Illegal password access
#1
I had someone use my rcon password on the uT server illegally and I shut it down to investigate.
Can anyone scan Holdout's logs for IP 66.136.201.29 and see who it is?? Can you scan the
forum logs too for members with this IP? I am on the warpath :angry: This is Operation Broken Covenant!
Please help Gwar, GRITS and Stefan. I am going full throttle on this mofo. Here is my trace:
NeoTrace Trace Version 3.25 Results
Target: 66.136.201.29
Date: 6/12/2003 (Thursday), 8:49:15 PM
Nodes: 17


Node Data
Node Net Reg IP Address Location Node Name
1 - - 192.168.49.234 Memphis saturn
2 1 - 192.168.49.1 Unknown
3 2 1 216.37.82.1 Unknown net-216-37-82-1.in-addr.worldspice.net
4 2 2 216.37.64.129 Unknown net-216-37-64-129.in-addr.mrep.net
5 3 3 63.150.224.5 Kansas City kcm-edge-02.inet.qwest.net
6 4 3 205.171.29.41 Kansas City kcm-core-02.inet.qwest.net
7 4 3 205.171.8.141 Unknown dal-core-02.inet.qwest.net
8 4 3 205.171.25.50 Unknown dal-brdr-02.inet.qwest.net
9 5 4 144.232.19.213 Fort Worth sl-bb22-fw-8-0.sprintlink.net
10 5 4 144.232.11.33 Fort Worth sl-bb27-fw-12-0.sprintlink.net
11 5 4 144.232.11.65 Fort Worth sl-gw39-fw-1-0.sprintlink.net
12 6 4 144.228.130.186 Unknown sl-swb-58-0.sprintlink.net
13 7 5 151.164.240.233 Unknown bb1-p14-0.rcsntx.sbcglobal.net
14 7 5 151.164.243.14 Unknown bb1-p5-0.austtx.sbcglobal.net
15 7 6 151.164.20.248 Austin dist1-vlan40.austtx.swbell.net
16 7 6 151.164.20.80 Austin rback5-fa2-1.austtx.swbell.net
17 8 6 66.136.201.29 Austin adsl-66-136-201-29.dsl.austtx.swbell.net


NeoTrace Trace Version 3.25 Results
Target: 66.136.201.29
Date: 6/12/2003 (Thursday), 8:52:21 PM
Nodes: 17


Node Data
Node Net Reg IP Address Location Node Name
1 - - 192.168.49.234 Memphis saturn
2 1 - 192.168.49.1 Unknown
3 2 1 216.37.82.1 Unknown net-216-37-82-1.in-addr.worldspice.net
4 2 2 216.37.64.129 Unknown net-216-37-64-129.in-addr.mrep.net
5 3 3 63.150.224.5 Kansas City kcm-edge-02.inet.qwest.net
6 4 3 205.171.29.41 Kansas City kcm-core-02.inet.qwest.net
7 4 3 205.171.8.141 Unknown dal-core-02.inet.qwest.net
8 4 3 205.171.25.50 Unknown dal-brdr-02.inet.qwest.net
9 5 4 144.232.19.213 Fort Worth sl-bb22-fw-8-0.sprintlink.net
10 5 4 144.232.11.33 Fort Worth sl-bb27-fw-12-0.sprintlink.net
11 5 4 144.232.11.65 Fort Worth sl-gw39-fw-1-0.sprintlink.net
12 6 4 144.228.130.186 Unknown sl-swb-58-0.sprintlink.net
13 7 5 151.164.240.233 Unknown bb1-p14-0.rcsntx.sbcglobal.net
14 7 5 151.164.243.14 Unknown bb1-p5-0.austtx.sbcglobal.net
15 7 6 151.164.20.248 Austin dist1-vlan40.austtx.swbell.net
16 7 6 151.164.20.80 Austin rback5-fa2-1.austtx.swbell.net
17 8 6 66.136.201.29 Austin adsl-66-136-201-29.dsl.austtx.swbell.net
Reply
#2
How did they get the pw? I read the thing on rcon from the SDK; it sounded really easy to catch if you listen to incoming data on the server's port with some sort of tool, but otherwise it looks like guesswork.

Quote: Revised 1/3/2001 ywb -- Added new rcon protocol info:

Note to those writing remote admin programs that issue rcon commands (the in-client rcon commands work as before), you will need to change your rcon tools to use the following revised protocol.

Remote App sends a UDP packet to the server on the server's port (e.g., 127.0.0.1:27015):

The packet should start with 4 consecutive bytes of 255 (32-bit integer -1) and the string:

"challenge rcon\n".

The server will respond to the requesting system on the purported remote IP address and port with four 255's and:

"challenge rcon number\n" where number is an unsigned int32 number.

To issue the actual rcon, the remote App then responds with a UDP packet containing 4 255s and:

"rcon number \"password\" rconcommands" where password is the rcon_password ( should be enclosed in quotes as noted so that multiple word passwords will continue to work ), number is the unsigned int32 number received from the server and rconcommands is the actual rcon command string.

If the remote App fails to send the appropriate challenge number, waits too long to send the challenge, or uses an invalid password more than a few times in the course of a few seconds, the remote App will be assumed to be malicious and the actual ip address used by the remote host will be permanently and automatically banned from the server (as with the addip command).  You can use listip to see the list of banned ip addresses on a server.
Reply
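The challenge/response exchange quoted above, modelled end to end as an added example (this is not code from the thread, the SDK, or the Half-Life engine). Both sides run in one process with packets passed as bytes, so it runs offline. The status names, the 30-second challenge lifetime, the "more than 3 bad passwords in 5 seconds" ban threshold and the single-use challenge are this example's assumptions; the SDK text only says "waits too long" and "more than a few times". It also shows why the reply above calls sniffing "really easy": the password travels in clear text in the third packet.

```python
# Added example: both sides of the SDK's challenge/response rcon protocol,
# simulated in-process (no sockets). Status names, the challenge lifetime
# (30 s) and the ban threshold (more than 3 bad passwords in 5 s) are this
# example's assumptions, not values from the SDK text.
import re
import secrets
from collections import defaultdict, deque

HEADER = b"\xff\xff\xff\xff"  # four bytes of 255 == int32 -1
RCON_RE = re.compile(rb'^rcon (\d+) "([^"]*)" (.*)$', re.S)

def build_challenge_request() -> bytes:
    """Client step 1: ask the server for a challenge number."""
    return HEADER + b"challenge rcon\n"

def parse_challenge_reply(packet: bytes) -> int:
    """Client step 2: pull the uint32 challenge out of the server's reply."""
    m = re.fullmatch(rb"challenge rcon (\d+)\n", packet[4:])
    if not packet.startswith(HEADER) or not m:
        raise ValueError("not a challenge reply")
    number = int(m.group(1))
    if number > 0xFFFFFFFF:
        raise ValueError("challenge is not an unsigned int32")
    return number

def build_rcon_packet(challenge: int, password: str, command: str) -> bytes:
    """Client step 3: the password is quoted so multi-word passwords survive."""
    return HEADER + b'rcon %d "%s" %s' % (challenge, password.encode(), command.encode())

def sniff_password(packet: bytes):
    """What anyone listening on the server port sees: the password is sent
    in clear text, so one captured rcon packet gives it away directly."""
    m = RCON_RE.match(packet[4:]) if packet.startswith(HEADER) else None
    return m.group(2).decode() if m else None

class RconServer:
    def __init__(self, rcon_password, *, max_failures=3, window_s=5.0,
                 challenge_ttl_s=30.0, rng=lambda: secrets.randbits(32)):
        self.password = rcon_password
        self.max_failures = max_failures        # "more than a few times"
        self.window_s = window_s                # "in the course of a few seconds"
        self.challenge_ttl_s = challenge_ttl_s  # "waits too long"
        self.rng = rng                          # injectable for deterministic tests
        self.challenges = {}                    # (ip, port) -> (number, issued_at)
        self.failures = defaultdict(deque)      # ip -> times of bad passwords
        self.banned = set()                     # what listip would show

    def _ban(self, ip):
        self.banned.add(ip)
        return ("banned", None)

    def handle(self, src, packet, now):
        """Process one datagram from src=(ip, port); returns (status, reply)."""
        ip, _ = src
        if ip in self.banned or not packet.startswith(HEADER):
            return ("dropped", None)            # banned hosts get no answer
        body = packet[4:]
        if body == b"challenge rcon\n":
            number = self.rng()
            self.challenges[src] = (number, now)
            return ("challenge", HEADER + b"challenge rcon %d\n" % number)
        m = RCON_RE.match(body)
        if not m:
            return ("dropped", None)
        number, password, command = int(m.group(1)), m.group(2).decode(), m.group(3)
        issued = self.challenges.get(src)
        if issued is None or issued[0] != number:
            return self._ban(ip)                # wrong or missing challenge
        if now - issued[1] > self.challenge_ttl_s:
            return self._ban(ip)                # challenge too old
        if password != self.password:
            q = self.failures[ip]
            q.append(now)
            while q and now - q[0] > self.window_s:
                q.popleft()
            if len(q) > self.max_failures:
                return self._ban(ip)            # brute force -> addip
            return ("bad_password", None)
        del self.challenges[src]                # challenge is single-use here
        return ("ok", command)

def demo():
    """Legit client, then an attacker replaying a sniffed packet."""
    srv = RconServer("open sesame")
    client, attacker = ("10.0.0.5", 27000), ("10.0.0.9", 27000)
    _, reply = srv.handle(client, build_challenge_request(), now=0.0)
    pkt = build_rcon_packet(parse_challenge_reply(reply), "open sesame", "status")
    ok = srv.handle(client, pkt, now=1.0)
    leaked = sniff_password(pkt)                # the password, in the clear
    # Replaying the captured packet from another host: no challenge was
    # issued to that address, so the server bans it instead of running it.
    replay = srv.handle(attacker, pkt, now=2.0)
    return ok, leaked, replay, sorted(srv.banned)

if __name__ == "__main__":
    print(demo())
```

The challenge stops a captured packet from being replayed from another address and makes blind guessing from a spoofed source impossible, but it does nothing for confidentiality: `sniff_password` recovers the password from the third packet as-is, which is the point the reply above makes about listening on the server port.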
#3
I will scan the logs and get GB to look at the forums.
sorry I know how it feels
Reply
#4
Done, check your PM, PIX.
Reply
#5
Call swbell in austin texas and report adsl-66-136-201-29 to his ISP:)

Just hope his IP is static.
Reply
#6
it was me...omg! I thought you were afk so I left...lol sorry PIX!
Reply
#7
GAWD!!
Well, I kept scanning who was in there and didn't see anyone familiar, so I said... that's it... shutdown time to be safe.
I kept thinking, who do I know in Texas??? Don't scare me like that. I had a lockdown and changed everything. I even locked
your IP out of the forums.... LOL. Ya can't scare Network Engineers like that.... PHEW!! We tend to overreact.
I was getting weird messages in my console when this happened and that freaked me out. There is the problem of you joining other servers and enacting the exec adminpass.cfg file and them having your passwords to adminmod for our server.
Sorry ol' chap. I think I'm gonna go have A LOT of vodka now. :wacko:

Tks GRITS.

PS: Sorry 'bout the huge DoS attack I let go on your IP from the DS-3. I hope it didn't make it. ;)
Reply
#8
OMG that was what happened??? Jesus christ...I thought my system had spazzed big time!
Reply
#9
DS-3 vs. what, a modem? Hmmm, I don't even know if my original DSL connection could handle that for long. hehe....
Reply
#10
Speaking of passwords, do I have admin yet on the uT server, PIX? And how does it work? I've never been admin.
*-=][_=-*
Reply
#11
I have posted it for you guys. How to use it is listed by someone else there too.
Reply

