Dear J2O,

I am letting you know theese crashes occuring are not me for proof take an eye on my ip : 72.139.36.204
So if your gonna blame me prove it cuz its not me.

How can we know you don't have a dynamic IP this time?

How can you know he has?

his ip adress is static it's been that way for a long time

It's not like you can't change ISPs to get a dynamic IP.

This is all speculation. It has no value to build decisions on.

Quote:

Originally Posted by Fquist

This is all speculation.

Yeah but heck of a darn good speculation.

Alright... Orbiyz claims that ThaSpaz is the crasher. That is very likely too. Anyways, here comes some evidence that should get one person banned:

Log from my server's uptime (about 3 minutes, just estimatedly):
http://www.freewebs.com/grytolle/jaz...hackernoob.txt

2629  69.72.144.19:51534  192.168.0.100:10052  81  Recv  

0000  01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46    .........ASDAOSF

0010  48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53    HOISAFHOSAHGOLAS

0020  47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E    GFHBPSAONASOIJSN

0030  47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53    GPOSAHNOIAGSOIHS

0040  46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53    FOPSAIFHOIPSAFHS

0050  41                                                 A

This one sure looks malicious?

Code:

2629  69.72.144.19:51534  192.168.0.100:10052  81  Recv  
0000  01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46    .........ASDAOSF
0010  48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53    HOISAFHOSAHGOLAS
0020  47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E    GFHBPSAONASOIJSN
0030  47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53    GPOSAHNOIAGSOIHS
0040  46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53    FOPSAIFHOIPSAFHS
0050  41                                                 A

Looks like someone initiated a connection ;O

Not to mention sent spam, probably for flooding. If you follow the log after that, you see that I crash.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.

Quote:

Originally Posted by Grytolle

Not to mention sent spam, probably for flooding. If you follow the log after that, you see that I crash.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.

The source port is generally randomly selected. You'll notice in your log that the other person who joined your server used port 1138. However, it was still obviously not a JJ2 client just from the nature of what was sent.

The address that Orbitz named matches the address from which he posted.

Okay, and he didn't post with a known webproxy or so? ;p

2545  69.72.144.19:51534  192.168.0.100:10052  9  Recv  

0000  09 0F 01 04 32 31 20 20 01                         ....21  .



2629  69.72.144.19:51534  192.168.0.100:10052  81  Recv  

0000  01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46    .........ASDAOSF

0010  48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53    HOISAFHOSAHGOLAS

0020  47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E    GFHBPSAONASOIJSN

0030  47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53    GPOSAHNOIAGSOIHS

0040  46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53    FOPSAIFHOIPSAFHS

0050  41                                                 A

Those are all packets from that IP, so it was obviously no one in server that crashed me ;o (And the first one resembles those you get from jforce.

69.72.144.19 resolves to a web server registered in Naperville, Illinois.

Registration contact is:


Rags Rajagopalan
+1.6305186387
Fax: +1.9999999999
710 E Ogden Ave
Suite 540
Naperville, S 60563
US

That's definitely the IP which ApprehendJJ2 logged when I got DoS attacked.

Quote:

Originally Posted by Trafton

69.72.144.19 resolves to a web server registered in Naperville, Illinois.

That IP sounds familiar...

What does DoS stand for? It's not as in MS DOS, right?

Quote:

Originally Posted by Grytolle

What does DoS stand for? It's not as in MS DOS, right?

Denial of Service =)

http://en.wikipedia.org/wiki/Denial_of_service for more stuff

Rags Rajagopalan is apparently the owner of NotionTide, Inc., a wireless evangelism firm. I doubt he's the one responsible.

Should I give him a ring?

You should, if not for jj2's sake, but for his own. I'd want to know if someone did bad stuff appearing to be me.

OK, I finally found out what the IP was, which was the host of my website. It appears that someone had been accessing my server list thing on my website through a file I had assumed to be deleted and had been using that script to take down servers. It's been fixed now.

Ugh... that sucks. But it also means it can not be Orbitz who obviously isn't skilled enough for that.

Quote:

Originally Posted by Grytolle

Alright... Orbiyz claims that ThaSpaz is the crasher. That is very likely too. Anyways, here comes some evidence that should get one person banned:

Log from my server's uptime (about 3 minutes, just estimatedly):
http://www.freewebs.com/grytolle/jaz...hackernoob.txt

2629  69.72.144.19:51534  192.168.0.100:10052  81  Recv  

0000  01 0E 01 03 01 00 00 00 00 41 53 44 41 4F 53 46    .........ASDAOSF

0010  48 4F 49 53 41 46 48 4F 53 41 48 47 4F 4C 41 53    HOISAFHOSAHGOLAS

0020  47 46 48 42 50 53 41 4F 4E 41 53 4F 49 4A 53 4E    GFHBPSAONASOIJSN

0030  47 50 4F 53 41 48 4E 4F 49 41 47 53 4F 49 48 53    GPOSAHNOIAGSOIHS

0040  46 4F 50 53 41 49 46 48 4F 49 50 53 41 46 48 53    FOPSAIFHOIPSAFHS

0050  41                                                 A

This one sure looks malicious?

That is definitely the long name crash packet. Apparently whoever did this seems to be experimenting with long name crashes for the first time (he didn't get the packet length right, but not that it matters anyway). Since people have filters for ASD, the user felt like making his own tool for the job that is not stopped by the WPE ASD filters. The long uppercase name is not random, the user must have written it by hand. This is only the first step in his experiment. Next time he'll come up with a program that randomizes a name each time an attack is performed. Bye bye the idea of WPE long name string matching filters.

Quote:

Originally Posted by UNKNOWNFILE

OK, I finally found out what the IP was, which was the host of my website. It appears that someone had been accessing my server list thing on my website through a file I had assumed to be deleted and had been using that script to take down servers. It's been fixed now.

Does that explain how they connected to and crashed servers from that address? Was it just a server listing script, or did it actually connect to games and they found some way to exploit it?

If you have access to the site logs, you should be able to find out who it was, or at least their IP address. Also, how did they find it? Did you have links to this script or tell anyone about it?

Overlord, what do you think of:
Detection like this: "0E" to determine it is joining, and then at the first place out of the allowed just make one filter for each possible hexvalue? Then block all such packages. Nvm, I just realized that that is like many combinations -.-

Is there any program that can simply filter out too long packets? WPE is great, but it could really use that function.

Oh, and for private games, it would be a good idea to just block all packets beginning with XX 0E when all players are in server. Maybe it can be added to the "official filter"? It would suck if jj2wc-games were interrupted by frequent crashes like this...

Quote:

Originally Posted by Grytolle

Not to mention sent spam, probably for flooding. If you follow the log after that, you see that I crash.

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.

Orbitz: 72.139.36.204

It indeed is Orbitz' real IP. (I caught this ages ago, at the first crash wave.)


ThaSpaz: 83.85.199.209

That is the dutch IP I got from ThaSpaz back af the first crashing wave.
I'm fully sure about those being the right ones.

Quote:

Originally Posted by Orbitz

I am letting you know theese crashes occuring are not me for proof take an eye on my ip : 72.139.36.204

FWIW, that IP address is in the Rogers Cable range. Reverse DNS doesn't really hint as to whether it's a static or dynamic address. Some more digging shows that it may be static, as it's linked to a mac address.

Quote:

Originally Posted by Grytolle

Edit: What the (-)? Port 51534? then it sure wasn't sent from a jj2 client?;p Oh, and an admin, please verify that Orbitz didn't lie about his IP.

You can't tell much about a program from the source port, as it's usually chosen by the operating system (either randomly, or some systems including windows the next free port below ~5000).

If WPE could somehow block packets that match certain length then I would be most happy. However so far I have not managed to make any filters that check packet length and block those that exceed it. And yes, there are too many combinations to make filters for. A very useful function for WPE would be a check whether a byte is NOT the given value rather than check if it is every possible one, like your idea suggests, Gry. WPE is by no means a perfect packet editor. In fact its far from that.

I looked at some more advanced packet scrubbers (I read somewhere that's what shortening packets is called, feel free to correct me), but uh... too advanced, I didn't even get through the install.

ThaSpaz is best friends with Orbitz, so it doesnt suprise me if Thaspaz is involved.

He was the dude given IP's to Orbitz when he was banned.... until I blocked him. That block needs to be readded soon I'm thinking.

Quote:

Originally Posted by vegito

Orbitz: 72.139.36.204

It indeed is Orbitz' real IP. (I caught this ages ago, at the first crash wave.)


ThaSpaz: 83.85.199.209

That is the dutch IP I got from ThaSpaz back af the first crashing wave.
I'm fully sure about those being the right ones.

Tha spaz's IP either isn't static or he changed his isp

looks like the noname is orbitz too

Maybe because he has changed his IP ;]

Quote:

Originally Posted by Orbitz

Dear J2O,

I am letting you know theese crashes occuring are not me for proof take an eye on my ip : 72.139.36.204
So if your gonna blame me prove it cuz its not me.

I could believe that. RAD tried to take over the listservers last night, and named themselves Orbitz, Orbitz1, Orbitz2, Orbitz3, Orbitz4, Orbitz5, Orbitz6, Orbitz7, Orbitz8 and Orbitz9. I asked who they were and they said they were worse then Orbitz, so it's definitely not Orbitz.

Or I may have forgotten to collect the IPs. Trust me.

Quote:

Originally Posted by ShadowRabbit

I could believe that. RAD tried to take over the listservers last night, and named themselves Orbitz, Orbitz1, Orbitz2, Orbitz3, Orbitz4, Orbitz5, Orbitz6, Orbitz7, Orbitz8 and Orbitz9. I asked who they were and they said they were worse then Orbitz, so it's definitely not Orbitz.

Or I may have forgotten to collect the IPs. Trust me.

Orbitz can say that too people as well. ;-P

I dunno...
- Taken from my server wich was run 2 hours ago.

Quote:

Originally Posted by Link

Does that explain how they connected to and crashed servers from that address? Was it just a server listing script, or did it actually connect to games and they found some way to exploit it?

If you have access to the site logs, you should be able to find out who it was, or at least their IP address. Also, how did they find it? Did you have links to this script or tell anyone about it?

A guy called Adam Gashlin is sharing his web space with me. I am not able to get activity logs from the host unless I ask Adam first.

Anyways, hi Link

72.139.36.204 also resolves to Toronto.

Then I guess that's where Orbitz is.

We should have got him at EC2005. Oh wait, I wasn't there. and I'm thankful I wasn't with a bunch of (WA)

Then we could ask if anyone went to it and saw Orbitz and know he lives there.

Quote:

Originally Posted by UNKNOWNFILE

A guy called Adam Gashlin is sharing his web space with me. I am not able to get activity logs from the host unless I ask Adam first.

What about my other questions? If you know who knew about your script, it could definitely help figure out who was doing this. (You should also ask Adam for activity logs.)