How did they get the pw? I read the thing on rcon from the SDK, it sounded really easy to catch if you listen to incoming data on the server's port with some sort of tool, but otherwise it looks like guesswork.
Quote:Revised 1/3/2001 ywb -- Added new rcon protocol info:
Note to those writing remote admin programs that issue rcon commands (the in-client rcon commands work as before), you will need to change your rcon tools to use the following revised protocol.
Remote App sends a UDP packet to the server on the server's port (e.g., 127.0.0.1:27015):
The packet should start with 4 consecutive bytes of 255 (32-bit integer -1) and the string:
"challenge rcon\n".
The server will respond to the requesting system on the purported remote IP address and port with four 255's and:
"challenge rcon number\n" where number is an unsigned int32 number.
To issue the actual rcon, the remote App then responds with a UDP packet containing 4 255s and:
"rcon number \"password\" rconcommands" where password is the rcon_password ( should be enclosed in quotes as noted so that multiple word passwords will continue to work ), number is the unsigned int32 number received from the server and rconcommands is the actual rcon command string.
If the remote App fails to send the appropriate challenge number, waits too long to send the challenge, or uses an invalid password more than a few times in the course of a few seconds, the remote App will be assumed to be malicious and the actual ip address used by the remote host will be permanently and automatically banned from the server (as with the addip command). You can use listip to see the list of banned ip addresses on a server.