All Server Owners READ!!
Moderator: Core Staff
Re: All Server Owners READ!!
Is it possible to save the rcon password in a cfg in the main folder? Is the main folder inaccessible with the hack?
Re: All Server Owners READ!!
Stagno wrote: Is it possible to save the rcon password in a cfg in the main folder? Is the main folder inaccessible with the hack?
you can download pretty much all if you know the name of the file you want to get from the server.
that's why you need to rename your server.cfg to something random.
Edit: Drofder.
Please do not give hints at the method of it.
Removed some wording.
Re: All Server Owners READ!!
Well i wasn't even looking for the tool and still i got it. I had no interest in it at all. So the people who actually want it definitely will be able to get it.
Still 90% of the people don't know how to use it and let's keep it that way. That's why i don't find it smart to post all of this but w/e.
Re: All Server Owners READ!!
Hoogie wrote: Well i wasn't even looking for the tool and still i got it. I had no interest in it at all. So the people who actually want it definitely will be able to get it.
Still 90% of the people don't know how to use it and let's keep it that way. That's why i don't find it smart to post all of this but w/e.
The tool has built in instructions. The only instruction not provided is what I have edited from the posts above.
This has existed since 2008. This is NOT new, IW has no intention of fixing it, the tool is not going away, it is NOT a PURCHASE tool but a free tool made for bug analysis.
Educate the server owners (and server providers) and the tool will only be able to be used in its original use, bug testing and not hacking.

Re: All Server Owners READ!!
#1 and #4 - #12 are secure. i could get the server.cfg but the rcon wasn't working so gj on that.
try to talk with leviate now.
Re: All Server Owners READ!!
It took me like an hour to successfully hack my own servers...xD
The worst part is that you can download ANYTHING (if you know me you know why that pisses me off).
But I found a way to disable that, just set:
sv_allowdownload 0
sv_wwwdownload 1
in your cfg file, if you put your iwds on a webserver, players can still download them, but can't use the hack to download anything else.
Re: All Server Owners READ!!
Good Job if it works!
Re: All Server Owners READ!!
This does work, but the server must have a redirect ftp.

Re: All Server Owners READ!!
Well it doesn't work cause if you do that nobody can download the mod from the server.... so nobody can join :O
Re: All Server Owners READ!!
Husker wrote: Well it doesn't work cause if you do that nobody can download the mod from the server.... so nobody can join :O
Which is why you need redirect, so they download the mod off the internet, not the server.

Re: All Server Owners READ!!
MasterThomy wrote: It took me like an hour to successfully hack my own servers...xD
The worst part is that you can download ANYTHING (if you know me you know why that pisses me off).
But I found a way to disable that, just set:
sv_allowdownload 0
sv_wwwdownload 1
in your cfg file, if you put your iwds on a webserver, players can still download them, but can't use the hack to download anything else.

dunno why this doesn't work on my server... people keep downloading my cfg and making the good or the bad time in the server
and seems that you, husker, are involved......
Re: All Server Owners READ!!
KillerSam wrote: Why not just rename your config to something really random then? very easy fix.
i can't do that because i do not own the server. The gameservers are hosted by a hosting company that doesn't give me the rights to change the command line.
Re: All Server Owners READ!!
Drofder2004 wrote: To find the tools, you do need to know a little more information than what has been provided here.
Drofder2004 wrote: I was able to find, locate and use the tools successfully within an hour of being notified of the 'hack'.
Drofder2004 wrote: The tool has built in instructions.
About these posts, I would just like to bring up that with the information in this thread and NO knowledge of this hack beforehand, I was able to get it within 5 minutes by googling it. It does have built-in instructions, and it's quite scary how easily I was able to obtain it

The fix looks quite simple and seems to work (the dvar one, not the renaming one), and I would suggest doing this immediately for any server owners who haven't already done so. There does appear to be some error with the dvar one (as shown in the last few posts), but if it seems to work for others, I would suggest using that over the other one. I'd rather not explain here as to why the renaming one may still put you at risk because it would give an idea to hackers as to how to get around it, but I thought that I'd at least share my thoughts on this.
EDIT: Just thought I'd throw this in there. The author of the "hack" states that the renaming method makes you 100% safe from this hack. Only I think otherwise as of right now.
2nd EDIT: Within 30 minutes of finding the hack, I have successfully gotten an RCON password. I will be alerting the owner of the server as soon as I see them (since it's a server that I actually like), and I'm only posting this to personally confirm that it's extremely easy to understand how this hack works, and it's EXTREMELY important that any server owner who hasn't attempted a fix should do so IMMEDIATELY. That is all for now.
Re: All Server Owners READ!!
If we pretend it doesn't exist then those who have the tool, will use it freely without being stopped. If you provide awareness of the tool, then eventually the server admins (and hopefully, the server providers) will start to fix the problem by allowing people to change their command line (and if your server provider does not have custom or will not allow to change command line, point them in the direction of this thread or tell them to fuck off and get a better provider).
The renaming method is the best solution, the simple reason being you need the knowledge from the file names to be able to grab the files. To my knowledge there is no way of getting this information.
Of course changing the DVAR is the number one method because it simply stops the hack from working, but it also stops other things working... As long as you have redirectional downloads, this will always be the best way.
Re: All Server Owners READ!!
Drofder2004 wrote: Of course changing the DVAR is the number one method because it simply stops the hack from working, but it also stops other things working... As long as you have redirectional downloads, this will always be the best way.
I don't know why but the dvar thing didn't work for my server. One of my mates tried and can't download the server.cfg with sv_allowdownload 0 but people keep hacking (two times today)
so i finally realised that i can rename the server.cfg from ftp with the server already running. So they can't download anything.
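
Added example, not part of any post in this thread and not code from the game or the tool: a small Python check of a server config against the two fixes discussed above (sv_allowdownload 0 together with a web redirect, and a config file name that is not the default). sv_wwwBaseURL is the redirect URL dvar and is not named in the thread; the GUESSABLE_NAMES list, the file names and the sample configs are constructed for illustration.

```python
import re

# Matches `set|seta|sets name value` or a bare `name value`; value is quoted or one token.
DVAR_LINE = re.compile(r'^\s*(?:set[as]?\s+)?(\w+)\s+(?:"([^"]*)"|(\S+))', re.I)
GUESSABLE_NAMES = {"server.cfg", "config.cfg"}  # assumption: default-looking names


def parse_cfg(text):
    """Return {dvar name, lowercased: value}; a later assignment overrides an earlier one."""
    dvars = {}
    for line in text.splitlines():
        m = DVAR_LINE.match(line)  # lines that start with // never match
        if m:
            dvars[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return dvars


def audit(cfg_name, text):
    """List the gaps in the two fixes from the thread for one config file."""
    d = parse_cfg(text)
    findings = []
    if d.get("sv_allowdownload") != "0":
        findings.append("sv_allowdownload is not set to 0")
    elif d.get("sv_wwwdownload") != "1" or not d.get("sv_wwwbaseurl"):
        # The objection raised in the thread: without a redirect nobody can join a modded server.
        findings.append("downloads are off but no web redirect is set, so players cannot get the mod")
    if "rcon_password" in d and cfg_name.lower() in GUESSABLE_NAMES:
        findings.append(f"rcon_password is kept in a guessable file name: {cfg_name}")
    return findings


# Constructed sample configs, not taken from any real server.
WEAK = 'set rcon_password "example-only"\nset sv_allowdownload 1\n'
NO_REDIRECT = '// redirect forgotten\nset rcon_password "example-only"\nset sv_allowdownload 0\n'
HARDENED = NO_REDIRECT + 'set sv_wwwDownload 1\nset sv_wwwBaseURL "http://files.example.invalid/cod4"\n'

if __name__ == "__main__":
    for name, text in (("server.cfg", WEAK), ("k3v9q.cfg", NO_REDIRECT), ("k3v9q.cfg", HARDENED)):
        print(name, audit(name, text) or "ok")
```

The check reads only the file it is given, so a dvar set on the command line or in another exec'd cfg is not seen.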