iptables -I INPUT -p udp -m string --algo bm --string 'physics_select' -j DROP

Requires: ipt_string firewall module.

That's the IPTables command that fully blocks this attack. Feel free to use
it on your own servers. The attack was generating from a clan called "MIA";
they run a Jailbreak server. They also seem to be attacking anyone who runs
a map with "MIA" in the name from what I can gather. Hopefully this will
help you guys out. Also feel free to block more commands with that as well.

For our Windows counterparts I have no idea what you're going to use.

If this has helped even one person, please show your support by simply
visiting our community, joinuv.com.
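
An added example, not part of the original post: the same string-match rule generalized to a list of strings, with inspection limited to the game port and a rate-limited LOG before each DROP. The port 27015, the chain name SRCDS_FILTER and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Assumed values: UDP port 27015,
# the chain name SRCDS_FILTER and the log prefix are illustrative.
CHAIN="SRCDS_FILTER"                 # hypothetical user-defined chain
SRCDS_PORT="${SRCDS_PORT:-27015}"    # assumed game server listen port
PATTERNS="physics_select"            # string from the post; space-separated list

# Accept only plain console-command tokens so nothing needs shell quoting.
valid_pattern() {
    case "$1" in
        ''|*[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the iptables commands for a port and a list of strings, one per line.
build_rules() {
    port="$1"; shift
    echo "iptables -N $CHAIN"
    for pat in "$@"; do
        valid_pattern "$pat" || { echo "rejected pattern: $pat" >&2; return 1; }
        # Rate-limited LOG first, so matches are recorded without flooding syslog.
        echo "iptables -A $CHAIN -m string --algo bm --string $pat -m limit --limit 6/minute -j LOG --log-prefix srcds-drop:"
        echo "iptables -A $CHAIN -m string --algo bm --string $pat -j DROP"
    done
    # Only UDP addressed to the game port is inspected; other traffic skips the chain.
    echo "iptables -I INPUT -p udp --dport $port -j $CHAIN"
}

case "${1:-}" in
    print) build_rules "$SRCDS_PORT" $PATTERNS ;;
    apply) rules="$(build_rules "$SRCDS_PORT" $PATTERNS)" || exit 1
           printf '%s\n' "$rules" | sh -e ;;
esac
```

Run it with `print` to review the commands, then with `apply` as root; `iptables -L SRCDS_FILTER -v -n` shows the per-rule packet counters afterwards.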

On Wed, Aug 5, 2009 at 3:10 AM, Kenny Loggins <[email protected]> wrote:

> I think I just was hit by the same thing that hit you. Every one of my
> servers just lagged out big-time and I had to restart everything. I was
> watching the person do it server by server..
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Tony Paloma
> Sent: Tuesday, August 04, 2009 9:05 PM
> To: 'Half-Life dedicated Win32 server mailing list'
> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
>
> Several of my servers just lagged severely. I don't know many details, but
> it was on at least three srcds instances roughly the same time on two
> different machines on two different networks. Smells like exploit.
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On Behalf Of Kenny Loggins
> Sent: Tuesday, August 04, 2009 6:53 PM
> To: Half-Life dedicated Win32 server mailing list
> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
>
> Whatever it is I'm getting hit hardcore right after this email went
> out. I hope someone can figure something out.
>
>
> On Aug 4, 2009, at 6:30 PM, Ian <[email protected]> wrote:
>
> > Found something that may be of information to those having their
> > servers crashed before being able to get their IP.
> >
> > http://aluigi.freeforums.org/source-engine-seg-fault-crash-exploit-t993.html
> >
> > Newly discovered exploit. And there is a supposed fix for it for
> > Sourcemod users:
> > http://forums.alliedmods.net/showthread.php?t=93934&page=5
> >
> > Post 43 is where you want to look. The rcon_lock plugin updated just
> > days after the exploit was discovered.
> >
> > Hope this helps.
> >
> > - Ian
> >
> >
> >
> >
> > Tony Paloma wrote:
> >> Interesting. After it crashes, it makes the same trace? Could be two
> >> unrelated crashes.
> >>
> >> -----Original Message-----
> >> From: [email protected]
> >> [mailto:[email protected]] On Behalf Of Kyle Sanderson
> >> Sent: Tuesday, August 04, 2009 2:01 AM
> >> To: Half-Life dedicated Win32 server mailing list
> >> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
> >>
> >> Tony, as far as I can tell this is the case.
> >>
> >> One of my admins who was looking in HLSW found this a second before the
> >> server crashed.
> >> 00:09:09 L 08/02/2009 - 17:43:43: "Add serverdown to friends to
> >> bu<286><STEAM_ID_PENDING><>" connected, address "75.39.129.249:27005"
> >>
> >> Anyways, Yes. This is most definitely related.
> >> Kyle.
> >>
> >> On Sun, Aug 2, 2009 at 2:58 PM, Steven Crothers
> >> <[email protected]> wrote:
> >>
> >>> I'm not sure what the command is, but I'm 99% positive it was the last
> >>> person for my servers... one of the community members egged him on and
> >>> there are some xfire logs to substantiate the accusations.
> >>> Something else I noticed, when his steam ID finally resolves, it's been
> >>> resolving with really low IDs - and not always the same. Like 42, 31, 29
> >>> etc.
> >>>
> >>> On Sat, Aug 1, 2009 at 7:40 PM, Tony Paloma <[email protected]>
> >>> wrote:
> >>>
> >>>
> >>>> I'm not so sure it's the fault of the last person to connect. You think
> >>>> it's because of a command? Do you know what the command is?
> >>>>
> >>>> -----Original Message-----
> >>>> From: [email protected]
> >>>> [mailto:[email protected]] On Behalf Of Steven Crothers
> >>>> Sent: Saturday, August 01, 2009 4:02 PM
> >>>> To: Half-Life dedicated Win32 server mailing list
> >>>> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
> >>>>
> >>>> I've gotten the same crash on my servers today. I've been harvesting his
> >>>> IPs (I can't confirm they are all him, but I've been banning the last
> >>>> connector before each crash) and blocking him via iptables.
> >>>> I'm getting one of my modders to work on an SM mod to attempt to block the
> >>>> console commands he's running. However, is there any word from Valve on the
> >>>> subject?
> >>>>
> >>>> On Thu, Jul 30, 2009 at 12:26 PM, Kenny Loggins
> >>>> <[email protected]> wrote:
> >>>>
> >>>>> No I didn't check that and no crashes since yesterday. Turns out it was a
> >>>>> strange crash from a new plugin (No errors were kicked out at all) since no
> >>>>> errors were ever kicked out I just assumed that it was something or someone
> >>>>> external. That's what I get for assuming I guess :|
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected]
> >>>>> [mailto:[email protected]] On Behalf Of Tony Paloma
> >>>>> Sent: Thursday, July 30, 2009 10:10 AM
> >>>>> To: 'Half-Life dedicated Win32 server mailing list'
> >>>>> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
> >>>>>
> >>>>> Have you even checked the stack trace?
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected]
> >>>>> [mailto:[email protected]] On Behalf Of Kenny Loggins
> >>>>> Sent: Thursday, July 30, 2009 1:30 AM
> >>>>> To: 'Half-Life dedicated Win32 server mailing list'
> >>>>> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
> >>>>>
> >>>>> Ok I'm going to recant this because I need to look more into it. I'm not
> >>>>> 100% sure it's related to anything external right now.
> >>>>>
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected]
> >>>>> [mailto:[email protected]] On Behalf Of Kenny Loggins
> >>>>> Sent: Thursday, July 30, 2009 12:57 AM
> >>>>> To: 'Half-Life dedicated Win32 server mailing list'
> >>>>> Subject: Re: [hlds] ClipRayToVPhysics crash and other related crash
> >>>>>
> >>>>> Any headway on this? Some douchebag has been crashing my servers for the
> >>>>> past 2 days now and today was really bad (20+ crashes)
> >>>>>
> >>>>> -----Original Message-----
> >>>>> From: [email protected]
> >>>>> [mailto:[email protected]] On Behalf Of Tony Paloma
> >>>>> Sent: Sunday, July 19, 2009 8:33 PM
> >>>>> To: 'Half-Life dedicated Win32 server mailing list'
> >>>>> Cc: 'Eric Smith'
> >>>>> Subject: [hlds] ClipRayToVPhysics crash and other related crash
> >>>>>
> >>>>> Lately, I've been getting crashes in the ClipRayToVPhysics function and
> >>>>> other physics related functions. It's been occurring on more than one
> >>>>> server and seems to happen more often recently. The increasing frequency
> >>>>> leads me to believe that it could be some kind of exploit. I do not run
> >>>>> SourceMod.
> >>>>>
> >>>>> Here are some sample stack traces.
> >>>>>
> >>>>> #0  0xf771310c in CEngineTrace::ClipRayToVPhysics ()
> >>>>>  from /home/srcds/tf2server/orangebox/bin/engine_i486.so
> >>>>> #1  0xf77148f3 in CEngineTrace::ClipRayToCollideable ()
> >>>>>  from /home/srcds/tf2server/orangebox/bin/engine_i486.so
> >>>>> #2  0xf7715005 in CEngineTrace::TraceRay ()
> >>>>>  from /home/srcds/tf2server/orangebox/bin/engine_i486.so
> >>>>> #3  0xf5b67c04 in CTFSniperRifle::UpdateSniperDot ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #4  0xf5b6a8a2 in CTFSniperRifle::ItemPostFrame ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #5  0xf55735ce in CBasePlayer::ItemPostFrame ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #6  0xf5af971c in CTFPlayer::ItemPostFrame ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #7  0xf57aeef8 in CBasePlayer::PostThink ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #8  0xf5ae1dba in CTFPlayer::PostThink ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #9  0xf57c6872 in CPlayerMove::RunPostThink ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>> #10 0xf57c83ba in CPlayerMove::RunCommand ()
> >>>>>  from /home/srcds/tf2server/orangebox/tf/bin/server_i486.so
> >>>>>
> >>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> To unsubscribe, edit your list preferences, or view the list
> >>>>> archives,
> >>>>> please visit:
> >>>>> http://list.valvesoftware.com/mailman/listinfo/hlds