sv_allowdownload -1 reply


Tricky2Ufellow

[B'Y'B]Clan Leader

50 XP

9th July 2006

0 Uploads

67 Posts

0 Threads

#11 12 years ago

Commando, I got hijacked this YEAR & 3 days later another Clan got the same treatment, by a Hacker Clan that got in from us leaving AutoDownload ON. They even uploaded files to my Base folder with 0KB; for example mp.pk3 should be 30,979kb but was ZERO kb, which screwed me all up. Had to reinstall all server files, everything. I couldn't chance that they planted some spy file on me. Do it at your own risk is all I will say further on it. HRBEK, it must exist somewhere. Did you look in both folders, BASE & Rocmod?




HRBEK

I'm Too Cool To Post!

50 XP

20th December 2005

0 Uploads

98 Posts

0 Threads

#12 12 years ago

Maybe it's a fault with my RocMod because no such file exists. What version of RocMod do you use to enable bots Tricky? Do you use a 'Noble' one? Thanks, HRBEK.




Goody. Advanced Member

Former Network Admin and Former Forum Admin

98,491 XP

25th July 2005

4 Uploads

8,392 Posts

3 Threads

#13 12 years ago

2.1c has bot support but you need the fixes by RevTed. All of these can be found on soffiles.




HRBEK

I'm Too Cool To Post!

50 XP

20th December 2005

0 Uploads

98 Posts

0 Threads

#14 12 years ago

I think I may have identified the problem. I haven't seen anyone on my server having trouble with that rocmod.pk3 for a little while now. I'll post here again if the problem arises again, haha. Thanks for trying to help out guys! Thanks, HRBEK.




Tricky2Ufellow

[B'Y'B]Clan Leader

50 XP

9th July 2006

0 Uploads

67 Posts

0 Threads

#15 12 years ago

I rent from Noble but nice thing is he will load any public mod. I run Rocmod 2.1c w/bots on all five of my servers.




Commando.DK

Alliance of Veterans

50 XP

21st September 2008

0 Uploads

113 Posts

0 Threads

#16 12 years ago
[quote=Tricky2Ufellow;4675268]Commando I got HIjacked this YEAR & 3 days later another Clan got the same treatment. By a Hacker Clan that got in from us leaving AutoDownload ON. They even uploaded files to my Base folder with 0KB example mp.pk3 should be 30,979kb was ZERO kb screwed me all up.[/quote]

I think you are actually more right than you know. Not only did the hackers manage to 'hijack' your server. In a sense, they did also hijack YOU. - More specifically, they hijacked your beliefs. Actually that would not be so bad, if it did not cause you to aid the hackers unwillingly by spreading the misguided information to other users on a community forum like a virus. In this case the harm of that virus is that other uninsightful admins will switch off auto-download unnecessarily, which hinders mods from reaching the players, which in turn hinders the game from developing, which is direly needed for a game of this age to stay alive.

The weakness lets hackers *download* arbitrary files from the server. The hacker must however guess the relative location and filename in order to request a given file for download. It does however *not* provide a way for clients to upload files to the server, because guess what? - It's a d-o-w-n-l-o-a-d facility. If somebody uploaded files to your server Lisa, then they did not do it with the auto-download facility.

But you are right that admins should not have auto-download enabled, IF they can't help archiving their rconPassword to sof2mp.cfg because they don't know the difference between set and seta, and/or IF they can't help saving it in their own config files, WHICH they can't for some reason give a name that the hackers can't easily guess, and especially IF they then insist on having the same password on their site administration or FTP access so that the hackers can access those once they have downloaded the rconPassword in a cfg file. - Yeah, those admins should probably not have auto-downloads enabled.

For the real admins out there (you probably already know this, but just for the heck of it):

Do not have the same password on rcon that you use anywhere else (because you can not expect a gameserver password to be treated with the same security as say, a password for FTP or a subscription account).

Do not store your rconPassword in any file that hackers will (likely) try to download with this exploit. Set it from the command-line or manually in the console.

NEVER set your rconPassword with seta. Seta marks a cvar for archiving to sof2mp.cfg, which will set it with seta after each server restart, which will mark it for archiving, and so forth until you delete it from that file.
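The two failure modes described in this thread (a password-bearing .cfg sitting in a folder clients can request files from, and a pk3 in the base folder that has been replaced by a zero-byte file, as in post #11) are both things an admin can check for offline. The following audit script is an added example, not code from the thread or from any SoF2 or RocMod release; it assumes only the base/ and rocmod/ folder names mentioned in the thread and the Quake3-style `set`/`seta` config syntax, and every file it scans is constructed inside a temporary directory by the demo.

```python
"""Offline audit of a SoF2-style server tree for the two problems the thread describes:
rconPassword stored in a downloadable .cfg (worse when archived with seta) and zero-byte pk3s."""
import re
import tempfile
from pathlib import Path

# Quake3-family cvar lines: `set name "value"` or `seta name "value"`. seta marks the cvar
# for archiving, so the value is rewritten into sof2mp.cfg at every server shutdown.
CVAR_RE = re.compile(r'^\s*(set|seta)\s+(\S+)', re.IGNORECASE)


def scan_cfg(cfg_path):
    """Return (line_number, command) for every line that sets rconPassword in one .cfg file."""
    hits = []
    with open(cfg_path, encoding="utf-8", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = CVAR_RE.match(line)
            if m and m.group(2).lower() == "rconpassword":
                hits.append((lineno, m.group(1).lower()))
    return hits


def audit_server(root, mod_dirs=("base", "rocmod")):
    """Walk the mod folders a client may download from and collect findings.

    Returns a dict with:
      password_in_cfg: list of (relative_path, line_number, "set" | "seta")
      empty_pk3:       list of relative paths of zero-byte .pk3 files
    The relative paths are the same names a download request would have to guess.
    """
    root = Path(root)
    report = {"password_in_cfg": [], "empty_pk3": []}
    for mod in mod_dirs:
        mod_dir = root / mod
        if not mod_dir.is_dir():
            continue
        for path in sorted(mod_dir.rglob("*")):
            if not path.is_file():
                continue
            rel = path.relative_to(root).as_posix()
            suffix = path.suffix.lower()
            if suffix == ".cfg":
                for lineno, cmd in scan_cfg(path):
                    report["password_in_cfg"].append((rel, lineno, cmd))
            elif suffix == ".pk3" and path.stat().st_size == 0:
                report["empty_pk3"].append(rel)
    return report


def build_sample_tree(root):
    """Write a constructed server tree (not real server files) for the demo."""
    root = Path(root)
    (root / "base").mkdir(parents=True, exist_ok=True)
    (root / "rocmod").mkdir(parents=True, exist_ok=True)
    # Archived config: the pattern the thread warns about (seta keeps re-archiving the password).
    (root / "base" / "sof2mp.cfg").write_text(
        'seta sv_hostname "demo"\nseta rconPassword "constructed-secret"\n')
    # The admin's own startup config using set: not archived, but still downloadable.
    (root / "base" / "server.cfg").write_text(
        'set sv_allowdownload "1"\nset rconPassword "constructed-secret"\n')
    # A pk3 truncated to zero bytes, like the mp.pk3 described in post #11.
    (root / "base" / "mp.pk3").write_bytes(b"")
    # A healthy pk3 stand-in with some content (constructed bytes, not a real archive).
    (root / "rocmod" / "rocmod.pk3").write_bytes(b"PK\x03\x04constructed")
    return root


def run_demo():
    """Build the sample tree in a temp dir, audit it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_server(build_sample_tree(tmp))


if __name__ == "__main__":
    rep = run_demo()
    for rel, lineno, cmd in rep["password_in_cfg"]:
        print(f"rconPassword in downloadable file {rel}:{lineno} ({cmd})")
    for rel in rep["empty_pk3"]:
        print(f"zero-byte pk3: {rel}")
```

Run against a real server tree with `audit_server("/path/to/sof2")`; a `seta` hit in sof2mp.cfg means the password will keep coming back after every restart until the line is removed and the cvar is set from the command line or console instead, and any zero-byte pk3 is a reason to verify the install rather than trust it.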




HRBEK

I'm Too Cool To Post!

50 XP

20th December 2005

0 Uploads

98 Posts

0 Threads

#17 12 years ago

Ah I see... I should have figured that Noble wasn't a Mod variation (seeing as you use Noble Computing for your site). The server has seen a bit more traffic recently. I am aware about the hackers and yes I have heard about such things happening before. I will leave 'sv_allowdownload' on for a little while. But I won't do it for long. Just for those who do not have RocMod and whatever else. Thanks for your help everyone! Thanks, HRBEK.




Dark Saint

How many dogs are Pb'd?Maybe 2

50 XP

30th April 2004

0 Uploads

8,040 Posts

0 Threads

#18 12 years ago

[quote=Commando.DK;4678827]I think you are actually more right than you know. Not only did the hackers manage to 'hijack' your server. In a sense, they did also hijack YOU. - More specifically, they hijacked your beliefs. Actually that would not be so bad, if it did not cause you to aid the hackers unwillingly by spreading the misguided information to other users on a community forum like a virus. In this case the harm of that virus is that other uninsightful admins will switch off auto-download unnecessarily, which hinders mods from reaching the players, which in turn hinders the game from developing, which is direly needed for a game of this age to stay alive.

The weakness lets hackers *download* arbitrary files from the server. The hacker must however guess the relative location and filename in order to request a given file for download. It does however *not* provide a way for clients to upload files to the server, because guess what? - It's a d-o-w-n-l-o-a-d facility. If somebody uploaded files to your server Lisa, then they did not do it with the auto-download facility.[/quote]

Not exactly true. Clients have to upload information back up to the server to be calculated. So for all intents and purposes, there may only be a "d-o-w-n-l-o-a-d facility", there is also a method in which upload is being done.

About the game development and mod development, that is what SITES are for. SOFFILES being one of them ( many others out there as well). The servers don't do it.

If it is so impossible for hackers to get into the servers, then how did they do it? If Tricky says she found files in there, I would bet on it. So how did they get in?

[quote=HRBEK;4678851]Ah I see... I should have figured that Noble wasn't a Mod variation (seeing as you use Noble Computing for your site). The server has seen a bit more traffic recently. I am aware about the hackers and yes I have heard about such things happeneing before. I will leave 'sv_allowdownload' on for a little while. But I won't do it for long. Just for those who do not have RocMod and whatever else. Thanks for your help everyone! Thanks, HRBEK.[/quote]

" NOBLE" ( shivers ) isn't just hosting ( cough), he also has two mods that were developed for him, that he uses. Rocmod Noble ( Done by Roc Arnorr ) and Noble Pro ( Done by someone who doesn't need to be mentioned).

The rumor is that the noble pro has a backdoor pass to it that "Mr unmentionable " can use to crash your servers if he doesn't like you or you tick him off. Many people have come forward attesting to this, but "He " still says it isn't true. As " Slippery" as he is, I would bet it is possible, perhaps plausible.

As to Rocmod Noble: nothing has come forth as to any issues other than the rumor of buggy coding never fixed on Arnorr's part, due to the fact that he has released his source and moved on.




Commando.DK

Alliance of Veterans

50 XP

21st September 2008

0 Uploads

113 Posts

0 Threads

#19 12 years ago

[quote=~Merrick;4679233]Not exactly true. Clients have to upload information back up to the server to be calculated. So for all intents and purposes, there may only be a "d-o-w-n-l-o-a-d facility", there is also a method in which upload is being done.[/quote]

The fact that clients can send data to the server does not mean they can send it for all intents and purposes. E.g. there is no facility for clients to save files on the game-server.

[quote=~Merrick;4679233]About the game development and mod development, that is what SITES are for. SOFFILES being one of them ( many others out there as well). The servers don't do it.[/quote]

Autodownload is an easier way to download and install mods and add-ons correctly. Therefore switching it off does hinder the mods from reaching the players.

[quote=~Merrick;4679233]If it is soo impossible for hackers to get into the servers, then how did they do it>? If tricky says she found files in there, I would bet on it. So how did they get in?[/quote]

This has already been explained sufficiently in the post you are responding to.



