
New cheat/hack


Relentless


Today, on one of our servers (Bunker1), one of our admins caught a cheater using an advanced aimbot/namescript. The aimbot was, well, an aimbot.

 

The name script, however, was very advanced. It would change the player's name to exactly match another player's name, colors and all, except for one letter. For instance:

|>B<|Suck@fool was |>B<|Svck@fool,

Mantex was Mentex, etc...

 

It was very hard to catch, as normally when you see a player's name you won't notice one letter which is misspelled. Even if you do notice it, you normally assume that they made a mistake changing something, or if it's a regular player, that you were wrong about their name.

 

I am wondering, who should I PM the GUID of this player to? One of our admins manually went through our server log (680 MBs) and found the guy and gave him a server ban. However, we don't think that this will be nearly enough, and that PB should be aware of it to take steps to catch and stop this type of cheat.

 

Also, now that I'm here and on the subject... A couple of weeks ago, we noticed what we thought was an attempt to hack into our servers. We would see one player connect, and then immediately afterwards we would start seeing random names (all white) such as Ah37dk1 or sh7jjf8 connect en masse. When we would kick one of these names, another would immediately connect. We figured out that if you kick the first player who connected, every one of the random names would get disconnected as well. For example:

 

ETPlayer connects.

Immediately after he is fully connected, random names start connecting rapidly. If you kick one of the random names, another just connects. When you kick ETPlayer, every random name is disconnected. It's like the original connecter (in this case ETPlayer) is generating bots or something, and when he is booted all of the bots are as well.

 

Just one more heads up to other server admins.

Edited by Relentless
Link to comment
Share on other sites
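The one-letter lookalike names described in the post above can be flagged automatically rather than by eye. This is an added example, not part of the original thread: it assumes Quake 3 style colour codes (a caret followed by one character), assumes the player names have already been pulled out of the server log, and goes slightly beyond the post by also catching one inserted or deleted character. The sample names are constructed from the ones quoted in the post.

```python
import re
from itertools import combinations

# Assumption: colour codes are a caret followed by one non-caret character.
COLOR_CODE = re.compile(r"\^[^\^]")

def visible(name):
    """Name as other players read it: colour codes stripped, case folded."""
    return COLOR_CODE.sub("", name).casefold()

def within_one_edit(a, b):
    """True if a and b differ by exactly one substitution, insertion or deletion."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a
    i = 0
    while i < len(a) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        return a[i + 1:] == b[i + 1:]   # one substituted character
    return a[i:] == b[i + 1:]           # one extra character in b

def find_lookalikes(names, min_len=4):
    """Return pairs of raw names whose visible forms are one edit apart.

    min_len skips very short names, where one edit is not meaningful.
    """
    seen = {}
    for raw in names:
        seen.setdefault(visible(raw), raw)  # keep first raw spelling seen
    hits = []
    for (va, ra), (vb, rb) in combinations(seen.items(), 2):
        if min(len(va), len(vb)) >= min_len and within_one_edit(va, vb):
            hits.append((ra, rb))
    return hits

# Constructed sample: names as they might appear across a log, colours included.
SAMPLE_NAMES = [
    "^1|>B<|^7Suck@fool", "^1|>B<|^7Svck@fool",
    "Mantex", "Mentex", "ETPlayer", "Ah37dk1", "sh7jjf8",
]

if __name__ == "__main__":
    for original, lookalike in find_lookalikes(SAMPLE_NAMES):
        print(f"possible impersonation: {original!r} <-> {lookalike!r}")
```

A hit only says two names are confusable; which of the pair is the regular player still has to come from GUID history in the logs.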

I would tell whoever your server admins are to get streaming, first of all. At least suggest it. The streaming configs that pbbans puts up are very thorough, and while new cheats come out every day, so do new ways to catch them.

 

PM one of the site admins here with the GUID, and also recommend to your server admin to find the IP of the player and to do a pb-ban-mask on the player. GUIDs are easy enough to replace, but putting a ban on his actual IP with a range is a bit more successful. An example ban: 69.65.31.*, using * as a wild-card to take the place of any number. The last octet of an IP is usually the one that gets replaced when a player tries to change their IP address. This doesn't always hold true, but generally it's a successful way to ban someone.

Link to comment
Share on other sites

Every Bunker Server is streaming. The server this took place on, Bunker1, is streaming via Rep and Hub. 64.34.161.15:27960. I think we have a couple hundred hub catches by now (all servers combined), but am not positive. We have the GUID and the IP as well, as found in server logs.

 

Edit: I just tried, and then remembered. I cannot pm an admin/mod here -_-

 

Edit: Should I just post the GUID/IP here, and then you copy them and edit them out?

Edited by Relentless
Link to comment
Share on other sites

If your servers are streaming, get your Admin to pm the info to the appropriate people here. I would also suggest a demo of this individual would be of use, as it may shed some light on what he's really doing. If possible, also get your admin to send some screen-shots of the individual as well.

Link to comment
Share on other sites

There would be some screenshots/demos, however he manually disconnected. Our campaign writer manually sifted through 680MBs of logs in order to find the player, his GUID, and his IP and then manually added him to the shrubbot banlist. On the server, it was just at that stage where you know something fishy is up, and therefore am about to start demo'ing him. The admin who caught it is not an rcon admin, hence PBSS were out of the question.

 

As for our streaming admins... A couple of months ago the two guys who were the streaming admins left, and there has really been no notice of who the new ones are (and with, at last count, 187 members, it's not the easiest thing to find quickly).

Link to comment
Share on other sites

You guys must have your own forums, and I would think this to be a matter of importance. Perhaps posting the question there would help? Find out who IS in charge, and get them on this matter. Bunker servers have been around for as long as I can remember, and while I haven't visited lately, they were always a great place to frag. It would be a shame to see hackers getting away with things on them.

 

Alternately, I would be more than willing to help; you can PM me the info, and I will gladly forward it to pbbans admin, with a link to this thread. However, more evidence is usually required than just a suggestion, so it may be of little use to them.

 

If the admin that manually added the ban to shrubbot can do so, one would think he'd have access to rcon, as sifting through server logs means he has ftp access, therefore has access to the server.cfg file, which contains the rcon pass. He should be able to pb-ban this individual, as well as grab screen-shots, etc.

Link to comment
Share on other sites

Guess I wasn't clear enough. The admin who caught it is a different admin than the one who searched the logs to ban him.

 

Anyway, I just added you to xfire. Our PB S.A. I found, but he is only active once a week or so on weekends right now.

Link to comment
Share on other sites

Yep, we have come across this style of name changing recently, but not frequently YET... Not got anything worth a ban off the name changers, as they have left quickly once admin/ref go spec... Local ban or kick till we get something worth seeing. We shall keep a big eye open though.

Link to comment
Share on other sites

Exactly, when an admin goes spec they leave. They might also have a spec alert as well, which would really be tough to get legit demos of...

 

Hopefully someone who sees this will be able to get a nice long demo and some screenies of it and some bans can be added to the PB index :rolleyes:

Link to comment
Share on other sites

To catch a spec-alert, it's better to spec the person via free-look. The way I have my servers set, the player-names show above their heads in free-look mode, so you can literally find them on the map and just follow them, without actually spectating them directly. Demo them this way, then have someone spec that individual, and see how they react. That's really about the only possible way to catch them if they have a spec-alert, and to be able to prove it. Worth grabbing about 5 minutes or so of demo, if possible, though.

Link to comment
Share on other sites

I know what program causes this. It's not so much a cheat, it's more of an exploit, if I'm thinking of the right program.

On 2.60 this exploit can cause servers to crash; 2.60b is not affected by the 'crash' part, afaik.

 

Not sure we can do anything about this, however all I can suggest right now is to IP / subnet ban him and to have the SGA of your server contact us.

Link to comment
Share on other sites

  • 1 month later...

Hey, funny I should come across this post, I used to play on your server many many many years ago... but I've seen that name change before, I think it was >B< No 2 server... it's something me and another buddy noticed when we were playing. But to be honest, I thought it was someone just playing around with name changing, but later on I found out it's some script. Something similar exists by using certain characters in a name which will allow you to spam without getting kicked, or something like that.

 

:smooth:

Link to comment
Share on other sites

Oddly enough, someone with this particular type of "hack" has been coming around WT servers as of late, too.

 

Thus far, subnet banning is not working. He just goes ahead and grabs a new IP and GUID and comes back, all in literally less time than it takes to ban him.

 

The hack is advanced, as far as being able to get past any known detections, yet it's easy enough to spot.

 

I'm working on gathering more information on the individual. Getting a decent demo is tough because he/she seems to know when someone is spectating directly or not. Free-look works, but it's more difficult to maintain a good view of the player.

 

Thus far, all I've been able to do successfully is temporarily ban him.

Link to comment
Share on other sites
