BattlEye/RCON overide

[Dwarfer]

Hi Guys,

 

I am having some problems with a persistent hacker that keeps managing to get onto the RCon admin slots.

 

17:50:26 BattlEye Server: RCon admin #3 (x.x.x.x:63803) logged in

 

as an example. I have changed the password 3-4 times not both in the BEServer.cfg and config.cfg yet he still manages to get in and then clear the ban list and then get back on.

 

Does anyone know if there is some buffer overrun bug or alike within the 125548 build ??. or can you limit the Rcon admin to specific IP's or change the port just for that ?

 

Thanks

[RC_Robio]

Block his ip from your server if you are running a dedicated box.

https://support.gearhost.com/hc/en-us/articles/200341715-Block-IP-address-with-Windows-Firewall-2008-2012

[Dwarfer]

Thanks @Rc_Robio however he is using one of many of the open VPN's and tunneling IP methods so single IP Block does not work

[RC_Robio]

If you are using BEC, I believe you can whitelist your RCON admins by GUID.

[TNT]

If you are using BEC, I believe you can whitelist your RCON admins by GUID.

i dont think it matters u can log in as admin with out being on the list , im not sure why but you can

[MGT]

Sounds like he's reading memory and getting the admin PW from your config.cfg

[Dwarfer]

@MGT Yeah I think that what he is doing but not sure how. Done a network capture and analyzing at the mo. I hope there isnt some bug that exposes the server passwordAdmin variable. However what i have done is change the RCon password to something diff and this time he hasnt been back **YET**

[cen]

change the name of your config.cfg

[Dwarfer]

@CEN. Thanks I will try that as well... always nice to have multiple things to try :-)