Someone Hacked My Gibson


EarthBoundX5

Wasn't sure where this should be posted, as it's not quite support.  More of a bug report / what does Fun Pimps want or need from me?

 

I normally shut down my 7 Days to Die server when not in use.  The base VM continues, but the service is shut down.  Today, I realized I'd forgotten to shut down the server...went to do it, and noticed that about 10 hours after I'd logged off, some weird activity showed up onscreen over a few days and lastly today.

 

I couldn't copy + paste out of the server console window and I couldn't find the respective logs for the event (if these are even logged?).  I have a screenshot, but don't want to have to upload it in order to post it as a link in these forums.

 

Essentially, I saw this, 10 hours after I was done playing...

2021-11-06T10:04:30 45900.107 INF (GSM) GameSparks Disconnected

2021-11-06T13:28:32 58142.189 INF (GSM) GameSparks Connected

 

I didn't think anything of it, but the following lines were much sketchier.  I saw the following IPs start and establish Telnet connections, along with one throwing an exception.

167.71.237.46

104.140.88.42

78.128.112.14

 

Now, I shouldn't have telnet accessible externally.  I might have something enabled in the 7 Days to Die server config, but I'll have to check that.  Regardless, I shouldn't have anything unexpected opened externally.

 

I checked my Splunk server for these IPs, but only found 2 logs: ControlChannel Open and Closed for FTP services on the VM I host my 7 Days to Die server from.

 

@Fun Pimps, please let me know if there is anything I should be checking or doing or providing to you guys.  This on the surface to me indicates a security exploit in the server; even if enabled in a server config...as there should at least be some authentication.  Thanks!

 

EDIT: Just to note, I restored from backups to before the first odd console entry.  I do have a backup of the day after, but not from after the Telnet events were observed.


Confirmed I had telnet enabled in server config.  Noted that the default bad passwords and timeout are 10.  Probably should have these default much higher.  But more so, this still means there was an auth issue at play.  And I wonder if the password was cracked with 10 bad attempts and a 10 second cool down (I'm sure it was) or they accessed the telnet service in the 7 Days to Die server via an exploit.

 

This does lead me to a question: what access does one have using telnet offered from the 7 Days to Die server service?  Is it contained to just server commands, or does it have file access or anything else?


Telnet is activated by default without a password but listening only on the loopback device. See this comment in the serverconfig.xml:

 

Password to gain entry to telnet interface. If no password is set the server will only listen on the local loopback interface

 

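An added configuration check for the serverconfig.xml behaviour quoted above; this is example code, not part of the game, the forum thread or any Fun Pimps tooling. It assumes the property names TelnetEnabled, TelnetPort, TelnetPassword, TelnetFailedLoginLimit and TelnetFailedLoginsBlocktime and the default port 8081; the sample file is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the <property name="..." value="..."/> style of
# serverconfig.xml; values are illustrative, not from the poster's server.
EXPOSED_CONFIG = """<?xml version="1.0"?>
<ServerSettings>
  <property name="TelnetEnabled" value="true"/>
  <property name="TelnetPort" value="8081"/>
  <property name="TelnetPassword" value="hunter2"/>
  <property name="TelnetFailedLoginLimit" value="10"/>
  <property name="TelnetFailedLoginsBlocktime" value="10"/>
</ServerSettings>
"""


def load_properties(xml_text):
    """Return every <property name=... value=.../> entry as a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("property")}


def audit_telnet(props):
    """Return a list of findings about the telnet settings.

    The rule follows the config comment quoted in the thread: with no
    password the listener stays on loopback; with a password set it
    accepts connections from any interface, so the port needs filtering
    upstream.  The lockout key names are an assumption (see lead-in).
    """
    findings = []
    if props.get("TelnetEnabled", "false").lower() != "true":
        return findings  # nothing is listening, nothing to audit
    password = props.get("TelnetPassword", "")
    if password == "":
        findings.append("telnet enabled without password: loopback-only listener")
    else:
        port = props.get("TelnetPort", "8081")
        findings.append("telnet enabled with password: listens on all interfaces, "
                        "filter port %s unless remote management is needed" % port)
        if len(password) < 16:
            findings.append("telnet password shorter than 16 characters")
    try:
        limit = int(props.get("TelnetFailedLoginLimit", "10"))
        block = int(props.get("TelnetFailedLoginsBlocktime", "10"))
    except ValueError:
        findings.append("non-numeric lockout settings")
        return findings
    if limit >= 10 or block <= 10:  # the defaults the thread calls too low
        findings.append("weak lockout: %d attempts, %d second block" % (limit, block))
    return findings
```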

5 hours ago, meganoth said:

Telnet is activated by default without a password but listening only on the loopback device. See this comment in the serverconfig.xml:

 

Password to gain entry to telnet interface. If no password is set the server will only listen on the local loopback interface

 

Ah, so I'm not an idiot for having it enabled...but I am for not reading a comment and putting in a password, haha.  Kinda feel that a password shouldn't be the factor in how telnet operates.  @Fun Pimps should really add another config line for that IMO...

 

EDIT: Is there any functional reason to have telnet enabled?

47 minutes ago, Beelzybub said:

logs are in this folder: \7DaysToDieServer_Data

UGH, I feel stupid...I only looked in the logs folder at root and skimmed around in AppData and ProgramData...logs like this should probably be in a log sub dir...well, one more folder I'll add to Splunk logging.


1 hour ago, EarthBoundX5 said:

Ah, so I'm not an idiot for having it enabled...but I am for not reading a comment and putting in a password, haha.  Kinda feel that a password shouldn't be the factor in how telnet operates.  @Fun Pimps should really add another config line for that IMO...

 

EDIT: Is there any functional reason to have telnet enabled?

 

I assume you know what "loopback device" means? As long as you don't expect intruders getting access to an account on your server it isn't that critical that telnet has no password. Though I always set one nonetheless.


24 minutes ago, meganoth said:

 

I assume you know what "loopback device" means? As long as you don't expect intruders getting access to an account on your server it isn't that critical that telnet has no password. Though I always set one nonetheless.

If someone gets on my server, that's more of a concern and telnet would be irrelevant.

 

What I'm saying is, if I set a password for telnet in 7 Days to Die, it shouldn't automatically open up externally vs local loopback without another true/false toggle.  And if that is the case, then why not just disable it entirely?  Why is it needed, what is its function for the 7 Days to Die server?  Seems like just a vulnerability point?


I mostly agree, it is rather unusual and I prefer services to be off by default too.

Still, this default is "reasonably" secure and once you want to use telnet for more you are bound to read the comment and act on that information.

 

I only use telnet to shut down the game on the server via script. I assume server management programs for public servers (like botman) use it to control the game.


3 hours ago, meganoth said:

I only use telnet to shut down the game on the server via script. I assume server management programs for public servers (like botman) use it to control the game.

 

Ya, this is what I was looking for.  Since I don't use anything external to manage, I can safely disable it for now and revisit when I need it.  Thanks!

 

Still unsure from the replies though if the telnet session is limited purely to the server commands, and wouldn't open up access to a bad actor to something else.  And if anyone at Fun Pimps cares to get more details off this report or not.
