Teamspeak hacked via MySQL

[[BSS]Hambone]

Grant server admin is disabled from the Teamspeak server, also remove SA is disabled. The only way SA status can be granted or removed is via the web page admin page. So there is no way anybody was granted SA. We are running on a Linux box.

A group of us were gaming and all of a sudden I heard, 'Your server admin status has been revoked'. The other SA that was in the same channel as me ask what was going on. Told him I didn't know, alt tab out of the game I was playing in time to see all my channels in TS being deleted. There were 4 strangers sitting in the lobby. The proceeded to move everyone to the lobby and talk smack about us getting owned. They proceeded to remove all the users from my TS server, place there own, and created 123 channels naming their web page. This was done so fast that there must have been running a tool or hack program to do so.

Needless to say I was very upset. Further investigation showed that they had also hacked my forums. Deleted all the post, altered the config, thus displaying the subsilver in pink, orange, green colors. Posting their website and stating that we got owned. Come to find out that these retards are proud of doing this and have done this to over 330 clans.

Upon further research I have found that they did all this via a MySQL hack. Since we had on old version of phpbb (2.0.6) running, they were able to hack our forums via a security issue with the old phpbb. Well, a simple restore of the MySQL and upgrade of phpbb to the latest version (has improved security) and everything is back to normal on the forums.

Now, what to do with Teamspeak? Researching the forums I've read that there is no know hack for TS. But poor server security setup. Um… oh really. Upon research I've found that Teamspeak has MySQL as well. And what I've read it states that proper security is not set up correctly for the MySQL. No problem with TS just the third party database that is uses and installs. Nice!

Am I reading this correct? And if so, what are my options for locking down the MySQL portion that TS uses?

My problem is that for phpbb forums I have a software program (myphpadmin) that is automatically installed for the domian site. So I'm able to get to it via a web page. TS is installed on the server in the /home/admin/tss/tss2_rc2 folder. No direct IP connection for that location. So, do I now have to download the MySQL to my PC. Alter the database and then upload it back to the server.

Has anybody else experienced this issue? If so, what was the resolution to correct this problem? Is this a MySQL hack at all?

Thanks,
[BSS]Hambone
http://www.blacksheep-squadron.com

[jugo.s3.]

Running TS with the MySql option is just that "an option". It is not the default setting.

So I suggest running it with the default database and make sure you maintain password security on it.

[[BSS]Hambone]

Running TS with the MySql option is just that "an option". It is not the default setting.

So I suggest running it with the default database and make sure you maintain password security on it.

Option? Where is this an option. I didn't select MySQL on the install. May initial assumtion was that they hacked the MySQL for TS as well because that did the same on my forums. There is an sqllite, after further research it seem that this is the default database that TS is using. So if there is an option to choose MySQL, I'm not aware of it.

Now, if your stating to maintain password security on the database, HOW? Is there another package I have to enstall to maintain the security of the MySQL and sqllite that TS installed? If so, let's make an assumption that I don't have a clue as to what or how to security that database that TS installs. I need detail step by step on how to secure the database.

Thanks,
[BSS]Hambone
http://www.blacksheep-squadron.com

[Kess]

To enable MySQL Support for TS authentication you have to paste some code like that:

[DBEXPRESS]
sqldir=mysql_sql
Drivername=mysql
Database=Your_Database_Name_Here
Hostname=The_PC_the_MySQL-Server_is_on
User_name=User_name_on_the_MySQL-Server
Password=Password_to_go_with_above_user_name
GetDriverFunc=getSQLDriverMYSQL
VendorLib=path_pointing_at_your_mysql_vendor_lib
LibraryName=path_to_libsqlmy_libary
Active=1

in your server.ini file.

It's not difficult to enable it but it's not automatic !!!

If you didn't touch the default settings, MySQL support is disabled by default.
As Jugo says.... THIS IS AN OPTION !!!

[Label2021]

Your server was "hacked" due to a poor password on one of your SA accounts. They logged into webadmin with it, re-enabled granting and removing SA through regular client side TS, and did away with your server. A program to mass create channels is not very difficult to make, and a program to spam the server fast enough to that it crashes is also not very hard to do. This is more than likely what happened. Welcome to the club, my server has never actually been hacked like this, but I know of peoples who have.




-LabeL-

[[BSS]Hambone]

Your server was "hacked" due to a poor password on one of your SA accounts. They logged into webadmin with it, re-enabled granting and removing SA through regular client side TS, and did away with your server. A program to mass create channels is not very difficult to make, and a program to spam the server fast enough to that it crashes is also not very hard to do. This is more than likely what happened. Welcome to the club, my server has never actually been hacked like this, but I know of peoples who have.




-LabeL-

No they did not! While they were on my server talking crap I logged onto the webadmin and it still showed (shows!) SA could not be granted or revoked by a SA. They proceeded to remove all my registered User and add there own. Create 123 channels in a matter of seconds! I watched as this happened. It was happening so fast that I just killed Teamspeak running on my server all together.

I am the ONLY one that as the webadmin password. My other 2 SA do not. I seldom go into it so I have it in my palm polit so it's not like the password is out in the open for all to see! I've read several post that blame the person that set it up. Having poor security. That's BS in this case. I followed the guidelines and secured the password, limited granting and revolking of SA status on the server. I watched as some hacker remove all my channels, Users, added his own users and channels (123!) all in a matter of 60 seconds. That's right, 60 seconds. Don't even begin to tell me that this was bad security and this dumbass did all this manually in a matter of 60 seconds! Please!

This freakn software was HACKED an all I'm getting is lame advise about securing my password. Give me a freak'n break!