UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.10:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.5:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.2:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.8:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.6:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.14:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.3:0 UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.9:0 srcds_amd[17263]: segfault at 00000010 eip 4d7826ea esp bff3dfec error 4 srcds_amd[18560]: segfault at 0000000e eip 4d7826ea esp bfa3d2ec error 4 srcds_amd[22341]: segfault at 0000000e eip 4d7826ea esp bfdeee9c error 4
I see tons of this on all of my systems that have CS:S on them, not always the same IP. I'm resorting to non-default ports since they are just scanning IP ranges for 27015. Ronny Schedel wrote: > Please don't tell me this is a well known exploit. Sorry, but I don't see > malformed packets in the syslog related to this. > > > >> Check the DMESG. You should see a bunch of malformed packets or UDP >> checksum errors. That's what I see when that stuff happens. It >> sometimes takes quite a few malformed packets/checksum errors before the >> server segfaults. >> >> Ronny Schedel wrote: >> >>> Hello, >>> >>> there is a new spam and crash exploit out there, we have seen it today on >>> our CS:S server. What happend? A player connected and was able to send >>> some >>> spam messages which looked like they came from the server console, the >>> players name is "h 4 x" in the following log. It seems the messages where >>> spammed during the connection, so I suppose he used a proxy to send >>> malformed packets during connection. After his spam, he connected again >>> and >>> crashed the server. >>> >>> Here the console spam: >>> >>> L 11/15/2009 - 17:22:38: "h 4 x<552><STEAM_ID_PENDING><>" connected, >>> address >>> "87.122.42.104:27005" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr >>> dieses Script kaufen?" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added >>> ruhsi643 in Steam" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr >>> dieses Script kaufen?" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added >>> ruhsi643 in Steam" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED" >>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>> dieses Script kaufen?" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>> ruhsi643 in Steam" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "h 4 x<552><STEAM_0:0:17742854><>" STEAM USERID >>> validated >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>> dieses Script kaufen?" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>> ruhsi643 in Steam" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>> dieses Script kaufen?" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>> ruhsi643 in Steam" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>> dieses Script kaufen?" >>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>> ruhsi643 in Steam" >>> L 11/15/2009 - 17:22:40: "h 4 x<552><STEAM_0:0:17742854><>" disconnected >>> (reason "Disconnect by user.") >>> >>> The last log line is: >>> >>> L 11/15/2009 - 17:27:00: "CRASHED BY ruhsi643 ADDET >>> ruhsi<557><STEAM_ID_PENDING><>" connected, address "87.122.42.104:27005" >>> >>> After this line, the server crashed. This is the last line, because we >>> run >>> our server with logflush. >>> >>> Best regards >>> >>> Ronny Schedel >>> >>> >>> _______________________________________________ >>> To unsubscribe, edit your list preferences, or view the list archives, >>> please visit: >>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>> >>> >>> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >> >> > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, please > visit: > http://list.valvesoftware.com/mailman/listinfo/hlds_linux > > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
