View Full Version : Idea to help stop problems with "server hacking"
Celestial1
13-04-2007, 00:38
Alright, this may or may not be a half baked idea, but it's something I thought of. If you're not interested in reading the account of why I suggested this, scroll down to the bold where it states "Now, my idea is this:" in bold.
Recently, my clan's teamspeak was "hacked" by 2 members (One being "Toko Rudy" and "......Blacky.......", sometimes slightly varying) who came in instantly as (R SA) without a split second of being (U) or even (R) alone. We are not sure how they were able to, our log files on the server are not allowed to be accessed by us, so we cannot retrieve their IPs or information that way.
I assure you, no one right clicked on them and hit E, I was there and witnessed them come in as (R SA). The admin password is (according to the admin) one that would be hard to break (I'm guessing being combinations of letters and numbers, but anyway). They both came in with RichEdit line errors, preventing the admins from (if they had the time to) revoking their SA or, more likely, banning them. After 20 seconds or so of what I guess was them listening to our ingame conversations, Toko Rudy said "Do you guys know how ****ed you are?" and within a moment revoked all of our server admins of power, kicked us all, renamed our channels and banned our members. At least 3 of us were able to get in for seconds before we were immediately kicked and banned. They had more members unknown to our members when I came in, heard a laugh from all of them, and was kicked. Another one of our members got in for a moment and heard one of them exclaim "Man, we so owned their teams-" and was kicked (obviously, he was saying teamspeak). We knocked our server off and retrieved it; all of our registrations were gone, as were our channels and settings.
I have searched to find both of these "hackers" on places like google, to see if they had any possible affiliation with the "*****" or another group, and no such luck.
Now, my idea is this: What if there was an option to somehow "approve" a person to be added to a list of "approved SAs", maybe to be done by an SSA. When a new player joins, I would guess some script set up would run, that would look at their (U/R/SA/CA) tags and if they have SA, registered or not, would look at the "approved" list, and if it does not match with the nickname/username/IP listed then it would revoke their server admin and kick them, and store their name and IP, perhaps? If their name or IP reoccurs with SA, then ban them and maybe even send a message to the SSA(s) of a server that they have been banned, and if they would like to keep this person banned, showing their IP as well. This would end some problems and I do realize that not all of them would be solved this way (I am not sure how the SSA panel works, I'm assuming you could log into it as well and operate from there) but perhaps it could deter more of these "hackers" from our servers?
It's a thought, tell me what you think of it or what to improve on. I have no clue of the scripting mechanics of TS, but I figure the best way to get something done is to contact people who know better than I.
I hope this can some way be done, it would make the many of us who have been hacked (even if it may be a small number of accounts) a bit happier and overall more secure.
-Celestial1
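The enforcement script Celestial1 sketches above, written out as an added Python example; it is not code from this thread or from TeamSpeak. It assumes a join event carrying the nickname, the login name, the IP and the flags the server itself assigned (the hypothetical JoinEvent type), and an approved list of (username, IP) pairs kept by the SSA. A first unapproved SA join is stripped of SA, kicked and recorded by name and by IP; a repeat under either key is banned and a notice with the IP is queued for the SSA. All names and addresses in it are constructed.

```python
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class JoinEvent:
    """One client join as the server sees it (hypothetical event shape, constructed here)."""
    nickname: str
    username: str        # login name for registered clients, "" for anonymous ones
    ip: str
    flags: Set[str]      # flags the server itself assigned: "U", "R", "SA", "CA"


@dataclass
class SaPolicy:
    """Approved-SA enforcement: only (username, ip) pairs an SSA listed may hold SA."""
    approved: Set[Tuple[str, str]]
    offenders: Set[str] = field(default_factory=set)   # "name:..." / "ip:..." keys seen once
    banned: Set[str] = field(default_factory=set)
    notices: List[str] = field(default_factory=list)   # messages queued for the SSA(s)

    @staticmethod
    def _keys(ev: JoinEvent) -> List[str]:
        # Track by login name (or nickname when anonymous) and by IP, so a repeat
        # under a new nickname from the same address still counts as a repeat.
        return [f"name:{ev.username or ev.nickname}", f"ip:{ev.ip}"]

    def handle_join(self, ev: JoinEvent) -> List[str]:
        """Return the actions the script takes for this join, in order."""
        keys = self._keys(ev)
        if any(k in self.banned for k in keys):
            return ["reject"]                      # a banned name or IP never gets in
        if "SA" not in ev.flags:
            return ["allow"]                       # nothing to check for ordinary users
        if (ev.username, ev.ip) in self.approved:
            return ["allow"]                       # SA held through the approved list
        if any(k in self.offenders for k in keys):
            self.banned.update(keys)               # second time: ban and tell the SSA
            self.notices.append(
                f"banned unapproved SA '{ev.username or ev.nickname}' from {ev.ip}"
            )
            return ["ban", "notify_ssa"]
        self.offenders.update(keys)                # first time: strip SA, kick, remember
        return ["revoke_sa", "kick", "record"]


if __name__ == "__main__":
    policy = SaPolicy(approved={("alice", "10.0.0.5")})
    print(policy.handle_join(JoinEvent("alice", "alice", "10.0.0.5", {"R", "SA"})))
    print(policy.handle_join(JoinEvent("intruder", "", "203.0.113.9", {"R", "SA"})))
    print(policy.handle_join(JoinEvent("newname", "", "203.0.113.9", {"SA"})))
    print(policy.notices)
```

Two properties matter for the situation described in this thread. The check reads the server's own flag record, so text painted into a nickname never counts as SA; and because approval is bound to an IP, a legitimate admin connecting from a new address is treated as unapproved until the SSA updates the list, which is the trade-off willshire raises later about changing IPs.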
Seems like they got a hold of your server's SSA password and then were able to register and elevate themselves through either tcp or webpanel. If your host refuses to help you with this then really you should find another host.
What version is your hosting company using?
versengen
13-04-2007, 05:33
You know, I have a flawless password. It can't be guessed, it can't be cracked by a PW cracker that uses a library or dictionaries. My admin password isn't a word at all. Yes it has numbers.
Now that's said and done. Here is my story. Random dude logs into teamspeak. You can't register unless I allow you to. Only two admins on my server and both of us were online. Guy is "R SA CA" as he's logged in. Remember now there's only two registered people on my server. I right click, and before I can blink I get an error message "RichEdit line error", a similar problem to Celestial1's explanation there. Then the guy starts playing music at his peak output I'm sure. So I shoved him in other channels every time he came back to our channel, and eventually he gave up. I put a password on the server for connection and I haven't seen him since then.
I have done my research and I know there are script kiddie toys out there that make you invisible, toys that log you in with admin rights, and toys that spam your server with bots who make channels and make all sorts of problems for my users.
What I think needs to be done is a little research into these toys, see how they work and then make changes where needed. It just takes time to get in with the right crowd to get the toys.
Guy is "R SA CA" as he's logged in.
No, he's not. This is simply flag faking. These flags are part of the nickname. You can't see the real user flags as they have been removed with a special control character. This has been fixed with one of the recent BETA server releases. Please update your server.
I have done my research and I know there are script kiddie toys out there that make you invisible,...
This has also been fixed with one of the BETA server releases. Please update your server.
...toys that log you in with admin rights,...
If you find a "toy" which does this without authenticating with valid login data, please send it to us immediately. Nobody has ever managed to prove that such a toy really exists. What we have seen so far is brute-forcing, flag faking and ServerAdmins who click buttons without thinking. All of this has been fixed in the client and server BETA releases. Please update your software.
...and toys that spam your server with bots who make channels and make all sorts of problems for my users.
Fixing the flooding problem in the software itself would require some bigger changes to the TeamSpeak 2 code. It's not the same as fixing some bugs. The developers have chosen to focus on TeamSpeak 3 instead as some people already came up with their own flood protection for TeamSpeak 2.
You can find various flood protection tools in the official Third Party Resources (http://www.goteamspeak.com/index.php?page=3rdparty) area.
What I think needs to be done is a little research into these toys, see how they work and then make changes where needed. It just takes time to get in with the right crowd to get the toys.
As I already mentioned, this has already been done. Update your software and if you are still having these issues, please provide us with log files and any information that might help us in investigating the problem.
Celestial1
15-04-2007, 03:52
seems like they got a hold of your server's SSA password and then were able to register and elevate themselves through either tcp or webpanel. if your host refuses to help you with this then really you should find another host.
That's what we had thought, but we found no reason as to how; the server admin password is a "sure-fire" password. We have this host for a reason, they just do not want to allow server access, we can request certain things done but there's no guarantee to it.
What version is your hosting company using?
I would assume the latest, because they host multiple servers.
Guy is "R SA CA" as he's logged in.
No, he's not. This is simply flag faking. These flags are part of the nickname. You can't see the real user flags as they have been removed with a special control character. This has been fixed with one of the recent BETA server releases. Please update your server.
So then why would he have admin characteristics? Ban, kick, channels, unregister, etc. Flag faking is not in question, as far as I can see.
Our SSA stuff does not seem to have suffered any changes, but I've had the RichEdit line error on another server, from the research I've done, it seems editing particular richedit .dll's makes you almost untouchable client-side. No clue of SSA. And when that R.E. error is on, you cannot kick, ban, or check their info most of the time. On the first encounter with one of these, I had eventually been able to target them after clicking channels then back on the player.
Again, don't really care of how it's done seeing as no one really seems to have an answer, I've seen threads as such on the forum, that's not the point of this thread. If anyone has an idea how to implement this script it would make it so much easier for random people coming in as SA without another granting it to them, making it foolproof to anyone who comes in as SA without editing that file; I'm sure that they would eventually find a way around it, but only with server-side editing, no?
I could be wrong, but it seems a brilliant and hopefully not-too-hard to implement device, seeing as there is no current alternative. I don't want to hear the support and team badger users about their security problems, because I offered a suggestion that would be a viable solution, as long as it can somehow be put in. If there is no possible way to put this idea into use, then say so and let it be done with, it was simply an idea to get rid of some frustration.
I have been looking for these "toys" as well and have gotten small leads only to be dropped off by a dead-end of information. Even if they are brute-forcing their way in, why not add a 3-5 time try before it disables allowing you in temporarily? Pardon, if this has already been fixed, I have not seen it.
-Celestial
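The "3-5 tries and then a temporary lockout" that Celestial1 asks for above, as an added Python example; it is not part of the thread or of TeamSpeak. It assumes admin login attempts are keyed by source IP and that the caller passes in the current time (so the behaviour can be checked without waiting), and the limits and addresses are constructed values.

```python
from collections import defaultdict, deque
from typing import Deque, Dict


class LoginThrottle:
    """Lock a source out for a while after repeated failed admin logins (sliding window)."""

    def __init__(self, max_failures: int = 5, window_s: float = 600, lockout_s: float = 900):
        self.max_failures = max_failures
        self.window_s = window_s            # failures older than this no longer count
        self.lockout_s = lockout_s          # how long a locked source stays locked
        self.failures: Dict[str, Deque[float]] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, ip: str, now: float) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[ip]       # lockout expired, forget it
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Note a failed attempt; returns True if the source is now locked out."""
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout_s
            recent.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        self.failures.pop(ip, None)

    def attempt(self, ip: str, password_ok: bool, now: float) -> str:
        """Outcome of one login attempt: 'ok', 'denied' (bad password) or 'locked'."""
        if self.is_locked(ip, now):
            return "locked"                 # refused even with the right password
        if password_ok:
            self.record_success(ip)
            return "ok"
        return "locked" if self.record_failure(ip, now) else "denied"


if __name__ == "__main__":
    throttle = LoginThrottle(max_failures=3, window_s=60, lockout_s=300)
    for t in range(4):
        print(t, throttle.attempt("203.0.113.9", False, t))
    print(throttle.attempt("203.0.113.9", True, 302))
```

The lockout applies per source address, which is why it is only a partial answer: it slows one client hammering one password, and a legitimate admin behind the same address is locked out along with it for the duration.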
When you log in it will show which version you are using. A lot of people including companies use the binary version for ease and it is not the most updated.
Celestial1
16-04-2007, 00:19
I will have to check with our provider and try to get them to update if they are not.
Anyway, still looking for anyone who knows of a way to do this.
-Celest
studeggle
20-04-2007, 14:29
That's what we had thought, but we found no reason of how, the server admin password is a "sure-fire" password. We have this host for a reason, they just do not want to allow server access, we can request certain things done but there's no guarantee to it.
I would assume the latest, because they host multiple servers.
So then why would he have admin characteristics? Ban, kick, channels, unregister, etc. Flag faking is not in question, as far as I can see.
Our SSA stuff does not seem to have suffered any changes, but I've had the RichEdit line error on another server, from the research I've done, it seems editing particular richedit .dll's makes you almost untouchable client-side. No clue of SSA. And when that R.E. error is on, you cannot kick, ban, or check their info most of the time. On the first encounter with one of these, I had eventually been able to target them after clicking channels then back on the player.
Again, don't really care of how it's done seeing as no one really seems to have an answer, I've seen threads as such on the forum, that's not the point of this thread. If anyone has an idea how to implement this script it would make it so much easier for random people coming in as SA without another granting it to them, making it foolproof to anyone who comes in as SA without editing that file; I'm sure that they would eventually find a way around it, but only with server-side editing, no?
I could be wrong, but it seems a brilliant and hopefully not-too-hard to implement device, seeing as there is no current alternative. I don't want to hear the support and team badger users about their security problems, because I offered a suggestion that would be a viable solution, as long as it can somehow be put in. If there is no possible way to put this idea into use, then say so and let it be done with, it was simply an idea to get rid of some frustration.
I have been looking for these "toys" as well and have gotten small leads only to be dropped off by a dead-end of information. Even if they are brute-forcing their way in, why not add a 3-5 time try before it disables allowing you in temporarily? Pardon, if this has already been fixed, I have not seen it.
-Celestial
They had SA because you gave it to them. When you tried to revoke their SA that wasn't real it actually gave them SA, that is why they waited quietly at first, waiting for an ignorant SA to try and revoke it, then once the attempt was made they made their comment and seized control.
Your provider needs to update as the prior post said. I saw this rich edit error many times before they put out the update and I applied it.
WolfStar76
20-04-2007, 17:27
Hacks like this are exactly why my SAs can't *grant* SA privileges on my server. I turned off that permission completely.
They can remove it (and sometimes they seem to have "quick-draw" contests to see who can revoke the other fastest. . . *sigh* so I have to reapply it via the adminpanel) but they can't grant anyone SA.
With that in place, it doesn't matter what kind of decoy, social engineering, or rich edit hack they use. If someone right-clicks on a fake (SA) they don't get the option to grant them SA - period.
Celestial1
26-04-2007, 15:58
They had SA because you gave it to them. When you tried to revoke their SA that wasn't real it actually gave them SA, that is why they waited quietly at first, waiting for an ignorant SA to try and revoke it, then once the attempt was made they made their comment and seized control.
Your provider needs to update as the prior post said. I saw this rich edit error many times before they put out the update and I applied it.
I quote myself.
...coming in as SA without another granting it to them...
I'm not an idiot, I know how that works. They came IN with the tags (R SA), not like "Blahblah R SA (U)". No, they BOTH came in as "Toko Rudy (R SA)" and ".......Blacky...... (R SA)", not "Toko Rudy R SA (U)".
Note, not only did they come in as SA, they came in as R as well, and I guarantee no one had even clicked on their name.
Next time read the post you quote, studeggle.
Celestial1
26-04-2007, 16:16
Hacks like this are exactly why my SAs can't *grant* SA privileges on my server. I turned off that permission completely.
They can remove it (and sometimes they seem to have "quick-draw" contests to see who can revoke the other fastest. . . *sigh* so I have to reapply it via the adminpanel) but they can't grant anyone SA.
With that in place, it doesn't matter what kind of decoy, social engineering, or rich edit hack they use. If someone right-clicks on a fake (SA) they don't get the option to grant them SA - period.
Yes, but that requires a person with an admin panel to be ready to give admin, which if it was my problem I would deal with it, but it's a bit harder to deal with it when all of the server is on a full-screen game playing with TS in the background. And it also means that someone who does come in with this SA, however it is done, can revoke your admin's rights and screw with your server. Luckily, they seem to have subsided, but we had one incident after they had first taken it over: Toko Rudy came in as (R SA) again, and when we asked the person with the closest thing to direct access to the server to get his IP, he rushed right out.
Who knows.
KiLLers NL
28-04-2007, 16:31
I quote myself.
I'm not an idiot, I know how that works. They came IN with the tags (R SA), not like "Blahblah R SA (U)". No, they BOTH came in as "Toko Rudy (R SA)" and ".......Blacky...... (R SA)", not "Toko Rudy R SA (U)".
Note, not only did they come in as SA, they came in as R as well, and I guarantee no one had even clicked on their name.
Next time read the post you quote, studeggle.
They come in as (R SA) WITHOUT HAVING the rights due to the rich text editor.... they blank out the original (U) with special characters. All you can do is simply disable the possibility to grant SA, so you are forced to do it through webadmin. As you don't give somebody SA on a daily basis, I suppose this shouldn't be so bad. I do it on my own server, I have seen the jokes too often. If some crazy guy comes in with SA or anything, I ban him, nothing else, and if that is not possible the server goes down and up again with a pass to enter. Don't be tempted to think he has SA and remove it.
OK, the really good hackers can break into your server with brute force. Nothing to do against it. But they don't see what it's worth, so the chance that happens is about 1%.
Then you got all the scammers, they like to fuck your server, they never have your admin password if it's decent. Also they never have admin rights, although they try to make it look so as well as they can. And if you have a good scammer you really think he comes in as SA because that is exactly what you see. If you play a game you should know the ^ character, which with a number colors your name; in your score this filters out and shows up normal again, but if you make it ^^ and the number double, your name does appear in color in the score. This is the same kind of thing they did, only better: they remove the (U) with some character and plant (SA) with some other special chars so the ( doesn't get restricted. So your eyes are not deceiving you, they are deceiving your client so it shows that they have server admin. I say again, don't be fooled, don't be tempted to "remove" their rights. Just ban them.
As said before, the newest beta releases will fix all the things you are saying that should be fixed.
Yes, I have also seen them come in my server with (R SA CA) without (U), it happens to everyone, just be warned next time.
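The flag faking that the developer reply and KiLLers NL describe (special characters hiding the real (U), a literal "(SA)" planted in the nickname) can be caught on the server before the name is ever drawn, and the displayed flags can be taken from the server's own record instead of the nickname. This is an added Python example, not code from the thread or from the TeamSpeak client or server. It assumes the "nick (flags)" display format seen in the posts, assumes the hidden characters fall in the Unicode control and format classes, and the sample nicknames are constructed.

```python
import re
import unicodedata
from typing import Iterable

# Flag groups as the client draws them after the nickname, e.g. "(U)" or "(R SA CA)".
FLAG_TOKEN = re.compile(r"\(\s*(?:U|R|SA|CA)(?:\s+(?:U|R|SA|CA))*\s*\)", re.IGNORECASE)
FLAG_ORDER = ("U", "R", "SA", "CA")


def strip_control_chars(nick: str) -> str:
    """Drop control (Cc) and format (Cf) characters, the class that can hide real flags."""
    return "".join(ch for ch in nick if unicodedata.category(ch) not in ("Cc", "Cf"))


def check_nickname(nick: str) -> str:
    """Classify a requested nickname: 'ok', 'control-chars' or 'flag-token'.

    A server would refuse anything but 'ok' at connect time, so the fake flags
    never reach other clients' displays.
    """
    cleaned = strip_control_chars(nick)
    if cleaned != nick:
        return "control-chars"
    if FLAG_TOKEN.search(cleaned):
        return "flag-token"
    return "ok"


def display_name(nick: str, server_flags: Iterable[str]) -> str:
    """Build 'nick (flags)' from the server's flag record, never from the nickname text."""
    cleaned = FLAG_TOKEN.sub("", strip_control_chars(nick))
    cleaned = " ".join(cleaned.split())          # collapse gaps left by removed tokens
    flags = " ".join(f for f in FLAG_ORDER if f in set(server_flags))
    return f"{cleaned} ({flags})" if flags else cleaned


if __name__ == "__main__":
    # Constructed samples: an honest name, a painted-on flag group, a hidden control char.
    for sample in ("Bob", "Toko Rudy (R SA)", "Bob\x08by"):
        print(repr(sample), "->", check_nickname(sample))
    print(display_name("Toko Rudy (R SA)\u200b", {"U"}))
```

Rejecting the name at connect time is the stronger of the two measures; rebuilding the display from server flags only protects clients that run the corrected rendering, which is the same reason the developer reply keeps pointing people at the updated releases.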
Celestial1
01-05-2007, 21:35
Thanks for a valid explanation, however, none of the admins were at the teamspeak screen at the time, as we were in the middle of the game. I have a g15 keyboard and saw them come in on my LCD screen, alt-tabbed out after I was safe and saw them there, and before I could contact one of the admins, the two began to proceed as I had described. How it happened I have no clue, but your explanation gives justice to WolfStar's "fix", but I'm not quite sure how it worked that they gained access, and there was no evidence of bruteforcing, so it's kind of at a loss for explanation.
Thanks anyway, Killer.
-Celest
willshire
03-05-2007, 01:51
The problem with the IP thing is that people's IPs change all the time. Like mine, it changes once a day (more if I want to reset my modem), so I would not go with the route of the IP.
Celestial1
04-05-2007, 22:43
The problem with the IP thing is that people's IPs change all the time. Like mine, it changes once a day (more if I want to reset my modem), so I would not go with the route of the IP.
No, only dynamic IPs. Any ISP that provides a dynamic IP will allow that to happen, but if you have an IP like I do, (static IP) it won't change unless you use a masking program. Depends on your ISP.
ANYWAY:
Well, got em back today! Found out a little more.
Turns out, the fake (SA) seems to be right, some way or another. There were no admins at the original time to grant it, as far as we know, so today they come in as (U), set as "away" or "muted" settings and gain the tag, and whoopdedoo, I got some connection info. Unfortunately, I'm not an admin and therefore cannot view their IPs. Shame. Here are 2 screenshots I have gotten, note the client platforms.
Screeny 1) Some guy using "RangerFTSH" which I'm guessing is a hack that allows him to create multiple versions of himself (note the "bobX has left" in the text box).
Screeny 2) Using "FrEe-hAcK" as their platform. They began to flood new users soon after that screen, and once I obtained server admin I found the IP of the bots, which banning ended their ability to come in. The IP was 216.144.93.86 with varying ports, which I'm assuming would have come from a server running for that purpose only, and therefore banning that IP ended their flood.
I will look into our provider getting an update if possible, maybe even the flood daemon. One step closer, I think.
Read a little more. Their player privileges are none. It does not read server admin or even registered.
Yet again, back to the same thing as always: what version of software is the server using?