Teamspeak Got Hacked

Derotta99

Member
May 11, 2016
3
0
33
Good Day

I would like to ask a question about my server; maybe R4P3 is able to help, since you work a lot with bugs and exploits.

My server got hacked last night, and the guy said that he used a web interface like cPanel to get access; according to him it was an exploit for TeamSpeak server licence 3.0.13.3 and lower.
So I upgraded my license to 3.0.13.8, and he attacked and got access again after a few hours.

Does anyone know what the problem might be and how he is doing this?

My license is an NPL
Running CentOS 6 64-bit

Please help me, it is urgent; the guy is requesting money to stop.

Thanks in advance
Derotta99
 

Alligatoras

Administrator
Mar 31, 2016
2,570
12
2,857
381
If the server is yours, just stop it and then restart it with a new query password!
https://support.teamspeakusa.com/in...how-do-i-change-my-serverquery-admin-password
 

Derotta99

Quick question: if my server was still on the outdated license, restarting it with a new query password would not have helped, right?
Because I need to make sure this fixes the problem now.

Thanks
Derotta99
 

Alligatoras

Any server changes have nothing to do with the license.
 

HelloEvery

Member
Nov 26, 2016
42
19
41
Change the domain/IP of the server so he will have problems tracing you. After that, block the SSH port (22) and other useless ports (except 10011, 30033, 9987; afterwards you can change your query port) and learn to trust only your members. Finally, remember to run the TeamSpeak server as a user (add user USERNAME) and select a strong password for the root user/TeamSpeak Linux user; in some cases running a program as root is dangerous!

RECAPITULATING all in a clear list:

  • Change IP/Domain
  • Block port 22 or change it, except for your IP
  • Change Query password
  • Change TeamSpeak 3 ServerQuery port
  • Running TeamSpeak 3 server as root is a bad idea!
  • Always keep your TeamSpeak server up to date
  • (Optional) Select a good host with good anti-DDoS and who has his node secured
 

Derotta99

This is not a trust issue; this guy never had any power over my server.
Second, this is some kid from overseas seeking attention.
Also, I cannot just change my IP and notify 100 members easily.
Then, this was not a DDoS; the server did not even have a spike or go down.
Another thing is I have the newest version license.
And there was no login or access to my VPS; even the host checked.

This guy simply uses some exploit that I thought you guys maybe knew about.

<22:40:13> "Dean" was added to server group "Server Admin" by "Unknown from 41.108.242.213:50309".

That IP is a VPN
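
Added example, not part of any post in this thread: a small detector that scans log lines in the format quoted above and reports grants of a privileged server group made by an actor the log records only as "Unknown from IP:port". The group set, the trusted address and the sample lines other than the one quoted in the post are constructed assumptions.

```python
import ipaddress
import re

# <HH:MM:SS> "TARGET" was added to server group "GROUP" by "ACTOR".
GRANT_RE = re.compile(
    r'^<(?P<time>\d{2}:\d{2}:\d{2})> "(?P<target>.*?)" was added to '
    r'server group "(?P<group>.*?)" by "(?P<actor>.*)"\.\s*$'
)
# Actor logged as an address instead of a nickname, as in the quoted line.
ADDR_ACTOR_RE = re.compile(r'^Unknown from (?P<ip>[\d.]+):(?P<port>\d+)$')

SENSITIVE_GROUPS = frozenset({"Server Admin"})  # assumption: groups to alert on

# Constructed sample; only the 22:40:13 line comes from the thread.
SAMPLE_LOG = '''\
<22:31:02> "Dean" connected to channel "Lobby"
<22:38:47> "Mia" was added to server group "Member" by "Alice".
<22:40:13> "Dean" was added to server group "Server Admin" by "Unknown from 41.108.242.213:50309".
<22:52:10> "Bob" was added to server group "Server Admin" by "Unknown from 203.0.113.7:41822".
'''

def find_untrusted_grants(lines, trusted_ips=frozenset(), groups=SENSITIVE_GROUPS):
    """Return privileged-group grants made from addresses not in trusted_ips."""
    findings = []
    for line in lines:
        grant = GRANT_RE.match(line.strip())
        if not grant or grant["group"] not in groups:
            continue  # not a grant, or not a group we alert on
        actor = ADDR_ACTOR_RE.match(grant["actor"])
        if not actor:
            continue  # grant made by a named client; out of scope here
        try:
            ip = str(ipaddress.ip_address(actor["ip"]))
        except ValueError:
            continue  # malformed address, skip rather than guess
        if ip in trusted_ips:
            continue  # e.g. the admin's own management host
        findings.append({"time": grant["time"], "target": grant["target"],
                         "group": grant["group"], "ip": ip,
                         "port": int(actor["port"])})
    return findings

if __name__ == "__main__":
    # 203.0.113.7 is a constructed "trusted" management address.
    for f in find_untrusted_grants(SAMPLE_LOG.splitlines(), {"203.0.113.7"}):
        print(f'{f["time"]} {f["target"]!r} -> {f["group"]!r} from {f["ip"]}:{f["port"]}')
```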
 

KappaJoe

New Member
Jul 6, 2017
6
1
18
I have UFW configured to drop all incoming and outgoing connections by default.
I've allowed port 30033/9987, 80/443 for HTTP. Both in and out. I currently have port 22 open too but with Fail2Ban enabled and I'm tempted to block 22 as if my IP changes, I can use a web console supplied by my host.

With my IP allowed, I can still access port 10011 which is needed for the server query even though it's not configured to accept in the firewall.
 

HelloEvery

You can change the IP, but if you redirect the domain to the new IP you can easily handle the traffic to the new server IP.
 