New Agentserver crash exploit? (DoS)

Wismo · Apr 25, 2012

Hello,

i noticed that someone is crashing our servers. He is sending packets to our Server. Maybe we can discuss what can be wrong with the agentserver and how to fix it.

here a part of the logs:

Code:

"...
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! MsgID[0x6101] IP[178.33.225.84]
2012-04-25	15:09:48	[AgentServer]	WARNING!! A SUSPECT DETECTED!!! ..."

/discuss

Edit: I know that the packed 0x6101 is to request the serverstats.

Chern0byl · Apr 25, 2012

v188/v193 or other ?

Wismo · Apr 25, 2012

v188

These are the 2 OPCodes that got sended to our server:

LoginClientServerListReq = 0x6101
LoginClientAuth = 0x6102

Thank you!

TryToMakeServer · Apr 25, 2012

you can nop that error, i did myself too.

Wismo · Apr 25, 2012

This causes an Servercrash if it appear to often. I had it like 500-600 times in an second.

I changed now our firewallsettings to limit the source connections. Now the agendserver isnt crashing anymore.

Chern0byl · Apr 25, 2012

You must be registered to see links

SnapPop · Apr 25, 2012

Chern0byl said:
You must be registered to see links

many thanks for you alex :thumbup1:

Wismo · Apr 25, 2012

Chern0byl said:
You must be registered to see links

Nice! Can you say what you changed?

Is it tested?

Thank you!

sladlejrhfpq · Apr 26, 2012

Wismo said:
Nice! Can you say what you changed?

Is it tested?

Thank you!

1st Thank you
2nd:

PHP:

         old new
00001EA2: E8 90
00001EA3: 59 90
00001EA4: 25 90
00001EA5: 03 90
00001EA6: 00 90
00001ED2: E8 90
00001ED3: 29 90
00001ED4: 25 90
00001ED5: 03 90
00001ED6: 00 90
00001F00: E8 90
00001F01: FB 90
00001F02: 24 90
00001F03: 03 90
00001F04: 00 90
00001F19: E8 90
00001F1A: E2 90
00001F1B: 24 90
00001F1C: 03 90
00001F1D: 00 90

myShinichi · Jun 14, 2012

I got error:

Z:\Server\AgentServer_no_xtrap2.exe is not a valid Win32 application.

How to fix that ?

Thanks !

collerok · Jun 16, 2012

File is damaged, try re-download it.

mirceagab · Jul 31, 2012

If someone has the program can you please re-upload it ?

K4bo · Jul 31, 2012

You must be registered to see links

can i have a like?

mirceagab · Jul 31, 2012

I would if it wouldnt be filled with trojans...

K4bo · Aug 1, 2012

trojans? well, i'm working with it
and i'm using rising anti virus so it doesn't say anything but this is the agentserver noxtrap

Maliq · Aug 4, 2012

It is no surprise the files were altered prior to release! I requested clean copies of them exactly for that reason. Someone, possibly the uploader or releaser has been fiddling with the files by injecting asm and causing them to malfunction.

RevoLand · Aug 4, 2012

Maliq said:
It is no surprise the files were altered prior to release! I requested clean copies of them exactly for that reason. Someone, possibly the uploader or releaser has been fiddling with the files by injecting asm and causing them to malfunction.

If you dont trust us feel free to use "Log Out" button.

fegoabi · Aug 13, 2012

can u upload again?

paltalkadel · Sep 10, 2012

uploaaaaaaaaaad

F50 · Sep 23, 2012

can you upload it again

New Agentserver crash exploit? (DoS)

Newbie Spellweaver

c#

Newbie Spellweaver

Junior Spellweaver

Newbie Spellweaver

c#

Skilled Illusionist

Newbie Spellweaver

Developer

Junior Spellweaver

Newbie Spellweaver

Junior Spellweaver

Experienced Elementalist

Junior Spellweaver

Experienced Elementalist

Newbie Spellweaver

Initiate Mage

Newbie Spellweaver

Banned

Newbie Spellweaver

About Us

Online statistics

Forum statistics

RaGEZONE Sponsor