Luigi Auriemma

Hey there,

I belong to a SWAT 4 clan who play SWAT 4 1.0. Recently we had a guy coming to our server, being racist, insulting players, women etc breaking all the rules and genrally trying to cause problems. After trying to reason with him eventually we were forced to ban him from the server. Since then he has continued to cause endless problems by hacking and crashing our server even though we have range bans in place.

I come to you really to beg for your assistance, our clan has 100+ members who cannot really play with this guy causing so many problems. We can handle anyone crashing things from within the server but remote crashing is a different story.

Do you have any patches or can you offer any advice to us in order to stop his ability to crash our server. Really we are just normal people trying to enjoy ourselves and this guy is not a very nice character at all. I apprecaite you probably have better things to do with your time but if you could help us you would have the endless gratitude of over 100 people from all over the world.

Anyhow is there anyway you can help us with our problem?

Thanks in advance.

I have released a patch for the dedicated server of SWAT 1.1 just 5 minutes ago, have you checked it?

http://aluigi.org/patches.htm#swat4

My friend I have just seen it, I can't begin to tell you how grateful I am if it works. We run SWAT 1.0 but hopefully it will still work. Thank you so much, I'll let you know how we get on.

why you use the 1.0 version instead of the 1.1?
I have read the changelog of swat4 1.1 and it's written that there are various things which have been fixed (they talk even about "exploits" but I guess it's something cheating related) so as usual should be respected the rule of "the latest is better" and upgrading to 1.1 (moreover because for sure my second fix can't be applied on 1.0).

P.S.: I'm sorry if you have had problems for all this months but obviously if you contacted me sooner I fixed it sooner while another person asked me for a fix only this morning.

Hey,

The main reason we use SWAT 1.0 rather than 1.1 is because more people play using SWAT 1.0 so our server is more full. If we upgraded to 1.1 our server would be empty a lot of the time so unfortunately we have to stick with 1.0.

I have followed the instructions and applied the patches anyway to both files. I can only hope that they are in some way successful. I greatly appreciate any work you have put in, you have done a great service to a lot of people if these fixes in some way work. I did read that you would not consider creating fixes for 1.0 so I shall not ask you to do so. I shall just continue to apply the 1.1 patches and I will let you know how we get along.

Thanks very much for your attention.

if when you have applied the patches you have received a success message like:
means that the patch has been applied and, for the case of these 2 swat4 patches, means that they are correct exactly like with swat4 1.1.

while if you received a message like:
means that the patch has not been applied (so you are still vulnerable).

Excellent, I received positive messages from both patches so hopefully they both worked. We will try it out for 24 hours and I'll let you know how we get along.

Thanks again.

Finally installed the fix after some issues with our server owning company and their file uploader not working. Has been 15 hours and everything ok so far. Thanks again

perfect.
very lucky that both 1.0 and 1.1 shared the same parts of code I fixed :)

It seems at the moment that the hacker can't crash the server anymore but can still raise the pings artificially. I don't suppose you have any kind of solution to this problem either? The crash fixes though seem to be working great, at least he hasn't crashed it yet.

well depends ever by what has been used to raise this ping.
maybe it's an effect of the fake players bug, have you verified if you can see something "strange" in the console of the server of swat4?
maybe too much logins or similar

I can't see anything in the admin console no, I'm not sure what he is using at all im afraid. What would I be looking for to identify the method? bear in mind I really have no idea about any of this.

if the console shows nothing of strange it could be a flooding of udp packets on the game's port but in any case these are only blind hypothesis because the "raising of the pings" intended as a slowness of the connection can be obtained saturating the bandwidth of the server.
maybe try to run a sniffer on the server when it's empty and check if there is a bit network activity (for example there are no players on the server but you see 1000 packets per second)

anyway if the attack is the fake players one you can use the simple playerslimiter project which allows only one player from the same IP:

http://aluigi.org/patches/playerslimiter.zip

(the project is not indexed on my website because I consider it something between a work-around and an experimental project).
in attachment you find the packet.dat file to use for swat4.

try it and check if the problem persists and moreover if there are no negative side-effects for the other players.

It seems the attacks have stopped, perhaps because now he can't crash the server remotely the raising pings hack doesn't satisfy his desire for destruction enough and he has given up. So for the moment we will hold back on trying this as we do have large groups of people coming and playing quite regularily from netcafes with the same ip. Should the attacks restart though we will try it and I'll let you know the results.

Good to know there is something to protect us should we have the problem, I've downloaded the files just in case. Thanks for all your help, you are a hero to our group now ;)

Hey,

I come asking for assistance again, we had several sweet days of no crashes thanks to your fix. However today we had a crash mid game unlike any crash before. Normally when the server crashes it restarts automatically and if not I can go into my zebgames (server provider) control panel and restart it manually. This time however I went into zebgames control panel and the server status was listed as 'unknown' and with that status I have no option to restart or stop or do anything with the server. I have contact zebgames to ask them how this happened. Just wanted to ask your opinion as after the crash we had threatening messages posted on our webpage....

"Anonymous - You have to stop, now."

Then 1 minute later

"Anonymous - Just remember every step you take I am 10 steps ahead"

Obviously trying to frighten us, but I presume the server crash was his work. Do you have any idea how he did it? Or any idea how we could plug this vulnerability?

Thanks

just in this moment I have finished to heavily stress and test my local swat4 test server with various malformed commands and it's still up and running.

anyway one of the good things of the Unreal engine is that it's enough verbose with the errors and the messages, indeed it shows even the single commands received from the clients.
so in any case you MUST watch in your log file because if it's a non-casual bug should exist some traces there.

then how much times happened this crash? only one of continuously?
if it happened only one time and very far from the last restart of the server it's probably a casual bug and not a security issue.

Have just communicated with our server hoster, they have told us that their entire Atlanta server is down, which means ours and many others. So this crash is obviously now attacking the whole hosting company and not just us.

I think because of your fixes he was frustrated at not being able to hurt us and so has taken it so far he has crashed our hosting companies entire server someway, either through doing something to our server or doing something to them directly. So probably not a SWAT related problem at all as it seems so extreme.

We are trying to ask our hosting company for info on what happened, but because they regard it as an issue with their server and not ours they won't tell us.

Now that our hosting company is involved this has become more serious, from DOS to a single clan to DOS of an entire hosting company. Which is obviously a federal crime in the US, so with any luck if he continues doing whatever he is doing our hosting company will take measures.

If we get any information from our hosting company then I'll post here and see what you think. In the meantime I hope this was a one off.

ehmmm isn't more probable that it's an hardware problem?
this type of problems is common on machines which are active the 100% of their time so I see nothing strange.

I would completely agree with you, the only reason I am thinking hacking foul play is because of the threatening messages posted on our site 1 minute after the crash occured. As I stated above.

Of course the hacker might have used the crash as an opportunity to make us think he did something. I don't know, we will find out soon enough as if it was him who did something then he will presumably do it again.

exactly, that type of attitude of that person is normal: be happy of the problems of your enemy and let he think you were the cause.

anyway we will wait the official response of the hoster although usually in case of security problems the hosters have reticence in talking about the real cause, but as already said it's for sure a classical hardware problem.

Ok man, well I trust what you have to say re: the hardware problem, you obviously know your stuff. I hope you are correct.

I do pity the guy, he was treated kindly by us initially and can only respond with hate and venom. He spends his time trying to cause hurt to people who are not remotely interested in him. For someone locked into such indulgent routines of internal dialogue you can only ultimately feel pity.

By the way I read your 'about' section and I absolutely loved it.

Hmm has now happened 4 more times, so I'm pretty sure its the hacker. Hopefully our hosting company will be able to do something.

We have the guy posting messages on our site so it is pretty clear he is responsible for the problem now. It keeps happening again and again and this guy hovers on our clan shoutbox immediately afterwards so he can see the distress he causes.

We have had two range bans go mysteriously missing from our ban list in the last 3 days. Earlier today I range banned the hacker in question when he came onto our server to cheat. Now only 2 hours later his ban has dissapeared from the list. Is there a way to remove a ban from a SWAT4 server? I am wondering if this means of access is how he is causing problems

I have never tested swat4 1.0 so it could be affected by other old vulnerabilities like unrcrash or the unreal format string and various others (all bugs which I have tested in the previous test/stress session with my local 1.1 + swat4x1 and swat4x2 fixes) so if you remain with this old version and don't provide other proofs and logs I can do absolutely nothing.

Ok fair enough, we have spoken to our hosting service and they claimed to have a grip on the problem now. So hopefully it will be over.

The unbanning isn't a major problem, I was just curious really. Thanks all the same.

Hey man,

I've just been trying to install the player limiter fix, can I just confirm with you what I should have done as I'm extremely undeducated in such things...

I copied the example swat4packet.dat to the contents/system directory of the server, and renamed it packet.dat.

Then I copied the myproxocket.dll file the the same directory. I didn't copy the myproxocket.c file to the same directory as the instructions did not say to do so. I presume this is correct?

Then I downloaded the program you listed and copied the ws2_32.dll file to the same contents/system directory

Is that it? I just had a sense that perhaps I had missed something out somewhere as I wasn't sure how just copying some files would be effective. Although like I said I'm not all that educated in such matters.

We have just been experiencing another sequence of crashes, different to those that have come before, this crash is like the original remote crashing but the server does not restart automatically, which it used to do with the crashing previously. I have to use the hosting companies control panel to restart it.

I've changed the swat4dedicatedserver.ini to create a chatlog and I am aware of another file in the game directory called the SWAT4.log, however this file doesn't appear to have been updated in a long time. Can you tell me which logs you would need to understand what is going on with these crashes? and if they aren't already being created or updated how I would go about making the server automatically update or create these logs?

Sorry for being clueless, I am literally just learning as I go and really have no idea about these things.

Thanks in advance for your help.

Also it seems, whenever these new crashes happen the two range bans im putting in to stop the hacker joining the server always dissapear, so presumably those events are linked somehow.

seems that the playerlimit thing has been applied correctly, the important thing is that all the files are in the same folder of Swat4DedicatedServer.exe.
you can verify it with the unrealfp proof-of-concept:

http://aluigi.org/fakep.htm#unrealfp

for the log I don't know what to tell you, here it's created immediately when Swat4DedicatedServer.exe is launched so I guess you have some different setting in your Swat4DedicatedServer.ini file

Aaah it would be the SWAT4dedicatedserver.log file then that you would need to see? I can see that one and it has been updated.

This file appears to start new every time the server is restarted, the next time it crashes I will copy the file before I have restarted the server and post it here. Thanks