Notice to all users

We are migrating towards a new forum system located at, as such this forum will become read-only on January 29, 2020

Results 1 to 3 of 3
  1. #1
    Join Date
    April 2006

    Exclamation Directory Traversal?!

    Hey guys,

    I came along this in my logfile and for me it doesn't look really nice. Has some directory traversal bug/exploit flavour, but I am not sure, just have a look

    2009-12-26 14:12:33.463073|INFO    |ServerLibPriv |   | Server Version: 3.0.0-beta9 [Build: 9527]
    2009-12-26 14:12:33.473768|INFO    |DatabaseQuery |   | dbPlugin name:    SQLite3 plugin, (c)TeamSpeak Systems GmbH
    2009-12-26 14:12:33.473842|INFO    |DatabaseQuery |   | dbPlugin version: 3.6.21
    2009-12-26 14:12:33.629539|INFO    |Accounting    |   | Licensing Information
    2009-12-26 14:12:33.630218|INFO    |Accounting    |   | type              : Non-profit
    2009-12-26 14:12:33.630688|INFO    |Accounting    |   | starting date     : Mon Dec 21 00:00:00 2009
    2009-12-26 14:12:33.631013|INFO    |Accounting    |   | ending date       : Tue Dec 21 00:00:00 2010
    2009-12-26 14:12:33.631330|INFO    |Accounting    |   | max virtualservers: 10
    2009-12-26 14:12:33.631752|INFO    |Accounting    |   | max slots         : 512
    2009-12-26 14:12:33.650990|INFO    |FileManager   |   | listening on
    2009-12-26 14:12:33.703826|INFO    |VirtualServer |  1| listening on
    2009-12-26 14:12:33.704254|INFO    |Query         |   | listening on
    2009-12-26 14:17:30.750039|INFO    |VirtualServer |  1| permission 'b_client_is_priority_speaker'(id:20621) was deleted by 'Frazze'(id:2) for client (id:2) and channel 'Lobby'(id:1)
    2009-12-27 08:36:04.707644|INFO    |Query         |   | query from issued: POST /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%
    2009-12-27 08:36:04.760438|INFO    |Query         |   | query from issued: TE: deflate,gzip;q=0.3
    2009-12-27 08:36:04.760805|INFO    |Query         |   | query from issued: Keep-Alive: 300
    2009-12-27 08:36:04.761187|INFO    |Query         |   | query from issued: Connection: Keep-Alive, TE
    2009-12-27 08:36:04.761569|INFO    |Query         |   | query from issued: Host:
    2009-12-27 08:36:04.761929|INFO    |Query         |   | query from issued: User-Agent: Conf

    I wanted to ask if some of you guys have found the same in your log files or anyone has an idea...

    This happened with Debian Lenny 64 Bit and Beta 9 (now updating to beta 10).
    Strange thing is, I am not even using a standart port and there are none users who would know of the ports or have the basic knowledge of how to use telnet....

    Edit: I noticed more of these strange strings in earlier logs, issued by diffent IP's, but allways using port 8 as client-port, any ideas?
    Last edited by Frazze; December 29th, 2009 at 01:58 PM.

  2. #2
    Join Date
    December 2009
    the most easiest way would be to turn on your IPTABLES firewall to block Port 8.

    But its rly strange. Would be nice if someone of the Dev-Team could answer to this.

    Seems that someone is trying to echoing some things into a file.

    checking my log files now ^^


    hm nothing found , pew ^^
    btw your server IP is still in this log visible (see the red part) if you dont want to publicate it , edit your post


    ok , this is what i found on google :

    seems that someone was trying to exploit some other programm on this port wich is standard for this prog.

    A number of people wrote in with information about recent alerts for activity targeting the DNP protocol or systems running DNP services. DNP is used in SCADA systems in the electric and water utilities industry for process control.
    so i think this isnt any bug with the ts3 server, you just got your query port on the wrong number ^^
    Last edited by Matrixmaster; December 29th, 2009 at 04:55 AM.

  3. #3
    Join Date
    April 2006
    Oh, thanks for telling me that I forgot to edit the IP adress -.-^^

    Mhm, came along the same website you posted yesterday... I must be a very "lucky" bastard hitting the exactly right port and than being in the IP scan range too xD tzzz

    Thanks anyway

    If there is no other evidence showing that this still is a Ts3 exploit, the thread can be CLOSED please

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. No such file or directory
    By smartino84 in forum Linux / FreeBSD
    Replies: 3
    Last Post: September 21st, 2012, 10:05 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts