  1. #1
    Join Date
    June 2014
    Posts
    17

    Weird Query Login Attempts on my server

    Today I updated both of my servers to the latest version (3.7.0), and after that I get failed query login attempts from the same IP.
    PS: The servers are on two different machines with different IPs and didn't have this issue before.

    Any idea what is wrong?

    https://i.imgur.com/D06eCDL.jpg

  2. #2
    Join Date
    June 2008
    Posts
    18,513
    Does it only happen on every instance start? -> A script running on that machine tried to connect.
    Or did it only happen once? -> Check your old logs; possibly someone tried to log in before.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  3. #3
    Join Date
    June 2014
    Posts
    17
    Quote Originally Posted by dante696 View Post
    Does it only happen on every instance start? -> A script running on that machine tried to connect.
    Or did it only happen once? -> Check your old logs; possibly someone tried to log in before.
    As I said, after the update to version 3.7.0 this started happening. I have the default query IP ban at 10 minutes, so every 10 minutes it tries to log in again on both machines. If it makes sense, it tries with different names every 2 failures, as I see. The IP that gets banned is unknown to me and has nothing to do with my servers, because none of them own it. A normal geo-location search also shows India, while the servers are hosted in Germany.

    EDIT:
    HMM, what the .... Searched yesterday's log before the update.
    https://i.gyazo.com/a7fc646494b44b79...54b56647f5.png
    So someone is trying to gain access with weird / random accounts, or trying to flood, or what?
    Same stuff on the other server, no point in sending the same log again. Just random other login names.

    Everything looks like it started yesterday morning. Looks like some bot or something.


    PS: as it's not an error related directly to 3.7.0 could you change the title and remove the "After 3.7.0 Update" part? I am not able to.
    Last edited by Alligatoras; March 20th, 2019 at 08:34 AM.

  4. #4
    Join Date
    June 2008
    Posts
    18,513
    Please add the IP to the blacklist or block it completely in your firewall or change the port for the ServerQuery interface (telnet and SSH).

    Changed the title.

  5. #5
    Join Date
    June 2014
    Posts
    17
    Quote Originally Posted by dante696 View Post
    Please add the IP to the blacklist or block it completely in your firewall or change the port for the ServerQuery interface (telnet and SSH)
    Uhh, as I never managed to make it work with the ini file, I guess I will just block the IP both in the firewall and the TS3 blacklist.
    Anyway, thank you.
    Last edited by Alligatoras; March 20th, 2019 at 08:57 AM.

  6. #6
    Join Date
    June 2008
    Posts
    18,513
    Create a server.ini file, fill in what is listed below, and change the port there.
    Start the server with parameter inifile=server.ini and the server will use other ports.


    Code:
    query_ip=0.0.0.0,::
    query_port=10011
    query_ssh_ip=0.0.0.0,::
    query_ssh_port=10022
    query_protocols=raw, ssh

  7. #7
    Join Date
    May 2007
    Location
    Eastern NC
    Posts
    1,801
    @Alligatoras, that may be an indicator of a bigger problem. If running Linux you should also check your SSHD secure log. Recently, after updating my CentOS server to 7 from 6 to support future (beta1 at the time) server versions, when I logged in as root I got a note about over 1,000 failed login attempts; I have SSH/root login disallowed. After some log reviews and research I decided to start a service that auto-bans IPs after a few failed SSH login attempts; it has added over 7,000 IP bans to IPTABLES in the last week. My TS server telnet/SSH query ports are not allowed through my firewall, so I never see such logs in TS.

  8. #8
    Join Date
    June 2014
    Posts
    17
    Quote Originally Posted by dante696 View Post
    Create a server.ini file, fill in what is listed below, and change the port there.
    Start the server with parameter inifile=server.ini and the server will use other ports.


    Code:
    query_ip=0.0.0.0,::
    query_port=10011
    query_ssh_ip=0.0.0.0,::
    query_ssh_port=10022
    query_protocols=raw, ssh
    And then I just start the server with ./ts3server_startscript.sh start inifile=server.ini or what? Cause a test I made didn't start the server with the file.


    Quote Originally Posted by Screech View Post
    @Alligatoras, that may be an indicator of a bigger problem. If running Linux you should also check your SSHD secure log. Recently, after updating my CentOS server to 7 from 6 to support future (beta1 at the time) server versions, when I logged in as root I got a note about over 1,000 failed login attempts; I have SSH/root login disallowed. After some log reviews and research I decided to start a service that auto-bans IPs after a few failed SSH login attempts; it has added over 7,000 IP bans to IPTABLES in the last week. My TS server telnet/SSH query ports are not allowed through my firewall, so I never see such logs in TS.
    Thanks for the info, but about that I am pretty well secured. I have permanently disabled "root" login in both sshd and ftp. Using only Public Key Authentication. So the only way to access the server is by having that file on your machine. Unless my computer gets hacked, I think I am fine.

  9. #9
    Join Date
    June 2008
    Posts
    18,513
    Quote Originally Posted by Alligatoras View Post
    ./ts3server_startscript.sh start inifile=server.ini or what?
    That's how I start the server every time I test on several Linux distrib. or FreeBSD (and Windows or Mac OS) and it works fine.
    Note: File needs to be in root of server dir.

  10. #10
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,368
    I am being attacked by that IP (118.151.209.119) as well on one of my three machines. The two "big" ones are also being attacked by the following IPs, which you might want to blacklist as well:
    Code:
    183.247.184.220
    183.91.0.77
    74.112.248.110
    116.196.92.81
    My smallest server has no failed login but a few strange anonymous queries:
    Code:
    2019-02-22 17:59:09.256421|INFO    |Query         |   |query from 23 185.156.177.2:15642 issued: *%ļokie: mstshash=Test
    2019-02-22 17:59:08.993139|INFO    |Query         |   |query from 22 185.156.177.2:15174 issued: *%ļokie: mstshash=Test
    2019-02-17 03:33:42.629778|INFO    |Query         |   |query from 21 5.101.40.34:1494 issued: /*ļokie: mstshash=Administr
    2019-02-12 09:23:41.441598|INFO    |Query         |   |query from 20 185.156.177.2:44550 issued: *%ļokie: mstshash=Test
    2019-02-12 09:23:41.422946|INFO    |Query         |   |query from 19 185.156.177.2:44511 issued: *%ļokie: mstshash=Test
    2019-01-05 16:06:38.204811|INFO    |Query         |   |query from 17 46.161.27.112:49220 issued: +&ļokie: mstshash=hello
    2019-01-05 10:29:43.472973|INFO    |Query         |   |query from 16 5.101.40.34:1895 issued: /*ļokie: mstshash=Administr
    2018-12-25 14:43:59.897512|INFO    |Query         |   |query from 15 185.153.196.21:1385 issued: /*ļokie: mstshash=Administr
    2018-12-06 16:45:00.316317|INFO    |Query         |   |query from 14 193.238.46.63:12546 issued: *%ļokie: mstshash=Test
    2018-12-06 16:45:00.289305|INFO    |Query         |   |query from 13 193.238.46.63:12433 issued: *%ļokie: mstshash=Test
    2018-11-24 09:53:54.205661|INFO    |Query         |   |query from 12 193.238.46.63:14617 issued: *%ļokie: mstshash=Test
    2018-11-24 09:53:54.172737|INFO    |Query         |   |query from 11 193.238.46.63:14283 issued: *%ļokie: mstshash=Test
    2018-10-04 22:17:11.431991|INFO    |Query         |   |query from 8 185.209.0.4:3980 issued: /*ļokie: mstshash=Administr
    2018-09-28 11:12:58.544542|INFO    |Query         |   |query from 7 78.128.112.22:597 issued: /*ļokie: mstshash=Administr
    2018-08-30 07:48:06.773932|INFO    |Query         |   |query from 4 193.238.46.19:1307 issued: /*ļokie: mstshash=Administr
    @dante: It would be cool to know from the log what type of connection is being used, SSH or raw.
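
An added example, not part of any post in this thread: the `mstshash=` token in the log lines above is the routing cookie of an RDP connection request, so those entries are generic RDP scanners reaching the query port rather than ServerQuery login attempts. The Python sketch below tallies such probes per source address from a log in the layout quoted above; the sample lines and their addresses are constructed (RFC 5737 documentation ranges), and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the pipe-delimited layout quoted in the thread.
# Addresses come from the RFC 5737 documentation ranges, not real sources.
SAMPLE_LOG = (
    "2019-02-22 17:59:09.256421|INFO    |Query         |   |query from 23 192.0.2.10:15642 issued: *%\u013cokie: mstshash=Test\n"
    "2019-02-22 17:59:08.993139|INFO    |Query         |   |query from 22 192.0.2.10:15174 issued: *%\u013cokie: mstshash=Test\n"
    "2019-02-17 03:33:42.629778|INFO    |Query         |   |query from 21 198.51.100.7:1494 issued: /*\u013cokie: mstshash=Administr\n"
    "2019-02-18 10:00:00.000000|INFO    |Query         |   |query from 24 203.0.113.5:40000 issued: version\n"
)

# Message part of a "Query" log line: connection id, peer address, raw input.
MSG = re.compile(r"query from (?P<conn>\d+) (?P<ip>\S+):(?P<port>\d+) issued: (?P<cmd>.*)")
# Routing cookie carried in an RDP connection request.
RDP_COOKIE = re.compile(r"mstshash=(\S*)")


def summarize_rdp_probes(log_text):
    """Return {ip: {count, first, last, names}} for queries carrying an RDP cookie."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None, "names": set()})
    for line in log_text.splitlines():
        parts = line.split("|", 4)  # timestamp | level | channel | server id | message
        if len(parts) != 5 or parts[2].strip() != "Query":
            continue
        msg = MSG.match(parts[4])
        if not msg:
            continue
        cookie = RDP_COOKIE.search(msg.group("cmd"))
        if not cookie:
            continue  # an ordinary ServerQuery command, not an RDP probe
        ts, rec = parts[0], hits[msg.group("ip")]
        rec["count"] += 1
        # Timestamps in this format sort correctly as plain strings.
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
        rec["names"].add(cookie.group(1))
    return dict(hits)


if __name__ == "__main__":
    for ip, rec in sorted(summarize_rdp_probes(SAMPLE_LOG).items()):
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["names"]))
```

Addresses it reports can be handled the way the thread suggests, with a firewall block or a blacklist entry.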

  11. #11
    Join Date
    June 2014
    Posts
    17
    Quote Originally Posted by dante696 View Post
    That's how I start the server every time I test on several Linux distrib. or FreeBSD (and Windows or Mac OS) and it works fine.
    Note: File needs to be in root of server dir.
    Uhh..mistake. The file was in ts3 user but assigned to user root.
    Fixed and worked.

    Quote Originally Posted by numma_cway View Post
    I am being attacked by that IP (118.151.209.119) as well on one of my three machines. The two "big" ones are also being attacked by the following IPs, which you might want to blacklist as well:
    Code:
    183.247.184.220
    183.91.0.77
    74.112.248.110
    116.196.92.81
    Nice. Thanks for the info. IPs got blacklisted too.
