SA-MP Forums Archive
Bad RCON attempts - servers getting 'attacked' by the same IP - Printable Version




Bad RCON attempts - servers getting 'attacked' by the same IP - Jstylezzz - 14.05.2013

Hi all

I noticed 2 people, including a friend of mine, are getting the bad RCON attempt message all the time, and it seems to be coming from 1 IP. Now, all I found out is that it's coming from Moscow > Russia, but I can't say whether it's an individual or a network used by people to do these things. I was wondering, are any of you guys experiencing the same? I'm curious because the 2 persons in question are not related to each other, but the IP and method used by the RCON 'hackers', if you will, are exactly the same.

Check

The first post

And the second one

The server of the second person, is hosted on his own computer, so it's not the case the 'hackers' are bruteforcing on a company or something, I guess..
Now, am I thinking too much and is this just coincidence and shouldn't we pay attention to it, or are more people experiencing this? I haven't seen it myself yet.

(I know this can be solved by turning off the RCON in the server.cfg, but like I said, I just want to check if there are more people facing this.)

(If this post is too irrelevant, moderators, please remove it. Thank you)

EDIT: So now there are four persons in total, confirmed, who are attacked by this IP. Check the post a little further and a post on the second page.


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - punklord - 14.05.2013

Yeah, I'm curious too.. Epic weirdness.. I'm still getting those BAD RCON LOGIN msgs... *_*


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - Kitten - 14.05.2013

Russians. (IP traced it)


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - [L]azy[H]aze - 14.05.2013

Yeah, happens to me a lot


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - punklord - 14.05.2013

Quote:
Originally Posted by Kefir
Yeah, happens to me a lot
Same I.P?


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - kaisersouse - 14.05.2013

BLOCK THE IP RANGE AT THE FIREWALL AND BE DONE WITH IT


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - [L]azy[H]aze - 14.05.2013

Quote:
Originally Posted by PunkLorD
Same I.P?
Yes, the same.


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - punklord - 14.05.2013

How peculiar indeed?


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - Astralis - 14.05.2013

2 IP's doin' it all day.


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - kaisersouse - 14.05.2013

All CIDR ranges for that entire ISP:
Quote:

212.48.128.0/19
89.20.128.0/19
109.170.0.0/17
79.120.0.0/17
213.141.128.0/19
176.192.0.0/14

Block those and they'll have to get a new ISP to continue getting to your server


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - [L]azy[H]aze - 14.05.2013

I'm just going to disable the RCON, I don't really use it


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - Frede - 14.05.2013

I just added rcon 0 to the server config file and it stopped.


Re : Bad RCON attempts - servers getting 'attacked' by the same IP - Rayan_black - 14.05.2013

Or just to be more sure, ban everyone who tries to do /rcon login (pass) and writes the wrong pass.


Re: Re : Bad RCON attempts - servers getting 'attacked' by the same IP - Kwarde - 14.05.2013

Quote:
Originally Posted by Rayan_black
Or just to be more sure, ban everyone who tries to do /rcon login (pass) and writes the wrong pass.
1- What if you are permitted to use it but you make a typo? It happens to me sometimes that I fail one time.. which would mean I immediately get banned.
2- Also, the RCON login tries are checked by IP; so if there are two players on a server with one IP, who tried to login?

3- Forgot to mention almost; if you have read the post a bit, this is some kind of attack from someone who is NOT in the server (so console login), that's why they are talking about this 'rcon' in server.cfg (and as far as I know, banning a player doesn't ban him (or her :P) from the console)

@kaisersouse: Is it just me or is everyone ignoring you?
Where'd you get the CIDR/ISP info from by the way? Perhaps it might be useful one day.
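
The objection above to banning on a single wrong password can be met with a threshold. The following is an added example, not part of any post in this thread: it tallies failed RCON logins per source IP and flags only addresses that exceed a failure count inside a short window. The log line format, the sample lines and the names `failed_attempts` and `brute_forcers` are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log line shape (constructed for this example, not taken from the thread).
LINE_RE = re.compile(r"^\[(\d\d):(\d\d):(\d\d)\] BAD RCON ATTEMPT BY: (\S+)$")

# Constructed sample log using documentation-only addresses.
SAMPLE_LOG = """\
[21:04:10] BAD RCON ATTEMPT BY: 198.51.100.7
[21:10:01] BAD RCON ATTEMPT BY: 203.0.113.50
[21:10:02] BAD RCON ATTEMPT BY: 203.0.113.50
[21:10:02] BAD RCON ATTEMPT BY: 203.0.113.50
[21:10:03] BAD RCON ATTEMPT BY: 203.0.113.50
[21:10:04] BAD RCON ATTEMPT BY: 203.0.113.50
[21:30:00] Incoming connection: 198.51.100.7:50123
[22:15:44] BAD RCON ATTEMPT BY: 198.51.100.7
"""

def failed_attempts(log_text):
    """Return {ip: [seconds_since_midnight, ...]} for failed RCON logins."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            h, mi, s, ip = m.groups()
            hits[ip].append(int(h) * 3600 + int(mi) * 60 + int(s))
    return hits

def brute_forcers(log_text, max_failures=3, window_seconds=60):
    """IPs with more than max_failures failures inside any window_seconds span.

    Timestamps are assumed to fall within one day (no midnight wrap handling).
    """
    flagged = []
    for ip, times in failed_attempts(log_text).items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans <= window_seconds.
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > max_failures:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(brute_forcers(SAMPLE_LOG))
```

In the sample, the address with two failures more than an hour apart (a plausible typo) is left alone, while the one with five failures in three seconds is flagged.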


Re : Bad RCON attempts - servers getting 'attacked' by the same IP - Rayan_black - 14.05.2013

Well, I've been using this on my server and it always worked out for our community (COD5).. we never had a problem with those fucktards.


Re: Re : Bad RCON attempts - servers getting 'attacked' by the same IP - kaisersouse - 14.05.2013

Quote:
Originally Posted by Kwarde
@kaisersouse: Is it just me or is everyone ignoring you?
Where'd you get the CIDR/ISP info from by the way? Perhaps it might be useful one day.
Hey it's fine, it's info they can choose to use or not. Here's my method:

****** the IP with "myip.ms" (example: "192.168.0.1 myip.ms" )

On the myip.ms site you'll find things like "All owner IP ranges" etc. Those will give you the IP ranges owned by that ISP (in 162.168.0.1 - 192.168.255.255 format)

Use this site to convert IP ranges to CIDR: http://ip2cidr.com/

Block the CIDR ranges.

Notes:
Sometimes myip.ms gives you the CIDR ranges already
Sometimes you have to click on the ISP entry in myip.ms to find all the ranges
Mileage may vary. You may end up not getting all the ranges, some of the ranges might be from another IP, sometimes the ranges are wrong

BIG NOTE: BLOCKING ENTIRE RANGES/GEOIP LOCATIONS IS LAST RESORT. Understand that if you block entire entities, that will prevent GOOD players using the same ISP from connecting to your server.
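
The range-to-CIDR step and the collateral cost described in the post above, as an added example that is not part of the original post. It uses Python's standard `ipaddress` module in place of the conversion website; the function names are hypothetical, and the CIDR list is the one quoted earlier in this thread.

```python
import ipaddress

# The six ISP ranges quoted earlier in the thread.
THREAD_CIDRS = ["212.48.128.0/19", "89.20.128.0/19", "109.170.0.0/17",
                "79.120.0.0/17", "213.141.128.0/19", "176.192.0.0/14"]

def range_to_cidrs(first, last):
    """Smallest list of CIDR blocks exactly covering first..last (inclusive)."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(net) for net in blocks]

def addresses_blocked(cidrs):
    """Total addresses a block list removes, after merging any overlaps."""
    merged = ipaddress.collapse_addresses(
        ipaddress.ip_network(c) for c in cidrs)
    return sum(net.num_addresses for net in merged)

def is_blocked(ip, cidrs):
    """True if ip falls inside any of the listed CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)

if __name__ == "__main__":
    # An aligned range collapses to a single block ...
    print(range_to_cidrs("176.192.0.0", "176.195.255.255"))
    # ... an unaligned one (constructed, documentation range) needs several.
    print(range_to_cidrs("192.0.2.1", "192.0.2.6"))
    # How many addresses the whole ISP block list takes out.
    print(addresses_blocked(THREAD_CIDRS))
```

Blocking the full list removes 352,256 addresses to stop a single source, which is the trade-off the "BIG NOTE" warns about.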


Re: Re : Bad RCON attempts - servers getting 'attacked' by the same IP - JanZ - 15.05.2013

Quote:
Originally Posted by kaisersouse
Hey it's fine, it's info they can choose to use or not. Here's my method:

****** the IP with "myip.ms" (example: "192.168.0.1 myip.ms" )

On that site you'll find things like "All owner IP ranges" etc. Those will give you the IP ranges owned by that ISP (in 162.168.0.1 - 192.168.255.255 format)

Use this site to convert IP ranges to CIDR: http://ip2cidr.com/

Block the CIDR ranges.

Notes:
Sometimes myip.ms gives you the CIDR ranges already
Sometimes you have to click on the ISP entry in myip.ms to find all the ranges
Mileage may vary. You may end up not getting all the ranges, some of the ranges might be from another IP, sometimes the ranges are wrong

BIG NOTE: BLOCKING ENTIRE RANGES/GEOIP LOCATIONS IS LAST RESORT. Understand that if you block entire entities, that will prevent GOOD players using the same ISP from connecting to your server.
Quote:
Originally Posted by kaisersouse
Hey it's fine, it's info they can choose to use or not. Here's my method:

****** the IP with "myip.ms" (example: "192.168.0.1 myip.ms" )

On the myip.ms site you'll find things like "All owner IP ranges" etc. Those will give you the IP ranges owned by that ISP (in 162.168.0.1 - 192.168.255.255 format)

Use this site to convert IP ranges to CIDR: http://ip2cidr.com/

Block the CIDR ranges.

Notes:
Sometimes myip.ms gives you the CIDR ranges already
Sometimes you have to click on the ISP entry in myip.ms to find all the ranges
Mileage may vary. You may end up not getting all the ranges, some of the ranges might be from another IP, sometimes the ranges are wrong

BIG NOTE: BLOCKING ENTIRE RANGES/GEOIP LOCATIONS IS LAST RESORT. Understand that if you block entire entities, that will prevent GOOD players using the same ISP from connecting to your server.
Double-post lmao.


Re: Bad RCON attempts - servers getting 'attacked' by the same IP - Anak - 15.05.2013

the same ip attacks me too..


Re: Re : Bad RCON attempts - servers getting 'attacked' by the same IP - Kwarde - 15.05.2013

Quote:
Originally Posted by kaisersouse
Hey it's fine, it's info they can choose to use or not. Here's my method:

****** the IP with "myip.ms" (example: "192.168.0.1 myip.ms" )

On the myip.ms site you'll find things like "All owner IP ranges" etc. Those will give you the IP ranges owned by that ISP (in 162.168.0.1 - 192.168.255.255 format)

Use this site to convert IP ranges to CIDR: http://ip2cidr.com/

Block the CIDR ranges.

Notes:
Sometimes myip.ms gives you the CIDR ranges already
Sometimes you have to click on the ISP entry in myip.ms to find all the ranges
Mileage may vary. You may end up not getting all the ranges, some of the ranges might be from another IP, sometimes the ranges are wrong

BIG NOTE: BLOCKING ENTIRE RANGES/GEOIP LOCATIONS IS LAST RESORT. Understand that if you block entire entities, that will prevent GOOD players using the same ISP from connecting to your server.
Thank you very much!