  1. #1

    New type of crash exploit

    Hello all!

    I'm somewhat back in MoHAA and began to run CDX server again.

    Not long ago the server had a few DDoS attacks and even some exploit attempts. Those could be dealt with but now I'm facing an attack I've never seen before: the server goes unresponsive and the CPU usage is at 100%.
    I'm sure this is an attack and not a server bug, because it happens every time the server reaches 13-15 players.

    Here's what I've been able to narrow down about it:
    - It's not about memory running out (2GB is far more than needed for one SH server)
    - It's not BOF or flooding attack (have latest Daven patches and GSProtector 3.8)
    - It's not my mods

    The server is running on Windows Server 2012 R2 x64.

    If anyone has any clues about this I'd appreciate if some light were shed on this!

  2. #2
    heatsinkbod (Administrator) | Join Date: Jul 2016 | Location: Chester | Posts: 238 | Blog Entries: 2
    Quote: Originally Posted by VATEC6000
    Hello all!

    I'm somewhat back in MoHAA and began to run CDX server again.

    Not long ago the server had a few DDoS attacks and even some exploit attempts. Those could be dealt with but now I'm facing an attack I've never seen before: the server goes unresponsive and the CPU usage is at 100%.
    I'm sure this is an attack and not a server bug, because it happens every time the server reaches 13-15 players.

    Here's what I've been able to narrow down about it:
    - It's not about memory running out (2GB is far more than needed for one SH server)
    - It's not BOF or flooding attack (have latest Daven patches and GSProtector 3.8)
    - It's not my mods

    The server is running on Windows Server 2012 R2 x64.

    If anyone has any clues about this I'd appreciate if some light were shed on this!

    Hi Vatec6000, nice to see you back - AAAA MOHAA had some server attacks also last month or so. These were mainly IP flooding which we manually blocked and also GSprotector.
    The other problem we had was also Windows 2008 server CPU 100% but this was not so much a MOH attack but a dedi attack.
    Turned out to be a Bitcoin miner virus where it was using task scheduler to run at certain times, hence why it took a while to spot - it was using a rogue "SERVICE.EXE" which was not detected by most mainstream antivirus and which was not running from the system directory but the temp directory - after that managed to trace its files and remove.

    Just in case it's what we had, check the following:
    - Check scheduler to make sure no entries pointing to exes
    - Check Task manager for rogue exes such as "SERVICE" using a lot of resources

    What shows the CPU usage, MOH or other tasks?

    cheers

    Jon
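
    The two checks suggested in this reply (scheduled task entries pointing at executables, and processes such as "SERVICE" running outside the system directory), as an added PowerShell example that is not part of the original post. The path patterns and the list of look-alike process names are assumptions; Get-ScheduledTask needs Windows Server 2012 or later, and the script should be run elevated so process paths are readable.

```powershell
# Added example: audit scheduled tasks and running processes for executables
# launched from temp / user-writable folders. Patterns below are assumptions.

function Test-SuspectPath {
    param([string]$Path)
    if ([string]::IsNullOrWhiteSpace($Path)) { return $false }
    # Task actions often store quoted paths or %VAR% references; normalise first.
    $expanded = [Environment]::ExpandEnvironmentVariables($Path.Trim('"'))
    return $expanded -match '\\(temp|tmp)\\|\\AppData\\|\\Users\\Public\\'
}

# 1) Scheduled tasks whose action runs a binary from a suspect location.
$taskHits = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute value and are skipped by the test.
        if (Test-SuspectPath $action.Execute) {
            [pscustomobject]@{
                Source = 'ScheduledTask'
                Name   = $task.TaskPath + $task.TaskName
                Path   = $action.Execute
                Detail = $action.Arguments
            }
        }
    }
}

# 2) Processes running from a suspect location, or using a system-sounding
#    name (assumed list) while living outside System32 / SysWOW64.
$sysDirs   = "^$([regex]::Escape($env:SystemRoot))\\(System32|SysWOW64)\\"
$lookalike = '^(service|services|svchost|lsass|csrss|winlogon)\.exe$'

$procHits = foreach ($p in Get-CimInstance Win32_Process) {
    if (-not $p.ExecutablePath) { continue }   # path not readable for this process
    $fakeSystemName = ($p.Name -match $lookalike) -and ($p.ExecutablePath -notmatch $sysDirs)
    if ((Test-SuspectPath $p.ExecutablePath) -or $fakeSystemName) {
        [pscustomobject]@{
            Source = 'Process'
            Name   = $p.Name
            Path   = $p.ExecutablePath
            Detail = "PID $($p.ProcessId)"
        }
    }
}

# Hits are leads to review, not verdicts: some legitimate software runs from AppData.
@($taskHits) + @($procHits) | Sort-Object Source, Name | Format-Table -AutoSize -Wrap
```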



  3. #3
    Hi! Nice to see you too.

    Thanks for the tip, but it's not a virus since this is a brand new server with pretty much only mohaa installed.
    It's moh_spearhead_server.exe that becomes unresponsive. I've tried all combinations of fixes and patches but nothing has worked so far.

    I read somewhere that not having the console window minimized would cause at least CGM buffer overflows, but that didn't help either.
    Yesterday I tried capturing packets but finding a possible exploit that way is like trying to find a needle in a haystack.

    Now the whole thing is running through a debugger so hopefully I'll be able to see where it goes to an infinite loop.
    If I manage to find this new bug I'll make sure I release a public fix for it.

  4. #4
    heatsinkbod (Administrator)
    Quote: Originally Posted by VATEC6000
    Hi! Nice to see you too.

    Thanks for the tip, but it's not a virus since this is a brand new server with pretty much only mohaa installed.
    It's moh_spearhead_server.exe that becomes unresponsive. I've tried all combinations of fixes and patches but nothing has worked so far.

    I read somewhere that not having the console window minimized would cause at least CGM buffer overflows, but that didn't help either.
    Yesterday I tried capturing packets but finding a possible exploit that way is like trying to find a needle in a haystack.

    Now the whole thing is running through a debugger so hopefully I'll be able to see where it goes to an infinite loop.
    If I manage to find this new bug I'll make sure I release a public fix for it.

    OK cool - if it's any help you can test your MOH build on AAAA dedi to see if you get the same results

  5. #5
    That would be super! I'll PM you.

    UPDATE:

    Both Windows and Linux servers are affected.
    Last edited by VATEC6000; 11-16-2016 at 12:35 PM.
