  1. #1
    Join Date
    May 2011
    Posts
    4

    Server accident, admin banned and TS3 client bookmarks deleted..

    Hello TeamSpeak forums,

    I'm just reporting that my server (public, no password) just got hacked or exploited in some manner. I'm the only person with server admin powers yet someone logged in and ran a script instantly which gave him full privileges, then banned me and changed the maximum server client count to 0 if I'm not mistaken. Somehow, my TeamSpeak 3-RC1 (build 14345) client also got messed with too. All my bookmarks were deleted.

    Now I've fully reset my server by switching it to running TS2, then back to TS3, created a new admin privileged key, password protected the server and logged back in. Now I have to start from scratch, permissions, channels and all the bells and whistle extras. Annoying.

    Since there is some serious security hole in the software (It's highly doubtful my computer was what was compromised for this to happen, it's very secure) I suggest removing your server from the Web-list if it's not password protected for the time being as a precaution, or just add a server password until this hack has been patched.

    The hacker who is responsible left a little breadcrumb behind in the server settings: "HaCkEd\sBy\sWhite_HaCkEr" His name appeared as Dashi in the Server Chat log.

    I'm actually getting a randomer (possibly the, or some, hacker) trying to enter every couple minutes connecting and disconnecting at the same moment. Not sure what that's about but it looks suspicious. I did just tick to "Show ServerQuery clients" before these random connects started to happen, is that what the "suspicious" connects are about? It was the same IP several times, just with different ports.
    Code:
    <23:04:11>"Unknown from 85.236.96.30:37051" connected
    <23:04:11>"Unknown from 85.236.96.30:37051" disconnected (disconnecting)
    It would be great if there was some way to do manual backups through TeamSpeak of the server (forgive me if there is a way already, I haven't looked) so hacking incidents wouldn't be such a great setback! Is this even possible to implement?

    If anyone's got any comments, let me know (:

    ~ Orkhayiq
    Last edited by Orkhayiq; May 26th, 2011 at 01:27 PM.

  2. #2
    Join Date
    December 2009
    Location
    New Jersey USA
    Posts
    77
    It's always a good idea to back up your database before performing any new updates. This way you can just install a new server and just upload the old database.

  3. #3
    Join Date
    May 2011
    Posts
    4
    Quote Originally Posted by BaDaSS View Post
    It's always a good idea to back up your database before performing any new updates. This way you can just install a new server and just upload the old database.
    I assume this is done through the web control panel from your VoIP host? From what I was told by Multiplay.co.uk (ClanForge) you can't manually create one. If this is the case, any suggestion for a decent European provider which can, also preferably the ability to actually download and store the backups? I'd rather this not happen again..

    ~ Orkhayiq

  4. #4
    Join Date
    December 2009
    Location
    New Jersey USA
    Posts
    77
    Quote Originally Posted by Orkhayiq View Post
    I assume this is done through the web control panel from your VoIP host? From what I was told by Multiplay.co.uk (ClanForge) you can't manually create one. If this is the case, any suggestion for a decent European provider which can, also preferably the ability to actually download and store the backups? I'd rather this not happen again..

    ~ Orkhayiq
    I actually rent a Linux dedicated server that I have full control over. I think it's against policy here to advertise private companies but if you visit my website I can try to put you in the right direction.
    Last edited by florian_fr40; October 28th, 2011 at 10:47 AM.

  5. #5
    Join Date
    February 2006
    Location
    Texas, USA
    Posts
    4,143
    What does your server log show? This is almost always a permission issue and not actually a hack or exploit. That's not to say that it couldn't be one but the chances are low that it is. The user you show as a less than 1 second connection is probably a service like Gametracker or TSViewer.

  6. #6
    Join Date
    July 2002
    Location
    Germany
    Posts
    2,192
    Quote Originally Posted by Orkhayiq View Post
    my server (public, no password) just got hacked or exploited in some manner. I'm the only person with server admin powers yet someone logged in and ran a script instantly which gave him full privileges, then banned me and changed the maximum server client count to 0 if I'm not mistaken. Somehow, my TeamSpeak 3-RC1 (build 14345) client also got messed with too. All my bookmarks were deleted.
    Hey,

    that last sentence makes me certain somebody had control of your PC. There is no way to delete a client's bookmarks from the server side, you have to use the client to do so. Somebody must have gained access to your PC.

  7. #7
    Join Date
    May 2011
    Posts
    4
    Quote Originally Posted by poisonpanik View Post
    What does your server log show? This is almost always a permission issue and not actually a hack or exploit. That's not to say that it couldn't be one but the chances are low that it is.
    I'm not as experienced in server administration as most of you, neither was the Live Chat at Multiplay by the looks of it as they were not concerned with informing me to check the server logs through their FTP, they just told me to format everything (by switching from using TS3 to TS2 and back again). That deleted the server's logs too. I would have checked the log beforehand but didn't know about the FTP log, the ClanForge's API has a limited log and I didn't see anything there before I formatted. When I'm looking at the server FTP now, it doesn't even contain any files, only folders.

    Okay, I found Server Chat logs on my PC:

    Code:
    <19:59:32>	Welcome to a Multiplay Clan Teamspeak server
    <21:41:23>	"dashi" connected
    <21:41:28>	"dashi" was added to server group "Server Administrator (6035)" by "dashi".
    <21:41:30>	"dashi" was added to server group "Admin (6048)" by "dashi".
    <21:41:31>	"dashi" was added to server group "Male (8231)" by "dashi".
    <21:41:31>	The icon for client "dashi" (216363) was not found.
    <21:41:31>	"dashi" was added to server group "Female (8232)" by "dashi".
    <21:41:31>	The icon for client "dashi" (216363) was not found.
    <21:41:32>	"dashi" was removed from server group "Female (8232)" by "dashi".
    <21:41:36>	"dashi" was added to server group "Server Owner (11754)" by "dashi".
    <21:41:40>	"Orkhayiq" was removed from server group "Server Administrator (6035)" by "dashi".
    <21:41:42>	You were banned permanently from the server by "dashi"
    Hacked in seconds. I logged into clanforge immediately after that, restarted the server and added a server password.



    Quote Originally Posted by poisonpanik View Post
    The user you show as a less than 1 second connection is probably a service like Gametracker or TSViewer.
    I'm constantly connected to my server most days and haven't heard any services pinging it before. I just WhoIs'd the same IP (as it just tried to enter) and it looks as though it's clanforge.multiplay.co.uk - Not sure why it's doing this, never done it before.



    Quote Originally Posted by Peter View Post
    Hey,

    that last sentence makes me certain somebody had control of your PC. There is no way to delete a client's bookmarks from the server side, you have to use the client to do so. Somebody must have gained access to your PC.
    It could be the case, but I have the gut feeling it isn't. No other suspicious activity has been seen. I've edited encrypted password storage files, logged into cPanel, banked etc yet this hacker decided to reveal his presence through deleting my VoIP server? It doesn't make sense to me. I understand some hackers do things for fun without trying to be too malicious. Also, it doesn't fit that I saw him log in as he joined the server, then get admin privileges, demote me then ban me! This looked very much like an external attack. This was not a dodgy plugin as I only have AppScanner and ClientQuery enabled, the others are the default TS3 ones. I've scanned my PC with ESET NOD32 Antivirus with no results (Also protected real-time) and I have a hardware firewall and all my ports are stealthed. How could he have made the maximum client count 0 (I was receiving a warning max user count has been reached so I couldn't join (Is that the default message you get when a banned user tries to reconnect?)), even though when I try Edit Virtual Server, the option to edit max client count is greyed out as a Server Admin rank. If this guy messes with my VoIP server (and if I am infected) why hasn't he had more fun opening and closing my CD tray or deleting other stuff? I'm pretty set on the opinion this guy exploited something externally, still it could have been me being incompetent at permissions setup! The bookmarks being deleted though, no idea.


    There's no way to catch this guy I know, but an explanation of what likely happened would be great (:

    ~ Orkhayiq
    Last edited by Orkhayiq; May 26th, 2011 at 01:31 PM.
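
The pattern visible in the chat log of post #7 (a client adding itself to privileged groups seconds after connecting) can be checked for mechanically. The following is an added example, not part of the original posts or of TeamSpeak itself; the function name, the 60-second window and the line patterns (derived only from the log lines quoted above) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Subset of the Server Chat log lines quoted in post #7 (tabs replaced by spaces).
SAMPLE_LOG = '''\
<21:41:23> "dashi" connected
<21:41:28> "dashi" was added to server group "Server Administrator (6035)" by "dashi".
<21:41:31> "dashi" was added to server group "Male (8231)" by "dashi".
<21:41:36> "dashi" was added to server group "Server Owner (11754)" by "dashi".
<21:41:40> "Orkhayiq" was removed from server group "Server Administrator (6035)" by "dashi".
<21:41:42> You were banned permanently from the server by "dashi"
'''

LINE = re.compile(r'^<(\d\d:\d\d:\d\d)>\s+(.*)$')
CONNECT = re.compile(r'^"(?P<who>[^"]+)" connected$')
GROUP = re.compile(
    r'^"(?P<target>[^"]+)" was (?P<verb>added to|removed from) server group '
    r'"(?P<group>.+) \((?P<gid>\d+)\)" by "(?P<actor>[^"]+)"\.$')

def find_escalations(log_text, window_seconds=60):
    """Flag self-granted group membership and removals done by a freshly connected client.

    Assumption: the log carries no date, so a session spanning midnight is not handled.
    """
    connected_at = {}          # nickname -> time of last "connected" line
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%H:%M:%S")
        body = m.group(2)
        c = CONNECT.match(body)
        if c:
            connected_at[c["who"]] = ts
            continue
        g = GROUP.match(body)
        if not g:
            continue
        actor, target = g["actor"], g["target"]
        since = connected_at.get(actor)
        fresh = since is not None and ts - since <= timedelta(seconds=window_seconds)
        if actor == target and g["verb"] == "added to":
            kind = "self-grant"
        elif fresh and g["verb"] == "removed from":
            kind = "removal-by-new-client"
        else:
            continue
        age = int((ts - since).total_seconds()) if since else None
        findings.append({"time": m.group(1), "kind": kind, "actor": actor,
                         "target": target, "group": g["group"],
                         "gid": int(g["gid"]), "seconds_after_connect": age})
    return findings

if __name__ == "__main__":
    for f in find_escalations(SAMPLE_LOG):
        print(f)
```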

  8. #8
    Join Date
    February 2006
    Location
    Texas, USA
    Posts
    4,143
    There's really no way for us to explain this without actually seeing your permission settings at the time this happened. Below is a link to a spreadsheet that contains the permissions I use on my server. We are a small clan so they are not fancy but they are secure.

    https://spreadsheets.google.com/spre...hl=en_US#gid=0

    Ensure that no server group or channel group has a i_group_member_add_power higher than the server admin group's i_group_needed_member_add_power. By default that group has a i_group_needed_member_add_power of 75 so ensure that all groups do not go above 74.

  9. #9
    Join Date
    May 2011
    Posts
    4
    Quote Originally Posted by poisonpanik View Post
    There's really no way for us to explain this without actually seeing your permission settings at the time this happened. Below is a link to a spreadsheet that contains the permissions I use on my server. We are a small clan so they are not fancy but they are secure.

    https://spreadsheets.google.com/spre...hl=en_US#gid=0

    Ensure that no server group or channel group has a i_group_member_add_power higher than the server admin group's i_group_needed_member_add_power. By default that group has a i_group_needed_member_add_power of 75 so ensure that all groups do not go above 74.
    I'll definitely take a look at that spreadsheet, thanks, permissions setting up can be kinda tricky but I do understand the basics. I only had a few server groups, I had modded the Server Admin group, and would not have given Guest (default for new user) the power to demote or become Server Admins. I don't think Server Admin can even demote another Server Admin unless given that permission and I wouldn't have enabled that intentionally. As you can see from the Server Chat logs in my previous post, he connected and joined the Server Admin group straight away. I don't recall modding the Guest server group ever.

    ~ Orkhayiq

  10. #10
    Join Date
    December 2009
    Location
    florida
    Posts
    263
    here's a little text i made to try to get my server admin to understand permissions.

    I say the biggest part of the permission system is the basic understanding of the "permission power"
    against its "needed permission power".

    here i have permission > group > modify

    i use group permissions here for the fact a lot of new admins say they get hacked from a user and it
    turns out to be bad group settings

    depending if you have "show name" or "show description"
    below are the same set of permissions.

    i_group_modify_power
    i_group_needed_modify_power
    i_group_member_add_power
    i_group_needed_member_add_power
    i_group_member_remove_power
    i_group_needed_member_remove_power
    i_permission_modify_power

    Group Modify Power
    Needed Group Modify Power
    Group Member Add Power
    Needed Group Member Add Power
    Group Member Remove Power
    Needed Group Member Remove Power
    Permission Modify Power

    here is a basic setup where i have a sub admin group called "Group Admin"
    to help with clients but do not have permissions to server settings.
    i made my "group admin" from a copy of the normal group thus they do not
    have any permissions to change server settings.



    Server Admin
    Group Modify Power 75 -
    Needed Group Modify Power 75 - power = needed .. can modify group
    Group Member Add Power 75 - can add clients in all groups
    Needed Group Member Add Power 75 - power = needed .. can add client to this group
    Group Member Remove Power 75 - can remove clients in all groups
    Needed Group Member Remove Power 75 - power = needed .. can remove client from this group
    Permission Modify Power 75 -

    Group Admin(sub admin/all access server settings removed)
    Group Modify Power 65 -
    Needed Group Modify Power 75 - power < needed .. can not modify this group
    Group Member Add Power 65 - can only add clients to groups with needed add power 65 or less
    Needed Group Member Add Power 75 - power < needed .. can not add to this group. can add to lower groups
    Group Member Remove Power 65 - can only remove clients from groups with needed remove power 65 or less
    Needed Group Member Remove Power 75 - power < needed .. can not remove from this group.
    Permission Modify Power 65 -

    Group Member
    Group Modify Power 50
    Needed Group Modify Power 75
    Group Member Add Power 50
    Needed Group Member Add Power 65
    Group Member Remove Power 50
    Needed Group Member Remove Power 65
    Permission Modify Power 50
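
The rule from post #8 and the power vs. needed-power table in post #10 can be turned into an audit that also catches chained escalation, where a low group can join an intermediate group whose add power then reaches the admin group. This is an added example, not code from the posts or from TeamSpeak; it assumes a client's effective add power is the highest value among the groups it holds, and the "Guest" and "Moderator" entries are constructed to show a misconfiguration.

```python
ADD = "i_group_member_add_power"
NEEDED = "i_group_needed_member_add_power"

# Values taken from the table in post #10.
GROUPS_POST_10 = {
    "Server Admin": {ADD: 75, NEEDED: 75},
    "Group Admin":  {ADD: 65, NEEDED: 75},
    "Group Member": {ADD: 50, NEEDED: 65},
}

# Constructed misconfiguration (not from the thread): Guest alone cannot reach
# Server Admin, but it can join Moderator, and Moderator's add power can.
MISCONFIGURED = dict(GROUPS_POST_10, **{
    "Guest":     {ADD: 50, NEEDED: 0},
    "Moderator": {ADD: 75, NEEDED: 50},
})

def escalation_chain(groups, start):
    """Groups a client starting in `start` can add itself to, in the order gained.

    Rule from post #10: a client can add to a group when power >= needed power.
    Assumption: effective power is the maximum across all groups held so far.
    """
    held = [start]
    while True:
        power = max(groups[g][ADD] for g in held)
        gained = sorted(name for name, perms in groups.items()
                        if name not in held and power >= perms[NEEDED])
        if not gained:
            return held[1:]
        held.extend(gained)

def audit(groups, admin="Server Admin"):
    """Return {group: chain} for every non-admin group whose members can reach `admin`."""
    risky = {}
    for name in groups:
        if name == admin:
            continue
        chain = escalation_chain(groups, name)
        if admin in chain:
            risky[name] = chain
    return risky

if __name__ == "__main__":
    print("post #10 setup:", audit(GROUPS_POST_10))
    for group, chain in audit(MISCONFIGURED).items():
        print(f"{group} can escalate via: {' -> '.join(chain)}")
```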

  11. #11
    Join Date
    February 2006
    Location
    Texas, USA
    Posts
    4,143
    @hellbound

    That's some good info. Maybe you should write up a post in the PERMISSIONS area and ask one of the devs to make it sticky. I say this for two reasons...

    1) so we can point people to it when I feel it'll help
    2) so others have an easy way to find it

    Helps centralize the topic and you could put links to the tutorials for more help and you'd be more than welcome to use the link to my spreadsheet. I do my best to keep it current although Alcazar would say I don't do enough... lol

  12. #12
    Join Date
    December 2009
    Location
    florida
    Posts
    263
    thanks, feel free to copy any part you want.
    this was just something basic i kinda threw together to help admins
    understand power vs needed power.
    like the sub admin
    all their powers = 65, but all the needed powers for the group = 75
    so a sub admin can only add or remove users from lower groups, but CAN NOT add, remove users, or modify
    sub admin or admin group.
    also all permissions for server settings get removed from sub admin.

    once someone can understand the basic concept of power vs needed power for group modify permissions,
    it becomes easier for them to set all the permissions for all their groups.

  13. #13
    Join Date
    December 2009
    Location
    florida
    Posts
    263
    oops forgot this..
    best way to test permissions is to go to identities in your client and make a 2nd identity, use that identity
    to connect to server "in a new tab" so you have both your identities on the server at the same time.
    use your serveradmin identity to put your 2nd identity user in the group you want to test.
    this way you can see for yourself what a user in a group can and cannot do

  14. #14
    Join Date
    September 2009
    Location
    somwhere
    Posts
    92
    If he is giving himself admin rights this means YOU DID NOT TAKE THE TIME TO CONFIG YOUR SERVER PROPERLY!! also i have said this many many times on many different threads. IF YOU BROADCAST TO THE WEB SERVER LIST EXPECT TO BE HACKED OR HAVE TROUBLE MAKERS COME IN. please please people before you host ANYTHING do the leg work and learn how to protect yourself. And learn how to config your server RIGHT! there is a million of these I GOT HACKED threads and they all have the same problem. They throw a server up in 5 mins and think that's it!

    It sometimes takes weeks of work to find and close all the holes in your server you simply CAN NOT just throw a server up and expect everything to be all good. And take your server off the WEB SERVER LIST and your problems with loser ts3 trouble makers will GO AWAY! so please listen and if you do listen you won't have these issues. My server is going on 6 years old!! and never once!! has this happened to me and it never will simply because i did the work, reading and asking questions then and ONLY then did i host a server SAFE!! If i was a trouble maker all i need do is find a random server and what better way to do that than just pick one from the web server list (see my point?) hopefully you do.

  15. #15
    Join Date
    May 2009
    Location
    canada
    Posts
    20

    SERVER admin signed on.. who is it and how did they get the info needed?

    Yesterday i had 3 people i did not know sign on to my TS 3 server. all of a sudden i had a server admin added to all groups of SA. and gave them permissions i can not take away from them. how do i fix this ?

    --
    from the start: I deleted the old server and re-ran the new version of TS 3. I then used the token it gave me when i installed it. I then turned off the option to use token rings. ( about a week or so ago.)

    it was only yesterday that 3 people signed on.. I am #2 on the list and he was #1 i have some 30 players on the server. how did this happen and why? How do i stop him from changing my settings?

    Kcomet
