Did someone connects with this IP to the server? It seems he has to connect to crash it.
> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.10:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.5:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.2:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.8:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.6:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.14:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.3:0 > UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.9:0 > srcds_amd[17263]: segfault at 00000010 eip 4d7826ea esp bff3dfec error 4 > srcds_amd[18560]: segfault at 0000000e eip 4d7826ea esp bfa3d2ec error 4 > srcds_amd[22341]: segfault at 0000000e eip 4d7826ea esp bfdeee9c error 4 > > > I see tons of this on all of my systems that have CS:S on them, not > always the same IP. I'm resorting to non-default ports since they are > just scanning IP ranges for 27015. > > Ronny Schedel wrote: >> Please don't tell me this is a well known exploit. Sorry, but I don't see >> malformed packets in the syslog related to this. >> >> >> >>> Check the DMESG. You should see a bunch of malformed packets or UDP >>> checksum errors. That's what I see when that stuff happens. It >>> sometimes takes quite a few malformed packets/checksum errors before the >>> server segfaults. >>> >>> Ronny Schedel wrote: >>> >>>> Hello, >>>> >>>> there is a new spam and crash exploit out there, we have seen it today >>>> on >>>> our CS:S server. What happend? A player connected and was able to send >>>> some >>>> spam messages which looked like they came from the server console, the >>>> players name is "h 4 x" in the following log. It seems the messages >>>> where >>>> spammed during the connection, so I suppose he used a proxy to send >>>> malformed packets during connection. After his spam, he connected again >>>> and >>>> crashed the server. >>>> >>>> Here the console spam: >>>> >>>> L 11/15/2009 - 17:22:38: "h 4 x<552><STEAM_ID_PENDING><>" connected, >>>> address >>>> "87.122.42.104:27005" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr >>>> dieses Script kaufen?" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added >>>> ruhsi643 in Steam" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr >>>> dieses Script kaufen?" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added >>>> ruhsi643 in Steam" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED" >>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>> dieses Script kaufen?" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>> ruhsi643 in Steam" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "h 4 x<552><STEAM_0:0:17742854><>" STEAM >>>> USERID >>>> validated >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>> dieses Script kaufen?" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>> ruhsi643 in Steam" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>> dieses Script kaufen?" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>> ruhsi643 in Steam" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>> dieses Script kaufen?" >>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>> ruhsi643 in Steam" >>>> L 11/15/2009 - 17:22:40: "h 4 x<552><STEAM_0:0:17742854><>" >>>> disconnected >>>> (reason "Disconnect by user.") >>>> >>>> The last log line is: >>>> >>>> L 11/15/2009 - 17:27:00: "CRASHED BY ruhsi643 ADDET >>>> ruhsi<557><STEAM_ID_PENDING><>" connected, address >>>> "87.122.42.104:27005" >>>> >>>> After this line, the server crashed. This is the last line, because we >>>> run >>>> our server with logflush. >>>> >>>> Best regards >>>> >>>> Ronny Schedel >>>> >>>> >>>> _______________________________________________ >>>> To unsubscribe, edit your list preferences, or view the list archives, >>>> please visit: >>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>>> >>>> >>>> >>> _______________________________________________ >>> To unsubscribe, edit your list preferences, or view the list archives, >>> please visit: >>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>> >>> >> >> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >> >> > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, > please visit: > http://list.valvesoftware.com/mailman/listinfo/hlds_linux > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
