All times are UTC




 Post subject: TeamSpeak server protection
PostPosted: Thu Jul 30, 2009 1:44 pm 
Sharp Shooter

Joined: Sat Jun 13, 2009 9:50 am
Posts: 78
Location: Poland
Yesterday I found out about an unpleasant program called Give Me SA. It was connected with an attack on the TeamSpeak server of one of the TCE clans. I began to google potential ways of protecting against this, but I couldn't find anything... One of the search results was a YouTube movie presenting an attack on a TS server. I watched it and one detail seemed striking to me.

When starting this crap, the IP address of the server is given, as well as the UDP port, the TCP query port and (what attracted my attention) the HTTP port. Besides, a login and password for the future super admin are given. This suggests what that kind of attack may look like: the program tries to break the password of the super admin with the "brute force" method, generating series of characters (this is simple, because the default super admin password contains 6 alphanumeric characters, which are easy to break with this method). When the program gets a response about the success of this first phase, an HTTP header is generated, containing the URL to the "Add client" module and a filled-in user add form with the "super admin" option marked. In this way, a new super admin account is created and the squirt-attacker is happy to have "hacked" the TeamSpeak server...

I am not 100% sure if this is exactly what happens, but if so, the protection is very simple. Firstly, the default passwords generated while TeamSpeak is being installed have to be changed to longer and more complicated ones. Then, the activity on the HTTP port of TeamSpeak has to be limited: either access has to be opened only for specific IP addresses, or the port has to be closed entirely.

I hope this is going to help protect our TeamSpeak servers from hackers whose abilities cover only filling in a few fields in a program...

PostPosted: Thu Jul 30, 2009 6:46 pm 
Rock Me, Amadeus!

Joined: Thu Jun 11, 2009 10:38 am
Posts: 172
Location: Austria
Some further input:

If you block the HTTP port, you could still use the same technique to hack the server over the query port (default 5123).

The problem with closing that port too is that then no viewer software will be able to check the server, which means you can't have any webpage activity viewer, and server bots can't work anymore.

I would suggest you take a long and funky password for the superadmin, that should solve most problems.

_________________
"Fog is neither water nor air, it's something between." Merlin
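
The two posts together point at an allowlist rather than a closed port: the HTTP and query ports stay reachable for the web viewer and server-bot hosts and are dropped for everyone else. The script below is an added example, not part of the original thread; the function name `ts_allowlist_rules`, HTTP port 8080 and the 192.0.2.x addresses are constructed placeholders, and 5123 is the query port as quoted in the thread. It only prints the iptables rules so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example: build an iptables allowlist for the TeamSpeak TCP query port
# and web-admin (HTTP) port. The UDP voice port is deliberately left untouched.
# usage: ts_allowlist_rules QUERY_PORT HTTP_PORT TRUSTED_ADDR...
ts_allowlist_rules() {
    [ "$#" -ge 3 ] || { echo "usage: ts_allowlist_rules QUERY HTTP ADDR..." >&2; return 2; }
    query_port=$1; http_port=$2; shift 2

    # Ports must be plain integers in 1..65535
    for port in "$query_port" "$http_port"; do
        case $port in
            ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
        esac
        [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || { echo "bad port: $port" >&2; return 1; }
    done

    # Accept only IPv4 addresses or CIDR blocks, so nothing else reaches the rule text
    for addr in "$@"; do
        printf '%s\n' "$addr" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' \
            || { echo "bad address: $addr" >&2; return 1; }
    done

    for port in "$query_port" "$http_port"; do
        # Trusted hosts (web viewer, server bot, admin workstation) first ...
        for addr in "$@"; do
            echo "iptables -A INPUT -p tcp -s $addr --dport $port -j ACCEPT"
        done
        # ... then everyone else is dropped on this port
        echo "iptables -A INPUT -p tcp --dport $port -j DROP"
    done
}

# Constructed sample values: query port from the thread, placeholder HTTP port,
# documentation-range addresses standing in for the viewer and bot hosts.
ts_allowlist_rules 5123 8080 192.0.2.10 192.0.2.20
```

An allowlist narrows who can attempt logins on those ports; it does not replace changing the default super admin password.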