Hacking log

[Jey]

We got several hackers on our server today, each time we found that in our logs:

 

"infiSTAR.de Log: SERVER ALERT! (FUNCTIONS BROKEN -[processInitCommands]- RESTART THE SERVER!) | "
"infiSTAR.de Log: SERVER ALERT! (FUNCTIONS BROKEN -[forceEnd]- RESTART THE SERVER!) | "
"infiSTAR.de Log: SERVER ALERT! (FUNCTIONS BROKEN -[endMission]- RESTART THE SERVER!) | "
"infiSTAR.de Log: SERVER ALERT! (FUNCTIONS BROKEN -[failMission]- RESTART THE SERVER!) | "
"infiSTAR.de Log: SERVER ALERT! (Remote Execution found - Ending Mission! #3) | "

 

They banned all the admins online and started messing around with players and then server crashed or no one was able to rejoin the server.

 

Any idea how to prevent this kind of hack ?

Thanks

[DeanReid]

infiSTAR will probably release a patch soon

[Jey]

There's a new hack out since this morning, Rutler v7... it by pass infistar. Nothing we can do at the moment I think...

[Defent]

I think the default buttons to start Ruslter v7 is F3, Tab and Right shift. Try adding them to banned key list.

[Uro]

I think the default buttons to start Ruslter v7 is F3, Tab and Right shift. Try adding them to banned key list.

 

Southpaws are gonna love you if you blacklist the right shift key :D

[MGT]

OK, a couple of things....

Whitelist all the allowed vehicles in your ahconfig.

Add some popular vehicles to your deletevehicle.txt in your BE files, for example 5 "SUV_" will kick if someone deletes any SUV.

When they use the RE function in Rustler, infiSTAR disconnects the game from the database so no damage is done and you get the restart message on hacklog.

[Jey]

Thanks for the tips MGT, I'm going to try that.

[Externized]

You have to add this to the bottom of your scripts.txt in battleye filters;

5 "(createGroup east)"
5 "_fren  ="
5 "onMapSingleClick \"_setPos = _pos;"
5 "hint \"Ready\""
5 "createUnit" !="BIS_MPF_logic = BIS_MPF_dummygroup createUnit [\"Logic\", [1000,10,0], [], 0, \"NONE\"];" !="_newUnit = _group createUnit [_class,position player,[],0,\"NONE\"];" !="_newUnit = _group createUnit [_class,getMarkerPos \"respawn_west\",[],0,\"NONE\"];" !"\"Sheep\" createUnit [[random 9000,random 9000,0], createGroup EAST,\";"

[itsatrap]

OK, a couple of things....

Whitelist all the allowed vehicles in your ahconfig.

 

sounds like you already have the lidt please share :D

[MGT]

I do, using my phone browser atm, when I'm home I'll upload it, or you can check my pastebin - MGT

[Uro]

http://pastebin.com/QfUec5BG

 

He means this link :D

 

Phone browsing FTL :P

[StiflersM0M]

Maybe someone will buy this hack and bypass the functions in the battleye filters ?

i think about it... but i dont think i will get the menu by itself, so i need to fish the files out of the cache which could be difficult.

[LunatikCH]

I could send you the file, but beware there is a keystealer inside that gets your cd key from the regestry. Pm me if you want to try your luck, i tried but no luck.

About the battleye filters, my friend buyed the hack and we tested every thing on our testserver i have enabled full logging for BE with adding 1 "" to the top of every filter but still no luck... hope infistar will bring a fix soon :)

[StiflersM0M]

I could send you the file, but beware there is a keystealer inside that gets your cd key from the regestry. Pm me if you want to try your luck, i tried but no luck.

About the battleye filters, my friend buyed the hack and we tested every thing on our testserver i have enabled full logging for BE with adding 1 "" to the top of every filter but still no luck... hope infistar will bring a fix soon :)

(I hope i can write on german)

Welches file ? die decrypt ? bin gerade dabei die .dll zu decompilen. mit infistar schreibe ich gerade schon, der ist im urlaub. kommt aber morgen wieder.

[LunatikCH]

(I hope i can write on german)

Welches file ? die decrypt ? bin gerade dabei die .dll zu decompilen. mit infistar schreibe ich gerade schon, der ist im urlaub. kommt aber morgen wieder.

Die .pbo in der die scripts drin sind

[StiflersM0M]

Die .pbo in der die scripts drin sind

schön wärs xD da ist bloß die start datei drinne die das menü staret.... meinst doch ui_addons oder ? soweit ich weiß liegen die direkten scripte in einer .dll im cache.

[LunatikCH]

in den .bin dateien in der pbo ist aber auch so einiges drinn ;)

[StiflersM0M]

in den .bin dateien in der pbo ist aber auch so einiges drinn ;)

did you find anything related ? think they will insert the scripts into the memory.......

[Triage]

Just saw a video on youtube. This isn't good... I hope infistar is aware.

[StiflersM0M]

Just saw a video on youtube. This isn't good... I hope infistar is aware.

Bought it and try to decompile it..... but nothing so far...... only that i know is that a .dll will manage the hack which is placed in temporary files, then if you start arma it load a .pbo where the script executor is in it. and the .dll is written with VS12

[Jey]

Can you tell what is that ? I got almost thousand lines for that guy in my deletevehicle log. Most of the time I found hacker is that log, deleting zombies... but for this one everything is blank. I have no idea what it means.

 

26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:84
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:82
26.08.2014 16:20:23: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:86
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:84
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:82
26.08.2014 16:20:25: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:86
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:84
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:82
26.08.2014 16:20:27: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:86
26.08.2014 16:20:29: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:29: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:29: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:29: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:29: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:31: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:31: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:31: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:31: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:31: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:33: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:33: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:33: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:33: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:33: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:35: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:35: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:35: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
26.08.2014 16:20:35: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:94
26.08.2014 16:20:35: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:92
26.08.2014 16:20:38: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:90
26.08.2014 16:20:38: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:96
26.08.2014 16:20:38: Pall Mall (188.105.140.20:2352) bc468407c07b3dc1b2b2e9062d12e432 - #0 109:88
 

[itsatrap]

Hey

I was on holiday since the day they released it (probably why they released it) till the 28th - the hack is not working anymore ;)

Contact me using email if you need the update and did not get it yet. I don't know why but my server and I are getting ddossed a-lot

Latest update I have is from the 22th