TeamSpeak server protection

Author:  simons [ Thu Jul 30, 2009 1:44 pm ]
Post subject:  TeamSpeak server protection

Yesterday I found out about an unpleasant program called Give Me SA. It was connected with an attack on the TeamSpeak server of one of the clans of TCE. I began to google potential ways of protecting against this, but I couldn't find anything... One of the search results was a YouTube video presenting an attack on a TS server. I watched it and one detail seemed striking to me.

When starting this crap, the IP address of the server is given, as well as the UDP port, the TCP query port and (what attracted my attention) the HTTP port. Besides that, a login and password for the future super admin is given. This shows what that kind of attack may look like: the program tries to break the password of the super admin with the "brute force" method, generating series of characters (this is simple, because the default super admin password contains 6 alphanumeric characters, which are easy to break with this method). When the program gets a response indicating the success of this first phase, an HTTP header is generated, containing the URL of the "Add client" module and a filled-in user add form with the "super admin" option marked. In this way, a new super admin account is created and the squirt-attacker is happy to have "hacked" the TeamSpeak server...

I am not 100% sure if this is exactly what happens, but if so, the protection is very simple. Firstly, the default passwords generated while TeamSpeak is being installed have to be changed to longer and more complicated ones. Then, the activity on the HTTP port of TeamSpeak has to be limited: either access has to be opened for specific IP addresses only, or the port has to be closed entirely.

I hope this is going to help protect our TeamSpeak servers from hackers whose abilities cover only filling in a few fields in a program...

Author:  merlin1991 [ Thu Jul 30, 2009 6:46 pm ]
Post subject: 

Some further input:

If you block the HTTP port, you could still use the same technique to hack the server over the query port (default 5123).

The problem with closing that port too is that then no viewer software will be able to check the server anymore, which means you can't have any webpage activity viewer, and server bots can't work anymore either.

I would suggest you take a long and funky password for the superadmin, that should solve most problems.
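
Added example, not part of either post above: a log check for the sequence the thread describes, a burst of failed super admin logins from one address followed by a new super admin account being added from that same address. The log format, the event names (`LOGIN_FAIL`, `CLIENT_ADD`, `flags=SA`), the addresses and the thresholds are all assumptions made for this sketch, not TeamSpeak's real log layout.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in a hypothetical log format (not TeamSpeak's real log layout).
SAMPLE_LOG = """\
2009-07-29 21:14:01 LOGIN_FAIL user=superadmin ip=203.0.113.7
2009-07-29 21:14:02 LOGIN_FAIL user=superadmin ip=203.0.113.7
2009-07-29 21:14:03 LOGIN_FAIL user=superadmin ip=203.0.113.7
2009-07-29 21:14:04 LOGIN_FAIL user=superadmin ip=203.0.113.7
2009-07-29 21:14:05 LOGIN_FAIL user=superadmin ip=203.0.113.7
2009-07-29 21:14:09 LOGIN_OK user=superadmin ip=203.0.113.7
2009-07-29 21:14:12 CLIENT_ADD user=newadmin ip=203.0.113.7 flags=SA
2009-07-29 22:30:00 LOGIN_FAIL user=superadmin ip=198.51.100.20
2009-07-29 22:30:20 LOGIN_OK user=superadmin ip=198.51.100.20
2009-07-29 22:31:00 CLIENT_ADD user=clanmate ip=198.51.100.20 flags=SA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>\w+) "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+)(?: flags=(?P<flags>\S+))?$"
)

def find_takeovers(log_text, max_fails=5, window=timedelta(minutes=1),
                   follow_up=timedelta(minutes=10)):
    """Alert on failed-login bursts and on a super admin added right after one."""
    fails = defaultdict(deque)  # ip -> timestamps of failures inside the window
    flagged = {}                # ip -> time the burst threshold was reached
    alerts = []                 # (kind, ip, timestamp, account or None)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue            # ignore lines that are not in the assumed format
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, event = m["ip"], m["event"]
        if event == "LOGIN_FAIL":
            recent = fails[ip]
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= max_fails and ip not in flagged:
                flagged[ip] = ts
                alerts.append(("bruteforce", ip, ts, None))
        elif event == "CLIENT_ADD" and "SA" in (m["flags"] or "").split(","):
            # New super admin created by a source that was just guessing passwords.
            if ip in flagged and ts - flagged[ip] <= follow_up:
                alerts.append(("sa_added_after_bruteforce", ip, ts, m["user"]))
    return alerts
```

Calling `find_takeovers(SAMPLE_LOG)` returns two alerts for 203.0.113.7 and none for the administrator at 198.51.100.20, who mistyped the password once before adding an account.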
