My game server keeps getting hit with HTTP POST data

Red Squirrel

No Lifer
May 24, 2003
70,164
13,569
126
www.anyf.ca
Something weird started happening lately: my UO game server keeps getting hit with what looks like an HTTP POST request. Here is the packet:

Code:
POST / HTTP/1.1
Host: [my ip]:1337
Content-Type: application/json
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/63.0.3239.84 Chrome/63.0.3239.84 Safari/537.36
Accept: */*

1337 is the game server port. There is no other data with the packet, but this comes from IP addresses all around the world.

Should I be worried about this? Is it some kind of attack? I started mining Ethereum; could it somehow be related?
 

Skunk-Works

Senior member
Jun 29, 2016
983
328
91
Well, anybody can use Nmap, so there's that. There's even a tool to scan the entire IPv4 space in about 45 minutes. Are these IPs normal ISPs? Chances are they are infected routers. I see this all the time at my websites. And I bet these poor people who don't update their router firmware wonder why bandwidth is out the window.
 

Skunk-Works

To further add, I have a Team Speak and FTP server. I run Peerblock on the computer hosting those two servers and I get blocks all the time, even though those ports are way past 30,000. Azure used to be a common server trying to connect to my IP.
 

Red Squirrel

Yeah like the scan itself is not really a huge deal, just seems odd that it started so suddenly. But maybe there's some kind of new botnet going around? I do find it odd that it's only hitting the game server though.
 

Jaskalas

Lifer
Jun 23, 2004
35,412
9,606
136
Yeah like the scan itself is not really a huge deal, just seems odd that it started so suddenly. But maybe there's some kind of new botnet going around? I do find it odd that it's only hitting the game server though.

I mean... it's a game server. So you have clients connecting to it. So imagine one of them got hit and the fact that they connect to the server means their infection wants to knock on your door.
 

Red Squirrel

OK, so it looks like whatever this is might be some kind of buffer underrun attack. This is a fairly custom application so updating is not an option; there are too many changes. Any good resources online on how to write code that is not susceptible to that kind of exploit? I will need to pore over the source code and fix it.

I see a lot of weird packets with what seem to be references to 192.168 IP ranges, so they're basically trying to scan my local network through some kind of remote code execution. It's on a separate VLAN that is segregated from the rest of my network so I'm not too worried, but this seems to be causing some kind of random crash, probably when they hit protected memory.

The app lately has developed an issue where it crashes with "network no longer available" errors. I never really put two and two together until now. It's most likely related.
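
Added example, not part of the thread and not the game server's own code: a bounds-checked frame parser for a binary game port, showing why stray HTTP bytes like the POST above must be rejected before any length field is trusted. The framing (1-byte opcode, 2-byte big-endian total length, payload), the 1024-byte cap and all names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical framing, assumed for illustration (not the real server's
   protocol): 1-byte opcode, 2-byte big-endian total length, payload. */
#define HDR_LEN   3
#define MAX_FRAME 1024

enum frame_status { FRAME_OK = 0, FRAME_NEED_MORE, FRAME_BAD_LENGTH, FRAME_NOT_PROTOCOL };
struct frame { uint8_t opcode; const uint8_t *payload; size_t payload_len; };

/* True when the buffer starts with an HTTP method, i.e. stray web traffic. */
static int looks_like_http(const uint8_t *buf, size_t n)
{
    static const char *const methods[] = { "GET ", "POST ", "HEAD ", "PUT ", "OPTIONS " };
    for (size_t i = 0; i < sizeof methods / sizeof methods[0]; i++) {
        size_t m = strlen(methods[i]);
        if (n >= m && memcmp(buf, methods[i], m) == 0)
            return 1;
    }
    return 0;
}

/* Parse one frame from the n bytes actually received; never read past them. */
enum frame_status parse_frame(const uint8_t *buf, size_t n, struct frame *out)
{
    if (looks_like_http(buf, n))
        return FRAME_NOT_PROTOCOL;          /* log and drop the connection */
    if (n < HDR_LEN)
        return FRAME_NEED_MORE;
    size_t total = ((size_t)buf[1] << 8) | buf[2];
    if (total < HDR_LEN || total > MAX_FRAME)
        return FRAME_BAD_LENGTH;            /* "POS" decodes to 0x4F53 = 20307 */
    if (total > n)
        return FRAME_NEED_MORE;             /* wait for more data, do not copy yet */
    out->opcode = buf[0];
    out->payload = buf + HDR_LEN;
    out->payload_len = total - HDR_LEN;     /* cannot underflow: total >= HDR_LEN */
    return FRAME_OK;
}

int main(void)
{
    /* Constructed sample: first line of the request shown in the first post. */
    static const uint8_t req[] = "POST / HTTP/1.1\r\n";
    struct frame f;
    return parse_frame(req, sizeof req - 1, &f) == FRAME_NOT_PROTOCOL ? 0 : 1;
}
```

A parser that skips the range check would treat the ASCII bytes "OS" as a 20307-byte length and read or copy far beyond what was received, which is the class of crash worth hunting for in the source.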