From your graph it seems like you are on NFO; the best action to take would have been getting a network snapshot while the server was being taken down.

On 3/2/2014 5:12 AM, Mitchell Huang wrote:
Thanks for the suggestions. Although we are more concerned about making
sure everyone including Valve is aware that a new server exploit might be
in the wild.

And besides, every time we have to deal with AKARaccoon he just comes back
with a new dynamic IP. We'd rather just have this exploit patched than have
to deal with him repeatedly.

We are not 100% sure this is an exploit but based on his Reddit account
history he seems to be very good at creating hacks. He is also
apparently the creator of "MVMBot" which is a bot that adds people to an
MVM game and aimbots everything so they win.

He seems to know what he's doing and like every other hacker, comes off as
a narcissistic self righteous asshole. He's probably subscribed to this
mailing list too so AKARaccoon if you're reading this: go fuck yourself :-)

On Sunday, March 2, 2014, ics <[email protected]> wrote:

Drop packets from his ip with iptables. See if he can do any crashing
after that.

-ics

Mitchell Huang wrote:

Late Saturday night (2014-03-02), AKARaccoon (
http://steamcommunity.com/id/AKARaccoon,
http://www.reddit.com/user/AKARacooon, IP 70.192.16.230) joined our server
on alts and started aimbotting. After we banned a couple of his accounts,
he said, at 01:07:41 EDT:


"Hey faggot, I don't like being kicked. Server goes down for you now. <3"


The server then immediately crashed and was unreachable. Initially, we
assumed it was a DDoS, however the network logs showed nothing out of the
ordinary.


Server network graph (times are in PDT): http://i.imgur.com/Otip5JW.png


Very normal network logs for a TF2 server... no more than 5Mbit traffic
the entire time.

There is also nothing unusual in the SRCDS logs. No RCON login attempts or
anything out of the ordinary.


After the first crash, he reconnects as "BAN ME NOW FAGGOT"
(STEAM_0:1:84052152) and says:


"CRSAH"

"I crashed the server."

"Faggot admins wanna try and ban me."

"Lol, no."

"I always win."

"Faggots."


We then kicked and banned him again at 01:11:10 EDT, and the server again
crashed within a couple of minutes of his ban. After shutting down all
connections to the server and looking through our logs, we found suspicious
segfaults coinciding with the server crashes:


Mar  2 01:08:09 ny kernel: [593389.393517] srcds_linux[19195]: segfault at 5b ip 00000000ed2b8b4a sp 00000000ffcb85c0 error 4 in server_srv.so[eccab000+65c000]
Mar  2 01:09:30 ny kernel: [593470.670819] srcds_linux[20799]: segfault at 3ed ip 00000000ed2e3b4a sp 00000000ff822540 error 4 in server_srv.so[eccd6000+65c000]
Mar  2 01:12:26 ny kernel: [593646.211683] srcds_linux[20828]: segfault at 60 ip 00000000ed21fb4a sp 00000000ff862270 error 4 in server_srv.so[ecc12000+65c000]


It looks as if he exploited something in server_srv.so to make the server
crash. We run SRCDS on Linux (Debian stable). We are not sure if Windows
servers are also affected.


We also found a similar post related to him on the Lotus Clan forums dated
Feb 18 where players mentioned that he crashed the server after aimbotting.
However, we doubt it's related to the achievement manager spam the first
poster mentions:


http://forums.gamingterritory.com/topic/28821-ban-request-akaraccoon-server-crashing-god/


Thoughts?
_______________________________________________
To unsubscribe, edit your list preferences, or view the list archives,
please visit:
https://list.valvesoftware.com/cgi-bin/mailman/listinfo/hlds_linux

