Hi, I was just on my clans teamspeak server. When 3 guys logged on, as unregistered super-admins. At witch point they banned all the users on the server, and crashed the server its self. =/ IS there some sort of hack you guys know about? Or is this something new? Also, is there some kind of log we can look at with in our server files to see what they did. Or to get ahold of their IP's?

Help,

posts of this kind are taking over hand... Maybe there is something behind it. :/

We had the same problem yesteday!
Unfortunately the IP-logging option was disabled by default in server.ini.
One of the guys was called Iceland.
Can you remember the names of these guys or perhapse have noticed their IPs?
pwk.linuxfan (TS2 Supporter) wants to know on which hoster your TS2-Server is running.

Stoner was one of them...
FU something was another...
And the 3ed guy just looked like he pounded on his keybored...

We where running the newest server/client combo that came out last week =P

Yupp - there is an exploit out to get ServerAdmin rights on connect. Well have to wait for someone finding the source so that the TS2-Developer can fix this hole.
I guess your server isnt hostet by a german provider?

omg the EXACT same thing just happend to our server tonight

They banned me from my own channel and IM A FREGGIN SUPERADMIN. I couldn't even unban myself cause i had to be inside of teamspeak.

Here's one of the guy's name and ip address:
Stoner
12.252.189.178

This guy doesn't even know what he has coming to him.

Anyways this needs to be fixed.

No, Our server is hosted in the USA.

These guys, we think, where on our server before. At witch point they starting causing all kinds of problems. For witch, we banned them of course ^^. We are not totally sure if these are the same guys, but if they where. It'd explain why they came back, and if they aren't. They are just a few little 16 year old (They sounded Younger from what I hear...) brats. That need to be thought a lesson. One of these days, they are going to log onto the wrong server. Where the admin knows who, and WHAT to do with those IP's =P There days of TS joy riding would come to a halt is their ISP pulled their plug wouldn't they.

Anyway, Devs, please try to patch this ASAP. In the mean time, password your teamspeak servers folks. Its no longer safe to run a pubic server =(

12.252.189.178 <- seems to be a hacked proxy

has anybody IPs of the attackers?
perhapse so we can get source of the the used exploit ;)

I was on the server with FuzzyMath. I mainly am posting this to bump the subject.

We have seen lately users logging on to our TS server as an "unregistered" user with "SA" status. The user in question, (stoner) logged on unregistered with SA status. He then removed our users who had SA status from the TS Server and banned them. Then proceeded to speak to our users, mainly taunting them.

So, I can see from this thread that others have had the same problem. I think this should be looked into As soon as possible. Like FuzzyMath said, its not safe to run a public server anymore until this problem is fixed.

Shr1ke

we got attacked and our was private

we havent our server in the TS2-public serverlist anymore-so that attackers cant use TS2-Searcheengine to find Servers.

Make an update of your TS2-database to reinstall it after an attack! The other option is to shut down your TS2-Server untill an update will be released! :(
Perhapse someone will find this fucking exploit an send it to the TS2-Developers!

Apparently this has been happening on our server as well. A user emailed us to complain about one of our admins. Which of course this guy was not.

Well,

I would like to have information (please not from *anybody* that think he got hacked, but Id like that data from Cyberchriss, Fuzzymath and pimpdad82):

a) what mode is (or was at the time of attack) your server set to (clan mode or public mode [can you see players not in your channel or not])
b) The IP of this server
c) Where this is server from (hosted by xyz, or hosted by yourself on own server (server from whom), or hosted on a *normal* desktop machine (what ISP)).
d) any detail you might know about the attack (did they join with SA immediatly, or did they get it somehow after connected).
e) any links/webresources you might have found somewhere on the web about a ts2 exploit.

also, I wouldnt mind talking to you guys in a teamspeak session. If you have irc, you can always find me on quakenet in #teamspeak - hope to see you there.

Thanks in advance
pwk.linuxfan

This sounds very serious. We are looking into it. What we need is a lot of info on the circumstances when this happens. Server debug logs, client debug logs are appreciated, and detailed accounts on what happend.

ill contact you on IRC to give u the informations!
giving the IP is too dangerous at the moment :)

Cyberchriss & pimpdad82 - How did the attack happen to you exactly? 3 players entered as well?

Also, Your servers were unpassworded right?

sensitive info can also be mailed to niels@teamspeak.org . Please post a note where saying you mailed it, so i know where its from.

pls check your mail!

I'm going to show this post to 'shr1ke' again. He is the one running the teamspeak server. I just made the starter post on the behalf of our clan. If all works out well, he should have that info for you shortly.

not sure if this has anything to do with whats happen with you but we can connect to server but name doesnt show up in list.
Happens to all our members. connects but no nick name in server .
not sure whats going on.

pwk.linuxfan,

Im the Admin of the TeamSpeak Server that FuzzyMath was referring to. (FuzzyMath, you might want to let them know so that they will take the following information from me seriously)

Here is the information you requested. I will not give out the IP for security reasons, but if you want to reach me privately, please feel free to "Private Message" me on this forum.

a) The mode was "Clan Server"

b) IP of server left out for security reasons

c) Server was hosted by our company and on a Windows 2000 Server. The hardware was a Dell PowerEdge 2650

d) They joined with SA imediatly and they WHERE not registered. I have a screen shot if necessary of what it looked like. The account looked like this : Stoner (U SA CA)
Again they joined with FULL SA status and proceededto kick and BAN the SA's of our server first and then taunted the other users.

e)No, I have not seen any TS2 Exploits..

Shr1ke

Ya, shr1ke is legit =P

Sorry to post this late. I know your job is tough and it's easy for us to just say "fix it". I'll be glad give any info nessesary. Hope this post answers clearifies things some.


a) what mode is (or was at the time of attack) your server set to (clan mode or public mode [can you see players not in your channel or not])

It was set to Clan Mode at the time of the attack and was unpassworded.

b) The IP of this server

Would also rather not give the ip of the server, i'm sure you understand but would be glad to give it from PM, email, etc..

c) Where this is server from (hosted by xyz, or hosted by yourself on own server (server from whom), or hosted on a *normal* desktop machine (what ISP)).

Server was settup by me on our clan server and runs Linux Slackware. The name of our ISP is EMJI (not known as Blast). It sits in a datacenter on an OC-3 connection in NC.

d) any detail you might know about the attack (did they join with SA immediatly, or did they get it somehow after connected).

Yes, i believe they joined SA immediatly and started saying that we had purchased Teamspeak illegally and they were the FBI or something. It was obvious it was a scam. There were three of them and they changed all the channels to "Canadian Ownage" or something of that sort. I bet they are laughing reading this post as we speak.

e) any links/webresources you might have found somewhere on the web about a ts2 exploit.

Nope, unfortuniatly not but i'll be sure to keep my eyes open.

I don't have any debug logs either. I'll also like to request that you add a BANNED IPS section to the web interface or prevent superadmins from getting banned or something like that. Maybe even listing banned ip's in a seperate config files. Because the banned ip's were hardcoded in the database i was unable unban myself from my own server. I even download sqlite and tryed to configure the data from there but all i knew how to do was a .dump. The only way I was able to get around it was to get a registered person that didn't get banned (was hard to find) and give him SA from the web interface so he could unban me. Anyways, I wish the best of luck to you guys and thank you for your quick response. Besides this exploit you guys make an awsome Voice over IP program. You guys really blew Roger Wilco away.

Originally posted by Hunter_xTx
not sure if this has anything to do with whats happen with you but we can connect to server but name doesnt show up in list.
Happens to all our members. connects but no nick name in server .
not sure whats going on.

Hunter_xTx: I think this thread is dealing with another problem. I'd like to have information about your server-version (exact version-number please). After that please make sure that there's a default channel (just edit a channel and hit the default flag).

To the others: Did you experience a similar problem? If Hunter's post will be moved out of this thread to keep it clean. (so a small feedback would help)

cu
SatanClaus

Ok so far:

1: All were clan servers without a password.
2: Linux + windows servers.
3: servers were hosted on different networks.
4:The attack seems to be that somehow users entered as SA (CA too?) but unregisterred (which should not be possible).
The people who attack do it with atleast 2 people at the same time. (if they do it for the entertainment or because they need it for the hack is not clear)

If anyone disagrees with me, let us know :)


IMPORTANT:
If anyone has serverlogs off the attack, we would like to study them.

Ok this might be a silly question but i have to ask:

Do unregisterred players have right to grant SA ? (connect to server, info->show permissions, check anonymous and look under "player privileges"

nope - they had not any player privileges (as default config)
i guess that there has to be a possibilty for a modiefied client to overcom the TS2-Servers right-system.

i just logged into pimpdad's server with a modified client, which does not care about permissions.

I tried to give myself and ralf SA in several ways, but the server would not allow it.

There is an other possibility. The attackers could have stolen/guessed an SA login, and used tcpquery, to grant themselves SA.

That would mean a meare server password would not stop them. Reset accounts would stop them as long as they cant get the new data

We have since put a password on our server. So far we have not had strangers popping on to our server. We also removed our server from the Public List so you cant simply joy ride over to the server and hop on. I was curious though, has anyone else had a person logon using an unregistered account with SA status? This topic is very quiet now and since it happened to several people it should not be ignored. There is obviously an exploit in the code to allow someone to logon and SA himself. I have given my email out to some of the developers on this forum and so far I have not been contacted. I hope that there is some interest in finding out what happened on that night. Especially since 3-4 other people in the forums stated that it happened to them as well. Thanks for any information into what you guys are finding out.

Also, I would encourage any other TeamSpeak SA's to speak out in the forums if you servers where attacked in this fashion. This will greatly help the developers come up with a fix for this exploit. I know that they would love for TeamSpeak to go to a "final" status. Right now, with this exploit hovering over their heads, I doubt they will be able to do this.

Shr1ke

We have been looking over all the logincode and status changing stuff from the server. We found nothing we thought that could be exploited.

That does not mean there is no exploit, but it also makes us wonder what could be wrong..

I suggest someone run a public server that looks like one those guys would want to mess with, and leave a packet sniffer running so we can figure out exactly what they are doing. It could be something as simple as a buffer overflow in the name, which gives them the perms of the first user in the db (superadmin).

What is the status on this issue? It's quite serious... seems to be a lot of people who know how to do it, too...

Thanks, Christine

Originally posted by Crimson
seems to be a lot of people who know how to do it, too...
How do you conclude that?

Anyway.. status is unchanged. We havent gotten any new information. And our codereview still has not turned up any exploitable vunerabilities.

My former clan's server was attacked last night in this fashion. Unfortunately, I was not there to see anything, but immediately afterwards the attacker joined their IRC channel and started taunting everyone and causing trouble. I was not in the channel when this happened. The guy joined the channel as "Bob" and after he was banned from the channel, he used a different proxy and got back in.

That clan's TeamSpeak server (which is not in clan mode as far as I know) is not publically listed. I'm guessing a lot of people know about it, only because I didn't expect this exploit to reach any of the TeamSpeak servers I run until it started making the rounds around script kiddies.

The only anomaly to what you guys are finding is that one witness said the attacker was NOT an SA. He was just a plain channel member who managed to ban a bunch of people and kick others.

I'd like to see someone attack my server at poosay.com

We had this EXACT same thing happen.

And at the time we were just going to write this up to some rivals of our clan who are some punk bitches, but miraculously, on our IRC channel, at the time of the attack, this kid(whose IP has been logged numerous times), asked us inquisitively "Having fun getting on your TS server?"

I think theres a chance we might actually know these people, and they were dumb enough to show their faces...

I won't ask outright for the ip, but is it something.tampabay.rr.com ??

Mine? Or the attackers? I am on tampabay.rr.com, but I don't know about the attacker?

I am part of the same clan as JackelPDW. To answer pwk.linuxfan's questions:

A) Clan mode. Was announced on public server list, as is the default.
B) Would prefer not to give it out in public. If necessary, will gladly provide it through a PM or e-mail.
C) Hosted by ILan (http://www.ilangame.com/) on a Windows box.
D) From what I understand, there were several attackers, each of whom was listed as an Unregistered user with server admin privileges immediately upon connecting to the server. They removed most of our channels, dumped all users into one channel, and banned a number of users. Edit: they also created a "Canadian ownage" channel, so it seems like it may be the same set of people who attacked pimpdad82's server.
E) None found yet. Checked Bugtraq in particular.

We think the most logical possibility is that the attackers are using Teamspeak's server browser to find servers to attack. Once they find a server with a decent number of people in it, they go in and cause as much havoc as possible. Until the Teamspeak developers get this sorted out, it might be prudent to remove yourself from the global list of Teamspeak servers. If I'm not mistaken, this is done by editing the ListPublic setting in server.ini.

What irc network are you guys on?
And were you running an unpassworded or passworded server?

Originally posted by Crimson
My former clan's server was attacked last night in this fashion. Unfortunately, I was not there to see anything, but immediately afterwards the attacker joined their IRC channel and started taunting everyone and causing trouble. I was not in the channel when this happened. The guy joined the channel as "Bob" and after he was banned from the channel, he used a different proxy and got back in.

That clan's TeamSpeak server (which is not in clan mode as far as I know) is not publically listed. I'm guessing a lot of people know about it, only because I didn't expect this exploit to reach any of the TeamSpeak servers I run until it started making the rounds around script kiddies.

The only anomaly to what you guys are finding is that one witness said the attacker was NOT an SA. He was just a plain channel member who managed to ban a bunch of people and kick others.

just some special questions for you... because all the others report that they joined as (U SA) and you report that the didn't even have (SA) flag...
Most important: which server-version are you running (whole version-number string please).
second: if they got banned from an irc channel and he used another proxy afterwards... do you have logs with their ips / hostmarks?


jackelpdw:
how much information about their ips can you get?

thx
SatanClaus

Just to put some at ease, it is possible to use a nickname like:

JohnDoe (U SA CA)

and it would show up as :

JohnDoe (U SA CA) (U)

This could account for some tricksters, but would not explain the capability that some of these "attackers" may have.

Originally posted by N. Werensteijn
What irc network are you guys on?
And were you running an unpassworded or passworded server?

Our IRC channel is on GamesNET. Our TS server is unpassworded.

I am pretty sure that this will not help, but it will give you all visual verification of what the unknown user accounts looked like in TS.

There are four users listed that are not known to us. Dgsdg, FAKAYOU, yoyo, and stoner. As you can see, yoyo came in with a registered account with full admin rights and stoner is an unregistered user with super admin.

One question I have is this : are any of the other hacked TS servers linked to a forum using a specialized script?

This is the server the night it was "hacked" (http://www.themofoclan.com/mofo_folder/mofo_stuff/topo/tsscreen.jpg)

as you can see on the picture neither Yoyo nor Stoner are ServerAdmins, they just use fakenicks.

"yoyo (R SA CA)" is his complete nick (notice the (U) behind that string)

the same is going on with "Stoner (U SA)" (U).


The only serveradmins on that picture are Crab, EvilBert, ScarTissue and Shr1ke.


so I hope that this wasn't the "server-overtake" you mentioned, but it still doesn't explain why those persons were able to ban you from the server.

cu
SatanClaus

In the final release we will make those server rights visibly different from the nicknames. Altough, that does ofcourse not help with this webscript :P

Are any of you using "Webpost2", or "ssWebpost2" or a similar program to show the status of your TeamSpeak server on your website? If you are, is the file "config_inc.php" or "config.php" properly secured?

This has happened to our server now as well. It had only been a single guy but now there are two. He mistakenly gave somebody else admin while taunting others and then got himself banned 3 weeks ago. Today he was back. Some of our users found me, I went in and banned the ip of both the guys with the exploit, to include their subnet.

The one came back in and banned a bunch of my users to include myself and one other admin at the time.

Here are the server facts:

Pubilc
Un-passworded
Windows 2000 Server
Latest TS server version
Using Webpost2 to report channels, also latest version
ip: 66.250.30.20:9010


I can't remember exactly what his server tags looked like but he DID connect directly with SA, I remember that much. He also grabbed the ip of 2 of my users and threatened them. I advised them to both install software firewalls and they both started recieving numerous hits to their systems.

Whatever this exploit is, there's not much hope of charging people if we can't protect their servers. He has not hit our other public server yet, nor a password protected clan one. So we shall see what happens. I would recommend in the future though that the TS server have better logs, and ways to admin bans from the web admin.

Well at least my problem might have been my own fault. I checked yet again my permissions, and noticed Player Registration under registered user permissions.

I went to the webadmin and checked and lo and behold it was listed as 'PrivilegeAdminPlayerRegister'

Whether it was my mistake or somehow a hack of the webamin I don't know yet. I went through ALL my users and found approx 15 that had admin and shouldn't have. Took their admin away, fixed the permissions, and restarted the server. Only time will tell and I'll let you know if the problem happens again.

Originally posted by [SOB]Grunt
Using Webpost2 to report channels, also latest version


I was waiting for someone to post verifying that they were using Webpost2 so that I could check their security...but I see you took it offline. Was the config.php file secure before you took it offline?

It should have been.. i'm going to throw webpost2 back up. Our server is set to parse all php pages, and you cannot browse that directory.

Yes, we are running webpost. I'll check with the sysop and see what the configs are, brb.

Yet again I'm wrong. At some point after I posted last night, the same guy came back again with admin, deleted all the channels, kicked users, changed the name of the default room, and took off all the ip bans.

Of note is that I had NOT put webpost back up yet and I also had changed the port of the webadmin. So it's either a client-side hack these guys are using, or they are doing some type of port sniffing, etc... to somehow capture others' logins, etc.

This really DOES need to be addressed somehow. It not only hurts the people that are using the servers and the server admins, but it gives TS a bad name.

I'm willing to work with the team in any way to help.

Is mine secure?

http://marineforcerecon.net/webpost/listing.php

To try and combat this I've deleted all of my user accounts except for my admins and disabled user registration except by admin. So far there have been no sightings nor complaints of this individual. We'll see if it continues.

like said before, turn on logging of "logins". This should help seeing what happens.

Everyone who is able to hack team speak, i give you permission to hack my team speak service

you can access it on IP 130.89.166.55:8767 it's online 24/7


edit:
Oh as reward i can give you almost any program/movie/game you want.

hehe, we can offer the teamspeak publics, the most used ts servers out there...

voice.teamspeak.org:8767, webadmin and tcpquery are on the standard ports (and open). If you need any more information contact me =)

I have twice witnessed takeovers on two seperate servers. Both times several things occured that were the same. Once,initially, the people who did this showed up on the passworded server as unregistered users. Common to both situations was the ability to talk and be heard in channels they are not in.

They then somehow convince or ask a SA to move them to another channel to "ask them a question" or "talk privately to an admin for a min"

As SOON as they get moved into the channel with the admin they got ALL the rights immediatly to do anything on the server or in a chanel. Every possible ability showed after their names. CA SA VA etc etc. All on an unregistered user. They IMMEDIATLY start kicking SA right after granting ALL rights to someone who is with them. While one is kicking/banning they get into the control panel and start removing registered admins from the server list immediatly. Server Powned.

The second time a couple guys have been in and out of the server for a couple days. Moving in and out of privately passworded channels but mostly keeping to themselves. (nothing but (U) showed after their names) When one of them started talking in a passworded channel from their channel I asked them to leave instead of banning them. Bad mistake. ( I had not noticed till that moment that a couple of the channels they were freely moving to and from were created and passworded by known people)I am instantly booted to find out I can not log back in, Panel rights are gone, and Other Super admins can no longer log in.

I suspect at some point in the days prior to this they were moved into a channel with an admin, or an admin moved into their channel and simply did not do anything till their actions were starting to be questioned.

I do not run the hardware for the second server, the first was one of your own. I basically watched the first time in amazement. This time when I smelled a rat, it was too late.

Perhaps I am on glue. but, Packet sniffing software? Perhaps the server asks the client whether it has SA rights or not and the info can be captured, including password? Perhaps a script that grants as many rights as possible automatically if it caps the info? I'm just a laymen, don't know crap about this softare beyond "it goes when I poke it like this.."

Waking up a two year old thread there, Kickingbird. What is done is covered in the FAQ, your description sounds like the press rightclick + E on my nick trick, which they would ask the serveradmin in their private talk. THEN they do whatever they want, since they have serveradmin. Switching themselves into channels (even ones with password) via tcpquery is also possible then, so everything else you post is followup to the one problem that was: SA gave one of the jerks SA rights. They just use them (via tcpquery if you don't see the SA tag behind their name).

Had a different post here a few mins ago, I contacted the the involved Sys admin, and yes it was a right click e boo boo. *sigh* Thats what I get for posting tired before getting more facts BEFORE I post. Apologies :/

This has happened to us heres what they did...

They logged on and (im not computer savy but a know a few tricks) so im a little niave. They told me to right click their name and type net just plain old net (you can even try it out on your own server with 2 ppl you need one SA and one U or R just right click their name and type net. and WALLA insta SA)


So now we have A teamspeak server, it used to be ours but these A$$ Holes came on (group of three named biff, phantom, and jer) and basicly stole it from us ;) so this is a warning to you all so that it doesnt happen to you.

Wow, so they don't say "right-click and press E" anymore, but "right-click and type N E T".

To regain power over your own server open your Windows Explorer, press Ctrl+A and then Shift+Del.





NO! DON'T! You will delete all your personal files in the My Files folder.

Hi, I was just on my clans teamspeak server. When 3 guys logged on, as unregistered super-admins. At witch point they banned all the users on the server, and crashed the server its self. =/ IS there some sort of hack you guys know about? Or is this something new? Also, is there some kind of log we can look at with in our server files to see what they did. Or to get ahold of their IP's?

Hey Fuzzymath i am the steam assistent manager,

I have heard this problem before and id like to help you
I know where these hackers live and i have kicked there ips for ever from ever making an account on steam

If they come back on im going to get the cops to go to his house his real name is:
John Hayne Stone... Thats why his name is stone on it.

Thanks for your complaint i will tell the steam owner about this problem and he should update this in alittle while if he takes longer its because his really busy working on 39 computers and its going tobe 40 soon

Sincerly,
Miceal Smith - Steam Assistant Manager