RIP Wargamez
2006-02-04, 10:32
Member
693 posts

Registered:
Jan 2006
I got a rather sad email from the Wargames admin today:

Quote:
Hi,

sorry to tell you, but the qw-servers have a vulnerability that has
disabled/deleted a lot of stuff for me.
I normally don't care when a game has some issues, but when it hurts my
other systems, I get rather pissed.
That's why I've been forced to shut down all qw-servers for the time being.

The link you provided below is not working for me - please investigate.

If the qw-files someday will get secure again, I can move the files to a
not-important server and load the qw-servers again.

Thanks.

//rivmin


2006-02-04, 10:36
Member
1754 posts

Registered:
Jan 2006
2006-02-04, 10:43
Member
693 posts

Registered:
Jan 2006
I've asked for more info on the vulnerability and then I'll go speak to the MVDsv people about it...
2006-02-04, 13:43
Member
80 posts

Registered:
Jan 2006
Not sure if it has to do with the spectator "2" bug really. MVDSV or KTPRO seems to still have a few flaws. Noticed some Brazilian dude, *AnM*Kitana or something, join the server one night during a mix and become demoadmin and stuff, most likely it's about some hacking issue.
2006-02-04, 16:25
Member
518 posts

Registered:
Jan 2006
wtf no wargamez no eql gg
2006-02-05, 12:08
Member
9 posts

Registered:
Jan 2006
yes there is a vulnerability that allows anyone to get rcon by exploiting the allow_download 1 (probably by downloading server cfg, so setting it to 0 should temporarily fix the problem) that as far as I know is default in every server. I don't know exactly how, I just read this in a Brazilian forum where they have been having a lot of troubles because of this.
2006-02-05, 15:13
Member
398 posts

Registered:
Feb 2006
all games on iop instead then? Be
2006-02-05, 18:31
Member
693 posts

Registered:
Jan 2006
Quote:
Hi,

well, I discovered that my web-server was not showing anything
yesterday, so I made some troubleshooting.
Someone had deleted nearly all the files, and uploaded a new index.php,
with the usual 'You've Been Hacked By bla...bla..bla..., please mail
bla@bla.bla for help'.
This happened 30 jan 06 at 19.34

Sadly for them, index.php is never displayed, so no-one but me did
actually see the haxxor-message.

My problem then was, that I did not know the origin of the vulnerability,
so I did some troubleshooting.
Everything was up2date, and it's only me that has access to the box.
I could not find it, so I just reloaded the box, disabled the web-server
and started the q1-servers again.

Then the servers failed to start - could not find some files.....hmmm.
Then I looked at the config-files to locate the problem, and discovered
that the content of the config-file was identical with the haxxored
index.php from my web-server.
The time-stamp of the changes in the config-file, was identical with the
web-servers index.php change, so my conclusion is that somehow they got
write-access to the files and could do what-ever they liked.
Luckily they 'only' destroyed my web-server, and some q1-files.

It's quite common that a game-server has vulnerabilities, but they
always only impact the actual game.
This one was different, since they got access to all my files, and
that's quite bad.
Unfortunately this server was hosting my main web-server [wargamez.dk],
so I was quite pissed.
Now I'm more relaxed, and display only 1 page.
Maybe if I find the time some day, I will create a new web-site

I really don't understand why they do things like that - I'm just a
private guy that maintains some game-servers in my spare time.....I don't
even make any money on it, and have paid for all the hardware personally.

Well - life goes on....stay happy.

//riv
2006-02-05, 18:57
Member
248 posts

Registered:
Jan 2006
it's so sad, hope that this makes developers of mvdsv (and kteams?) make it safer, we can't have servers that no one wants to host
2006-02-05, 19:59
Member
38 posts

Registered:
Jan 2006
quake servers have always had lame vulnerabilities, you can google it and find out more

but why in the world was he running it as root?
2006-02-05, 20:03
Member
693 posts

Registered:
Jan 2006
There's now a 0.19.1 pre-rc for 0.20 version. It fixes the security issues but there are some known bugs including a server crash (segfault) when QTV connects. So, QTV needs to be disabled (it's the first RC with QTV support...)

Download here:

http://quakeworld.ru/files/vvd/mvdsv/

Bug reports to kreon@quakeworld.ru
2006-02-07, 22:35
Member
693 posts

Registered:
Jan 2006
LATEST NEWS 7/2/06 22.30 UK TIME

There is now a 'test' server running. We (the wargamez admin and I) are checking the configs and trying to work out how to disable QTV.

When the wargamez admin is satisfied that MVDsv is secure again, he will move the servers back to "wargamez.dk".
2006-02-08, 01:49
News Writer
2260 posts

Registered:
Jan 2006
sweet!!!!
best news 2day
2006-02-08, 08:18
Member
518 posts

Registered:
Jan 2006
nice!! good job vm, and everybody that worked to get the server back on!
2006-02-08, 12:12
Member
693 posts

Registered:
Jan 2006
An MVDsv dev has checked out our configs and given them the thumbs-up. I've also passed on the command to disable QTV support so we should be good to go as soon as rivmin (wargamez admin) checks his mails
2006-02-08, 12:31
News Writer
2260 posts

Registered:
Jan 2006
lets fix some kind of thank you pic to him?
2006-02-08, 12:47
Administrator
887 posts

Registered:
Jan 2006
http://dev.neod.com/temp/qw/thanks.jpg
Join us on discord.quake.world
2006-02-08, 12:48
Administrator
887 posts

Registered:
Jan 2006
=)
Join us on discord.quake.world
2006-02-08, 12:58
Member
85 posts

Registered:
Jan 2006
haha
Mean Machine QuakeWorld Clan
2006-02-08, 15:39
Member
518 posts

Registered:
Jan 2006
hahaha nice one
2006-02-08, 16:29
Member
1754 posts

Registered:
Jan 2006
that's so sweet bps
2006-02-08, 16:33
Member
108 posts

Registered:
Jan 2006
comic sans must die
Spell "mogul," Bateman. How do you spell mogul? M-o-g-u-l. Mo-gul. Mog-ul. Ice, ghosts, aliens-
2006-02-08, 20:30
Member
693 posts

Registered:
Jan 2006
.. and they're back!

wargamez.dk:27501
wargamez.dk:27502
wargamez.dk:27503
wargamez.mine.nu:27501
2006-02-08, 20:42
Member
518 posts

Registered:
Jan 2006
nice!!!!!

wargamez.mine.nu:27501 is in sweden right?

38ms there :[

and couldn't there be 2 more servers or something and a qizmo that would be nice.
2006-02-08, 22:05
News Writer
2260 posts

Registered:
Jan 2006
gaz, don't forget to give him the picture
2006-02-08, 22:39
Member
693 posts

Registered:
Jan 2006
Quote:
nice!!!!!

wargamez.mine.nu:27501 is in sweden right?

38ms there :[

and couldn't there be 2 more servers or something and a qizmo that would be nice.


Do you want the moon on a stick too?
2006-02-08, 23:04
Member
117 posts

Registered:
Jan 2006
autotrack don't work? says "Not available with server ver < 2.4"
2006-02-08, 23:16
Member
271 posts

Registered:
Feb 2006
And maybe when Disconnect is back from holiday, he'll get around to fixing the qtv issue.

gore: I'd say that was a client bug to do with expectations. Force whoever made your client to fix it (alternatively, get the server admins to change the *version string of the server's sourcecode - prefix with 2.4).
moo
2006-02-09, 09:26
Member
518 posts

Registered:
Jan 2006
VM? Why isn't it possible, Sundays the servers are always full. Qizmo can be used to maybe get better pings on intarweb.dk and get2net from nl/de/uk/be and of course for caming.
2006-02-11, 11:10
Member
26 posts

Registered:
Jan 2006
somebody should tell the admin to enable the erasing of old demos.