  1. #1
    Join Date
    April 2006
    Location
    Germany
    Posts
    8

    Directory Traversal?!

    Hey guys,

    I came across this in my log file and to me it doesn't look very nice. It has some directory traversal bug/exploit flavour, but I am not sure, just have a look.

    Code:
    2009-12-26 14:12:33.463073|INFO    |ServerLibPriv |   | Server Version: 3.0.0-beta9 [Build: 9527]
    2009-12-26 14:12:33.473768|INFO    |DatabaseQuery |   | dbPlugin name:    SQLite3 plugin, (c)TeamSpeak Systems GmbH
    2009-12-26 14:12:33.473842|INFO    |DatabaseQuery |   | dbPlugin version: 3.6.21
    2009-12-26 14:12:33.629539|INFO    |Accounting    |   | Licensing Information
    2009-12-26 14:12:33.630218|INFO    |Accounting    |   | type              : Non-profit
    2009-12-26 14:12:33.630688|INFO    |Accounting    |   | starting date     : Mon Dec 21 00:00:00 2009
    2009-12-26 14:12:33.631013|INFO    |Accounting    |   | ending date       : Tue Dec 21 00:00:00 2010
    2009-12-26 14:12:33.631330|INFO    |Accounting    |   | max virtualservers: 10
    2009-12-26 14:12:33.631752|INFO    |Accounting    |   | max slots         : 512
    2009-12-26 14:12:33.650990|INFO    |FileManager   |   | listening on 18x.xxx.xxx.xxx:20001
    2009-12-26 14:12:33.703826|INFO    |VirtualServer |  1| listening on 18x.xxx.xxx.xxx:20002
    2009-12-26 14:12:33.704254|INFO    |Query         |   | listening on 18x.xxx.xxx.xxx:20000
    2009-12-26 14:17:30.750039|INFO    |VirtualServer |  1| permission 'b_client_is_priority_speaker'(id:20621) was deleted by 'Frazze'(id:2) for client (id:2) and channel 'Lobby'(id:1)
    2009-12-27 08:36:04.707644|INFO    |Query         |   | query from 94.75.219.97:8 issued: POST /unauthenticated//..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%
    2009-12-27 08:36:04.760438|INFO    |Query         |   | query from 94.75.219.97:8 issued: TE: deflate,gzip;q=0.3
    2009-12-27 08:36:04.760805|INFO    |Query         |   | query from 94.75.219.97:8 issued: Keep-Alive: 300
    2009-12-27 08:36:04.761187|INFO    |Query         |   | query from 94.75.219.97:8 issued: Connection: Keep-Alive, TE
    2009-12-27 08:36:04.761569|INFO    |Query         |   | query from 94.75.219.97:8 issued: Host: 18x.xxx.xxx.xxx:20000
    2009-12-27 08:36:04.761929|INFO    |Query         |   | query from 94.75.219.97:8 issued: User-Agent: Conf
    

    I wanted to ask if some of you guys have found the same in your log files or if anyone has an idea...

    This happened with Debian Lenny 64 Bit and Beta 9 (now updating to beta 10).
    Strange thing is, I am not even using a standard port and there are no users who would know of the ports or have the basic knowledge of how to use telnet....


    Edit: I noticed more of these strange strings in earlier logs, issued by different IPs, but always using port 8 as client port, any ideas?
    Last edited by Frazze; December 29th, 2009 at 01:58 PM.
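
An added example, not part of the thread and not TeamSpeak code: a small triage script that scans a server log in the format posted above for HTTP-style requests and traversal sequences arriving on the query port, grouped by source address. The sample lines and addresses are constructed, and the function name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown in the post; the addresses are
# RFC 5737 documentation ranges and do not come from the thread.
SAMPLE_LOG = """\
2009-12-27 08:36:04.707644|INFO    |Query         |   | query from 192.0.2.10:8 issued: POST /unauthenticated//..%01/..%01/..%01/..%01
2009-12-27 08:36:04.760438|INFO    |Query         |   | query from 192.0.2.10:8 issued: TE: deflate,gzip;q=0.3
2009-12-27 08:36:04.761569|INFO    |Query         |   | query from 192.0.2.10:8 issued: Host: 198.51.100.5:20000
2009-12-27 09:01:10.000001|INFO    |Query         |   | query from 192.0.2.20:51514 issued: version
2009-12-27 09:02:00.000001|INFO    |VirtualServer |  1| listening on 198.51.100.5:20002
"""

# "query from <ipv4>:<port> issued: <text>" as written by the Query component
QUERY_RE = re.compile(r"^query from (?P<ip>[\d.]+):(?P<port>\d+) issued: (?P<text>.*)$")
# An HTTP request line or a common HTTP header has no business on the query port
HTTP_REQUEST_RE = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|TRACE|CONNECT)\s+/", re.I)
HTTP_HEADER_RE = re.compile(r"^(Host|User-Agent|Connection|Keep-Alive|TE|Accept[\w-]*|Content-[\w-]+):\s", re.I)
# ".." followed by a slash, backslash or a percent-encoded byte (../, ..%2f, ..%01/)
TRAVERSAL_RE = re.compile(r"\.\.(?:%[0-9a-fA-F]{2}|[/\\])")

def triage(log_text):
    """Return {source_ip: summary} for Query lines that look like HTTP probes."""
    findings = defaultdict(lambda: {"http_lines": 0, "traversal_segments": 0,
                                    "src_ports": set(), "first_seen": None})
    for line in log_text.splitlines():
        # Fields: timestamp | level | component | virtual server id | message
        parts = line.split("|", 4)
        if len(parts) != 5 or parts[2].strip() != "Query":
            continue
        m = QUERY_RE.match(parts[4].strip())
        if not m:
            continue
        text = m["text"]
        hits = len(TRAVERSAL_RE.findall(text))
        if not (hits or HTTP_REQUEST_RE.match(text) or HTTP_HEADER_RE.match(text)):
            continue  # ordinary query command, not flagged
        entry = findings[m["ip"]]
        entry["http_lines"] += 1
        entry["traversal_segments"] += hits
        entry["src_ports"].add(int(m["port"]))
        entry["first_seen"] = entry["first_seen"] or parts[0]
    return dict(findings)

if __name__ == "__main__":
    for ip, summary in triage(SAMPLE_LOG).items():
        print(ip, summary)
```

Sources that only ever send HTTP lines to the query port and never a query command point to a generic scanner rather than something aimed at the TeamSpeak server.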

  2. #2
    Join Date
    December 2009
    Location
    Germany
    Posts
    20
    The easiest way would be to turn on your IPTABLES firewall to block port 8.

    But it's really strange. Would be nice if someone from the dev team could answer this.

    Seems that someone is trying to echo some things into a file.

    checking my log files now ^^

    /edit:

    Hm, nothing found, phew ^^
    BTW, your server IP is still visible in this log (see the red part). If you don't want to publish it, edit your post.

    /edit2:

    OK, this is what I found on Google: http://isc.sans.org/diary.html?date=2007-01-17

    Seems that someone was trying to exploit some other program on this port, which is standard for this program.

    A number of people wrote in with information about recent alerts for activity targeting the DNP protocol or systems running DNP services. DNP is used in SCADA systems in the electric and water utilities industry for process control.
    So I think this isn't any bug with the TS3 server, you just got your query port on the wrong number ^^
    Last edited by Matrixmaster; December 29th, 2009 at 04:55 AM.

  3. #3
    Join Date
    April 2006
    Location
    Germany
    Posts
    8
    Oh, thanks for telling me that I forgot to edit the IP address -.-^^

    Mhm, came across the same website you posted yesterday... I must be a very "lucky" bastard hitting exactly the right port and then being in the IP scan range too xD tzzz

    Thanks anyway


    If there is no other evidence showing that this still is a Ts3 exploit, the thread can be CLOSED please
