Actually, Ronny, this is a pretty well known exploit. Some commands, including "say", will treat commands coming from players with no entity as having come from the console. The reference to a player's entity is null until he or she has "joined the game" (the step after connecting, when the client has loaded everything. There should be a log line or console message when it happens).
This affected TF2 and there were commands that would crash the server since the command expected a valid entity but the entity was null. The solution for me was to write a plugin that blocks all commands coming from players who are not yet in the game except for a known few like vban and vmodenable. There was a script floating around a while back on either this list or the hlds one that showed exactly how to do this exploit. I don't know the command the guy is using to crash your server, but for TF2, I think it was physics_select. There should be a Sourcemod plugin that can show you every command players are running which will give you an idea as to what the exploiter is doing.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ronny Schedel
Sent: Sunday, November 15, 2009 9:23 AM
To: Half-Life dedicated Linux server mailing list
Subject: Re: [hlds_linux] Serious new CSS crash exploit, possible other games affected?

Please don't tell me this is a well known exploit. Sorry, but I don't see malformed packets in the syslog related to this.

> Check the DMESG. You should see a bunch of malformed packets or UDP
> checksum errors. That's what I see when that stuff happens. It
> sometimes takes quite a few malformed packets/checksum errors before the
> server segfaults.
>
> Ronny Schedel wrote:
>> Hello,
>>
>> there is a new spam and crash exploit out there, we have seen it today on
>> our CS:S server. What happened? A player connected and was able to send some
>> spam messages which looked like they came from the server console, the
>> player's name is "h 4 x" in the following log. It seems the messages were
>> spammed during the connection, so I suppose he used a proxy to send
>> malformed packets during connection. After his spam, he connected again and
>> crashed the server.
>>
>> Here the console spam:
>>
>> L 11/15/2009 - 17:22:38: "h 4 x<552><STEAM_ID_PENDING><>" connected, address "87.122.42.104:27005"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "OWNED"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "HACKED"
>> L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "h 4 x<552><STEAM_0:0:17742854><>" STEAM USERID validated
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "HACKED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "OWNED"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Wollt ihr dieses Script kaufen?"
>> L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "Dann added ruhsi643 in Steam"
>> L 11/15/2009 - 17:22:40: "h 4 x<552><STEAM_0:0:17742854><>" disconnected (reason "Disconnect by user.")
>>
>> The last log line is:
>>
>> L 11/15/2009 - 17:27:00: "CRASHED BY ruhsi643 ADDET ruhsi<557><STEAM_ID_PENDING><>" connected, address "87.122.42.104:27005"
>>
>> After this line, the server crashed. This is the last line, because we run
>> our server with logflush.
>>
>> Best regards
>>
>> Ronny Schedel
>>
>> _______________________________________________
>> To unsubscribe, edit your list preferences, or view the list archives,
>> please visit:
>> http://list.valvesoftware.com/mailman/listinfo/hlds_linux
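
Added example, not part of the original thread and not any project's code: a Python check for the log pattern discussed above, counting console-attributed "say" lines logged while a client has connected but not yet joined the game. The "entered the game" log line and the threshold of 3 are assumptions; the sample log is constructed and uses documentation addresses.

```python
import re

# Constructed sample in the log format quoted in the thread (addresses are documentation IPs).
SAMPLE_LOG = '''\
L 11/15/2009 - 17:20:01: "alice<550><STEAM_0:1:1111><>" connected, address "192.0.2.10:27005"
L 11/15/2009 - 17:20:09: "alice<550><STEAM_0:1:1111><>" entered the game
L 11/15/2009 - 17:21:00: "Console<0><Console><Console>" say "map change in 5 minutes"
L 11/15/2009 - 17:22:38: "x<552><STEAM_ID_PENDING><>" connected, address "192.0.2.66:27005"
L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
L 11/15/2009 - 17:22:38: "Console<0><Console><Console>" say "SPAM"
L 11/15/2009 - 17:22:39: "x<552><STEAM_0:0:2222><>" STEAM USERID validated
L 11/15/2009 - 17:22:39: "Console<0><Console><Console>" say "SPAM"
L 11/15/2009 - 17:22:40: "x<552><STEAM_0:0:2222><>" disconnected (reason "Disconnect by user.")
'''

# timestamp, name, userid, steamid, then the event text after the closing quote
EVENT = re.compile(r'^L (\S+ - \S+): "(.*)<(\d+)><([^<>]*)><[^<>]*>" (.*)$')

def find_pre_join_console_say(log_text, threshold=3):
    """Return clients whose connect-to-join window overlapped >= threshold console 'say' lines."""
    pending = {}    # userid -> client that has connected but not yet joined or left
    findings = []
    for line in log_text.splitlines():
        m = EVENT.match(line.strip())
        if not m:
            continue
        stamp, name, uid, _steamid, rest = m.groups()
        if name == "Console" and uid == "0":
            # Real console/rcon "say" is logged the same way, hence the burst threshold.
            if rest.startswith("say "):
                for p in pending.values():
                    p["says"].append(stamp)
        elif rest.startswith("connected, address"):
            pending[uid] = {"userid": uid, "name": name,
                            "address": rest.split('"')[1], "says": []}
        elif rest.startswith(("entered the game", "disconnected")):  # assumed join line
            p = pending.pop(uid, None)
            if p and len(p["says"]) >= threshold:
                findings.append(p)
    # Clients still connecting when the log ends (e.g. the server crashed) count too.
    findings += [p for p in pending.values() if len(p["says"]) >= threshold]
    return findings
```

Each finding carries the connecting client's userid, name and address, which is what an operator needs to correlate with a command-logging plugin or a ban list.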

