  1. #1
    Join Date
    May 2017
    Posts
    13

    Server got overtaken twice in a day, Please help

    Good Day

    My server got hacked last night and the guy said that he used a web interface like cPanel to get access; according to him it was an exploit for TeamSpeak server licence 3.0.13.3 and lower.
    So I upgraded my license to 3.0.13.8 and he attacked and got access again after a few hours.

    My license is an NPL
    Running CentOS 6 64-bit


    Please help me, it is urgent; the guy is requesting money to stop.

    Thanks in advance
    Acordi

  2. #2
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    What happened?
    I don't know anything about web interfaces, I don't use them (for a reason).

  3. #3
    Join Date
    June 2008
    Posts
    18,507
    Not updating software is the result you are in now :/
    The mentioned exploit was fixed August 2016 already and has nothing to do with the server license.

    In case that guy used the exploit and doesn't use another way to come into your system:
    The only fix after your server got overtaken is to use a backup where you change the password for Query logins, or you start from scratch with the latest server.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  4. #4
    Join Date
    May 2017
    Posts
    13
    I don't use a web interface or anything, but it seems like the guy got access over server admin somehow. It might have been an exploit for the TeamSpeak server version 3.0.13.3 and lower, but I did update the license last night to the most recent one, and then I went to sleep and woke up this morning and the server was hacked again, saying he wants $20 in his Steam wallet.

    I am not sure if he just had access to my server still, so then the new license was no use

    -----------merged 2 posts-----------

    Anyone had similar issues, if so please help

    Hi again, I started from scratch. I only used a snapshot with YaTQA to add the channels and groups;
    also I copied the ts3server.sqlitedb, that was it, and the NPL license obviously (licensekey.dat)
    Last edited by dante696; November 6th, 2017 at 01:57 PM. Reason: merged

  5. #5
    Join Date
    June 2008
    Posts
    18,507
    Just updating after something has happened is too late, as said above.
    I think he did add himself permissions already on your TS server.

    //Edit after post above appeared
    Using the old ts3server.sqlitedb is nothing I suggest when that user has access.

  6. #6
    Join Date
    May 2017
    Posts
    13
    Okay, I will rebuild it. What is the best method now: download the newest version, then use the snapshot for channels and groups? And how do I add the NPL then?

  7. #7
    Join Date
    June 2008
    Posts
    18,507
    Insert the licensekey.dat in the root of your server folder.
    That file is not related to the ts3server.sqlitedb.

  8. #8
    Join Date
    May 2017
    Posts
    13
    Okay, so I set up a new server in a new directory and just copy the licensekey.dat, and then I can use the snapshot afterwards.

    Also, I must not copy the sqlitedb?

  9. #9
    Join Date
    June 2008
    Posts
    18,507
    Copy your old ts3server.sqlitedb as a broken* backup.
    But do not insert and use it in your new setup as long as nobody in here is sure that he used that exploit or used another way to get into the server machine/operating system.

    P.S. Make sure that all clients or at least admins use client 3.1.6
    And do not use the same Query serveradmin password.

  10. #10
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    People can assign themselves Client Permissions, linked to their UID. Those will be restored when deploying a snapshot. If you deploy a snapshot, use YaTQA's "All Client Permissions" to find Client Permissions. Any permissions with "power" are suspicious here and should be deleted if you do not know the client.

  11. #11
    Join Date
    May 2017
    Posts
    13
    Okay, thanks for all the help. I have rebuilt the server, so now we wait and see. I will check the permissions for clients, but I doubt it, because when I made this snapshot this guy didn't even use my server. He is just a hacker taking down random servers, which is possible.

  12. #12
    Join Date
    June 2008
    Posts
    18,507
    He is taking down the server like "ping and packet loss raises and everyone times out"?
    You missed mentioning that detail.

    This may not be a hack when this still happens with server 3.0.13.8. That guy seems to run a DDoS against your machine.
    In that case all steps above will not help here and you can use the old server database.

  13. #13
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    For DDoS, there are two types:
    - Flooding the network capacity. There is nothing you can do. If any, only your ISP can help here. This type of DDoS is in no way related to TeamSpeak.
    - Flooding the computational capacity. TeamSpeak should be relatively immune to that by now. Make sure you do not run other public services, e.g. Apache. In some cases, firewall rules can help. This also isn't really a TeamSpeak issue.
    The easiest way to fix all of this is to buy professional hosting from a TeamSpeak hosting company specialized in DDoS protection instead of hosting the server yourself.

  14. #14
    Join Date
    May 2017
    Posts
    13
    Hi, I have set up the server as you mentioned and it is running the latest version, but my server just got hacked again; the guy is removing us from server admin

    <22:40:13> "Dean" was added to server group "Server Admin" by "Unknown from 41.108.242.213:50309".

    That IP is from Algeria. It is a VPN though; I pinged it and it was offline. He keeps using that IP on my server

    But he is from England, with the info I got

    No, this is not a DDoS; the server does not lag or anything

    He keeps doing that, giving himself rank
    Last edited by dante696; November 6th, 2017 at 11:44 PM. Reason: merged 4 posts
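
Added example, not part of any post in this thread: a small Python parser for server-group change lines of the form quoted in post #14, which flags changes to privileged groups made by an invoker outside an allow-list and groups them by source IP. The "removed from" wording, the group set, the nickname `Owner` and the 203.0.113.9 lines are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Modelled on the one log line quoted in post #14; the "removed from" variant
# is an assumption built by analogy with it.
EVENT_RE = re.compile(
    r'^<(?P<time>\d{2}:\d{2}:\d{2})>\s+"(?P<target>[^"]+)" was '
    r'(?P<action>added to|removed from) server group "(?P<group>[^"]+)" '
    r'by "(?P<invoker>[^"]+)"\.?$'
)
ANON_RE = re.compile(r'^Unknown from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+$')

PRIVILEGED_GROUPS = {"Server Admin"}   # groups worth alerting on
TRUSTED_INVOKERS = {"Owner"}           # hypothetical allow-list of admin nicknames

def parse_event(line):
    """Return a dict for a server-group change line, or None for anything else."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    anon = ANON_RE.match(event["invoker"])
    event["source_ip"] = anon.group("ip") if anon else None
    return event

def suspicious_events(lines, groups=PRIVILEGED_GROUPS, trusted=TRUSTED_INVOKERS):
    """Privileged-group changes made by an invoker that is not allow-listed."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if event and event["group"] in groups and event["invoker"] not in trusted:
            hits.append(event)
    return hits

def by_source(events):
    """Group hits by source IP (or by invoker name when no IP is shown)."""
    summary = defaultdict(list)
    for e in events:
        summary[e["source_ip"] or e["invoker"]].append((e["time"], e["action"], e["target"]))
    return dict(summary)

SAMPLE_LOG = [
    # first line is quoted from post #14; the rest are constructed test data
    '<22:40:13> "Dean" was added to server group "Server Admin" by "Unknown from 41.108.242.213:50309".',
    '<22:41:02> "Owner" was removed from server group "Server Admin" by "Unknown from 203.0.113.9:50311".',
    '<22:45:30> "Guest7" was added to server group "Normal" by "Unknown from 203.0.113.9:50312".',
    '<22:50:00> "Mika" was added to server group "Server Admin" by "Owner".',
    '<22:51:10> "Dean" connected to channel "Lobby"',
]

if __name__ == "__main__":
    for source, changes in by_source(suspicious_events(SAMPLE_LOG)).items():
        print(source, changes)
```
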

  15. #15
    Join Date
    June 2008
    Posts
    18,507
    So that person has access to your Query password or access to the machine or your permissions are messed up.

    I suggested not to use your old stuff and to change the password for the ServerQuery.
    I only have 1 suggestion left in case you have done that, did update your server and did not start an old version and your admins use client 3.1.6.

    (Following is for the Query interface and not Yatqa!)
    Close port 10011 [TCP] to deny access from outside. So only a local connection can be opened.
    Then change your Query password.
    Run the command permreset to clean all permissions or stop your server and rename the ts3server.sqlitedb.
    Now start your server.

    Please keep in mind that you can edit a post instead of creating new posts while only minutes have passed.