SA-MP Forums

Old 05/11/2016, 09:19 AM   #1
Sgt.TheDarkness
Huge Clucker
 
Join Date: Jun 2012
Location: Moscow, Russia.
Posts: 217
Reputation: 29
SA-MP network thread exploit(?)

Hey!

So, my server has recently fallen victim to a new exploit. To give you a round up of the situation, a player named "Fucknigga" joined our server, and started sending thousands of modified packets with unknown formats & payloads, which then began to lag the sa-mp server, this would occur every time he connects & whilst he was in the server. After firewall banning his entire range, the lag magically stopped. But it doesn't stop there, I have server logs and pcap dumps of the entire situation, which you may refer to below.

Upon further inspection of the pcap files, the used formats are either 0x0 or 0x40, 0x41, 0x42, 0x43, all spammed in random order. If any sa-mp dev would like the full pcap file, shoot me a PM and I'll gladly send it to you.

The interesting thing is that there are many other packets in this pcap file that the sa-mp server is replying to the clients with unknown formats & payload types too, even though the packets are legitimate.

I'm not necessarily sure what stands out from these modified ones, I'm not a network analysis lold.

screenshot of pcap log:
http://i.imgur.com/IiQmRAB.png


Code:
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:26] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [join] OscarGerot has joined the server (27:36.76.39.27)
[08:17:27] [callback] OnPlayerConnect(27)
[08:17:27] [query] OnUserDataLoad(27)
[08:17:27] [query] OnUserBanQueryFinish(27)
[08:17:27] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:27] [query] OnAchievementsLoad(27)
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:27] [connection] 95.110.57.156:56812 requests connection cookie.
[08:17:27] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:28] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] incoming connection: 95.110.57.156:56812 id: 12
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] [connection] 180.241.182.225:19359 requests connection cookie.
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:29] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:30] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: :50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:31] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [connection] 180.241.182.225:19363 requests connection cookie.
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] Packet was modified, sent by id: 3, ip: 120.29.107.226:50844
[08:17:32] [callback] OnPlayerDisconnect(1, 0)
[08:17:32] [part] Aryanvitla has left the server (1:0)
[08:17:32] [callback] OnPlayerDisconnect(3, 0)
[08:17:32] [part] FuCKiNgNiGGa has left the server (3:0)
[08:17:32] [callback] OnPlayerDisconnect(4, 0)
[08:17:32] [part] pierre has left the server (4:0)
[08:17:32] [callback] OnPlayerDisconnect(5, 0)
[08:17:32] [part] kristoff_regala has left the server (5:0)
[08:17:32] [callback] OnPlayerDisconnect(6, 0)
[08:17:32] [part] BloodR1ng has left the server (6:0)
[08:17:32] [callback] OnPlayerDisconnect(7, 0)
[08:17:32] [part] Nemanja_Bogdinovic has left the server (7:0)
[08:17:32] [callback] OnPlayerDisconnect(8, 0)
[08:17:32] [part] Banana has left the server (8:0)
[08:17:32] [callback] OnPlayerDisconnect(9, 0)
[08:17:32] [part] sannn_133 has left the server (9:0)
[08:17:32] [callback] OnPlayerDisconnect(10, 0)
[08:17:32] [part] blazefantasyy has left the server (10:0)
[08:17:32] [callback] OnPlayerDisconnect(11, 0)
[08:17:32] [part] adie has left the server (11:0)
[08:17:32] [callback] OnPlayerDisconnect(13, 0)
[08:17:32] [part] angeloquilla has left the server (13:0)
[08:17:32] [callback] OnPlayerDisconnect(14, 0)
[08:17:32] [part] Alisa has left the server (14:0)
[08:17:32] [callback] OnPlayerDisconnect(16, 0)
[08:17:32] [part] armin4 has left the server (16:0)
[08:17:32] [callback] OnPlayerDisconnect(17, 0)
[08:17:32] [part] Blitz has left the server (17:0)
[08:17:32] [callback] OnPlayerDisconnect(18, 0)
[08:17:32] [part] Jerry has left the server (18:0)
[08:17:32] [callback] OnPlayerDisconnect(20, 0)
[08:17:32] [part] RadioActive has left the server (20:0)
[08:17:32] [callback] OnPlayerDisconnect(22, 0)
[08:17:33] [part] Anya.ae has left the server (22:0)
[08:17:33] [callback] OnDialogResponse(27, 2, 1, -1, 085124563897)
[08:17:33] [query] PlayerLogin_BanCheck(27)
[08:17:33] [connection] 180.241.182.225:19363 requests connection cookie.
__________________
Sgt.TheDarkness is offline   Reply With Quote
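An added example, not part of the original post: one way to reduce a log like the one above to a per-source, per-second count of "Packet was modified" entries and flag sources whose peak rate is abnormal. The sample lines are constructed with documentation-range addresses, and the function names and the threshold of 5 entries per second are assumptions.

```python
import re
from collections import Counter, defaultdict

# Line format as it appears in the log posted above.
MODIFIED_RE = re.compile(
    r"^\[(\d{2}:\d{2}:\d{2})\] Packet was modified, sent by id: (\d+), "
    r"ip: (\d{1,3}(?:\.\d{1,3}){3}):(\d+)$"
)

# Constructed sample (documentation-range addresses), not the thread's data.
SAMPLE_LOG = (
    ["[08:17:26] Packet was modified, sent by id: 3, ip: 203.0.113.10:50844"] * 8
    + ["[08:17:27] [connection] 198.51.100.7:19359 requests connection cookie."]
    + ["[08:17:27] Packet was modified, sent by id: 3, ip: 203.0.113.10:50844"] * 14
    + ["[08:17:27] Packet was modified, sent by id: 9, ip: 198.51.100.20:40000"]
    + ["[08:17:28] Packet was modified, sent by id: 3, ip: ", ":50844"]  # broken entry
)


def tally_modified(lines):
    """Return ({ip: Counter({second: count})}, skipped) for 'modified' entries."""
    per_source = defaultdict(Counter)
    skipped = 0
    for line in lines:
        m = MODIFIED_RE.match(line.strip())
        if m is None:
            if "Packet was modified" in line:
                skipped += 1  # truncated entry (e.g. missing IP): count, don't guess
            continue
        second, _player_id, ip, _port = m.groups()
        per_source[ip][second] += 1
    return per_source, skipped


def flag_sources(per_source, max_per_second=5):
    """Return [(ip, peak_per_second, total)] for sources above the threshold."""
    flagged = []
    for ip, seconds in per_source.items():
        peak = max(seconds.values())
        if peak > max_per_second:
            flagged.append((ip, peak, sum(seconds.values())))
    return sorted(flagged, key=lambda row: row[1], reverse=True)


if __name__ == "__main__":
    counts, skipped = tally_modified(SAMPLE_LOG)
    for ip, peak, total in flag_sources(counts):
        print(f"{ip}: peak {peak}/s, total {total}")
        print(f"  candidate rule: iptables -I INPUT -s {ip} -j DROP")
    print(f"unparseable 'modified' entries: {skipped}")
```

A single stray entry from a legitimate client stays below the threshold, so only the flooding source is reported.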
Old 05/11/2016, 10:47 AM   #2
Sew_Sumi
High-roller
 
Join Date: Jun 2008
Posts: 4,690
Reputation: 323
Re: SA-MP network thread exploit(?)

Should be careful putting out IPs like that, you should remove all of them but keep an unedited copy of the log handy if asked by devs.
Sew_Sumi is offline   Reply With Quote
Old 05/11/2016, 11:29 AM   #3
Sgt.TheDarkness
Huge Clucker
 
Join Date: Jun 2012
Location: Moscow, Russia.
Posts: 217
Reputation: 29
Re: SA-MP network thread exploit(?)

Quote:
Originally Posted by Sew_Sumi View Post
Should be careful putting out IPs like that, you should remove all of them but keep an unedited copy of the log handy if asked by devs.

If IPs were considered sensitive materials, then the internet would be a walking contradiction. Please save this thread for actual on-topic discussion.


On topic: If others have this problem, using iptables to drop the IP ranges in question will stop this problem altogether.
__________________
Sgt.TheDarkness is offline   Reply With Quote
Old 05/11/2016, 10:20 PM   #4
Sew_Sumi
High-roller
 
Join Date: Jun 2008
Posts: 4,690
Reputation: 323
Re: SA-MP network thread exploit(?)

Just saying, you've exposed the attacker's IPs, and the IPs of those who were currently connecting to your server... That is actually rather irresponsible, and no matter how much you think that it's not relevant to your thread, it's still part of your responsibility to not show those IPs... Some could be static.



As for a "walking contradiction", it's not as if the forums here advertise your IPs to the rest of the world, now is it?

So again, I suggest you remove those IPs.



Just further to this, there was an agreement that you agreed to when you started the server, and one of those agreements is to protect the users' passwords and sensitive information, and this is sensitive.

Even though these posts may not be what you're looking for, it's still very much on topic as you've posted up IPs without even thinking about this, and how much effect it can have.
__________________
** Drops mic **

Quote:
Originally Posted by NoOneInParticular
Thanks, I make a living as a programmer, so I'm fairly certain I know how scripting works. And thanks for the suggestion but it is not going to work, no matter how big a story you post.
Sew_Sumi is offline   Reply With Quote
Old 05/11/2016, 11:51 PM   #5
Sgt.TheDarkness
Huge Clucker
 
Join Date: Jun 2012
Location: Moscow, Russia.
Posts: 217
Reputation: 29
Re: SA-MP network thread exploit(?)

Has anybody else had these problems? I've been reading around other topics and it appears some of them have similarities to what I've just experienced. But since I've dropped the entire range of said "hacker", the attacks have ceased.
__________________
Sgt.TheDarkness is offline   Reply With Quote
All times are GMT.