I had this very same problem and posted to this list about it not too long ago. Its all Q3-based games.<br><br>Make sure your configs are conspicuously named, and if they do happen to be available in the same path, that you put some sort of rewrite rule in to deny access.<br>
<br><div class="gmail_quote">On Mon, Sep 13, 2010 at 6:04 PM, saimon <span dir="ltr"><<a href="mailto:saimon@optonline.net">saimon@optonline.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div bgcolor="#ffffff" text="#000000">
Having spent much time in a Soldier of Fortune clan I can tell you that
yes there is a script that can be run against a server with downloads
turned on that will automatically go after the [in Sof it is the
Sof2mp.cfg] config file that has the rcon password. In my experience
acquiring that password was always the goal the attacker [script
kiddie] would then proceed to kick out/ban all clan members and change
the name of the server the idiots that went around doing this really
ruined the game for a large amount of the community. I can't say for
sure or not if the same script works with all Quake based game it could
well be from the same source I was told that leader of the Sof2 clan
Heretic, its leard Heretic Death was a distributor of this
script/tool for a price. You may also want to open a console while in
the game and type download and see if any directory structures you and
hit.<div><div></div><div class="h5"><br>
<br>
On 9/13/2010 3:33 PM, David@Game-Serve wrote:
</div></div><blockquote type="cite"><div><div></div><div class="h5">
On 13/09/10 20:16, Morpheus wrote:
<blockquote type="cite">
Yes, but it is only relevant with http downloading (I'm simlinking the
folder too, but with a good htaccess restrictions, and stricts
permission on the files--only readable by the owner). Is it possible to
use the client to try downloading the cfg through the built-in protocol
? That could be the major hack, and it can potentially touch every
quake-based game, at least those using the same net codebase (cod2 is
one of them).<br>
<br>
But I'm pretty sure it's not the case, and http is the way to follow,
and to harden...<br>
</blockquote>
<br>
You mean like the one that already exists on the quake3 engine based
games? like mohaa which will allow you to download the config files on
servers that dont have downloads disabled (set sv_allowDownload "0"),
whats worse is that mohaa doesn't even use the server-client download
functions of the quake3 engine but the code must still be in there
somewhere as the exploit works<br>
<br>
<br>
</div></div><pre><fieldset></fieldset>
_______________________________________________
cod mailing list
<div class="im"><a href="mailto:cod@icculus.org" target="_blank">cod@icculus.org</a>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a>
</div></pre>
</blockquote>
</div>
<br>_______________________________________________<br>
cod mailing list<br>
<a href="mailto:cod@icculus.org">cod@icculus.org</a><br>
<a href="http://icculus.org/mailman/listinfo/cod" target="_blank">http://icculus.org/mailman/listinfo/cod</a><br>
<br></blockquote></div><br><br clear="all"><br>-- <br>Geoff Goas<br>Network Engineer<br>