  #1  
Unread 18th April, 2004, 09:37 PM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

Tonight some sort of attack has happened against my server.

In a moment a lot of users named Player login. Shortly after that all active players are kicked off the server.

Then I banned those Players' IPs, but it seems that these IPs were IPs of ordinary players.
  #2  
Unread 20th April, 2004, 04:38 AM
titus titus is offline
Killing Spree
 
Join Date: Nov 2003
Posts: 37
Default

There have been at least two fake player exploits. The first one Epic addressed with a patch (2099?) for UT2003 that added a more complicated client negotiation sequence which required the client to receive and reply to a message from the server before being allowed to join a game. The first exploit was publicly released and widely used.

After the patch another fake player exploit was developed but was not released publicly. It affected all versions of UT2003 including the latest patch level. I have not seen it in UT2004 yet. However, I suspected that it would materialize since Epic never fully addressed the issue with UT2003. The problem with the second exploit is that it requires the client to complete the negotiation with the server to add the fake "Player"s. Consequently, the attacker's real IP address is probably disclosed during the attack. Since this type of activity is technically a felony in the U.S., I suspect that the person/people using it are smart enough not to start jamming every server with fake players. Otherwise, the FBI might come knocking on their door.

-titus
  #3  
Unread 20th April, 2004, 05:03 PM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

Well, there exists an exploit for UT2004, since my server's players were knocked off the server again.
  #4  
Unread 20th April, 2004, 05:06 PM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

[code]
Log: SET PLAYER!
ScriptLog: New Player Wite id=f787303f6bdc305fffe5459fb1357155
NetComeGo: Open myLevel 04/20/04 17:54:57 195.56.227.247:1908
Log: Client netspeed is 10000
ScriptLog: [UTSecure] Wite has been secured
Log: [INVALID PACKAGE] Name : OleeBlood (195.56.227.247:1908)
Log: [INVALID PACKAGE] Ban ID : c5c1d75a2fa60fa7096aec37c2c33ea7
Log: [INVALID PACKAGE] GUID : 6FC6362011D87FEC30000B8CB7637684
Log: [INVALID PACKAGE] MD5 : 514a55137f1e6a0d9318a6f44a3d6d3a
Log: [INVALID PACKAGE] Ver. : 3186
Log: SET PLAYER!
ScriptLog: New Player OleeBlood id=c5c1d75a2fa60fa7096aec37c2c33ea7
NetComeGo: Close TcpipConnection 195.56.227.247:1908 04/20/04 17:55:03
NetComeGo: Open myLevel 04/20/04 17:55:03 195.56.227.247:1908
NetComeGo: Open myLevel 04/20/04 17:55:07 195.56.227.247:16238
Log: Client netspeed is 10000
NetComeGo: Open myLevel 04/20/04 17:55:09 62.65.221.15:3168
Log: SET PLAYER!
ScriptLog: New Player OleeBlood id=c5c1d75a2fa60fa7096aec37c2c33ea7
ScriptLog: [UTSecure] OleeBlood has been secured
NetComeGo: Open myLevel 04/20/04 17:55:44 82.38.75.107:3544
NetComeGo: Close TcpipConnection 82.38.75.107:3544 04/20/04 17:55:44
NetComeGo: Open myLevel 04/20/04 17:56:19 82.73.145.115:34517
Log: Client netspeed is 10000
Log: SET PLAYER!
ScriptLog: New Player Dinjo id=32af618f3ba1ef8264f8deefed08553c
NetComeGo: Close TcpipConnection 212.39.112.7:1244 04/20/04 17:56:30
NetComeGo: Close TcpipConnection 80.142.181.213:3370 04/20/04 17:56:31
NetComeGo: Close TcpipConnection 62.163.225.168:32774 04/20/04 17:56:31
NetComeGo: Close TcpipConnection 80.186.46.123:1100 04/20/04 17:56:31
NetComeGo: Close TcpipConnection 212.238.143.10:34195 04/20/04 17:56:32
NetComeGo: Close TcpipConnection 217.126.44.125:1070 04/20/04 17:56:33
NetComeGo: Close TcpipConnection 217.84.71.199:1184 04/20/04 17:56:34
NetComeGo: Close TcpipConnection 217.44.40.222:4056 04/20/04 17:56:37
NetComeGo: Close TcpipConnection 81.107.220.15:3065 04/20/04 17:56:39
ScriptLog: [UTSecure] Dinjo has been secured
NetComeGo: Close TcpipConnection 62.131.191.205:1232 04/20/04 17:56:43
NetComeGo: Close TcpipConnection 62.65.221.15:3156 04/20/04 17:56:44
NetComeGo: Close TcpipConnection 81.218.248.73:1679 04/20/04 17:56:48
NetComeGo: Close TcpipConnection 62.34.10.124:1388 04/20/04 17:56:49
NetComeGo: Open myLevel 04/20/04 17:57:30 217.84.71.199:1340
NetComeGo: Open myLevel 04/20/04 17:57:30 80.186.46.123:1124
NetComeGo: Open myLevel 04/20/04 17:57:30 80.142.181.213:3387
NetComeGo: Open myLevel 04/20/04 17:57:30 195.56.227.247:27068
NetComeGo: Open myLevel 04/20/04 17:57:30 62.163.225.168:32776
NetComeGo: Open myLevel 04/20/04 17:57:30 62.34.10.124:1390
NetComeGo: Open myLevel 04/20/04 17:57:30 62.131.191.205:1234
NetComeGo: Open myLevel 04/20/04 17:57:30 82.73.145.115:34515
NetComeGo: Open myLevel 04/20/04 17:57:30 212.238.143.10:34171
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: Client netspeed is 10000
Log: SET PLAYER!
ScriptLog: New Player Player id=c3ac25f94617df26edf741463069762d
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 82.73.145.115:34515 04/20/04 17:57:36
NetComeGo: Open myLevel 04/20/04 17:57:36 82.73.145.115:34515
Warning: Login failed: Server is already at capacity.
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 212.238.143.10:34171 04/20/04 17:57:36
NetComeGo: Close TcpipConnection 62.163.225.168:32776 04/20/04 17:57:36
NetComeGo: Open myLevel 04/20/04 17:57:36 62.163.225.168:32776
NetComeGo: Open myLevel 04/20/04 17:57:36 212.238.143.10:34171
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 195.56.227.247:27068 04/20/04 17:57:36
NetComeGo: Open myLevel 04/20/04 17:57:37 195.56.227.247:27068
ScriptLog: [UTSecure] Player has been secured
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 80.186.46.123:1124 04/20/04 17:57:38
NetComeGo: Open myLevel 04/20/04 17:57:38 80.186.46.123:1124
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 217.84.71.199:1340 04/20/04 17:57:39
NetComeGo: Open myLevel 04/20/04 17:57:39 217.84.71.199:1340
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 62.131.191.205:1234 04/20/04 17:57:41
NetComeGo: Open myLevel 04/20/04 17:57:41 62.131.191.205:1234
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 62.34.10.124:1390 04/20/04 17:57:45
NetComeGo: Open myLevel 04/20/04 17:57:45 62.34.10.124:1390
NetComeGo: Close TcpipConnection 82.73.145.115:34517 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 195.56.227.247:16238 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 217.84.71.199:1331 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 62.163.225.168:32775 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 80.142.181.213:3375 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 212.238.143.10:34175 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 212.39.112.7:1252 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 62.131.191.205:1233 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 81.218.248.73:1695 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 81.107.220.15:3066 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 62.34.10.124:1389 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 80.186.46.123:1123 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 217.126.44.125:1071 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 217.84.71.199:1313 04/20/04 17:57:56
ScriptLog: Kicking idle player Player
NetComeGo: Close TcpipConnection 80.142.181.213:3387 04/20/04 17:58:17
NetComeGo: Open myLevel 04/20/04 17:58:21 212.39.112.7:1267
[/code]

The exploit begins when a player named 'Player' is on the server.
  #5  
Unread 20th April, 2004, 05:43 PM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

Could OleBlood be the culprit?

If this issue isn't addressed, I'm afraid, many of my regular players (server for 14 players) will be gone.

I also won't be running a dedicated server any more if this exploit is ignored by Epic.
  #6  
Unread 20th April, 2004, 05:47 PM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

[code]
ScriptLog: New Player Player id=c3ac25f94617df26edf741463069762d
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 82.73.145.115:34515 04/20/04 17:57:36
NetComeGo: Open myLevel 04/20/04 17:57:36 82.73.145.115:34515
Warning: Login failed: Server is already at capacity.
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 212.238.143.10:34171 04/20/04 17:57:36
NetComeGo: Close TcpipConnection 62.163.225.168:32776 04/20/04 17:57:36
NetComeGo: Open myLevel 04/20/04 17:57:36 62.163.225.168:32776
NetComeGo: Open myLevel 04/20/04 17:57:36 212.238.143.10:34171
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 195.56.227.247:27068 04/20/04 17:57:36
NetComeGo: Open myLevel 04/20/04 17:57:37 195.56.227.247:27068
ScriptLog: [UTSecure] Player has been secured
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 80.186.46.123:1124 04/20/04 17:57:38
NetComeGo: Open myLevel 04/20/04 17:57:38 80.186.46.123:1124
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 217.84.71.199:1340 04/20/04 17:57:39
NetComeGo: Open myLevel 04/20/04 17:57:39 217.84.71.199:1340
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 62.131.191.205:1234 04/20/04 17:57:41
NetComeGo: Open myLevel 04/20/04 17:57:41 62.131.191.205:1234
Warning: Login failed: Server is already at capacity.
NetComeGo: Close TcpipConnection 62.34.10.124:1390 04/20/04 17:57:45
NetComeGo: Open myLevel 04/20/04 17:57:45 62.34.10.124:1390
NetComeGo: Close TcpipConnection 82.73.145.115:34517 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 195.56.227.247:16238 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 217.84.71.199:1331 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 62.163.225.168:32775 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 80.142.181.213:3375 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 212.238.143.10:34175 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 212.39.112.7:1252 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 62.131.191.205:1233 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 81.218.248.73:1695 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 81.107.220.15:3066 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 62.34.10.124:1389 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 80.186.46.123:1123 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 217.126.44.125:1071 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 217.84.71.199:1313 04/20/04 17:57:56
ScriptLog: Kicking idle player Player
NetComeGo: Close TcpipConnection 80.142.181.213:3387 04/20/04 17:58:17
NetComeGo: Open myLevel 04/20/04 17:58:21 212.39.112.7:1267
[/code]

Could this Player be the one?

He was the only one left on the server after all other were kicked...
  #7  
Unread 20th April, 2004, 11:44 PM
titus titus is offline
Killing Spree
 
Join Date: Nov 2003
Posts: 37
Default

Hmm, I'm not sure. I'm afraid I don't know how to interpret those logs. Several months ago I reported this same problem here but no one had a useful answer. If you solve the problem I would be very interested to know how this exploit works and who is responsible. My UT2003 servers were frequently hit with it but thankfully I have not seen it in UT2004 yet.

Good luck, I know this can be frustrating.

-titus
  #8  
Unread 21st April, 2004, 06:07 AM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

It is frustrating as it happened again this morning when I was checking the server before I went to work.

But curious thing that struck me was, that player 'Kermit' was again on the server at the time of this exploit being used.

I'll have to do a cross check with yesterday's log to see if any other players match with this morning's log that were on the server at the time of this exploit being used.

But by my short term memory Kermit was the only one for me, that was immediately recognized as a person who was on the server at the time of the attack at both times of the event.

I've banned his a$$ for now to see if this helps.

If it doesn't and I keep getting exploited without any fix from Epic, I'm gonna take my UT2004 server down.
I've put in a lot of time, effort and money into this server and I'm not gonna be harassed on my own server by some culprit and can't do nothing about it.
  #9  
Unread 22nd April, 2004, 07:51 PM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

Quote:
Originally Posted by titus
Hmm, I'm not sure. I'm afraid I don't know how to interpret those logs. Several months ago I reported this same problem here but no one had a useful answer. If you solve the problem I would be very interested to know how this exploit works and who is responsible. My UT2003 servers were frequently hit with it but thankfully I have not seen it in UT2004 yet.

Good luck, I know this can be frustrating.

-titus

Well, it looks like I banned the right person.

I cross checked for active players at the time of the events in log files and player Kermit was the only player present in the events. Since I banned Kermit I hadn't had any of the exploit used.
Reply With Quote
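
The cross-check described in the post above, as an added example that is not part of the original thread: it finds mass-disconnect bursts in NetComeGo lines and intersects the addresses active shortly before each one. The thresholds, function names and sample log are assumptions constructed for illustration (documentation-range IPs, not the thread's data).

```python
import re
from datetime import datetime, timedelta

# Open lines carry the timestamp before the address, Close lines after it.
OPEN_RE = re.compile(r"NetComeGo: Open \S+ (\S+ \S+) ([\d.]+):\d+")
CLOSE_RE = re.compile(r"NetComeGo: Close \S+ ([\d.]+):\d+ (\S+ \S+)")
TS_FMT = "%m/%d/%y %H:%M:%S"

def parse(lines):
    """Yield (timestamp, kind, ip) for each NetComeGo Open/Close line."""
    for line in lines:
        if m := OPEN_RE.search(line):
            yield datetime.strptime(m[1], TS_FMT), "open", m[2]
        elif m := CLOSE_RE.search(line):
            yield datetime.strptime(m[2], TS_FMT), "close", m[1]

def find_incidents(events, min_ips=3, window=timedelta(seconds=2)):
    """Start times of bursts where >= min_ips distinct IPs close within window."""
    closes = sorted((t, ip) for t, kind, ip in events if kind == "close")
    incidents, i = [], 0
    while i < len(closes):
        burst = [c for c in closes[i:] if c[0] - closes[i][0] <= window]
        if len({ip for _, ip in burst}) >= min_ips:
            incidents.append(closes[i][0])
            i += len(burst)
        else:
            i += 1
    return incidents

def present_at_every_incident(events, incidents, lookback=timedelta(minutes=5)):
    """IPs with any connection activity in the lookback window before each burst."""
    seen = [{ip for t, _, ip in events if inc - lookback <= t <= inc} for inc in incidents]
    return set.intersection(*seen) if seen else set()

# Constructed sample: two mass-kick bursts on different days.
SAMPLE_LOG = """\
NetComeGo: Open myLevel 04/20/04 17:55:03 203.0.113.7:3387
Log: Client netspeed is 10000
NetComeGo: Close TcpipConnection 192.0.2.10:1908 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 192.0.2.11:1100 04/20/04 17:57:49
NetComeGo: Close TcpipConnection 192.0.2.12:3168 04/20/04 17:57:49
NetComeGo: Open myLevel 04/21/04 06:00:00 192.0.2.10:1910
NetComeGo: Close TcpipConnection 192.0.2.10:1910 04/21/04 06:05:00
NetComeGo: Open myLevel 04/21/04 07:28:00 203.0.113.7:3390
NetComeGo: Close TcpipConnection 198.51.100.20:1200 04/21/04 07:30:10
NetComeGo: Close TcpipConnection 198.51.100.21:1201 04/21/04 07:30:10
NetComeGo: Close TcpipConnection 198.51.100.22:1202 04/21/04 07:30:10
""".splitlines()
EVENTS = list(parse(SAMPLE_LOG))
```

The result is a shortlist for review, not proof: a regular who happens to be online during every burst will appear in it too, which is why the intersection gets more useful with each additional incident.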
  #10  
Unread 23rd April, 2004, 07:05 AM
titus titus is offline
Killing Spree
 
Join Date: Nov 2003
Posts: 37
Default

Excellent news! Glad to hear you caught the culprit. "Fake player" exploits annoyed me several times last year.

-titus
  #11  
Unread 23rd April, 2004, 02:48 PM
slimjack slimjack is offline
Rampage
 
Join Date: Mar 2004
Location: Dallas, TX
Posts: 79
Default

Any way to post IP so we can ban as well?

I'm starting a cheater log on my site of booted cheaters (AntiTCC) and exploiters and wouldn't mind keeping him off of my server.
__________________
SlimJack
www.silentlightning.net
www.silentmech.com

UT2k4 Server: UT2004://216.37.64.68:7777
  #12  
Unread 24th April, 2004, 06:24 AM
AndY1 AndY1 is offline
Rampage
 
Join Date: Mar 2004
Posts: 53
Default

His IP is 80.142.181.213 and apparently he has a static IP.

I have ModUTSecure installed to kick/ban cheaters and it works well.
  #13  
Unread 1st May, 2004, 05:21 AM
BadCompany BadCompany is offline
Godlike
 
Join Date: Mar 2004
Posts: 295
Default

Quote:
Originally Posted by AndY1
Could OleBlood be the culprit?

If this issue isn't addressed, I'm afraid, many of my regular players (server for 14 players) will be gone.

I also won't be running a dedicated server any more if this exploit is ignored by Epic.

I've seen this on our server before, the login with the INVALID PACKAGES is prolly your man. AntiTCCLite 1.12 stopped the guy cold before he could set up and do his mischief.
  #14  
Unread 1st May, 2004, 05:27 AM
BadCompany BadCompany is offline
Godlike
 
Join Date: Mar 2004
Posts: 295
Default

Quote:
Originally Posted by AndY1
His IP is 80.142.181.213 and apparently he has a static IP.

I have ModUTSecure installed to kick/ban cheaters and it works well.

BTW, as some poster in another thread pointed out, breaching security/denial of service (which is what cheats are), and addition and/or deletion of files are felonies in the good ol' USA. I'm not suggesting that admins make federal cases out of cheats on their servers, but a complaint to the cheater's ISP might be a good step to take.