SA-MP Forums

Old 05/11/2016, 09:19 AM   #1
Sgt.TheDarkness
Default SA-MP network thread exploit(?)

Hey!

So, my server has recently fallen victim to a new exploit. To give you a round up of the situation, a player named "Fucknigga" joined our server, and started sending thousands of modified packets with unknown formats & payloads, which then began to lag the sa-mp server, this would occur every time he connects & whilst he was in the server. After firewall banning his entire range, the lag magically stopped. But it doesn't stop there, I have server logs and pcap dumps of the entire situation, which you may refer to below.

Upon further inspection of the pcap files, the used formats are either 0x0 or 0x40, 0x41, 0x42, 0x43, all spammed in random order. If any sa-mp dev would like the full pcap file, shoot me a PM and I'll gladly send it to you.

The interesting thing is that there are many other packets in this pcap file that the sa-mp server is replying to the clients with unknown formats & payload types too, even though the packets are legitimate.

I'm not necessarily sure what stands out from these modified ones, I'm not a network analyst, lol.

screenshot of pcap log:
http://i.imgur.com/IiQmRAB.png


Code:
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [join] OscarGerot has joined the server (27:36.76.39.27)
[08:17:27] [callback] OnPlayerConnect(27)
[08:17:27] [query] OnUserDataLoad(27)
[08:17:27] [query] OnUserBanQueryFinish(27)
[08:17:27] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:27] [query] OnAchievementsLoad(27)
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [connection] 95.110.57.156:56812 requests connection cookie.
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] incoming connection: 95.110.57.156:56812 id: 12
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: :50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [callback] OnPlayerDisconnect(1, 0)
[08:17:32] [part] Aryanvitla has left the server (1:0)
[08:17:32] [callback] OnPlayerDisconnect(3, 0)
[08:17:32] [part] FuCKiNgNiGGa has left the server (3:0)
[08:17:32] [callback] OnPlayerDisconnect(4, 0)
[08:17:32] [part] pierre has left the server (4:0)
[08:17:32] [callback] OnPlayerDisconnect(5, 0)
[08:17:32] [part] kristoff_regala has left the server (5:0)
[08:17:32] [callback] OnPlayerDisconnect(6, 0)
[08:17:32] [part] BloodR1ng has left the server (6:0)
[08:17:32] [callback] OnPlayerDisconnect(7, 0)
[08:17:32] [part] Nemanja_Bogdinovic has left the server (7:0)
[08:17:32] [callback] OnPlayerDisconnect(8, 0)
[08:17:32] [part] Banana has left the server (8:0)
[08:17:32] [callback] OnPlayerDisconnect(9, 0)
[08:17:32] [part] sannn_133 has left the server (9:0)
[08:17:32] [callback] OnPlayerDisconnect(10, 0)
[08:17:32] [part] blazefantasyy has left the server (10:0)
[08:17:32] [callback] OnPlayerDisconnect(11, 0)
[08:17:32] [part] adie has left the server (11:0)
[08:17:32] [callback] OnPlayerDisconnect(13, 0)
[08:17:32] [part] angeloquilla has left the server (13:0)
[08:17:32] [callback] OnPlayerDisconnect(14, 0)
[08:17:32] [part] Alisa has left the server (14:0)
[08:17:32] [callback] OnPlayerDisconnect(16, 0)
[08:17:32] [part] armin4 has left the server (16:0)
[08:17:32] [callback] OnPlayerDisconnect(17, 0)
[08:17:32] [part] Blitz has left the server (17:0)
[08:17:32] [callback] OnPlayerDisconnect(18, 0)
[08:17:32] [part] Jerry has left the server (18:0)
[08:17:32] [callback] OnPlayerDisconnect(20, 0)
[08:17:32] [part] RadioActive has left the server (20:0)
[08:17:32] [callback] OnPlayerDisconnect(22, 0)
[08:17:33] [part] Anya.ae has left the server (22:0)
[08:17:33] [callback] OnDialogResponse(27, 2, 1, -1, 085124563897)
[08:17:33] [query] PlayerLogin_BanCheck(27)
[08:17:33] [connection] 180.241.182.225:19363 requests connection cookie.
Sgt.TheDarkness is offline   Reply With Quote
Old 05/11/2016, 10:47 AM   #2
Sew_Sumi
Default Re: SA-MP network thread exploit(?)

Should be careful putting out IPs like that, you should remove all of them but keep an unedited copy of the log handy if asked by devs.
Sew_Sumi is online now   Reply With Quote
Old 05/11/2016, 11:29 AM   #3
Sgt.TheDarkness
Default Re: SA-MP network thread exploit(?)

Quote:
Originally Posted by Sew_Sumi View Post
Should be careful putting out IPs like that, you should remove all of them but keep an unedited copy of the log handy if asked by devs.

If IPs were considered sensitive materials, then the internet would be a walking contradiction. Please save this thread for actual on-topic discussion.


On topic: If others have this problem, using iptables to drop the IP ranges in question will stop this problem altogether.
Sgt.TheDarkness is offline   Reply With Quote
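
Added example (not part of any post in this thread, and not SA-MP code): a Python script that counts the "Packet was modified" lines from the log format in post #1 per source IP per second, flags sources above a threshold, and renders the iptables drop rule suggested in post #3. The threshold of 5 lines per second, the /24 prefix and all function names are assumptions; the sample log is constructed and uses documentation address ranges.

```python
import re
from collections import Counter
from ipaddress import ip_network

# Constructed sample in the log format quoted in post #1. Addresses are RFC 5737
# documentation ranges, not the ones from the thread.
FLOOD = "[08:17:{s}] Packet was modified, sent by id: 3, ip: 203.0.113.77:50844"
SAMPLE_LOG = "\n".join(
    [FLOOD.format(s=26)] * 8
    + ["[08:17:27] [connection] 198.51.100.9:7777 requests connection cookie.",
       "[08:17:27] Packet was modified, sent by id: 5, ip: 198.51.100.9:7777",
       "[08:17:27] Packet was modified, sent by id: 3, ip: ",  # truncated line
       ":50844"]
    + [FLOOD.format(s=27)] * 12
)

LINE = re.compile(
    r"^\[(\d\d:\d\d:\d\d)\] Packet was modified, sent by id: (\d+), "
    r"ip: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

def modified_per_second(log_text):
    """Count 'Packet was modified' lines per (source IP, second)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:  # other log lines and truncated entries are skipped
            counts[(m.group(3), m.group(1))] += 1
    return counts

def flag_sources(log_text, per_second_limit=5):
    """Return {ip: peak lines per second} for sources above the limit."""
    peaks = {}
    for (ip, _second), n in modified_per_second(log_text).items():
        peaks[ip] = max(peaks.get(ip, 0), n)
    return {ip: n for ip, n in peaks.items() if n > per_second_limit}

def drop_rules(flagged, prefix=24):
    """Render iptables DROP rules for the covering prefix of each flagged IP.
    prefix=24 is an assumption: the thread does not say which range was dropped."""
    nets = sorted({str(ip_network(f"{ip}/{prefix}", strict=False)) for ip in flagged})
    return [f"iptables -I INPUT -s {net} -j DROP" for net in nets]

if __name__ == "__main__":
    flagged = flag_sources(SAMPLE_LOG)
    for ip, peak in flagged.items():
        print(f"{ip}: peak {peak} modified packets/second")
    print("\n".join(drop_rules(flagged)))
```

A prefix-wide drop also blocks every other player in that range, so review the rendered rules before applying them.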
Old 05/11/2016, 10:20 PM   #4
Sew_Sumi
Default Re: SA-MP network thread exploit(?)

Just saying, you've exposed the attacker's IPs, and the IPs of those who were currently connecting to your server... That is actually rather irresponsible, and no matter how much you think that it's not relevant to your thread, it's still part of your responsibility to not show those IPs... Some could be static.

As for a "walking contradiction", it's not as if the forums here advertise your IPs to the rest of the world, now is it?

So again, I suggest you remove those IPs.

Just further to this, there was an agreement that you agreed to when you started the server, and one of those agreements is to protect the users' passwords and sensitive information, and this is sensitive.

Even though these posts may not be what you're looking for, it's still very much on topic, as you've posted up IPs without even thinking about this and how much effect it can have.
Sew_Sumi is online now   Reply With Quote
Old 05/11/2016, 11:51 PM   #5
Sgt.TheDarkness
Default Re: SA-MP network thread exploit(?)

Has anybody else had these problems? I've been reading around other topics and it appears some of them have similarities to what I've just experienced. But since I've dropped the entire range of said "hacker", the attacks have ceased.
Sgt.TheDarkness is offline   Reply With Quote
All times are GMT. The time now is 05:08 AM.

