
Hacked by a player with no ID


539 replies to this topic

#1 Richie

Richie

    Staff Sergeant

  • Members
  • 401 posts

Posted 23 April 2013 - 17:12

Hello,

My server has been hacked by some little knob with no player ID and he somehow managed to inject a .vdf file inside of my A3 directory.

One of our regular players reported that a new message was displayed on joining the server, The message reads

Thank you BIS for making my hacking life so much easier. This BIS_fnc_MP command is just what i need to screw people up. Why don't you go bitch on the forums about it? Hmmm ... it's not exactly hacking anymore, now that it's a feature ...

Screen shot of the message > http://i36.tinypic.com/1z4bspi.png

There was also another error message that i hadn't seen before

Cannot open object a3\air_f\gbu12fly.p3d


After checking my A3 installation i noticed a file had been injected in my A3 directory, The file name was installscript.vdf
I still have the file but i won't post its contents publicly, If a moderator or someone from BE wants it i'll send it :)

The player had no game ID, I can't ban someone with no ID :confused:
All i have is
16:10:43 STSu*EroMusha uses modified data file
16:10:43 Player STSu*EroMusha connecting.
16:10:44 Player STSu*EroMusha kicked off - too big custom file 'face.jpg' (83659 B > 10 B).
16:10:44 Player STSu*EroMusha disconnected.
It had to be him/her as nobody else was online and the previous player i can vouch for.

I have VerifySignatures = 2; in my server.cfg so what else can i do ?
No doubt the little knob will be waiting for this post to get their lulz

Any help would be great to stop this or detect it :)

Edited by Dwarden, 24 April 2013 - 04:03.
there is no file injected ... installscript.vdf is part of install

Clans and solo players always welcome
http://uk-gaming-zone.co.uk/
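
The log lines quoted in the post above can be triaged automatically when the same pattern shows up across sessions or servers. This is an added example, not code from the thread or from BI/BattlEye; it assumes the server console log uses exactly the line shapes quoted in the post, and `parse_events`, `flag_players` and the `ExamplePlayer` lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Line shapes copied from the log excerpt quoted in the post; anything else is ignored.
LINE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}) (?P<msg>.+)$")
PATTERNS = [
    ("modified_data", re.compile(r"^(?P<name>.+) uses modified data file$")),
    ("custom_file_kick", re.compile(
        r"^Player (?P<name>.+) kicked off - too big custom file "
        r"'(?P<file>[^']+)' \((?P<size>\d+) B > (?P<limit>\d+) B\)\.$")),
    ("connecting", re.compile(r"^Player (?P<name>.+) connecting\.$")),
    ("disconnected", re.compile(r"^Player (?P<name>.+) disconnected\.$")),
]
FLAG_KINDS = {"modified_data", "custom_file_kick"}

# Constructed sample: the ExamplePlayer lines are invented, the rest mirror the post.
SAMPLE_LOG = """\
16:02:11 Player ExamplePlayer connecting.
16:09:30 Player ExamplePlayer disconnected.
16:10:43 STSu*EroMusha uses modified data file
16:10:43 Player STSu*EroMusha connecting.
16:10:44 Player STSu*EroMusha kicked off - too big custom file 'face.jpg' (83659 B > 10 B).
16:10:44 Player STSu*EroMusha disconnected.
"""

def parse_events(lines):
    """Return (timestamp, kind, fields) for every line matching a known shape."""
    events = []
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        for kind, pattern in PATTERNS:
            hit = pattern.match(m["msg"])
            if hit:
                events.append((m["ts"], kind, hit.groupdict()))
                break
    return events

def flag_players(lines):
    """Map display name -> [(timestamp, kind)] for integrity-related events.

    The quoted lines carry only a display name, so this is a triage aid
    for correlating sessions, not an identity check.
    """
    flagged = defaultdict(list)
    for ts, kind, fields in parse_events(lines):
        if kind in FLAG_KINDS:
            flagged[fields["name"]].append((ts, kind))
    return dict(flagged)

if __name__ == "__main__":
    for name, hits in flag_players(SAMPLE_LOG.splitlines()).items():
        print(name, hits)
```
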


#2 Dwarden

Dwarden

    BI Developer

  • BI Developer
  • 9617 posts
  • LocationBrno, Czech Republic

Posted 23 April 2013 - 17:26

nothing unexpected
the BIS_fnc_MP https://community.bi...wiki/BIS_fnc_MP
is evolution of TOH's replacement https://community.bi..._On_Helicopters)
of A2/OA old MPF (multiplayer framework) https://community.bi...layer_framework

as Alpha has no security yet, cheating or exploiting ingame scripting and functions is bound to happen

RealTimeChat ~ARMA2 in Your browser (w/o Java), RealTimeChat ~ARMA3 in Your browser (w/o Java),
irc.GameSurge.net/ARMA2 (external IRC clients) irc.GameSurge.net/ARMA3 (external IRC clients)
ARMA 3 Feedback Tracker: http://feedback.arma...y_view_page.php
~100k fans @STEAM ARMA 2 + ARMA 2: OA + ARMA 3: + ~2k @XFIRE A2:OA
Follow my Twitter: http://twitter.com/FoltynD or my Facebook http://facebook.com/FoltynD


#3 Richie

Richie

    Staff Sergeant

  • Members
  • 401 posts

Posted 23 April 2013 - 17:41

* Removed after being informed installscript.vdf is a valid file *

Edited by Richie, 23 April 2013 - 18:24.



#4 MadDogX

MadDogX

    Mindless F@nb0!

  • Moderators
  • 9049 posts

Posted 23 April 2013 - 17:59

Are you sure that this "installscript.vdf" file was put there by a hacker / wasn't there before? According to Google, it seems to be a pretty standard Steam file that can be created in a Steam game's directory.

EDIT: I just checked my test server (which has only been used by me so far) and it also has an installscript.vdf file in the Arma3 directory. Not sure when that got there, but it certainly wasn't put there by a hacker. False alarm, I dare say.

Gigabyte Z97-HD3 Motherboard | Intel Core i5 4690k @ 4.5GHz | NVidia GTX 970
16GB G-Skill Ripjaws 2133MHz RAM | Kingston HyperX SSD | be Quiet! 750W PSU

#5 Richie

Richie

    Staff Sergeant

  • Members
  • 401 posts

Posted 23 April 2013 - 18:06

I don't know if it was there or not before the hack but it had been modified today, all other files and folders had an older date on but the installscript.vdf was the only recently modified file.
Removing it hasn't changed anything and my server is running again.

Can you send me a copy of your installscript.vdf and i'll compare it to the one i have ?

*EDIT*
I got one from someone else, It is a normal file but it was modified today and the time was around the same as the hack.



#6 MadDogX

MadDogX

    Mindless F@nb0!

  • Moderators
  • 9049 posts

Posted 23 April 2013 - 18:11

Sent. Btw. mine wasn't the newest file in the directory, but only a day older than the newest one.


#7 headswe

headswe

    Sergeant

  • Members
  • 115 posts

Posted 23 April 2013 - 18:14

installscript oddly holds the install script.

Aka the steps that you must complete before starting the game..


DirectX,registry stuff.

Nothing wrong with it.
One of the authors of FA_stance
Author of FA_gps
Author of A3/A2 launcher
Contributor to F2/F3

#8 Richie

Richie

    Staff Sergeant

  • Members
  • 401 posts

Posted 23 April 2013 - 18:22

Thanks for the help so far :)

So i now know VerifySignatures = 2; is pointless, It also causes lots of random lag.
Scripters can't be banned because they can join without a player ID, anyone know a way to kick/block a player without an ID ?



#9 Mariodu62

Mariodu62

    Staff Sergeant

  • Members
  • 372 posts

Posted 23 April 2013 - 18:28

hi, Richie
Same issue with our servers can you send me private message, we have 2 servers, using console.log and we had the same user connected to the servers.
it was the last one and each time, the hack was deployed.
So i would like to compare if this could be the same guy.
Thanks

#10 MadDogX

MadDogX

    Mindless F@nb0!

  • Moderators
  • 9049 posts

Posted 23 April 2013 - 18:28

I don't think there's much we can do in that regard until the actual security measures are implemented. As Dwarden keeps repeating, security (including ID checks AFAIK) is currently nonexistent.

Hopefully, the situation will improve once the dedi server is out. (Some time next week, if the latest SITREP is to be believed.)


#11 Profecy

Profecy

    Private First Class

  • Members
  • 12 posts

Posted 23 April 2013 - 18:34

This happened to me a few minutes ago.

Somebody joins my Server that had 40 ppl on it, slowly moves everybody into the sky and kills them one by one over and over and over. Also he starts playing sounds (I wonder how that works O.o) and keeps flashing the message

"I wont stop these attacks until the BIS_fnc_MP command or the BIS scripting library in general are discussed on the forums. No seriously. Go report it. Things will get worse otherwise."

I have my signature verification on 2, so I guess every precaution is in place, but still this person (which I can't identify 100%, I think he's the one that's producing errors in my .rpt about some face texture not being found) manages to get on my Server and execute scripting commands as he pleases ?

If this gets around I might have to close down! Please tell me, is this going to be hotfixed ??
And how can I identify people who are running (or at least trying to run) script commands on my server?

Edited by Profecy, 23 April 2013 - 18:39.


#12 Dwarden

Dwarden

    BI Developer

  • BI Developer
  • 9617 posts
  • LocationBrno, Czech Republic

Posted 23 April 2013 - 19:00

ignore him, just attention jerk, cause it's nothing new, just replace of old functionality with newer , more optimized and powerful
various MP frameworks were part of engine since Arma 1 thru A2 and OA ... even while not perfect it was under BattlEye watchful eye
MPF was then replaced by BIS_fnc_MP in Take On Helicopters and Arma 3 has advanced version of it

so once again I repeat , there is no security in Alpha so this and that script command, function or else can be exploited and abused

and yes, security related 'stuff' will come ...



#13 white

white

    Banned

  • Banned
  • 322 posts

Posted 23 April 2013 - 19:11

is there any possibility of file injecting/server scripting compromise the OS in the current alpha state?
Frames Per Second comparison: http://frames-per-second.appspot.com/

GA-990XA-UD3//AMD X6 @3,75GHZ//WC Antec 620//Mushkin 2x8GB DDR3 1600//Gigabyte 660ti OC//OCZ Agility 4 256GB//Creative XFI Titanium//OCZ Fatality 550w 80 Plus//Zalman Z7 Plus + 4 ADA 85cfm fans.

#14 Profecy

Profecy

    Private First Class

  • Members
  • 12 posts

Posted 23 April 2013 - 20:05

What i would like to know is how to identify somebody who is running unauthorized scripting commands. Is there some kind of Log feature or anything ?

I realize Arma 3 is still just an Alpha version and there are bound to be bugs, but if this goes public and becomes widespread it would really disrupt the gameplay of an otherwise awesome game.

So please tell me how can I identify and ban those people?

#15 Darkpriest667

Darkpriest667

    Rookie

  • Members
  • 5 posts

Posted 23 April 2013 - 21:10

Apparently some jerk who has a hard on to make lives miserable for everyone else is attacking every server and will not stop until someone mentions the 819 or BIS (can't tell because of the in game font) scripting library.



Jackass... a thread has been made.. knock it off.. some of us have limited time to actually play the game. Why don't you email or start a thread yourself instead of griefing the entire community?

#16 Eriksendrul

Eriksendrul

    Private First Class

  • Members
  • 13 posts

Posted 23 April 2013 - 21:10

What is going on ? everyone is dying,everything is exploding and some text appears on the middle of the screen saying the developers have to fix some shit ?

What is this ?

Look at the picture, Wtf

http://i37.tinypic.com/2hquycm.png (321 kB)

Edited by Eriksendrul, 23 April 2013 - 21:15.


#17 DavidLasher

DavidLasher

    Private First Class

  • Members
  • 31 posts

Posted 23 April 2013 - 21:11

What i would like to know is how to identify somebody who is running unauthorized scripting commands. Is there some kind of Log feature or anything ?

I realize Arma 3 is still just an Alpha version and there are bound to be bugs, but if this goes public and becomes widespread it would really disrupt the gameplay of an otherwise awesome game.

So please tell me how can I identify and ban those people?


This issue is killing MP, almost all of the servers have experienced this issue. It would be a shame if we were forced to require passwords and some archaic process for users to acquire these passwords. I don't want lost functionality, but at the same time, we need a hotfix for servers, even in addon format.

#18 Charlie1210

Charlie1210

    Private First Class

  • Members
  • 23 posts

Posted 23 April 2013 - 21:12

especially seeing as it's on all the servers. ugh. Apparently the forums have been hacked as well

#19 Eriksendrul

Eriksendrul

    Private First Class

  • Members
  • 13 posts

Posted 23 April 2013 - 21:16

Well if they can't keep a couple of hackers out why the hell do they sell games ?

#20 Charlie1210

Charlie1210

    Private First Class

  • Members
  • 23 posts

Posted 23 April 2013 - 21:17

Well you have to remember it is still in Alpha they probably haven't got much against this sort of stuff

Yeah all the servers were attacked I checked 5 different ones and everyone reported the same mishap

Edited by Charlie1210, 23 April 2013 - 21:23.