SA-MP network thread exploit(?)
#1

Hey!

So, my server has recently fallen victim to a new exploit. To give you a roundup of the situation, a player named "Fucknigga" joined our server and started sending thousands of modified packets with unknown formats & payloads, which then began to lag the sa-mp server. This would occur every time he connected and while he was in the server. After firewall banning his entire range, the lag magically stopped. But it doesn't stop there: I have server logs and pcap dumps of the entire situation, which you may refer to below.

Upon further inspection of the pcap files, the formats used are either 0x0 or 0x40, 0x41, 0x42, 0x43, all spammed in random order. If any sa-mp dev would like the full pcap file, shoot me a PM and I'll gladly send it to you.

The interesting thing is that there are many other packets in this pcap file in which the sa-mp server is replying to the clients with unknown formats & payload types too, even though the packets are legitimate.

I'm not necessarily sure what stands out from these modified ones; I'm not a network analyst, lol.

screenshot of pcap log:
http://i.imgur.com/IiQmRAB.png


Code:
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [join] OscarGerot has joined the server (27:36.76.39.27)
[08:17:27] [callback] OnPlayerConnect(27)
[08:17:27] [query] OnUserDataLoad(27)
[08:17:27] [query] OnUserBanQueryFinish(27)
[08:17:27] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:27] [query] OnAchievementsLoad(27)
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [connection] 95.110.57.156:56812 requests connection cookie.
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] incoming connection: 95.110.57.156:56812 id: 12
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 
:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [callback] OnPlayerDisconnect(1, 0)
[08:17:32] [part] Aryanvitla has left the server (1:0)
[08:17:32] [callback] OnPlayerDisconnect(3, 0)
[08:17:32] [part] FuCKiNgNiGGa has left the server (3:0)
[08:17:32] [callback] OnPlayerDisconnect(4, 0)
[08:17:32] [part] pierre has left the server (4:0)
[08:17:32] [callback] OnPlayerDisconnect(5, 0)
[08:17:32] [part] kristoff_regala has left the server (5:0)
[08:17:32] [callback] OnPlayerDisconnect(6, 0)
[08:17:32] [part] BloodR1ng has left the server (6:0)
[08:17:32] [callback] OnPlayerDisconnect(7, 0)
[08:17:32] [part] Nemanja_Bogdinovic has left the server (7:0)
[08:17:32] [callback] OnPlayerDisconnect(8, 0)
[08:17:32] [part] Banana has left the server (8:0)
[08:17:32] [callback] OnPlayerDisconnect(9, 0)
[08:17:32] [part] sannn_133 has left the server (9:0)
[08:17:32] [callback] OnPlayerDisconnect(10, 0)
[08:17:32] [part] blazefantasyy has left the server (10:0)
[08:17:32] [callback] OnPlayerDisconnect(11, 0)
[08:17:32] [part] adie has left the server (11:0)
[08:17:32] [callback] OnPlayerDisconnect(13, 0)
[08:17:32] [part] angeloquilla has left the server (13:0)
[08:17:32] [callback] OnPlayerDisconnect(14, 0)
[08:17:32] [part] Alisa has left the server (14:0)
[08:17:32] [callback] OnPlayerDisconnect(16, 0)
[08:17:32] [part] armin4 has left the server (16:0)
[08:17:32] [callback] OnPlayerDisconnect(17, 0)
[08:17:32] [part] Blitz has left the server (17:0)
[08:17:32] [callback] OnPlayerDisconnect(18, 0)
[08:17:32] [part] Jerry has left the server (18:0)
[08:17:32] [callback] OnPlayerDisconnect(20, 0)
[08:17:32] [part] RadioActive has left the server (20:0)
[08:17:32] [callback] OnPlayerDisconnect(22, 0)
[08:17:33] [part] Anya.ae has left the server (22:0)
[08:17:33] [callback] OnDialogResponse(27, 2, 1, -1, 085124563897)
[08:17:33] [query] PlayerLogin_BanCheck(27)
[08:17:33] [connection] 180.241.182.225:19363 requests connection cookie.
#2

Should be careful putting out IPs like that, you should remove all of them but keep an unedited copy of the log handy if asked by devs.
#3

Quote:
Originally Posted by Sew_Sumi
Should be careful putting out IPs like that, you should remove all of them but keep an unedited copy of the log handy if asked by devs.
If IPs were considered sensitive materials, then the internet would be a walking contradiction. Please save this thread for actual on-topic discussion.


On topic: If others have this problem, using iptables to drop the IP ranges in question will stop this problem altogether.
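As an added illustration (not code from this thread, from SA-MP, or from any poster), the two practical points raised so far can be combined into one small script: the first post's server log is full of "Packet was modified" lines from a single source, and the on-topic suggestion above is to drop the offending range with iptables. The script below parses constructed log lines in the same format as the first post's log (the addresses are RFC 5737 documentation IPs, not the ones in the thread), flags any source that exceeds a threshold of modified-packet events inside a sliding time window, and emits candidate iptables DROP rules for an operator to review before applying. The 5-second window, the threshold of 20, UDP port 7777 and the /24 prefix are assumptions, not values the thread states.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the "Packet was modified" lines from the SA-MP server log in the first post.
LOG_RE = re.compile(
    r"^\[(\d{2}:\d{2}:\d{2})\] Packet was modified, sent by id: (\d+), "
    r"ip: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

# Constructed sample log (RFC 5737 documentation addresses, not the thread's IPs):
# 30 modified-packet lines from one source in 3 seconds, plus ordinary lines and
# two stray modified-packet lines from a second source that should not be flagged.
SAMPLE_LOG = (
    [f"[08:17:{26 + i // 10}] Packet was modified, sent by id: 3, ip: 192.0.2.10:50844"
     for i in range(30)]
    + [
        "[08:17:27] [join] SomePlayer has joined the server (27:198.51.100.7)",
        "[08:17:27] [callback] OnPlayerConnect(27)",
        "[08:17:28] Packet was modified, sent by id: 9, ip: 198.51.100.7:19359",
        "[08:17:29] Packet was modified, sent by id: 9, ip: 198.51.100.7:19359",
    ]
)


def parse_modified_packet_events(lines):
    """Return a list of (timestamp, player_id, ip, port) for each 'Packet was modified' line.

    Other log lines (joins, callbacks, cookie requests) are ignored. The server log
    carries no date, so timestamps are parsed as time-of-day only; a log that crosses
    midnight would need the date supplied separately (assumption: single-day log).
    """
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(m.group(1), "%H:%M:%S")
        events.append((when, int(m.group(2)), m.group(3), int(m.group(4))))
    return events


def find_flooding_sources(events, window_seconds=5, threshold=20):
    """Return {ip: peak_count} for every source whose modified-packet events reach
    `threshold` inside any sliding window of `window_seconds` (assumed defaults)."""
    times_by_ip = defaultdict(list)
    for when, _player_id, ip, _port in events:
        times_by_ip[ip].append(when)

    offenders = {}
    window = timedelta(seconds=window_seconds)
    for ip, times in times_by_ip.items():
        times.sort()
        start = 0
        peak = 0
        for end, when in enumerate(times):
            # Slide the window start forward until it fits within window_seconds.
            while when - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            offenders[ip] = peak
    return offenders


def suggest_iptables_rules(offenders, game_port=7777, prefix_len=32):
    """Build candidate iptables DROP rules (UDP to the game port, assumed 7777) for each
    offender. prefix_len=32 blocks the single host; a wider prefix (e.g. 24) mirrors the
    thread's 'drop the whole range' approach. Rules are returned as strings for review."""
    rules = []
    for ip in sorted(offenders):
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        rules.append(f"iptables -I INPUT -p udp --dport {game_port} -s {net} -j DROP")
    return rules


def analyze(lines, window_seconds=5, threshold=20, prefix_len=32):
    """Run the full pipeline on log lines and return (offenders, candidate_rules)."""
    events = parse_modified_packet_events(lines)
    offenders = find_flooding_sources(events, window_seconds, threshold)
    return offenders, suggest_iptables_rules(offenders, prefix_len=prefix_len)


if __name__ == "__main__":
    found, candidate_rules = analyze(SAMPLE_LOG, prefix_len=24)
    for ip, peak in found.items():
        print(f"{ip}: {peak} modified packets within one window")
    for rule in candidate_rules:
        print("candidate rule:", rule)
```

The second source sends only two modified packets, so it stays below the threshold and gets no rule; the threshold exists precisely so that an occasional "Packet was modified" line from a normal client, which the first post notes the server also logs for legitimate traffic, does not trigger a ban. Run on a real log, the candidate rules are meant to be read by a person first, since a /24 drop can cover other players on the same ISP.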
#4

Just saying, you've exposed the attacker's IPs, and the IPs of those who were currently connecting to your server... That is actually rather irresponsible, and no matter how much you think that it's not relevant to your thread, it's still part of your responsibility to not show those IPs... Some could be static.

As for a "walking contradiction", it's not as if the forums here advertise your IPs to the rest of the world now, is it?

So again, I suggest you remove those IPs.

Just further to this, there was an agreement that you agreed to when you started the server, and one of those agreements is to protect the users' passwords and sensitive information, and this is sensitive.

Even though these posts may not be what you're looking for, it's still very much on topic, as you've posted up IPs without even thinking about this and how much effect it can have.
#5

Has anybody else had these problems? I've been reading around other topics and it appears some of them have similarities to what I've just experienced. But since I've dropped the entire range of said "hacker", the attacks have ceased.