Beta23 - Hacked [Old bug]

[xCav8r]

Apologies if this is the wrong forum for this.

My server got hacked this morning, and I've since restored my database and upgraded to beta27. I don't know if this was a result of running an old version with a security hole or if it's some setting that I have wrong (everything is default). Any advice would be appreciated.

The following is a copy of my log.

Code:

2010-06-25 23:22:34.468750|INFO    |ServerLibPriv |   | Server Version: 3.0.0-beta23 [Build: 11239], Windows
2010-06-25 23:22:34.921875|INFO    |DatabaseQuery |   | dbPlugin name:    SQLite3 plugin, Version 2, (c)TeamSpeak Systems GmbH
2010-06-25 23:22:34.921875|INFO    |DatabaseQuery |   | dbPlugin version: 3.6.21
2010-06-25 23:22:35.062500|INFO    |DatabaseQuery |   | checking database integrity (may take a while)
2010-06-25 23:22:35.640625|INFO    |SQL           |   | pruning old database log entries where timestamp is older than 90 days
2010-06-25 23:22:36.125000|WARNING |Accounting    |   | Unable to find valid license key, falling back to limited functionality
2010-06-25 23:22:36.468750|INFO    |FileManager   |   | listening on 0.0.0.0:30033
2010-06-25 23:22:36.640625|WARNING |PermGroupMgr  |  1| cldbid: 2, assigned to unknown gid: 2, ignoring!
2010-06-25 23:22:36.921875|INFO    |VirtualServer |  1| listening on 0.0.0.0:9987
2010-06-25 23:22:37.015625|INFO    |CIDRManager   |   | updated query_ip_whitelist ips: 127.0.0.1, 85.25.120.233, 
2010-06-25 23:22:37.062500|INFO    |Query         |   | listening on 0.0.0.0:10011
2010-07-01 00:22:35.781250|INFO    |VirtualSvrMgr |   | executing monthly interval
2010-07-01 00:22:35.781250|INFO    |VirtualSvrMgr |   | reset client traffic statistics
2010-07-01 00:22:35.781250|INFO    |VirtualSvrMgr |   | reset virtualserver traffic statistics
2010-08-01 00:22:35.781250|INFO    |VirtualSvrMgr |   | executing monthly interval
2010-08-01 00:22:35.781250|INFO    |VirtualSvrMgr |   | reset client traffic statistics
2010-08-01 00:22:35.781250|INFO    |VirtualSvrMgr |   | reset virtualserver traffic statistics
2010-08-13 07:07:44.203125|INFO    |VirtualServer |  1| client (id:46) was added to servergroup 'Admin Server Query'(id:2) by client 'server'(id:0)
2010-08-13 07:07:54.093750|INFO    |VirtualServer |  1| client (id:12) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:29.187500|INFO    |VirtualServer |  1| client (id:16) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:30.968750|INFO    |VirtualServer |  1| client (id:2) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:31.328125|INFO    |VirtualServer |  1| client (id:3) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:31.687500|INFO    |VirtualServer |  1| client (id:4) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:32.031250|INFO    |VirtualServer |  1| client (id:5) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:34.406250|INFO    |VirtualServer |  1| client (id:8) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:35.046875|INFO    |VirtualServer |  1| client (id:6) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:35.687500|INFO    |VirtualServer |  1| client (id:7) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:36.515625|INFO    |VirtualServer |  1| client (id:9) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:37.218750|INFO    |VirtualServer |  1| client (id:11) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:37.812500|INFO    |VirtualServer |  1| client (id:13) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:38.328125|INFO    |VirtualServer |  1| client (id:14) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:38.843750|INFO    |VirtualServer |  1| client (id:35) was removed from servergroup 'Server Admin'(id:6) by client 'framerunner'(id:46)
2010-08-13 07:08:47.875000|INFO    |VirtualServer |  1| servergroup 'Server Admin'(id:6) was deleted by 'framerunner'(id:46)
2010-08-13 07:08:51.921875|INFO    |VirtualServer |  1| servergroup 'Normal'(id:7) was deleted by 'framerunner'(id:46)
2010-08-13 07:08:56.312500|INFO    |VirtualServer |  1| servergroup 'Normal'(id:4) was deleted by 'framerunner'(id:46)

[-{HGH}-GEN.Skylab]

http://forum.teamspeak.com/showthread.php?t=55646

[BuffBot]

edit:

see post above

-----
as far as i know, you should immediatly update to the latest server version.

the devs released a security fix with beta 25. everything below 25 is no more "save" to use.

here you can find the latest server version:

http://www.teamspeak.com/?page=downloads

[Stefan1200]

I don't know if this was a result of running an old version with a security hole

Read this and say what you think:
http://forum.teamspeak.com/showthread.php?t=55655

[xCav8r]

Thank you for the replies. It looks like the hacker exploited that vulnerability. Now that we're on the subject though, does anyone have any recommendations for changing settings that would increase security?

[poisonpanik]

There was no setting you could use to prevent that exploit since it used your voice port to do it. To date there have been no reported "legitimate" hacks of teamspeak from beta 25 and up. Many think they get hacked but it usually turns out to be a permission error on their part.