sv3nx Posted January 13, 2011

Someone has found an exploit and I don't know how to block the user :S

After myusername connects the server simply crashes.

2011-01-12 23:35:54.140 1 => <115:myusername(-1)> Authenticated
2011-01-12 23:35:54.507 SQL Error [SELECT `user_id` FROM `users` WHERE `server_id` = ? AND `name` like ?]: LIKE or GLOB pattern too complex Unable to fetch row

I'm running Debian 5.0.6, Murmur 1.2.2

How can I ban an IP range?

gameframe Posted January 13, 2011

I'm also hosting a popular public Murmur server and it started to crash suddenly. It's the same script kid that is crashing my Mumble servers. I think I will also email the kid's ISP abuse as this exploit is a denial of service.

1 => <10:(-1)> New connection: 88.153.226.76:37131
1 => <10:(-1)> Client version 1.2.2 (X11: Compiled Feb 9 2010 17:44:13)
1 => CELT codec switch 0 ffffffff8000000f (prefer 0)
1 => <10:myusername(-1)> Authenticated
[libprotobuf ERROR google/protobuf/wire_format.cc:1059] Encountered string containing invalid UTF-8 data while parsing protocol buffer. Strings must contain only UTF-8; use the 'bytes' type for raw bytes.
SQL Error [SELECT `user_id` FROM `users` WHERE `server_id` = ? AND `name` like ?]: LIKE or GLOB pattern too complex Unable to fetch row

The IP address listed above is from that kid. Banning a single IP is useless as the script kid has a dynamic ISP. Therefore I already did a RIPE query to blacklist the whole ISP, as I have no need to allow German users. Blacklisting the kid by firewall is simple:

iptables -A INPUT -s 88.152.0.0/15 -j REJECT

If you just want to blacklist this range only for your Mumble server, then the syntax is as follows:

iptables -A INPUT -s 88.152.0.0/15 -p tcp --dport 6650 -j REJECT

Assuming your Mumble is hosted on port 6650, just replace that subnet range with a single IP if you just want to ban that IP.

Hopefully the Murmur dev team will fix this issue fast, as a firewall-based block is only a temporary solution.
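
Added example (not part of any post in this thread, and not Murmur project code): a Python script that scans a Murmur log for the two error lines quoted above, reports the source IP of the session that authenticated just before them, and checks that IP against an already-firewalled range. The function names, the sample log and the 192.0.2.10/alice session are constructed for illustration; attributing the error to the most recent "Authenticated" line is a heuristic based on the logs shown here.

```python
import ipaddress
import re

# Constructed sample in the format of the Murmur log lines quoted in this thread;
# 192.0.2.10 and "alice" are made-up values for a harmless session.
SAMPLE_LOG = """\
1 => <9:(-1)> New connection: 192.0.2.10:50112
1 => <9:alice(-1)> Authenticated
1 => <10:(-1)> New connection: 88.153.226.76:37131
1 => <10:(-1)> Client version 1.2.2 (X11: Compiled Feb 9 2010 17:44:13)
1 => <10:myusername(-1)> Authenticated
[libprotobuf ERROR google/protobuf/wire_format.cc:1059] Encountered string containing invalid UTF-8 data
SQL Error [SELECT `user_id` FROM `users` WHERE `server_id` = ? AND `name` like ?]: LIKE or GLOB pattern too complex
"""

CONN = re.compile(r"<(\d+):[^>]*> New connection: (\d{1,3}(?:\.\d{1,3}){3}):\d+")
AUTH = re.compile(r"<(\d+):([^>]*)\(-?\d+\)> Authenticated")
SIGNATURES = ("LIKE or GLOB pattern too complex",
              "Encountered string containing invalid UTF-8 data")

def find_crash_sources(log_text):
    """Return (ip, username, signature) for each crash signature, attributed
    to the session that authenticated most recently before it (a heuristic)."""
    ip_by_session, last_auth, hits = {}, None, []
    for line in log_text.splitlines():
        if (m := CONN.search(line)):
            ip_by_session[m.group(1)] = m.group(2)
        elif (m := AUTH.search(line)):
            last_auth = (m.group(1), m.group(2))
        elif last_auth:
            for sig in SIGNATURES:
                if sig in line:
                    sid, name = last_auth
                    hits.append((ip_by_session.get(sid, "unknown"), name, sig))
    return hits

def covered_by(ip, blocked_cidr):
    """True if ip falls inside a range that is already firewalled."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(blocked_cidr)

def read_log(path):
    # The offending name may not be valid UTF-8, so never decode strictly.
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

if __name__ == "__main__":
    for ip, name, sig in find_crash_sources(SAMPLE_LOG):
        state = "already blocked" if ip != "unknown" and covered_by(ip, "88.152.0.0/15") else "not blocked"
        print(f"{ip} ({name}): {sig} [{state}]")
```

If the log was rotated or the "New connection" line is missing, as in the first post's excerpt, the IP is reported as "unknown" rather than guessed.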

sv3nx Posted January 13, 2011

Thanks for quick reply gameframe

It looks like the attack is coming from similar range. He has connected from 88.153.226.76 and crashed our server twice.

gameframe Posted January 13, 2011

Some more information regarding this issue: it's now obvious that this exploit applies only to public Mumble servers, as I don't see crashes for password-protected servers.

Hopefully someone can provide more information as well.

gameframe Posted January 13, 2011

> Thanks for quick reply gameframe
> It looks like the attack is coming from similar range. He has connected from 88.153.226.76 and crashed our server twice.

No problem, I really do hate these guys ...

kissaki (Administrators) Posted January 14, 2011

> Some more information regarding this issue: it's now obvious that this exploit applies only to public Mumble servers, as I don't see crashes for password-protected servers.

Maybe the exploiter will only troll with the servers in the public server list!?
He just won’t see or find any pwed servers.

There’s a known exploit which has been fixed long ago.
You could try running RC1 or the latest snapshots of Murmur to prevent further exploiting.
(Not sure if yours is actually that exploit though.)