Forum

Results 1 to 11 of 11
  1. #1
    Join Date
    June 2014
    Posts
    16

    Wierd Query Login Attempts on my server

    Today i updated both of my servers to the latest version (3.7.0) and after that i get failed query login attempts from the same ip.
    PS: servers are in two different machines with different ip and didn't have this issue before.

    Any idea what is wrong?

    https://i.imgur.com/D06eCDL.jpg

  2. #2
    Join Date
    June 2008
    Posts
    17,700
    Does it only happen on every instance start? -> A script is running on that machine tried to connect.
    Or did it only happen once? -> Check your old logs possibly someone tried to login before.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  3. #3
    Join Date
    June 2014
    Posts
    16
    Quote Originally Posted by dante696 View Post
    Does it only happen on every instance start? -> A script is running on that machine tried to connect.
    Or did it only happen once? -> Check your old logs possibly someone tried to login before.
    As i said after the update to version 3.7.0 this started happened. I have the default query ip ban at 10 minutes so every 10 minutes it tries to login again in both machines. If it makes sence, it tries with different names every 2 failures as i see. The IP that gets banned is unknown to me and has nothing to do with my servers cause none of them own it. A normal geo-location search also shows India, when the servers are hosted in Germany.

    EDIT:
    HMM, what the .... Searched yesterday's log before the update.
    https://i.gyazo.com/a7fc646494b44b79...54b56647f5.png
    So someone is trying to gain access with wierd / random accounts, or trying to flood or what?
    Same stuff on the other server, no point to send the same log again. Just random other login names.

    Everything looks like started yesterday morning. Looks like some bot or something.


    PS: as it's not an error related directly to 3.7.0 could you change the title and remove the "After 3.7.0 Update" part? I am not able to.
    Last edited by Alligatoras; March 20th, 2019 at 08:34 AM.

  4. #4
    Join Date
    June 2008
    Posts
    17,700
    Please add the IP to the blacklist or block it completely in your firewall or change the port for the ServerQuery interface (telnet and SSH).

    Changed the title.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  5. #5
    Join Date
    June 2014
    Posts
    16
    Quote Originally Posted by dante696 View Post
    Please add the IP to the blacklist or block it completely in your firewall or change the port for the ServerQuery interface (telnet and SSH)
    Uhh, as i never managed to make it work with the ini file i guess i will just block the ip both in firewall and the ts3 blacklist.
    Anyway, thank you
    Last edited by Alligatoras; March 20th, 2019 at 08:57 AM.

  6. #6
    Join Date
    June 2008
    Posts
    17,700
    Create server.ini file and fill in what is listed below and there change the port.
    Start he server with parameter inifile=server.ini and the server will use other ports.


    Code:
    query_ip=0.0.0.0,::
    query_port=10011
    query_ssh_ip=0.0.0.0,::
    query_ssh_port=10022
    query_protocols=raw, ssh
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  7. #7
    Join Date
    May 2007
    Location
    Eastern NC
    Posts
    1,779
    @Alligatoras , that maybe an indicator of a bigger problem. If running Linux you should also check your SSHD secure log. Recently, after updating my CentOS server to 7 from 6 to support future (beta1 at the time) server versions, when I logged in as root I got a note about over 1,000 failed login attempts, I have SSH/root login disallowed. After some log reviews and research I decided to start a service that auto bans IPs after a few failed SSH login attempts, it has added over 7,000 IP bans to IPTABLES in the last week. My TS server telnet/SSH query ports are not allowed through my firewall, so I never see such logs in TS.

  8. #8
    Join Date
    June 2014
    Posts
    16
    Quote Originally Posted by dante696 View Post
    Create server.ini file and fill in what is listed below and there change the port.
    Start he server with parameter inifile=server.ini and the server will use other ports.


    Code:
    query_ip=0.0.0.0,::
    query_port=10011
    query_ssh_ip=0.0.0.0,::
    query_ssh_port=10022
    query_protocols=raw, ssh
    and then i just start the server with ./ts3server_startscript.sh start inifile=server.ini or what? Cause a test i made didn't start the server with the file.


    Quote Originally Posted by Screech View Post
    @Alligatoras , that maybe an indicator of a bigger problem. If running Linux you should also check your SSHD secure log. Recently, after updating my CentOS server to 7 from 6 to support future (beta1 at the time) server versions, when I logged in as root I got a note about over 1,000 failed login attempts, I have SSH/root login disallowed. After some log reviews and research I decided to start a service that auto bans IPs after a few failed SSH login attempts, it has added over 7,000 IP bans to IPTABLES in the last week. My TS server telnet/SSH query ports are not allowed through my firewall, so I never see such logs in TS.
    Thanks for the info but about that i am pretty well secured. I have permanently disabled "root" login both sshd and ftp. Using only Public Key Authentication. So the only way to access the server is by having that file on your machine. Unless my computer get hacked, i think i am fine.

  9. #9
    Join Date
    June 2008
    Posts
    17,700
    Quote Originally Posted by Alligatoras View Post
    ./ts3server_startscript.sh start inifile=server.ini or what?
    That's how i start the server every time I test on several Linux ditrub. or freeBSD (and Windows or Mac OS) and it works fine.
    Note: File needs to be in root of server dir.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  10. #10
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,319
    I am being attacked by that IP (118.151.209.119) as well on one of my three machines. The two "big" ones are also being attacked the following IPs which you might want to blacklist as well:
    Code:
    183.247.184.220
    183.91.0.77
    74.112.248.110
    116.196.92.81
    My smallest server has no failed login but a few strange anonymous queries:
    Code:
    2019-02-22 17:59:09.256421|INFO    |Query         |   |query from 23 185.156.177.2:15642 issued: *%ļokie: mstshash=Test
    2019-02-22 17:59:08.993139|INFO    |Query         |   |query from 22 185.156.177.2:15174 issued: *%ļokie: mstshash=Test
    2019-02-17 03:33:42.629778|INFO    |Query         |   |query from 21 5.101.40.34:1494 issued: /*ļokie: mstshash=Administr
    2019-02-12 09:23:41.441598|INFO    |Query         |   |query from 20 185.156.177.2:44550 issued: *%ļokie: mstshash=Test
    2019-02-12 09:23:41.422946|INFO    |Query         |   |query from 19 185.156.177.2:44511 issued: *%ļokie: mstshash=Test
    2019-01-05 16:06:38.204811|INFO    |Query         |   |query from 17 46.161.27.112:49220 issued: +&ļokie: mstshash=hello
    2019-01-05 10:29:43.472973|INFO    |Query         |   |query from 16 5.101.40.34:1895 issued: /*ļokie: mstshash=Administr
    2018-12-25 14:43:59.897512|INFO    |Query         |   |query from 15 185.153.196.21:1385 issued: /*ļokie: mstshash=Administr
    2018-12-06 16:45:00.316317|INFO    |Query         |   |query from 14 193.238.46.63:12546 issued: *%ļokie: mstshash=Test
    2018-12-06 16:45:00.289305|INFO    |Query         |   |query from 13 193.238.46.63:12433 issued: *%ļokie: mstshash=Test
    2018-11-24 09:53:54.205661|INFO    |Query         |   |query from 12 193.238.46.63:14617 issued: *%ļokie: mstshash=Test
    2018-11-24 09:53:54.172737|INFO    |Query         |   |query from 11 193.238.46.63:14283 issued: *%ļokie: mstshash=Test
    2018-10-04 22:17:11.431991|INFO    |Query         |   |query from 8 185.209.0.4:3980 issued: /*ļokie: mstshash=Administr
    2018-09-28 11:12:58.544542|INFO    |Query         |   |query from 7 78.128.112.22:597 issued: /*ļokie: mstshash=Administr
    2018-08-30 07:48:06.773932|INFO    |Query         |   |query from 4 193.238.46.19:1307 issued: /*ļokie: mstshash=Administr
    @dante: It would be cool to know from the log what type of connection is being used, SSH or raw.

  11. #11
    Join Date
    June 2014
    Posts
    16
    Quote Originally Posted by dante696 View Post
    That's how i start the server every time I test on several Linux ditrub. or freeBSD (and Windows or Mac OS) and it works fine.
    Note: File needs to be in root of server dir.
    Uhh..mistake. The file was in ts3 user but assigned to user root.
    Fixed and worked.

    Quote Originally Posted by numma_cway View Post
    I am being attacked by that IP (118.151.209.119) as well on one of my three machines. The two "big" ones are also being attacked the following IPs which you might want to blacklist as well:
    Code:
    183.247.184.220
    183.91.0.77
    74.112.248.110
    116.196.92.81
    My smallest server has no failed login but a few strange anonymous queries:
    Code:
    2019-02-22 17:59:09.256421|INFO    |Query         |   |query from 23 185.156.177.2:15642 issued: *%ļokie: mstshash=Test
    2019-02-22 17:59:08.993139|INFO    |Query         |   |query from 22 185.156.177.2:15174 issued: *%ļokie: mstshash=Test
    2019-02-17 03:33:42.629778|INFO    |Query         |   |query from 21 5.101.40.34:1494 issued: /*ļokie: mstshash=Administr
    2019-02-12 09:23:41.441598|INFO    |Query         |   |query from 20 185.156.177.2:44550 issued: *%ļokie: mstshash=Test
    2019-02-12 09:23:41.422946|INFO    |Query         |   |query from 19 185.156.177.2:44511 issued: *%ļokie: mstshash=Test
    2019-01-05 16:06:38.204811|INFO    |Query         |   |query from 17 46.161.27.112:49220 issued: +&ļokie: mstshash=hello
    2019-01-05 10:29:43.472973|INFO    |Query         |   |query from 16 5.101.40.34:1895 issued: /*ļokie: mstshash=Administr
    2018-12-25 14:43:59.897512|INFO    |Query         |   |query from 15 185.153.196.21:1385 issued: /*ļokie: mstshash=Administr
    2018-12-06 16:45:00.316317|INFO    |Query         |   |query from 14 193.238.46.63:12546 issued: *%ļokie: mstshash=Test
    2018-12-06 16:45:00.289305|INFO    |Query         |   |query from 13 193.238.46.63:12433 issued: *%ļokie: mstshash=Test
    2018-11-24 09:53:54.205661|INFO    |Query         |   |query from 12 193.238.46.63:14617 issued: *%ļokie: mstshash=Test
    2018-11-24 09:53:54.172737|INFO    |Query         |   |query from 11 193.238.46.63:14283 issued: *%ļokie: mstshash=Test
    2018-10-04 22:17:11.431991|INFO    |Query         |   |query from 8 185.209.0.4:3980 issued: /*ļokie: mstshash=Administr
    2018-09-28 11:12:58.544542|INFO    |Query         |   |query from 7 78.128.112.22:597 issued: /*ļokie: mstshash=Administr
    2018-08-30 07:48:06.773932|INFO    |Query         |   |query from 4 193.238.46.19:1307 issued: /*ļokie: mstshash=Administr
    @dante: It would be cool to know from the log what type of connection is being used, SSH or raw.
    Nice. Thanks for the info. IPs got blacklsited too.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Lost Server query Login
    By KeksDipp in forum Linux / FreeBSD
    Replies: 1
    Last Post: June 27th, 2016, 12:46 PM
  2. server query login
    By locuazon5 in forum Server Support
    Replies: 1
    Last Post: June 25th, 2013, 04:33 PM
  3. Can't Login to Server Query
    By behgonn in forum Permission System
    Replies: 2
    Last Post: April 23rd, 2013, 10:43 AM
  4. need help server query login
    By brandon789 in forum Linux / FreeBSD
    Replies: 7
    Last Post: November 29th, 2012, 11:11 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •