Soldat XXXX hackers! - Hackers intercept password!

[elMorvano]

I think this topic shouldn't be closed. He was asking as admin to make server more safe. And this could be helpful for everyone who take care of safety. I never heard about this before and this made me more careful. I'm not sure but this should be okay:
 


Am I right?

[dominikkk26]

But if it does not automatically sends a command (/adminlog) per us when entering the server?
They could encode the password at the client before sending.

[DarkCrusade]

These things are best discussed via PM.

[Szaman]

WTF? Is something missing in this thread?

What it is about?

[elMorvano]

He told that there is a cheat which can read your adminlog when you use it by '/adminlog ...'

These things are best discussed via PM.

Ofc not because this should know every admin of servers not only selected people

But if it does not automatically sends a command (/adminlog) per us when entering the server?
They could encode the password at the client before sending.

Devs should make much more for safety but cuz... What can I say...

[jrgp]

If you're referring to intercepting the password using something like tcpdump, then yes, you can't avoid that as the password is sent in cleartext. However, sniffing traffic between the admin client and the server is difficult unless you have access to either machine or are an ISP or NSA person. Longterm solution there would be to have the password sent hashed with a salt, or to just to optionally use ssl for the admin connection. This is functionality that the devs would have to add, unless you connect via an encrypted tunnel or vpn.

If you're referring to /adminlog being abused clientside, it's possible a hack for Soldat exists that intercepts /adminlog lines and sends it somewhere in addition to providing any other functionality it does. Moral of that story is stop being a script kiddie fuckhead and don't use hacks! dominikkk26, if what others have said about you are true, I'm looking at you on this one.

Shoozza, get in here and provide your input plox.

[Shoozza]

I heard stuff before that people ingame can somehow steal the password when an admin writes the /adminlog command.
Maybe it is still possible but I modified the check to prevent it.

I'm not sure what the screenshot should tell me but you can enter the adminlog in the password field to join as admin - that's a feature.

Like jrgp said the password stuff in soldat is not really secure and can be intercepted. So if you are on public wifi you shouldn't use adminlog.
(same for the admin protocol btw)

I'll look into the adminlog code more and try to figure out if there is a way to receive the password but I feel like it should be rewritten and not just fixed.

[dominikkk26]

I meant is that the hacker can see EVERY command simply entered by the players, so if you can try admin login hacker sees (the entire command with the password). Of course, a hacker must be at this time on the server.

[DarkCrusade]

That screenshot says nothing... you simply typed the commands as normal text.

[jrgp]

dominikkk26, please clarify what you mean. I know you speak shit English so PM someone to translate for you or something. Are you saying that's a screenshot of a "hack" on your end that shows what commands other players type?

That screenshot says nothing... you simply typed the commands as normal text.

Maybe he means in case you accidentally press t before the command it doesn't stop you from doing so? Not sure if I see the point in adding idiot checks to get around that.

[dominikkk26]

Okej napiszę po polsku, administrator loguje się normalnie komendą /adminlog *** gdy cheater jest na serwerze widzi zwykły tekst i wszystkie komendy jakie piszą gracze. A /adminlog należy do komend tak wiec cheater poprostu widzi jako tekst (speak) [np. /adminlog 2dh289]

[Viral]

He means that there is a hack that allows you to see the commands typed by a player (/red, /spec etc) as a normal text (screenshot). That means, if you are on the server with a player having this hack and you use /adminlog *** command the hacker can intercept it easly.

[CheeSeMan.]

If you know about the hack and have access to it then I think the best solution is to pm it to the DEVS as soon as

[Falcon`]

Out of curiosity, I've briefly checked command handling code. Hopefuly, my prediction turned out correct. There's no way to intercept command typed as another player, unless you're in the same network (shared wifi, or similar).
I mean, just think about it: when you send a chat message, servers receives it and process as a chat and thinks "hey, that looks like a chat, perhaps i should broadcast it to all the other players". When it receives command it thinks "so that's a command, perhaps i should just keep it for myself". No. Broadcast. This would have to be done on purpose or code would have to be super buggy (which is kinda close though). You'd have to hack the admin<->server connection, admin's pc or the server itself. But then, who the hell needs the admin pass anymore?

The only way to make it possible is to write a server script that transforms commands to chat, or to be dumb enough to write command in chat.

[You Got Served!]

Around two weeks ago I caught someone in Soldat openly boasting about how he'd written new cheats (undetectable by anticheat) for auto aim, unlimited ammo and amongst other things, the ability to obtain adminlog, take control of the server and evade being kicked/banned. This person was then seen to be clearly using cheats and was subsequently banned.

He was then able to regain access to the server despite his hwid being banned. He was able to overcome being banned multiple times and continued to access the server. After this I found him sitting on spec sending some dodgey looking text to the server.

Fortunately we had taken some precautionary measures such as changing adminlog and warning admins not to write adminlog whilst in the server. As a workaround we now have a script in place that recognises specified hwid's and adds them to admin list upon joining the server.. which is not only nice for security but actually really convenient 

I just wanted to share this information with the community. If there are any admins out there who are concerned & would like to know the username of the said individual then I would be happy to disclose this information in pm. I apologise if I have broken fourm regulations by posting this publicly and I will remove my post upon request. Just please DON'T send Boris 

[jrgp]

Around two weeks ago I caught someone in Soldat openly boasting about how he'd written new cheats (undetectable by anticheat) for auto aim, unlimited ammo and amongst other things, the ability to obtain adminlog, take control of the server and evade being kicked/banned. This person was then seen to be clearly using cheats and was subsequently banned.

He was then able to regain access to the server despite his hwid being banned. He was able to overcome being banned multiple times and continued to access the server. After this I found him sitting on spec sending some dodgey looking text to the server.

Fortunately we had taken some precautionary measures such as changing adminlog and warning admins not to write adminlog whilst in the server. As a workaround we now have a script in place that recognises specified hwid's and adds them to admin list upon joining the server.. which is not only nice for security but actually really convenient 

I just wanted to share this information with the community. If there are any admins out there who are concerned & would like to know the username of the said individual then I would be happy to disclose this information in pm. I apologise if I have broken fourm regulations by posting this publicly and I will remove my post upon request. Just please DON'T send Boris 

The issue with assigning admin via HWID is if you have collisions. As the HWID is just what, 32 chars long, I really don't think it's 100% unique. I personally wouldn't trust it.

As for hackers names/contact info/screenshots/whatever, please PM them to me and Shoozza as we can take steps necessary that they're killed off the face of Soldat forever.

As for Boris, that pic was probably taken 10+ years ago and that dog is likely long dead.

[darDar]

I just wanted to share this information with the community. If there are any admins out there who are concerned & would like to know the username of the said individual then I would be happy to disclose this information in pm. I apologise if I have broken fourm regulations by posting this publicly and I will remove my post upon request. Just please DON'T send Boris 

The issue with assigning admin via HWID is if you have collisions. As the HWID is just what, 32 chars long, I really don't think it's 100% unique. I personally wouldn't trust it.

[/quote]
Isn't it 32³² to get the maximum possible HWID amount then? Should be enough for Soldat or ? Maybe my math is just being bad again..
Or can the lobby server (?!) assign 2 HWID's to 2 different persons ?

[PMG| DonEvolarao]

HWID be faked, and easy to change.

[kicikici]

Nick can be changed but language won't change ^^

[Bistoufly]

As for hackers names/contact info/screenshots/whatever, please PM them to me and Shoozza as we can take steps necessary that they're killed off the face of Soldat forever.

Do you have means to do that?

Server owners are defenseless against hackers. IP, HWID, nicknames, ... get changed. And hackers continue playing.

When I was more active, I used to admin a lot of servers from different modes. There were times when there were several hackers everyday on the servers. We used to share lists of them between admins and server owners.
Had there been a way to effectively get rid of them, something could have been done.

My feeling is that it looks like there is almost no consequence to hacking in Soldat. The only one I can think of is getting bad reputation if you are a known player and you get busted.
But even then, it's not much.
I've been browsing the SCTFL forum. And many of the regular players there are ex-hackers who are still allowed to play competitively. Usually they get denied access for 2 seasons from official events and that's it.
It's crazy.