SA-MP network thread exploit(?)
#1

Hey!

So, my server has recently fallen victim to a new exploit. To give you a roundup of the situation, a player named "Fucknigga" joined our server and started sending thousands of modified packets with unknown formats & payloads, which then began to lag the SA-MP server; this would occur every time he connected & whilst he was in the server. After firewall banning his entire range, the lag magically stopped. But it doesn't stop there: I have server logs and pcap dumps of the entire situation, which you may refer to below.

Upon further inspection of the pcap files, the used formats are either 0x0 or 0x40, 0x41, 0x42, 0x43, all spammed in random order. If any SA-MP dev would like the full pcap file, shoot me a PM and I'll gladly send it to you.

The interesting thing is that there are many other packets in this pcap file that the SA-MP server is replying to the clients with unknown formats & payload types too, even though the packets are legitimate.

I'm not necessarily sure what stands out from these modified ones, I'm not a network analysis lold.

screenshot of pcap log:
http://i.imgur.com/IiQmRAB.png


Code:
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [join] OscarGerot has joined the server (27:36.76.39.27)
[08:17:27] [callback] OnPlayerConnect(27)
[08:17:27] [query] OnUserDataLoad(27)
[08:17:27] [query] OnUserBanQueryFinish(27)
[08:17:27] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:27] [query] OnAchievementsLoad(27)
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [connection] 95.110.57.156:56812 requests connection cookie.
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] incoming connection: 95.110.57.156:56812 id: 12
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: :50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [callback] OnPlayerDisconnect(1, 0)
[08:17:32] [part] Aryanvitla has left the server (1:0)
[08:17:32] [callback] OnPlayerDisconnect(3, 0)
[08:17:32] [part] FuCKiNgNiGGa has left the server (3:0)
[08:17:32] [callback] OnPlayerDisconnect(4, 0)
[08:17:32] [part] pierre has left the server (4:0)
[08:17:32] [callback] OnPlayerDisconnect(5, 0)
[08:17:32] [part] kristoff_regala has left the server (5:0)
[08:17:32] [callback] OnPlayerDisconnect(6, 0)
[08:17:32] [part] BloodR1ng has left the server (6:0)
[08:17:32] [callback] OnPlayerDisconnect(7, 0)
[08:17:32] [part] Nemanja_Bogdinovic has left the server (7:0)
[08:17:32] [callback] OnPlayerDisconnect(8, 0)
[08:17:32] [part] Banana has left the server (8:0)
[08:17:32] [callback] OnPlayerDisconnect(9, 0)
[08:17:32] [part] sannn_133 has left the server (9:0)
[08:17:32] [callback] OnPlayerDisconnect(10, 0)
[08:17:32] [part] blazefantasyy has left the server (10:0)
[08:17:32] [callback] OnPlayerDisconnect(11, 0)
[08:17:32] [part] adie has left the server (11:0)
[08:17:32] [callback] OnPlayerDisconnect(13, 0)
[08:17:32] [part] angeloquilla has left the server (13:0)
[08:17:32] [callback] OnPlayerDisconnect(14, 0)
[08:17:32] [part] Alisa has left the server (14:0)
[08:17:32] [callback] OnPlayerDisconnect(16, 0)
[08:17:32] [part] armin4 has left the server (16:0)
[08:17:32] [callback] OnPlayerDisconnect(17, 0)
[08:17:32] [part] Blitz has left the server (17:0)
[08:17:32] [callback] OnPlayerDisconnect(18, 0)
[08:17:32] [part] Jerry has left the server (18:0)
[08:17:32] [callback] OnPlayerDisconnect(20, 0)
[08:17:32] [part] RadioActive has left the server (20:0)
[08:17:32] [callback] OnPlayerDisconnect(22, 0)
[08:17:33] [part] Anya.ae has left the server (22:0)
[08:17:33] [callback] OnDialogResponse(27, 2, 1, -1, 085124563897)
[08:17:33] [query] PlayerLogin_BanCheck(27)
[08:17:33] [connection] 180.241.182.225:19363 requests connection cookie.
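A way to triage a log like the one in the post above, as an added example that is not part of the original post or of SA-MP itself: it counts "Packet was modified" lines per source IP per second and reports the sources that stay above a limit, which gives a candidate list for firewall rules. The thresholds, the function name and the sample lines (constructed, using documentation IP ranges) are assumptions.

```python
import re
from collections import Counter

# Line format as it appears in the server log quoted in the post.
MODIFIED = re.compile(
    r"^\[(\d{2}:\d{2}:\d{2})\] Packet was modified, sent by id: (\d+), "
    r"ip: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

def flood_sources(lines, per_second_limit=5, min_seconds=2):
    """Return {ip: (peak_per_second, total)} for sources that log more than
    per_second_limit modified-packet events in at least min_seconds seconds."""
    per_bucket = Counter()  # (ip, "HH:MM:SS") -> events in that second
    totals = Counter()      # ip -> events overall
    for line in lines:
        m = MODIFIED.match(line.strip())
        if not m:
            continue  # joins, callbacks, cookie requests, truncated lines
        ts, _player_id, ip, _port = m.groups()
        per_bucket[(ip, ts)] += 1
        totals[ip] += 1
    peak, hot_seconds = Counter(), Counter()
    for (ip, _ts), n in per_bucket.items():
        peak[ip] = max(peak[ip], n)
        if n > per_second_limit:
            hot_seconds[ip] += 1
    return {ip: (peak[ip], totals[ip])
            for ip, k in hot_seconds.items() if k >= min_seconds}

# Constructed sample in the same format as the quoted log (not real data).
SAMPLE = (
    ["[08:17:26] Packet was modified, sent by id: 3, ip: 192.0.2.10:50844"] * 8
    + ["[08:17:27] [connection] 198.51.100.7:19359 requests connection cookie."]
    + ["[08:17:27] Packet was modified, sent by id: 3, ip: 192.0.2.10:50844"] * 14
    # One stray event from another player: below the limit, not reported.
    + ["[08:17:27] Packet was modified, sent by id: 9, ip: 198.51.100.20:40000"]
    # Line with the address missing: does not match the pattern, skipped.
    + ["[08:17:28] Packet was modified, sent by id: 3, ip: :50844"]
)

if __name__ == "__main__":
    for ip, (peak, total) in flood_sources(SAMPLE).items():
        print(f"{ip}: peak {peak}/s, {total} modified packets")
```

Requiring several hot seconds rather than one keeps a single burst of corrupted packets from a lossy connection out of the result.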


Messages In This Thread
SA-MP network thread exploit(?) - by Sgt.TheDarkness - 05.11.2016, 09:19
Re: SA-MP network thread exploit(?) - by Sew_Sumi - 05.11.2016, 10:47
Re: SA-MP network thread exploit(?) - by Sgt.TheDarkness - 05.11.2016, 11:29
Re: SA-MP network thread exploit(?) - by Sew_Sumi - 05.11.2016, 22:20
Re: SA-MP network thread exploit(?) - by Sgt.TheDarkness - 05.11.2016, 23:51
