Server channel creation spam with server query

Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
Hello everyone,

Today I had a problem and i still don't understand why it happened. Someone was able to spam the teamspeak server with channel creation with what appears to be a server query from Gametracker :

Code: 
2016-01-28 19:24:15.712243|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #759'(id:32036) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:15.952286|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #767'(id:32037) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:16.192592|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #326'(id:32038) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:16.431749|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #66'(id:32039) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:16.670702|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #989'(id:32040) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:16.910549|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #597'(id:32041) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:17.082663|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #698'(id:32042) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:17.149444|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #822'(id:32043) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:17.322479|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #857'(id:32044) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:17.387182|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #491'(id:32045) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:17.562332|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #653'(id:32046) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:17.626062|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #11'(id:32047) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:17.802506|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #685'(id:32048) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:17.864663|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #287'(id:32049) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:18.040554|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #984'(id:32050) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:18.153982|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #631'(id:32052) created by 'TeamspeakUser2'(id:3)
2016-01-28 19:24:18.200232|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #138'(id:32053) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:18.280217|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #895'(id:32054) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:18.394560|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #529'(id:32055) created by 'TeamspeakUser2'(id:3)
2016-01-28 19:24:18.437704|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #733'(id:32056) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:18.519703|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #202'(id:32057) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:18.633859|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #455'(id:32058) created by 'TeamspeakUser2'(id:3)
2016-01-28 19:24:18.675710|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #311'(id:32059) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:18.760556|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #39'(id:32060) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:18.873100|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #949'(id:32061) created by 'TeamspeakUser2'(id:3)
2016-01-28 19:24:18.913799|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #355'(id:32062) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:18.999244|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #893'(id:32063) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:19.113145|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #484'(id:32064) created by 'TeamspeakUser2'(id:3)
2016-01-28 19:24:19.151250|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #720'(id:32065) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:19.238746|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #945'(id:32066) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:19.351660|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #466'(id:32067) created by 'TeamspeakUser2'(id:3)
2016-01-28 19:24:19.389606|INFO    |VirtualServerBase|  1| channel 'HAHAHHAHA #955'(id:32068) created by 'TeamspeakNoob'(id:3)
2016-01-28 19:24:19.477987|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #573'(id:32069) created by 'TeamspeakUser'(id:3)
2016-01-28 19:24:19.590556|INFO    |VirtualServerBase|  1| channel 'HAHAHAH #346'(id:32070) created by 'TeamspeakUser2'(id:3)

When I check who is id:3, it is gametracker... So I disabled channel creation for guest users and it stopped.

However, I do not understand why it happened. Aren't serverquery permissions different from normal permissions?

EDIT:
2016-01-28 19:31:27.635709|INFO |VirtualServerBase| 1| channel 'HAHAHHAHA #580'(id:56959) created by 'Unknown from xxx.xx.xxx.xxx:xxxxx'(id:3)
 
Last edited:
Derp

Derp

Retired Staff
Contributor
Apr 30, 2015
933
1,017
217
Check if your gametracker account got compromised, Idk how gametracker works but I guess someone could have stolen your gametracker Query account login data.
 
Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
Derp said:
Check if your gametracker account got compromised, Idk how gametracker works but I guess someone could have stolen your gametracker Query account login data.
Click to expand...
GameTracker uses the guest query, just like tsviewer.com
 
Kaptan647

Kaptan647

Retired Staff
Contributor
Apr 25, 2015
314
398
112
I dont understand what is weird ? You give guest server query open a channel and spam protection bypass and some noticed it and spammed your server. That is possible not weird
 
Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
Kaptan647 said:
I dont understand what is weird ? You give guest server query open a channel and spam protection bypass and some noticed it and spammed your server. That is possible not weird
Click to expand...
Whoa where do you see I gave spam protection bypass?
 
Bluscream

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
He knows it because by default the teamspeak server revokes the permission to create channels for Query Guests.
 
Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
Exactly, guest query CANNOT create a channel and I have never added this permission. Im not like the average user here, my server has been constantly tested for security, this is why I dont understand how that person was able to do that.

I had to ddos that mofo for the attack to stop.
 
Last edited:
T

TheFeldi

Member
Aug 28, 2015
15
2
35
Well, First of all you need Server Admin Query. If you host the teamspeak somewhere, you basically have no chance to disable that.
The next step is very easy.
Basically you only need Server Admin Query.
#toolazytotype
 
Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
TheFeldi said:
Well, First of all you need Server Admin Query. If you host the teamspeak somewhere, you basically have no chance to disable that.
The next step is very easy.
Basically you only need Server Admin Query.
#toolazytotype
Click to expand...
I am the only one who has the serveradmin query password.
 
ehthe

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
Just change the serverqueryguest permissions with yatqa
 
ehthe

ehthe

Retired Staff
Contributor
Apr 26, 2015
1,028
896
216
oh well then we're on a whole new level :D
(check the type of the userdbid 3, I bet it's a client bot not a serverquery guest)
 
Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
ehthe said:
oh well then we're on a whole new level :D
(check the type of the userdbid 3, I bet it's a client bot not a serverquery guest)
Click to expand...
Gametracker.com serverquery

Actually, I think the attacker was able to spoof the name of a query to match Gametracker.com serverquery. I still dont know what it was, it was strong shit lol

EDIT: His ip wasn't gametracker's
 
Bluscream

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
@Qraktzyl Please post a screenshot of YaTQA on the "Permissions"->"Permission Comparison" Tab with the following perms on the target groups "Guest Server Query" and "Guest".

ai1eg1H.png
 
Qraktzyl

Qraktzyl

Retired Staff
Contributor
Nov 2, 2015
997
728
161
Bluscream said:
@Qraktzyl Please post a screenshot of YaTQA on the "Permissions"->"Permission Comparison" Tab with the following perms on the target groups "Guest Server Query" and "Guest".
Click to expand...
XR4YiOh.png


EDIT: I've removed b_channel_create_temporary for server group Guest(#8) since the incident.
 
Bluscream

Bluscream

Retired Staff
Contributor
May 8, 2015
967
934
211
Can you tell us when you SQLiteDB (Your first Virtual Server) was created?
 
You must log in or register to reply here.
Top