EarthBoundX5 Posted November 11, 2021

Wasn't sure where this should be posted, as it's not quite support. More of a bug report / what does Fun Pimps want or need from me?

I normally shut down my 7 Days to Die server when not in use. The base VM continues, but the service is shut down. Today, I realized I'd forgotten to shut down the server...went to do it, and noticed that about 10 hours after I'd logged off, some weird activity showed up onscreen over a few days, the last of them today. I couldn't copy + paste out of the server console window and I couldn't find the respective logs for the event (if these are even logged?). I have a screenshot, but don't want to have to upload it in order to post it as a link in these forums.

Essentially, I saw this, 10 hours after I was done playing...

2021-11-06T10:04:30 45900.107 INF (GSM) GameSparks Disconnected
2021-11-06T13:28:32 58142.189 INF (GSM) GameSparks Connected

I didn't think anything of it, but the following lines were much sketchier. I saw the following IPs start and establish Telnet connections, along with one throwing an exception.

167.71.237.46
104.140.88.42
78.128.112.14

Now, I shouldn't have telnet accessible externally. I might have something enabled in the 7 Days to Die server config, but I'll have to check that. Regardless, I shouldn't have anything unexpected open externally. I checked my Splunk server for these IPs, but only found 2 logs: ControlChannel Open and Closed for FTP services on the VM I host my 7 Days to Die server from.

@Fun Pimps, please let me know if there is anything I should be checking or doing or providing to you guys. This on the surface to me indicates a security exploit in the server; even if enabled in a server config...as there should at least be some authentication.

Thanks!

EDIT: Just to note, I restored from backups to before the first odd console entry. I do have a backup of the day after, but not from after the Telnet events were observed.
EarthBoundX5 Posted November 11, 2021 (Author)

Confirmed I had telnet enabled in server config. Noted that the defaults for bad passwords and timeout are 10. Probably should have these default much higher. But more so, this still means there was an auth issue at play. And I wonder if the password was cracked (with 10 bad attempts and a 10 second cool down, I'm sure it was) or they accessed the telnet service in the 7 Days to Die server via an exploit.

This does lead me to a question: what access does one have using telnet offered from the 7 Days to Die server service? Is it contained to just server commands or does it have file access or anything else?
meganoth Posted November 11, 2021

Telnet is activated by default without a password but listening only on the loopback device. See this comment in the serverconfig.xml:

"Password to gain entry to telnet interface. If no password is set the server will only listen on the local loopback interface"
Beelzybub Posted November 11, 2021

15 hours ago, EarthBoundX5 said:
"I couldn't find the respective logs"

logs are in this folder: \7DaysToDieServer_Data
EarthBoundX5 Posted November 11, 2021 (Author)

5 hours ago, meganoth said:
"Telnet is activated by default without a password but listening only on the loopback device. See this comment in the serverconfig.xml: Password to gain entry to telnet interface. If no password is set the server will only listen on the local loopback interface"

Ah, so I'm not an idiot for having it enabled...but I am for not reading a comment and putting in a password, haha. Kinda feel that a password shouldn't be the factor in how telnet operates. @Fun Pimps should really add another config line for that IMO...

EDIT: Is there any functional reason to have telnet enabled?

47 minutes ago, Beelzybub said:
"logs are in this folder: \7DaysToDieServer_Data"

UGH, I feel stupid...I only looked in the logs folder at root and skimmed around in AppData and ProgramData...logs like this should probably be in a log sub dir...well, one more folder I'll add to Splunk logging.
meganoth Posted November 11, 2021

1 hour ago, EarthBoundX5 said:
"Ah, so I'm not an idiot for having it enabled...but I am for not reading a comment and putting in a password, haha. Kinda feel that a password shouldn't be the factor in how telnet operates. @Fun Pimps should really add another config line for that IMO... EDIT: Is there any functional reason to have telnet enabled?"

I assume you know what "loopback device" means? As long as you don't expect intruders getting access to an account on your server it isn't that critical that telnet has no password. Though I always set one nonetheless.
EarthBoundX5 Posted November 11, 2021 (Author)

24 minutes ago, meganoth said:
"I assume you know what "loopback device" means? As long as you don't expect intruders getting access to an account on your server it isn't that critical that telnet has no password. Though I always set one nonetheless"

If someone gets on my server, that's more of a concern and telnet would be irrelevant. What I'm saying is, if I set a password for telnet in 7 Days to Die, it shouldn't automatically open up externally vs local loopback without another true/false toggle. And if that is the case, then why not just disable it entirely? Why is it needed, what is its function for the 7 Days to Die server? Seems like just a vulnerability point?
meganoth Posted November 12, 2021

I mostly agree, it is rather unusual and I prefer services to be off by default too. Still, this default is "reasonably" secure and once you want to use telnet for more you are bound to read the comment and act on that information.

I only use telnet to shutdown the game on the server per script. I assume server management programs for public servers (like botman) use it to control the game.
EarthBoundX5 Posted November 12, 2021 (Author)

3 hours ago, meganoth said:
"I only use telnet to shutdown the game on the server per script. I assume server management programs for public servers (like botman) use it to control the game."

Ya, this is what I was looking for. Since I don't use anything external to manage, I can safely disable for now and revisit when I need it. Thanks!

Still unsure from replies though if the telnet session is encapsulated in purely the server commands; and wouldn't open up access to a bad actor to something else. And if anyone at Fun Pimps cares to get more details off this report or not.
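The two practical takeaways of the thread are the serverconfig.xml rule meganoth quotes (no telnet password means loopback only; a password set means the server listens on every interface) and the fact that the telnet events only show up in the server's own log folder, which the original poster had not yet pulled into Splunk. The following script is an added example written for this thread, not code from The Fun Pimps or from the game: it reads the Telnet* properties from a serverconfig.xml and reports what they imply, then scans log lines for telnet connections from non-loopback addresses. The property names TelnetEnabled, TelnetPort, TelnetPassword, TelnetFailedLoginLimit and TelnetFailedLoginsBlocktime are assumed to match the dedicated server's shipped serverconfig.xml; the config fragment, the log lines and the exact "Telnet connection from:" message wording are constructed for the example (only the GameSparks lines are copied from the first post), so check the regex against your own output log before using it on real data.

```python
import re
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed serverconfig.xml fragment for the example (not the shipped file).
# The Telnet* property names are assumed to match the dedicated server's
# serverconfig.xml; verify them against your own copy.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<ServerSettings>
  <property name="ServerPort" value="26900"/>
  <property name="TelnetEnabled" value="true"/>
  <property name="TelnetPort" value="8081"/>
  <property name="TelnetPassword" value="hunter2"/>
  <property name="TelnetFailedLoginLimit" value="10"/>
  <property name="TelnetFailedLoginsBlocktime" value="10"/>
</ServerSettings>
"""

# Constructed log lines in the "<timestamp> <uptime> <level> <message>" shape
# quoted in the thread. The telnet message wording is assumed, not copied from
# a real output log; the source addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """2021-11-06T10:04:30 45900.107 INF (GSM) GameSparks Disconnected
2021-11-06T13:28:32 58142.189 INF (GSM) GameSparks Connected
2021-11-06T13:29:01 58171.004 INF Telnet connection from: 127.0.0.1:52538, allowed
2021-11-06T20:11:45 82335.512 INF Telnet connection from: 203.0.113.7:41022, allowed
2021-11-06T20:11:58 82348.777 INF Telnet connection from: 203.0.113.7:41030, allowed
2021-11-07T02:40:13 105643.200 INF Telnet connection from: 198.51.100.9:60001, allowed
2021-11-07T02:40:14 105644.001 ERR Exception in telnet client thread
"""

LOG_LINE = re.compile(r"^(\S+)\s+\S+\s+(\w+)\s+(.*)$")
TELNET_FROM = re.compile(r"Telnet connection from:\s*(\S+?):\d+")


def load_properties(xml_text):
    """Map every <property name=... value=...> element to a dict."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value", "") for p in root.iter("property")}


def telnet_exposure(props):
    """Apply the rule from the serverconfig.xml comment quoted in the thread:
    no password => loopback only; password set => listens on all interfaces.
    Also flag the weak default lockout the original poster noticed (10/10)."""
    enabled = props.get("TelnetEnabled", "false").strip().lower() == "true"
    password = props.get("TelnetPassword", "")
    limit = int(props.get("TelnetFailedLoginLimit", "0") or 0)
    blocktime = int(props.get("TelnetFailedLoginsBlocktime", "0") or 0)
    findings = []
    if not enabled:
        findings.append("telnet disabled: nothing to expose")
    elif not password:
        findings.append("telnet loopback-only and unauthenticated: any local "
                        "account can issue server commands")
    else:
        findings.append(f"telnet listens on all interfaces on port "
                        f"{props.get('TelnetPort', '?')}; firewall it or do "
                        "not forward the port")
        if limit >= 10 and blocktime <= 10:
            findings.append(f"weak lockout: {limit} failed logins then only a "
                            f"{blocktime}s block, survivable by a slow guesser")
    return {"enabled": enabled,
            "listens_externally": enabled and bool(password),
            "findings": findings}


def external_telnet_sources(log_text):
    """Count telnet connections per non-loopback source address, so a log
    that only ever shows 127.0.0.1 comes back empty."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        t = TELNET_FROM.search(m.group(3))
        if not t:
            continue
        try:
            addr = ipaddress.ip_address(t.group(1))
        except ValueError:
            continue  # not a plain IPv4/IPv6 literal; skip rather than guess
        if not addr.is_loopback:
            counts[str(addr)] += 1
    return dict(counts)


if __name__ == "__main__":
    report = telnet_exposure(load_properties(SAMPLE_CONFIG))
    for finding in report["findings"]:
        print("config:", finding)
    for ip, n in external_telnet_sources(SAMPLE_LOG).items():
        print(f"log: {n} telnet connection(s) from {ip}")
```

Run against a real install, the config half tells you whether the port is reachable from outside before anyone connects, and the log half is the kind of check worth turning into a scheduled search once the \7DaysToDieServer_Data log folder is being shipped to Splunk: any non-loopback source address on the telnet port of a private server is worth a look, and a burst of connections from one address inside the lockout window is what a password-guessing run would leave behind.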