Server crash

[sv3nx]

Someone has found an a exploit and I don't know how to block the user :S

After myusername connects the server simply crashes.

2011-01-12 23:35:54.140 1 => <115:myusername(-1)> Authenticated

2011-01-12 23:35:54.507 SQL Error [sELECT `user_id` FROM `users` WHERE `server_id` = ? AND `name` like ?]: LIKE or GLOB pattern too complex Unable to fetch row

 

I'm running Debian 5.0.6, Murmur 1.2.2

How can I ban IP range?

[gameframe]

Im hosting also popular public murmur server and it started to crash suddenly. It´s the same script kid that is crashing my mumble servers. I think i will also email to kid´s ISP abuse as this exploit is denial of service.

1 => <10:(-1)> New connection: 88.153.226.76:37131

1 => <10:(-1)> Client version 1.2.2 (X11: Compiled Feb 9 2010 17:44:13)

1 => CELT codec switch 0 ffffffff8000000f (prefer 0)

1 => <10:myusername(-1)> Authenticated

ibprotobuf ERROR google/protobuf/wire_format.cc:1059] Encountered string containing invalid UTF-8 data while parsing protocol buffer. Strings must contain only UTF-8; use the 'bytes' type for raw bytes.

SQL Error [sELECT `user_id` FROM `users` WHERE `server_id` = ? AND `name` like ?]: LIKE or GLOB pattern too complex Unable to fetch row

The IP address listed above is from that kid. To ban single IP is useless as scriptkid has dynamic ISP. Therefore i already did RIPE query to blacklist whole ISP as i have no need to allow german users. To blacklist the kid by firewall is simple:

iptables -A INPUT -s 88.152.0.0/15 -j REJECT

If you just want to blacklist this range to only to your mumble server, then syntax is as follows:

iptables -A INPUT -s 88.152.0.0/15 -p tcp --dport 6650 -j REJECT

Assuming your mumble is hosted on port 6650, just replace that subnet range by single IP if you just want to ban that IP.

Hopefully murmur dev. team will fix this issue fast as firewall based block is only a temporary solution.

[sv3nx]

Thanks for quick reply gameframe

It looks like the attack is coming from similar range. He has connected from 88.153.226.76 and crashed our server twice.

[gameframe]

Some more information regarding this issue, it´s now obvious that this exploit applies only to public mumble servers as i dont see crashes for password protected servers.

Hopefully someone can provide more information as well.

[gameframe]

Thanks for quick reply gameframe

It looks like the attack is coming from similar range. He has connected from 88.153.226.76 and crashed our server twice.

 

No problem, i really do hate these guys ...

[kissaki]

Some more information regarding this issue, it´s now obvious that this exploit applies only to public mumble servers as i dont see crashes for password protected servers.

Maybe the exploiter will only troll with the servers in the public server list!?

He just won’t see or find any pwed servers.

There’s a known exploit which has been fixed long ago.

You could try running RC1 or the latest snapshots of Murmur to prevent further exploiting.

(Not sure if yours is actually that exploit though.)