  1. #1
    Join Date
    May 2009
    Location
    Munich
    Posts
    5

    2.0.24.1 server hack by Monster*

    Hello everybody,

    I found at least one thread about the Monster* hack, but it's completely in German, which is not my native language. Decided to open a new thread:

    Well, in my scope of responsibilities are different things, one is TeamSpeak server administration. First started in 2006 on a Windows machine, later on my TS was moved to a Linux base. Everything was fine until 24.05.2009. One guy, with nickname Monster*, got SA rights and deleted all the channels. He left a link in the default channel description. Look at this: http://www.youtube.com/garksmstemm

    He says he is 19 years old, German. I'm not familiar with German law, but currently I'm on a business trip in Munich. I'd appreciate it if someone can advise on what can be done officially with this issue. I mean involving police, Interpol, I don't know if this helps. At least we know his icq#245362824 and IP from the log. I believe if escalated in a proper way we can do something.

    Now a few technical details for the developers. Guys, wake up. Look at the video, what Monster* does, and think what kind of exploit was used. The video shows some kind of a hacking tool, looks like brute force.

    My TS is running on Linux, not under the root account. Version 2.0.24.1, behind a router.
    Port 8757 is the only one mapped outside, the web interface is open for administering purposes, but mapped on a port other than the default and has an IP restriction applied. The TCP query port is not mapped outside, but is available internally.
    From the thread: http://forum.teamspeak.com/showthread.php?t=23726 all things were applied a long time ago (before the hack).

    From the server log I see next:

    Hacker connects as user, then as SA, then with nickname Monster and SA, but nothing is in LoginName.

    24-05-09 22:43:04,ALL,Info,AccessLog, SID: 1 client connected [IP:92.72.116.92, Nick: Guest, LoginName: GIGA, DBID: 2952, Version:2.0.32.60]

    24-05-09 22:43:04,ALL,Info,SALog, SID: 1 serveradmin connected [IP:92.72.116.92, Nick: Guest, LoginName: GIGA]

    24-05-09 22:47:15,ALL,Info,SALog, SID: 1 serveradmin connected [IP:92.72.116.92, Nick: Monster, LoginName: ]


    Following the link I posted above: http://www.youtube.com/garksmstemm

    There is a video, named owned, so you will see there my TS, which is already hacked (no channels, Hellbound.ge logo).

    I'd ask developers to investigate possible ways to fix the issue. A quick patch is highly appreciated. From my side I can provide any additional info required.

    Also, if anyone knows how to deal with the police regarding the hacking, I'd escalate the issue while I'm in Munich (till 30.05.2009).

    Look forward to your replies.

    Best Regards
    SSElite
    Last edited by SSElite; 27-05-2009 at 09:05.
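
Added example (not part of the original post, and not TeamSpeak code): a small log check for the pattern SSElite describes, a `serveradmin connected` entry whose `LoginName` is empty, plus one IP holding SA under more than one identity. The line format is inferred only from the three log lines quoted in the post, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Log lines as quoted in the post above (wrapped lines joined).
SAMPLE_LOG = """\
24-05-09 22:43:04,ALL,Info,AccessLog, SID: 1 client connected [IP:92.72.116.92, Nick: Guest, LoginName: GIGA, DBID: 2952, Version:2.0.32.60]
24-05-09 22:43:04,ALL,Info,SALog, SID: 1 serveradmin connected [IP:92.72.116.92, Nick: Guest, LoginName: GIGA]
24-05-09 22:47:15,ALL,Info,SALog, SID: 1 serveradmin connected [IP:92.72.116.92, Nick: Monster, LoginName: ]
"""

# Assumption: pattern inferred from the quoted lines, not from TeamSpeak documentation.
SA_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\w+,\w+,SALog,\s*"
    r"SID:\s*(?P<sid>\d+)\s+serveradmin connected\s+"
    r"\[IP:\s*(?P<ip>[\d.]+),\s*Nick:\s*(?P<nick>.*?),\s*LoginName:\s*(?P<login>.*?)\s*\]$"
)

def parse_sa_logins(text):
    """Return one dict per 'serveradmin connected' SALog line."""
    events = []
    for line in text.splitlines():
        m = SA_LINE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_anomalies(events):
    """Flag SA sessions without a login name and IPs with SA under several identities."""
    findings = []
    identities = defaultdict(set)
    for ev in events:
        identities[ev["ip"]].add((ev["nick"], ev["login"]))
        if not ev["login"]:
            findings.append(("empty-login", ev["ts"], ev["ip"], ev["nick"]))
    for ip, ids in sorted(identities.items()):
        if len(ids) > 1:
            findings.append(("multi-identity", ip, sorted(ids)))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(parse_sa_logins(SAMPLE_LOG)):
        print(finding)
```

Run against a full server log, each `empty-login` finding gives a timestamp and source IP to correlate with the AccessLog entries around it.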

  2. #2
    Join Date
    Jun 2003
    Posts
    246
    how strong is your SSA password?

  3. #3
    Join Date
    Jul 2006
    Posts
    1,573
    it is not possible to "hack" teamspeak unless you post full evidence of what has happened.
    you maybe have to consider some other things that caused your teamspeak server to be hacked, for example weak passwords

  4. #4
    Join Date
    May 2009
    Location
    Munich
    Posts
    5
    Quote Originally Posted by maggy View Post
    how strong is your SSA password?
    more than 10 symbols, using uppercase and lowercase, numeric and spec. symbols

  5. #5
    Join Date
    May 2009
    Location
    Munich
    Posts
    5
    Quote Originally Posted by maxi1990 View Post
    it is not possible to "hack" teamspeak unless you post full evidence of what has happened.
    you maybe have to consider some other things that caused your teamspeak server to be hacked, for example weak passwords
    1) Take a look at the log entries posted. Is everything OK? No, read the post carefully again.

    2) Watch the YouTube videos, link is there.

    3) Password was not weak, see my upper post.

    4) Don't say something is not possible. Are you a TS coder?

  6. #6
    Join Date
    Jul 2006
    Posts
    1,573
    http://it.truveo.com/warheit-%C3%BCb.../id/3172467922
    Because the first YouTube video was in German, I thought I would quickly show this; I found it while searching for this program.
    The video explains that no such program exists, or rather that it is only a "fake" laced with trojans.
    Last edited by maxi1990; 29-05-2009 at 15:43.

  7. #7
    Join Date
    May 2009
    Location
    Munich
    Posts
    5
    Quote Originally Posted by maxi1990 View Post
    http://it.truveo.com/warheit-%C3%BCb.../id/3172467922
    Because the first YouTube video was in German, I thought I would quickly show this; I found it while searching for this program.
    The video explains that no such program exists, or rather that it is only a "fake" laced with trojans.
    I managed to translate your post, but please remember, we are in the English server thread and unfortunately I don't understand German.

    Well, the man in this video, as you say, speaks about a "fake" program.
    But Monster* got SA rights somehow, right?
    He logged on to my TS and deleted all the channels.

    Thanks for the research you've done, maxi1990.

    I'm still waiting for the TeamSpeak developer team's answer.
    The way Monster* got SA rights and the more than strange server logs should be investigated.

    Particularly, I'm interested in the next thing: how come the server log SA login string does not contain a login name? (see the log message in my first post)

  8. #8
    Join Date
    Nov 2008
    Location
    United States
    Posts
    1,791
    Quote Originally Posted by SSElite View Post
    Also, if anyone knows how to deal with the police regarding the hacking, I'd escalate the issue while I'm in Munich (till 30.05.2009).

    Look forward to your replies.

    Best Regards
    SSElite
    There are 'internet police' people. In the long run you'll have to fork out some money for the court and lawyers and it'll probably be a while before anything ever comes from it. I'd say it's not worth fighting over for your loss of channels. You can google search for it and I'm sure you'll find more information. It's up to you though.

    Usually they are used for 'hacking' against a corporation and causing them money in investigation and prosecution and so forth. In the States, it's a felony but I'm not sure how it works in the cyber world. If he's in America, but 'hacks' something in Germany, not sure under which country he's charged under.

    In all reality, he's a script kiddie. You can laugh in his face for not actually being able to 'hack' and gloating himself like he can. That would be satisfaction enough for me. Seriously, I doubt it's worth the fight over your channels. Just brush it off and continue on.
    Last edited by ZeroTKA; 31-05-2009 at 18:34.

  9. #9
    Join Date
    May 2009
    Location
    Munich
    Posts
    5
    Quote Originally Posted by ZeroTKA View Post
    There are 'internet police' people. In the long run you'll have to fork out some money for the court and lawyers and it'll probably be a while before anything ever comes from it. I'd say it's not worth fighting over for your loss of channels. You can google search for it and I'm sure you'll find more information. It's up to you though.

    Usually they are used for 'hacking' against a corporation and causing them money in investigation and prosecution and so forth. In the States, it's a felony but I'm not sure how it works in the cyber world. If he's in America, but 'hacks' something in Germany, not sure under which country he's charged under.

    In all reality, he's a script kiddie. You can laugh in his face for not actually being able to 'hack' and gloating himself like he can. That would be satisfaction enough for me. Seriously, I doubt it's worth the fight over your channels. Just brush it off and continue on.
    Thank you, ZeroTKA. I do agree.

  10. #10
    Join Date
    May 2006
    Location
    Europe/Czech Rep.
    Posts
    1,299
    Quote Originally Posted by ZeroTKA View Post
    In all reality, he's a script kiddie. You can laugh in his face for not actually being able to 'hack' and gloating himself like he can. That would be satisfaction enough for me. Seriously, I doubt it's worth the fight over your channels. Just brush it off and continue on.
    agreed, some people think hacking is a bigger scope of things than it really is.
    I mean, like someone got taught how to click through something to get something and that's called hacking; those people hardly even know how it's done.
    Last edited by Tomas; 05-06-2009 at 19:11.

  11. #11
    Join Date
    Aug 2008
    Location
    Whois
    Posts
    597
    unnecessary discussion hydra gives it for a long time and functions…

  12. #12
    BHKai is offline -= Undercover TeamSpeak Fanatic =-
    Join Date
    Jan 2007
    Location
    LA
    Posts
    4,700
    There was more than one SA on the server. Is your tcp query port open?
