Forum

Page 1 of 3 123 LastLast
Results 1 to 15 of 39
  1. #1
    Join Date
    December 2013
    Posts
    14

    Some kind of bot spamming the server

    My server query just got hacked today, they sent message directly from server query:

    "ServerAdmin": Hello, this server will close in a few minutes! Please connect now at new ip address: zonfibra.net"

    AND after that

    They DDoSed my VPS, so it really looked like we are going offline.. I already reported it to "support" becouse i think that was some TS3 "hole"... after i set server back online, and updated it to 3.0.10.2 (it was 3.0.10.1 before attack) i saw very strange thing. GUEST HAD PERMITION TO MANAGE SERVER GROUPS! ...

    Now i completely dissabled 10011 port, backed up everything and will see if it helps..

  2. #2
    Join Date
    December 2013
    Posts
    14
    and i googled them a bit and it looks like some kid "haxors" - read as as*holes - some of them got VAC bans on steam, some posts on "hack" forums with nickname Zonfibra etc..

  3. #3
    Join Date
    May 2010
    Location
    Verona - Italy
    Posts
    122
    Quote Originally Posted by wUFr0 View Post
    My server query just got hacked today, they sent message directly from server query:

    "ServerAdmin": Hello, this server will close in a few minutes! Please connect now at new ip address: zonfibra.net"

    AND after that

    They DDoSed my VPS, so it really looked like we are going offline.. I already reported it to "support" becouse i think that was some TS3 "hole"... after i set server back online, and updated it to 3.0.10.2 (it was 3.0.10.1 before attack) i saw very strange thing. GUEST HAD PERMITION TO MANAGE SERVER GROUPS! ...

    Now i completely dissabled 10011 port, backed up everything and will see if it helps..
    Yesterday I had the same problem and the same message "ServerAdmin: Hello... ". (but no DDoS, we use a phisical firewall to avoid them)
    I'm investigating.
    Last edited by Kaosvf; December 16th, 2013 at 02:26 PM.

  4. #4
    Join Date
    August 2012
    Posts
    45
    I have the same problem and I now about other ts too. We found out that it was propably done by identity of gametracker.com or tsviewer.com under which they scan your server.

  5. #5
    Join Date
    May 2010
    Location
    Verona - Italy
    Posts
    122
    I was able to find the vulnerability and reproduce the violation. I just sent a PM to some staff's member.

  6. #6
    Join Date
    October 2011
    Posts
    33

    Some kind of bot spamming the server

    Hey,

    Recently a bot has been spamming the server.
    A nick "ServerAdmin" sends a message to all clients:

    <ServerAdmin> Hello, this server will close in a few minutes! Please connect now to our new ip address: xxxxx

    I can't find such user in the server. Only thing that appears in the logs is:
    query client disconnected 'ServerAdmin'(id:13338) reason 'reasonmsg=disconnecting'

    ID: 13338 is for different kind of tracking systems - gamestate, gametracker, tsviewer, etc...

    Any ideas?

    Quick edit: Since I wasn't receiving any of the spam as a "Server admin", I gave permissions to a user that had received the message and he banned a strange IP (by clicking on the username and banning it) - 209.15.237.194, despite receiving an error while trying.
    I suppose that was the user/bot spamming. How could such kind of spam be prevented?

  7. #7
    Join Date
    June 2011
    Location
    Germany
    Posts
    4,335
    Just do any of these:

    • Use non-standard query port (see server quickstart file)
    • Remove b_client_server_textmessage_send from Guest
    • Remove b_virtualserver_select from Guest Server Query

    (Your id:13338 is simply for anonymous non-voice query clients.)

  8. #8
    Join Date
    June 2008
    Posts
    17,939
    They do not use b_client_server_textmessage_send for that message.
    It is the i_client_private_textmessage_power and targets i_client_needed_private_textmessage_power

    The problem is, that your Guest Server Query and Guest do not have any value for that permission per default.
    This can not get fixed , when i_client_private_textmessage_power of -1 was set into the guest query.

    The only workarounds are:
    1. Disable or remove b_virtualserver_select for Guest Server Query
    This can be done with the query command:
    Code:
    servergroupaddperm sgid=1 permsid=b_virtualserver_select permvalue=0 permnegated=0 permskip
    or
    2. Or change the port for the server query. (as said before, please read serverDIR\doc\server_quickstart.txt)


    or
    3. Set i_client_needed_private_textmessage_power of 1 to all your Groups.

    or
    4. Go into the Client permissions and now search for ServerQuery
    Now add the permission i_client_private_textmessage_power of -1

    I will send that to our developers, but i dont think this will be changed this year.
    Last edited by dante696; December 19th, 2013 at 04:47 PM. Reason: tnx for that trick
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  9. #9
    Join Date
    April 2013
    Posts
    42
    dante if you enter by YATQA and put the ip of the server then find id 1 (in most cases) you can send poke messages/text to everyone and it does not use the server guest query i already tested and put the normal guest with poke power of -1 and try by YATQA and now it doesn't work the pokes but they still can send text messages to the channel and provate because its guest and i can't take those power of the group..

  10. #10
    Join Date
    May 2010
    Location
    Verona - Italy
    Posts
    122
    Quote Originally Posted by dante696 View Post
    They do not use b_client_server_textmessage_send for that message.
    It is the i_client_private_textmessage_power and targets i_client_needed_private_textmessage_power

    The problem is, that your Guest Server Query and Guest do not have any value for that permission per default.
    This can not get fixed , when i_client_private_textmessage_power of -1 was set into the guest query.

    The only workarounds are:
    1. Disable or remove b_virtualserver_select for Guest Server Query
    This can be done with the query command:
    Code:
    servergroupaddperm sgid=1 permsid=b_virtualserver_select permvalue=0 permnegated=0 permskip
    or
    2. Or change the port for the server query. (as said before, please read serverDIR\doc\server_quickstart.txt)


    or
    3. Set i_client_needed_private_textmessage_power of 1 to all your Groups.

    I will send that to our developers, but i dont think this will be changed this year.
    Regarding i_client_needed_private_textmessage_power = 1 isn't (partially) true:
    if there is a value of i_client_private_textmessage_power >= 1 in Guest group, the Guest Server Query use not his permission but Guest permission too... and set i_client_private_textmessage_power of GSQ = 0 or -1 isn't usefull! (double bug?).

    The points 1 and 2 are better.

  11. #11
    Join Date
    June 2008
    Posts
    17,939
    That user is no "Guest Query" reagarding the permissions related to the virtual server.
    That user will be a normal Guest for that virtual server and does use the permission from the guest groups. This is a normal behavior how it was build.

    He stays a "Guest Query" for the server instance.

    I have no soloution yet for that problem.
    When sending me private messages: Please make sure to include reference link to your forum thread or post.

    TeamSpeak FAQ || What should i report, when i open a client thread?

  12. #12
    Join Date
    April 2013
    Posts
    42
    The only temporarly solution is change the query port wich can easily be found by a port scan making this not a big solution..

  13. #13
    Join Date
    May 2010
    Location
    Verona - Italy
    Posts
    122
    Quote Originally Posted by dante696 View Post
    That user is no "Guest Query" reagarding the permissions related to the virtual server.
    That user will be a normal Guest for that virtual server and does use the permission from the guest groups. This is a normal behavior how it was build.

    He stays a "Guest Query" for the server instance.

    I have no soloution yet for that problem.
    Now I understand the difference, thx.

    Quote Originally Posted by skinhead View Post
    The only temporarly solution is change the query port wich can easily be found by a port scan making this not a big solution..
    Or follow the point 1.

    Inviato dal mio Nexus 5

  14. #14
    Join Date
    April 2011
    Location
    Germany
    Posts
    1,266
    I have quite a simple solution... iptables

    The server query on my server is allowed to be used from "TSViewer" and the server itself, so I do:
    Code:
    ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:10011
    ACCEPT     tcp  --  85.25.120.233        0.0.0.0/0           tcp dpt:10011
    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10011 reject-with icmp-port-unreachable
    So noone unwanted harrasses my server query.

    I started this because some time ago a user registered my teamspeak server on a viewer tool without asking me as owner. I found a great number of query logins and found out that our server was registered on a "viewer website", so I shut down server query for everyone but myself and "tsviewer" as accepted "viewer website".

  15. #15
    Join Date
    April 2013
    Posts
    42
    Quote Originally Posted by Barungar View Post
    I have quite a simple solution... iptables

    The server query on my server is allowed to be used from "TSViewer" and the server itself, so I do:
    Code:
    ACCEPT     tcp  --  127.0.0.1            0.0.0.0/0           tcp dpt:10011
    ACCEPT     tcp  --  85.25.120.233        0.0.0.0/0           tcp dpt:10011
    REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:10011 reject-with icmp-port-unreachable
    So noone unwanted harrasses my server query.

    I started this because some time ago a user registered my teamspeak server on a viewer tool without asking me as owner. I found a great number of query logins and found out that our server was registered on a "viewer website", so I shut down server query for everyone but myself and "tsviewer" as accepted "viewer website".
    That will be difficult for someone that has the server added in 5 or 4 like TSviewer, i think this is a big "bug" and should be patched right away

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Similar Threads

  1. Someone spamming me
    By MasterShake in forum Server Support
    Replies: 1
    Last Post: January 16th, 2015, 08:00 AM
  2. Game-State constantly spamming my TS3 server.
    By DreLVMPD in forum Windows
    Replies: 2
    Last Post: April 24th, 2014, 07:47 PM
  3. Replies: 1
    Last Post: June 1st, 2011, 11:33 PM
  4. Please stop spamming...
    By C4BR3R4 in forum Client Support
    Replies: 4
    Last Post: March 12th, 2010, 11:30 AM

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •