Yesterday I found out about an unpleasant program called Give Me SA. It was involved in an attack on the TeamSpeak server of one of the TCE clans. I began to google for ways to protect against it, but I couldn't find anything... One of the search results was a YouTube video showing an attack on a TS server. I watched it, and one detail struck me.
When this crap is started, it is given the IP address of the server, the UDP port, the TCP query port and (this is what caught my attention) the HTTP port. It is also given a login and password for the future super admin. This suggests how that kind of attack works: the program tries to break the super admin password by "brute force", generating strings of characters (this is easy, because the default super admin password is 6 alphanumeric characters, which are quickly broken this way). When the program gets a response confirming that this first phase succeeded, an HTTP header is generated containing the URL of the "Add client" module and a filled-in add-user form with the "super admin" option checked. In this way a new super admin account is created, and the squirt of an attacker is happy to have "hacked" a TeamSpeak server...
I am not 100% sure that this is exactly what happens, but if so, the protection is very simple. Firstly, the default passwords generated when TeamSpeak is installed have to be changed to longer and more complicated ones. Then, access to the HTTP port of TeamSpeak has to be limited: either open it only to specific IP addresses, or close the port entirely.
I hope this helps protect our TeamSpeak servers from hackers whose abilities extend only to filling in a few fields in a program...
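The first phase of the attack described in the post, a burst of failed super admin logins followed by a success, is something a server admin can spot in the logs. The following is an added example, not part of the post or of TeamSpeak: it flags source IPs that exceed a number of failed logins inside a sliding time window, and marks whether a successful login followed the burst. The log format and the sample lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; this line format is an assumption for the example,
# not TeamSpeak's real log format.
SAMPLE_LOG = """\
2024-01-10 12:00:00 login failed user=superadmin from=203.0.113.7
2024-01-10 12:00:01 login failed user=superadmin from=203.0.113.7
2024-01-10 12:00:02 login failed user=superadmin from=203.0.113.7
2024-01-10 12:00:03 login failed user=superadmin from=203.0.113.7
2024-01-10 12:00:04 login failed user=superadmin from=203.0.113.7
2024-01-10 12:00:05 login ok user=superadmin from=203.0.113.7
2024-01-10 12:01:00 login failed user=admin from=198.51.100.20
2024-01-10 12:01:30 login ok user=admin from=198.51.100.20
2024-01-10 12:02:00 login failed user=superadmin from=203.0.113.9
2024-01-10 12:02:20 login failed user=superadmin from=203.0.113.9
2024-01-10 12:02:40 login failed user=superadmin from=203.0.113.9
2024-01-10 12:03:00 login failed user=superadmin from=203.0.113.9
2024-01-10 12:03:30 login failed user=superadmin from=203.0.113.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) from=(?P<ip>\S+)$"
)

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: {"flagged_at": datetime, "succeeded_after": bool}} for IPs
    with >= threshold failed logins inside a sliding window of window_seconds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    flagged = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if m["result"] == "ok":
            # a success right after a flagged burst is the "first phase done" moment
            if ip in flagged:
                flagged[ip]["succeeded_after"] = True
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):  # expire old failures
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = {"flagged_at": ts, "succeeded_after": False}
    return flagged
```

With the sample log, 203.0.113.7 is flagged (five failures in five seconds, then a success), the two typos from 198.51.100.20 are not, and 203.0.113.9 stays under the threshold because its failures are spread over more than the 60-second window.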