Server owners, be aware.

**nickos3** · 12-02-2015, 07:15 AM

Besides the Game Server sockets flood that's going on for the last couple of months and it's daily noticed on ProfessionalKO, there's also a MS-SQL Server attack taking place that started 1 month ago.

The attacker is using more than one VPS (or, there are more than one attacker) with proxy services and the machine is using Linux OS.
They use NMAP to retreive the server information and then they start attacking through MSSQL_Login with a simple file they have, which is a full list of generated names/passwords (Brute-force attack).

Our block list already counts more than 1000+ blocked IPs, that means, everything they do is automatic, including the IP changes.

Why am I creating this topic on G4L ? Because there's no development forum in english anymore to post in there AND because they managed to find our MS-SQL Admin name/password two weeks ago. The bad news; they placed a PHP Backdoor Shell on our Web-Server. The good news; they couldn't harm us as every sql user including admin are having restricted power on our Game Database and the malware was detected and deleted right away from our Anti-Virus that's active 24/7.

I should create this topic two weeks ago, when this happened, but I felt this could be unnecessary because there aren't many known and old servers to be taken down or hacked anyways. But, since they're still trying to brute-force our passwords 30 days after they started, I feel that now it's necessary for others to know.

There's a suspect who's -luckily to us- detected (either a proxy IP change 'bug' or his own-manual mistake) but since we're attacked from more than one VPS at the same time and since there's no proof that could be used publicly, I can't name people.

To the point of this topic:

1. Use multiple SQL and Windows users with restricted power, for everything you're running (Web-Server, SQL Server, Game Files).
2. Install a premium Anti-Virus.
3. Keep changing your information, often.
4. Keep monitoring your web, sql, windows and game logs at least once in a day.

Pretty much, whatever allows you to change/restrict it, do it. And not to think "I'll leave this as it is, who's going to harm me ? and why me?" even if your game is low-populated. If you don't know how to ? Google & Firewalls, folks.

**twostars** · 12-02-2015, 09:54 AM

And only allow specific services (as absolutely necessary) access to the outside world?
Why can people even connect to MSSQL from the outside?

**razor** · 12-02-2015, 10:40 AM

Willing to bet that grobar is somehow involved. Always seems to be the case in all of these server hazard topics lol.

**Cortex** · 12-02-2015, 11:31 AM

you can try Anti DDoS Software for 64 | 32 bits Windows Servers Free Downloads! ?

**nickos3** · 12-02-2015, 01:02 PM

Originally Posted by twostars

And only allow specific services (as absolutely necessary) access to the outside world?
Why can people even connect to MSSQL from the outside?

Due to router issues, if you're connected via RDP shit and you're disconnected from internet, everything's going to freeze.

**Vincents** · 12-02-2015, 01:08 PM

shame .

**Vincents** · 12-02-2015, 01:09 PM

Originally Posted by twostars

And only allow specific services (as absolutely necessary) access to the outside world?
Why can people even connect to MSSQL from the outside?

Don't be stupid, everyone knows players need to connect to the SQL SERVER!

In other news, nice to see you're alive, on the count of

[6:49:02 AM] Bijit Chakraborty: bro you know twostar news ? why he close snoxd
[6:49:12 AM] Bijit Chakraborty: some one told me he is dead in car accdent

**nickos3** · 12-02-2015, 01:10 PM

Originally Posted by Vincents

shame .

Oh, hai Vincents!.

**Vincents** · 12-02-2015, 01:16 PM

Originally Posted by nickos3

Oh, hai Vincents!.

What's up!

Nice to see my security guide prevented some damage to your server, keep up the good work!

**ReesesPieces** · 12-02-2015, 04:19 PM

RIP Twostars.

**Vincents** · 12-02-2015, 05:21 PM

Originally Posted by ReesesPieces

RIP Twostars.

**Fish** · 12-02-2015, 08:09 PM

lol... that's not so funny.

**Sephiroth** · 12-02-2015, 08:30 PM

why not lock the SA account or any other with a high level of privileges, logins based on x amout of failed login attempts, say 30 minutes? that really puts a limit on brute forcing passwords.

**Vincents** · 12-05-2015, 06:31 PM

Originally Posted by Sephiroth

why not lock the SA account or any other with a high level of privileges, logins based on x amout of failed login attempts, say 30 minutes? that really puts a limit on brute forcing passwords.

or rename it all together