Thread: Teamspeak hacked via MySQL
-
03-05-2005, 22:37 #1
-= TeamSpeak User =-
- Join Date
- Apr 2005
- Location
- Fort Worth, Texas
- Posts
- 3
Teamspeak hacked via MySQL
Grant server admin is disabled from the Teamspeak server, also remove SA is disabled. The only way SA status can be granted or removed is via the web page admin page. So there is no way anybody was granted SA. We are running on a Linux box.
A group of us were gaming and all of a sudden I heard, 'Your server admin status has been revoked'. The other SA that was in the same channel as me asked what was going on. Told him I didn't know, alt-tabbed out of the game I was playing in time to see all my channels in TS being deleted. There were 4 strangers sitting in the lobby. They proceeded to move everyone to the lobby and talk smack about us getting owned. They proceeded to remove all the users from my TS server, place their own, and create 123 channels naming their web page. This was done so fast that they must have been running a tool or hack program to do so.
Needless to say I was very upset. Further investigation showed that they had also hacked my forums. Deleted all the posts, altered the config, thus displaying the subsilver in pink, orange, green colors. Posting their website and stating that we got owned. Come to find out that these retards are proud of doing this and have done this to over 330 clans.
Upon further research I have found that they did all this via a MySQL hack. Since we had an old version of phpbb (2.0.6) running, they were able to hack our forums via a security issue with the old phpbb. Well, a simple restore of the MySQL and upgrade of phpbb to the latest version (has improved security) and everything is back to normal on the forums.
Now, what to do with Teamspeak? Researching the forums I've read that there is no known hack for TS. But poor server security setup. Um… oh really. Upon research I've found that Teamspeak has MySQL as well. And what I've read it states that proper security is not set up correctly for the MySQL. No problem with TS just the third party database that it uses and installs. Nice!
Am I reading this correctly? And if so, what are my options for locking down the MySQL portion that TS uses?
My problem is that for phpbb forums I have a software program (myphpadmin) that is automatically installed for the domain site. So I'm able to get to it via a web page. TS is installed on the server in the /home/admin/tss/tss2_rc2 folder. No direct IP connection for that location. So, do I now have to download the MySQL to my PC, alter the database and then upload it back to the server?
Has anybody else experienced this issue? If so, what was the resolution to correct this problem? Is this a MySQL hack at all?
Thanks,
[BSS]Hambone
http://www.blacksheep-squadron.com
-
05-05-2005, 20:05 #2
-= TeamSpeak User =-
- Join Date
- Jun 2004
- Location
- VA
- Posts
- 13
Running TS with the MySql option is just that "an option". It is not the default setting.
So I suggest running it with the default database and make sure you maintain password security on it.
-
05-05-2005, 22:53 #3
-= TeamSpeak User =-
- Join Date
- Apr 2005
- Location
- Fort Worth, Texas
- Posts
- 3
Option? Where is this an option? I didn't select MySQL on the install. My initial assumption was that they hacked the MySQL for TS as well because they did the same on my forums. There is an SQLite, after further research it seems that this is the default database that TS is using. So if there is an option to choose MySQL, I'm not aware of it.
Originally Posted by jugo.s3.
Now, if you're stating to maintain password security on the database, HOW? Is there another package I have to install to maintain the security of the MySQL and SQLite that TS installed? If so, let's make an assumption that I don't have a clue as to what or how to secure that database that TS installs. I need details, step by step, on how to secure the database.
Thanks,
[BSS]Hambone
http://www.blacksheep-squadron.com
-
06-05-2005, 16:07 #4
-= TeamSpeak User =-
- Join Date
- May 2005
- Location
- Switzerland
- Posts
- 6
To enable MySQL support for TS authentication you have to paste some code like this:
[DBEXPRESS]
sqldir=mysql_sql
Drivername=mysql
Database=Your_Database_Name_Here
Hostname=The_PC_the_MySQL-Server_is_on
User_name=User_name_on_the_MySQL-Server
Password=Password_to_go_with_above_user_name
GetDriverFunc=getSQLDriverMYSQL
VendorLib=path_pointing_at_your_mysql_vendor_lib
LibraryName=path_to_libsqlmy_libary
Active=1
in your server.ini file.
It's not difficult to enable it but it's not automatic !!!
If you didn't touch the default settings, MySQL support is disabled by default.
As Jugo says.... THIS IS AN OPTION !!!
-
08-05-2005, 08:32 #5
-= TeamSpeak Addict =-
- Join Date
- Jul 2004
- Location
- Dallas
- Posts
- 113
Your server was "hacked" due to a poor password on one of your SA accounts. They logged into webadmin with it, re-enabled granting and removing SA through regular client side TS, and did away with your server. A program to mass create channels is not very difficult to make, and a program to spam the server fast enough that it crashes is also not very hard to do. This is more than likely what happened. Welcome to the club, my server has never actually been hacked like this, but I know of people who have.
-LabeL-
-
08-05-2005, 20:03 #6
-= TeamSpeak User =-
- Join Date
- Apr 2005
- Location
- Fort Worth, Texas
- Posts
- 3
No they did not! While they were on my server talking crap I logged onto the webadmin and it still showed (shows!) SA could not be granted or revoked by a SA. They proceeded to remove all my registered Users and add their own. Create 123 channels in a matter of seconds! I watched as this happened. It was happening so fast that I just killed Teamspeak running on my server all together.
Originally Posted by Label2021
I am the ONLY one that has the webadmin password. My other 2 SA do not. I seldom go into it so I have it in my Palm Pilot so it's not like the password is out in the open for all to see! I've read several posts that blame the person that set it up. Having poor security. That's BS in this case. I followed the guidelines and secured the password, limited granting and revoking of SA status on the server. I watched as some hacker removed all my channels, Users, added his own users and channels (123!) all in a matter of 60 seconds. That's right, 60 seconds. Don't even begin to tell me that this was bad security and this dumbass did all this manually in a matter of 60 seconds! Please!
This freak'n software was HACKED and all I'm getting is lame advice about securing my password. Give me a freak'n break!
-
09-05-2005, 12:39 #7
-= TeamSpeak Guru =-
- Join Date
- Aug 2002
- Location
- Switzerland
- Posts
- 8,182
"phpbb"
I'm not a big security guy, but from what I read this SW has a lot of security problems. I won't tell you TS is bug free and I don't know how deep access they gained by this phpbb hack, but as soon as they get read access to the TS server database, they have all TS passwords including the admins. If I remember right, there are tools to create TS channels in a very fast way (requires admin access).
To be honest, to me this sounds like not TS has been hacked but your server?
-
09-05-2005, 20:55 #8
-= TeamSpeak User =-
- Join Date
- May 2005
- Location
- brussels
- Posts
- 5
well, I suppose that with the compromising of the webpage they might simply have injected php code on your site and if the permissions on the TS directory weren't too tight they may have modified files directly. Or even run the startup script with the passwords argument then used the webinterface...
You can do a hell of a lot of things even with just the webserver's user account...
-
16-05-2005, 16:11 #9
-= TeamSpeak Addict =-
- Join Date
- Sep 2003
- Location
- netherlands
- Posts
- 245
what you can do is encrypt the passwords, so when someone has access to your database they can not read your password. but i have to admit when someone had access to the mysql database he can do pretty much anything, also changing passwords, adding/removing/changing users/channels.
try to secure your mysql database by disallowing any other IP than 127.0.0.1, and separate your accounts.
for example teamspeak has its own user and database at my system. so when someone got access to my teamspeak user he can only use the database which teamspeak uses, and not other databases (for example phpbb). this way you can improve your server even more.
it always sucks when you got hacked, too bad that a simple leak in phpbb also brings down your teamspeak server.
i wrote a script once, i can not find it on the forum anymore:
for linux: teamspeak_md5.tar.gz
for windows: teamspeak_md5.zip
Last edited by madcat; 16-05-2005 at 16:21.
-
16-05-2005, 17:41 #10
-= TeamSpeak Fanatic =-
- Join Date
- Jan 2003
- Location
- Germany
- Posts
- 4,140
Quote: "Upon further research I have found that they did all this via a MySQL hack. Since we had an old version of phpbb (2.0.6) running, they were able to hack our forums via a security issue with the old phpbb. Well, a simple restore of the MySQL and upgrade of phpbb to the latest version (has improved security) and everything is back to normal on the forums."
That is quite correct. As a matter of fact I've been rambling about it occasionally since last December. Reading bugtraq pays off, even if you're not running your own server.
Quote: "Now, what to do with Teamspeak? Researching the forums I've read that there is no known hack for TS. But poor server security setup. Um… oh really. Upon research I've found that Teamspeak has MySQL as well. And what I've read it states that proper security is not set up correctly for the MySQL. No problem with TS just the third party database that it uses and installs. Nice!"
Indeed. By the way, phpmyadmin (popular tool for managing MySQL databases via web interface) had several vulnerabilities in the last two or three months as well, one of them allowing someone with phpmyadmin access to manipulate ALL databases on the server.
Also, some cheapo (web)server providers don't set a MySQL root password by default and leave MySQL open for the public. If the root account is not restricted to localhost everybody with internet access can do with the MySQL server whatever s/he wants. Better disable networking for MySQL altogether, you usually don't need it if all your software runs on the same machine (Unix sockets rock).
Quote: "My problem is that for phpbb forums I have a software program (myphpadmin) that is automatically installed for the domain site. So I'm able to get to it via a web page. TS is installed on the server in the /home/admin/tss/tss2_rc2 folder. No direct IP connection for that location. So, do I now have to download the MySQL to my PC, alter the database and then upload it back to the server?"
Just use the same MySQL server for website and TS2. What's the problem?
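Added example, not part of any post in this thread: a small Python check for the MySQL hardening advice in posts #9 and #10 (listener limited to 127.0.0.1 or disabled, no passwordless or remotely reachable accounts, one account per application database). The my.cnf fragment, the account rows and their tuple layout are constructed sample data and assumptions, not output of any MySQL tool.

```python
import configparser

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: a my.cnf fragment and account rows in an assumed layout
# (user, host, has_password, databases the account holds privileges on).
SAMPLE_MY_CNF = """
[mysqld]
port = 3306
bind-address = 0.0.0.0
"""
SAMPLE_ACCOUNTS = [
    ("root", "%", False, ["*"]),
    ("webapp", "localhost", True, ["phpbb", "teamspeak"]),
    ("teamspeak", "localhost", True, ["teamspeak"]),
]


def audit_listener(my_cnf_text):
    """Report whether mysqld accepts TCP connections from other machines."""
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False,
                                    interpolation=None)
    cfg.read_string(my_cnf_text)
    opts = {}
    if cfg.has_section("mysqld"):
        # MySQL accepts both skip-networking and skip_networking spellings.
        opts = {k.replace("_", "-"): v for k, v in cfg.items("mysqld")}
    if "skip-networking" in opts:
        return []  # Unix socket only, no TCP listener at all
    bind = opts.get("bind-address")
    if bind in LOCAL_HOSTS:
        return []
    return [f"mysqld listens on {bind or 'all interfaces (no bind-address set)'}"]


def audit_accounts(accounts):
    """Flag passwordless, remotely usable, or shared-across-apps accounts."""
    findings = []
    for user, host, has_password, databases in accounts:
        who = f"'{user}'@'{host}'"
        if not has_password:
            findings.append(f"{who} has no password")
        if host not in LOCAL_HOSTS:
            findings.append(f"{who} may connect from other hosts")
        # One account per application: a forum compromise should not reach TS.
        if user != "root" and ("*" in databases or len(databases) > 1):
            findings.append(f"{who} can reach several databases: "
                            + ", ".join(databases))
    return findings
```

On the constructed sample, the shared `webapp` account is the case the thread describes: a phpbb compromise would also expose the TeamSpeak database.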
-
20-05-2005, 22:35 #11
-= TeamSpeak Lover =-
- Join Date
- Aug 2002
- Location
- Silicon Valley
- Posts
- 45
- Given that the attackers compromised your forums via phpBB, maybe they found an admin password that someone posted in a private forum. Or, maybe somewhere else on the server. Or, maybe they used the content of your web site to build a custom dictionary to brute force a password. Or, maybe they used the trick about getting an admin to hit Alt-something to turn them into admins.
- Anyone that has SA access on a server can login to the teamspeak web admin with that account.
- Anyone with SA access can create another account with SA access from the TS client, (self>admin register player w/ server). This can be done even if grant and revoke SA access are disabled. I have reported this before and it was never fixed.
- I recommend enabling logging. At least you could see who connected to what account and from what IP after the fact.


