account faking, taking over admin in xaseco

Post by kevlarsoft » 21 Jul 2008 23:24

Hello All,

don't know if somebody experienced it yet, there is somehow a way to fake somebody else's login and connect to the server and take over admin rights.

Let's say my login is xxyy and I am the masteradmin and already connected to the game. This is from the server log:


[2008/07/21 23:08:59] Connection of a new player: xxyy

Faker logs in. Notice there is no ip address behind the login name

This is from aseco log:

<< player 30 joined the game [xxyy : $FF0admin : Germany : 20970 : 85.15.25.35]
player xxyy used chat command "/admin ban xxyy"
MasterAdmin [xxyy] banned player admin!
>> player 30 left the game [xxyy : $FF0admin]

Aseco log shows my ip address, and the same player ID (30) as I already had.
In the ingame chat the player had his own name shown (for example $f00cheater) and not my name ($ff0admin).

How is this possible, and most importantly is there a way to prevent this? Maybe checking at connection time if there is already somebody connected with this name. I know this should be done by the server itself, but apparently the server has a bug, or I don't know.

And btw, it is not account stealing. I still have my account and password. It is only faking a false login to the server. And it also concerns all other server controllers not just xaseco.

regards

kev
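
The connect-time check suggested in the post above, applied after the fact to an XAseco log, as an added example (not XAseco code): it flags a join for a login that already has an open session, and any `/admin` command issued while that duplicate is open. The line shapes come from the log excerpt in the post; the sample log, the `racer1` player and the function name are constructed for the example, and lines are assumed to carry no timestamp prefix.

```python
import re

# Line shapes copied from the XAseco log excerpt in the post above.
JOIN = re.compile(r"^<< player (\d+) joined the game \[(.+)\]$")
LEAVE = re.compile(r"^>> player (\d+) left the game \[(.+)\]$")
ADMIN_CMD = re.compile(r'^player (\S+) used chat command "(/admin\b[^"]*)"$')

# Constructed sample: the first xxyy join (the real admin) is added for the
# example; racer1 and its address (a documentation range) are made up.
SAMPLE_LOG = """\
<< player 30 joined the game [xxyy : $FF0admin : Germany : 20970 : 85.15.25.35]
<< player 31 joined the game [racer1 : $0F0racer : Norway : 5000 : 192.0.2.10]
<< player 30 joined the game [xxyy : $FF0admin : Germany : 20970 : 85.15.25.35]
player xxyy used chat command "/admin ban xxyy"
>> player 30 left the game [xxyy : $FF0admin]
player xxyy used chat command "/admin restartmap"
"""


def find_duplicate_sessions(lines):
    """Return (line_no, kind, login) alerts for overlapping sessions of one login."""
    open_sessions = {}  # login -> joins not yet matched by a leave
    alerts = []
    for line_no, raw in enumerate(lines, 1):
        line = raw.strip()
        if m := JOIN.match(line):
            login = m.group(2).split(" : ")[0]
            open_sessions[login] = open_sessions.get(login, 0) + 1
            # In the reported case the second join carried the admin's own
            # player ID and IP, so the only visible anomaly is a join for a
            # login that has not left yet.
            if open_sessions[login] > 1:
                alerts.append((line_no, "duplicate-join", login))
        elif m := LEAVE.match(line):
            login = m.group(2).split(" : ")[0]
            if open_sessions.get(login, 0) > 0:
                open_sessions[login] -= 1
        elif m := ADMIN_CMD.match(line):
            if open_sessions.get(m.group(1), 0) > 1:
                alerts.append((line_no, "admin-command-during-duplicate", m.group(1)))
    return alerts


if __name__ == "__main__":
    for alert in find_duplicate_sessions(SAMPLE_LOG.splitlines()):
        print(alert)
```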

Post by Xymph » 22 Jul 2008 10:24

kevlarsoft wrote: don't know if somebody experienced it yet, there is somehow a way to fake somebody else's login and connect to the server and take over admin rights.

Let's say my login is xxyy and I am the masteradmin and already connected to the game. This is from the server log:

[2008/07/21 23:08:59] Connection of a new player: xxyy

Faker logs in. Notice there is no ip address behind the login name

This is from aseco log:

<< player 30 joined the game [xxyy : $FF0admin : Germany : 20970 : 85.15.25.35]
player xxyy used chat command "/admin ban xxyy"
MasterAdmin [xxyy] banned player admin!
>> player 30 left the game [xxyy : $FF0admin]

Aseco log shows my ip address, and the same player ID (30) as I already had.
In the ingame chat the player had his own name shown (for example $f00cheater) and not my name ($ff0admin).

How is this possible, and most importantly is there a way to prevent this? Maybe checking at connection time if there is already somebody connected with this name. I know this should be done by the server itself, but apparently the server has a bug, or I don't know.

And btw, it is not account stealing. I still have my account and password. It is only faking a false login to the server. And it also concerns all other server controllers not just xaseco.

I've seen this once or twice last year on my TMN server, but I still don't know exactly how it's done. My rudimentary understanding back then was that a player can run (X)Aseco on his own computer while being connected as a regular player to my server, and the messages from his (X)Aseco then also show up in the chat on my server, but I don't think he could execute commands (let alone with admin privileges). Something similar happened with a player running ServerMania while being connected to my TMF server last month, but he left before I could ask him to demonstrate it and provide more details.

However, my servers always have <xmlrpc_allowremote> False, and my firewall doesn't allow outside access to the XML-RPC ports of my servers, so I have no idea how this is possible. Can anyone shed further light on it?
Developer of XASECO for TMF/TMN ESWC & XASECO2 for TM²: see XAseco.org
Find your way around the Mania community from the TMN ESWC hub, TMF hub, TM² hub, and SM hub

Post by kevlarsoft » 22 Jul 2008 10:45

I think it is done the same way f*ckfish described it in this thread:

viewtopic.php?f=127&t=11605

They alter the fields in the RAM with some tool to fake the login of an admin user and then connect to the server. Or something like that.

Xymph. Because the fake user had no ip address shown in the server log, could it be a solution, that aseco checks on player connect if the server returns the ip address of the player in the query, and if not player gets kicked?

Post by Xymph » 22 Jul 2008 11:10

kevlarsoft wrote: I think it is done the same way f*ckfish described it in this thread:

viewtopic.php?f=127&t=11605

They alter the fields in the RAM with some tool to fake the login of an admin user and then connect to the server. Or something like that.

I think that's very unlikely. Like I said the few occasions where I saw someone talking about this, there was no indication those players were doing any low-level hacking, or that they even knew why they were able to have their Aseco/ServerMania messages appear on my server. They were asking other players on the server why that happened, after all.

kevlarsoft wrote: Xymph. Because the fake user had no ip address shown in the server log, could it be a solution, that aseco checks on player connect if the server returns the ip address of the player in the query, and if not player gets kicked?

No, because as shown in your own log, XAseco does see that player connect with their IP, it's only the server's ConsoleLog where the IP is missing, but that's of no use to XAseco.

Post by kevlarsoft » 22 Jul 2008 20:11

Ok. Temporary solution until there is a better one. I changed chat.admin.php so every admin command looks like this now: /admin password restartmap (and so on).

I hope it helps. :D
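
The password-gated command form described in the post above, sketched as an added example (not the poster's chat.admin.php change and not XAseco code); the function name, the shared password and the `[REDACTED]` marker are assumptions. It also masks the password before the command is logged, because the XAseco log excerpt earlier in the thread records the full chat command text.

```python
import hmac


def check_admin_command(chat_text, admin_password):
    """Parse '/admin <password> <command...>' and verify the password.

    Returns (authorized, command, loggable_text). loggable_text never
    contains the token supplied in the password position.
    """
    parts = chat_text.strip().split(None, 2)
    if not parts or parts[0] != "/admin":
        # Not an admin command at all: nothing to check or mask.
        return (False, None, chat_text)
    if len(parts) < 3:
        # Password or command missing; mask whatever followed "/admin".
        masked = "/admin [REDACTED]" if len(parts) == 2 else "/admin"
        return (False, None, masked)
    supplied, command = parts[1], parts[2]
    # Constant-time comparison so response timing does not leak how much
    # of the password matched.
    ok = hmac.compare_digest(supplied.encode(), admin_password.encode())
    return (ok, command if ok else None, f"/admin [REDACTED] {command}")


if __name__ == "__main__":
    secret = "example-only-secret"  # constructed value
    for text in (
        f"/admin {secret} restartmap",  # accepted
        "/admin ban xxyy",              # old form: 'ban' is read as a wrong password
        "/admin guess restartmap",      # wrong password
    ):
        print(check_admin_command(text, secret))
```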

Post by blooper » 22 Jul 2008 23:39

kevlarsoft wrote: Ok. Temporary solution until there is a better one. I changed chat.admin.php so every admin command looks like this now: /admin password restartmap (and so on).

I hope it helps. :D

Wouldn't you be able to see the password with /admin help?

Post by fordry » 22 Jul 2008 23:58

hehe, I did that accidentally one time on the lets rock server when I was setting up my own server. I tried to do it again though and I couldn't get it to connect again. I wanted to do it again just so I would know how, but I couldn't figure it out.

Post by kevlarsoft » 23 Jul 2008 09:08

blooper wrote: Wouldn't you be able to see the password with /admin help?

No of course not. That would be useless then. :D

Btw. Yesterday another idiot tried to hack the server, and this time, he had no chance. :D

Post by SundayDriver » 29 Jul 2008 02:45

Good idea, where did you modify this code to add a password?

To save typing you could also change for master admin only /admin to /password.

Odds are either way the guy is only going to be able to do it once, and last less than 5 minutes before you kill him by means other than aseco. I wish we could capture a MAC address from all PCs connected to the server :D I guess IP will have to do, hope their firewall is good :x

Post by lille79 » 09 Aug 2008 10:31

Any news from anyone about this account faking?
/lille79
Old man of the Norwegian Trackmania team Super Sheep Racing
To visit my homepage/blog, and download the usbTMFserver, this is the place to go.

Post by TheViP » 11 Aug 2008 21:53

Got the same problem... Any ideas how to remove those idiots?

Post by Fixron » 14 Aug 2008 15:26

Xymph

Fixservers get a visit from a Xaseco-hacker

name Blackpro921 Hungary, joining server, and makes his Masteradmin

I don't like that, we are making a pw protect, but plz solve the prob

Greetz FixRon

Post by Xymph » 14 Aug 2008 16:11

Fixron wrote: Fixservers get a visit from a Xaseco-hacker

name Blackpro921 Hungary, joining server, and makes his Masteradmin

I don't like that, we are making a pw protect, but plz solve the prob

That's the same loser that invaded TheViP's server, but nobody has provided any useful info about how it's done so there's nothing I can do to prevent it.
I'm willing to take another look at it though if you send me your dedicated_cfg.txt, server ConsoleLog.txt and XAseco logfile.txt from around the time it happened.

Post by starfinder » 14 Aug 2008 22:43

Hi, the same idiot visited EasyDay server tonight at 01:11:45 GMT+3. With a couple of his "friends". Joined as a spectator. I noticed his activity by chance. Look in your pm box. He is 'starfinder' in log entries.

Post by kevlarsoft » 14 Aug 2008 22:58

Blackpro is the same guy who hacked my server.

On aseco level you can't do much about it, besides putting a password in your admin commands. This works really well, he tried several times both of my servers, but he had no chance without knowing the password.

A fix could be only made on server level. Because he fakes an account, aseco cannot distinguish between the real admin and the fake one.

I am also from Hungary and talked to some guys who know him. I think he does it as I guessed in a previous post. He logs in with his own account to the game, then before connecting to the server, he rewrites the memory areas with some tool to the login of an admin, and then he connects to the server.

And btw. if you have an e107 website running, watch out for this security hole in the download.php:

http://xforce.iss.net/xforce/xfdb/44268

The blackpro guy is now into hacking websites.

regards

kev.