No, they don't connect. Those are all private servers, btw (passworded). They are scanning rcon ports and sending strings of junk at them to flood them out. The rcon ports must listen to all queries whether they are authenticated or not...resulting in them being DOS'd after enough queries.
Ronny Schedel wrote: > Did someone connects with this IP to the server? It seems he has to connect > to crash it. > > > >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.10:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.5:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.2:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.8:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.6:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.14:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.3:0 >> UDP: short packet: From 72.209.158.170:0 0/105 to 69.65.53.9:0 >> srcds_amd[17263]: segfault at 00000010 eip 4d7826ea esp bff3dfec error 4 >> srcds_amd[18560]: segfault at 0000000e eip 4d7826ea esp bfa3d2ec error 4 >> srcds_amd[22341]: segfault at 0000000e eip 4d7826ea esp bfdeee9c error 4 >> >> >> I see tons of this on all of my systems that have CS:S on them, not >> always the same IP. I'm resorting to non-default ports since they are >> just scanning IP ranges for 27015. >> >> Ronny Schedel wrote: >> >>> Please don't tell me this is a well known exploit. Sorry, but I don't see >>> malformed packets in the syslog related to this. >>> >>> >>> >>> >>>> Check the DMESG. You should see a bunch of malformed packets or UDP >>>> checksum errors. That's what I see when that stuff happens. It >>>> sometimes takes quite a few malformed packets/checksum errors before the >>>> server segfaults. >>>> >>>> Ronny Schedel wrote: >>>> >>>> >>>>> Hello, >>>>> >>>>> there is a new spam and crash exploit out there, we have seen it today >>>>> on >>>>> our CS:S server. What happend? A player connected and was able to send >>>>> some >>>>> spam messages which looked like they came from the server console, the >>>>> players name is "h 4 x" in the following log. It seems the messages >>>>> where >>>>> spammed during the connection, so I suppose he used a proxy to send >>>>> malformed packets during connection. After his spam, he connected again >>>>> and >>>>> crashed the server. >>>>> >>>>> Here the console spam: >>>>> >>>>> L 11/15/2009 - 17:22:38: "h 4 x<552><STEAM_ID_PENDING><>" connected, >>>>> address >>>>> "87.122.42.104:27005" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr >>>>> dieses Script kaufen?" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added >>>>> ruhsi643 in Steam" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr >>>>> dieses Script kaufen?" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added >>>>> ruhsi643 in Steam" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED" >>>>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>>> dieses Script kaufen?" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>>> ruhsi643 in Steam" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "h 4 x<552><STEAM_0:0:17742854><>" STEAM >>>>> USERID >>>>> validated >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>>> dieses Script kaufen?" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>>> ruhsi643 in Steam" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>>> dieses Script kaufen?" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>>> ruhsi643 in Steam" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr >>>>> dieses Script kaufen?" >>>>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added >>>>> ruhsi643 in Steam" >>>>> L 11/15/2009 - 17:22:40: "h 4 x<552><STEAM_0:0:17742854><>" >>>>> disconnected >>>>> (reason "Disconnect by user.") >>>>> >>>>> The last log line is: >>>>> >>>>> L 11/15/2009 - 17:27:00: "CRASHED BY ruhsi643 ADDET >>>>> ruhsi<557><STEAM_ID_PENDING><>" connected, address >>>>> "87.122.42.104:27005" >>>>> >>>>> After this line, the server crashed. This is the last line, because we >>>>> run >>>>> our server with logflush. >>>>> >>>>> Best regards >>>>> >>>>> Ronny Schedel >>>>> >>>>> >>>>> _______________________________________________ >>>>> To unsubscribe, edit your list preferences, or view the list archives, >>>>> please visit: >>>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>>>> >>>>> >>>>> >>>>> >>>> _______________________________________________ >>>> To unsubscribe, edit your list preferences, or view the list archives, >>>> please visit: >>>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>>> >>>> >>>> >>> _______________________________________________ >>> To unsubscribe, edit your list preferences, or view the list archives, >>> please visit: >>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >>> >>> >>> >> _______________________________________________ >> To unsubscribe, edit your list preferences, or view the list archives, >> please visit: >> http://list.valvesoftware.com/mailman/listinfo/hlds_linux >> >> > > > _______________________________________________ > To unsubscribe, edit your list preferences, or view the list archives, please > visit: > http://list.valvesoftware.com/mailman/listinfo/hlds_linux > > _______________________________________________ To unsubscribe, edit your list preferences, or view the list archives, please visit: http://list.valvesoftware.com/mailman/listinfo/hlds_linux
