" replaces the original eventhandler code for the public variable "BIS_fnc_MP_packet", with no operation code {}. So that remote executing via BIS_fnc_MP is no longer working. Think, there is a global variable "BIS_fnc_MP_packet" on each machine. If a client is filling and publishing this variable, via publicVariable for example, the change of this global variable will trigger the eventhandler on each adressed machine in the MP network. This public variable may contain data to be processed or code to be executed on the remote machines (script commands). This means "BIS_fnc_MP_packet" addPublicVariableEventHandler {}; protects all machines from executing malicious code, published via "BIS_fnc_MP_packet". But it seems our hacking friend has discovered new, additional ways to transfer code to and execute on other machines. ... no good news ... Edited April 25, 2013 by Fred41 Share this post Link to post Share on other sites
pawelkpl 29 Posted April 25, 2013 ... "addPublicVariableEventHandler" replaces the original eventhandler code for the public variable "BIS_fnc_MP_packet", with no operation code {}.So that remote executing via BIS_fnc_MP is no longer working. Think, there is a global variable "BIS_fnc_MP_packet" on each machine. If a client is filling and publishing this variable, via publicVariable for example, the change of this variable will trigger the eventhandler on each machine connected to the server and receiving this network message. This public variable may contain data or code to be executed on the remote machine (script commands). This means "BIS_fnc_MP_packet" addPublicVariableEventHandler {}; protects all machines from executing malicious code, published via "BIS_fnc_MP_packet". But it seems our hacking friend has discovered new ways to transfer code to and execute on other machines. ... no good news ... The good news is I do have his ID. Share this post Link to post Share on other sites
fred41 42 Posted April 25, 2013 ... and it seems you are running one of the rare working DEV server without PW protection ... By the way, your server runs very well, enjoyed it yesterday again, good work, thanks :) Share this post Link to post Share on other sites
pawelkpl 29 Posted April 25, 2013 ... and it seems you are running one of the rare working DEV server without PW protection ...By the way, your server runs very well, enjoyed it yesterday again, good work, thanks :) thx fred, I checked mission we started yesterday and everything is ok. Share this post Link to post Share on other sites
Migebuff 0 Posted April 25, 2013 ... "addPublicVariableEventHandler" replaces the original eventhandler code for the public variable "BIS_fnc_MP_packet", with no operation code {}.So that remote executing via BIS_fnc_MP is no longer working. Ok, thx for explaining, I didnt know there is already an eventhandler in the original game. Maybe the new patch changes something. There is still no changelog, but it seems they changed some things in functions_f.pbo. Share this post Link to post Share on other sites
Richie 330 Posted April 25, 2013 I see light at the end of the tunnel :) Small first of many stages to reduce MP security vulnerabilities: should no longer be needed to restart the whole game to undo the common functions breach. This should also prevent it from spreading (but does not help the current situation on default branch servers of course). More on the topic in the next SITREP. Source > http://forums.bistudio.com/showthread.php?149636-Development-branch-changelog&p=2381686&viewfull=1#post2381686 Share this post Link to post Share on other sites
raggamafia 10 Posted April 25, 2013 Hey Dorph! We know each other, its me paul from playing with ya on HUD. What i wrote is, that it cant be prevented, only passworded servers will help. And with good adminned servers, i meant servers like yours where there is an admin present most of the time, in case something happens! I think thats the only chance for now! Regards mate ---------- Post added at 12:15 ---------- Previous post was at 12:10 ---------- ... "addPublicVariableEventHandler" replaces the original eventhandler code for the public variable "BIS_fnc_MP_packet", with no operation code {}.So that remote executing via BIS_fnc_MP is no longer working. Think, there is a global variable "BIS_fnc_MP_packet" on each machine. If a client is filling and publishing this variable, via publicVariable for example, the change of this global variable will trigger the eventhandler on each adressed machine in the MP network. This public variable may contain data to be processed or code to be executed on the remote machines (script commands). This means "BIS_fnc_MP_packet" addPublicVariableEventHandler {}; protects all machines from executing malicious code, published via "BIS_fnc_MP_packet". But it seems our hacking friend has discovered new, additional ways to transfer code to and execute on other machines. ... no good news ... No... As i wrote before, the AddPublicVariableEventhandler does NOT overwrite BIS_fnc_MP_packet, it just adds another PVEH. There is no way to remove an eventhandler yet. Only overwriting BIS_fnc_MP, BIS_fnc_MPexec functions COULD help for a short time until the kiddy found another attackvector. So lets wait for a fix and lock servers for now. Latersh Share this post Link to post Share on other sites
maddogx 13 Posted April 25, 2013 I see light at the end of the tunnel :)Small first of many stages to reduce MP security vulnerabilities: should no longer be needed to restart the whole game to undo the common functions breach. This should also prevent it from spreading (but does not help the current situation on default branch servers of course). More on the topic in the next SITREP. Source > http://forums.bistudio.com/showthread.php?149636-Development-branch-changelog&p=2381686&viewfull=1#post2381686 It's a pretty loooooong tunnel but yeah, this is a start. ;) If I understand the changelog correctly, innocent dev version users who become "infected" should no longer be transmitting the malicious code to the next server they join. At least that will reduce the amount of dev version servers that are affected. It will be interesting to see how they fix the root of the issue though. Perhaps some kind of "finalize" command to make global variables read-only. Share this post Link to post Share on other sites
Anton933 10 Posted April 25, 2013 Anyone know how i can do a rollback to version 0.5.102571, i can see the most players are there after this hacking issues.. Share this post Link to post Share on other sites
SavageCDN 231 Posted April 25, 2013 Where's that facepalm.jpg when you need it Would you care to elaborate on that, or are you content with adding nothing of value? Sure... FPDR Share this post Link to post Share on other sites
Radioman 6 Posted April 25, 2013 It will be interesting to see how they fix the root of the issue though. Perhaps some kind of "finalize" command to make global variables read-only. ^ this, oh please for the love of all things holy this..... And whilst they're at it, make publicVariable not affect global variables, but only operate via PVEHs..... Share this post Link to post Share on other sites
fred41 42 Posted April 25, 2013 (edited) No... As i wrote before, the AddPublicVariableEventhandler does NOT overwrite BIS_fnc_MP_packet, it just adds another PVEH. There is no way to remove an eventhandler yet. Only overwriting BIS_fnc_MP, BIS_fnc_MPexec functions COULD help for a short time until the kiddy found another attackvector. Latersh ... even if the name addPublicVariableEventhandler suggest something else, you can't have more then one EH on the same PV at the same time, so it replaces the old EH (by overwriting). Just try it out ... Edited April 25, 2013 by Fred41 Share this post Link to post Share on other sites
Revelation78 10 Posted April 25, 2013 The good news is I do have his ID. Then why don't you and BIS provide that information to Valve and have his Steam ID banned. What this individual is doing is in direct violation of Valve's TOS and thus should have his Steam ID banned. This individual would learn a hard lesson when Steam doesn't allow him to log in anymore... Share this post Link to post Share on other sites
