[Dshield] Port 27015
stasinia at msoe.edu
Tue Dec 6 09:09:13 GMT 2005
Since HL has been popular, two different types of attracts have plagued port 27015. The first is a brute force attack. Basically a script will try to guess the "rcon" password of the HL server. With this password, someone could make any changes they want to the game server process (but not the server itself). The second attack is based on a few rare exploit that have been reported over the years with the HL protocol. I don't think there are any known ones for the current build, but people that run hacked copies of the server might be susceptible to these attacks. Also, you are correct, there are no new HL based games out, even if there where, the protocol does not go around random port scanning hosts.
Several places (like at MSOE) run publicly accessible HL/CS servers. We have always followed a stick guideline of never running anything besides game server related software on the box and putting the box in it own DMZ; thereby putting a firewall between it, the internal network, and the internet.
Another possibility to consider is if maybe some users on your network are playing HL based games. Your firewall could quite possibly be blocking some of the traffic so it is raising the count on those ports.
I looked through my daily DShield report emails and I did not find it listing 27015 ever on the "Port Summary" list. Though I would be curious to see if anyone else has seen an increase, but I am leaning towards my theory of a user on your network.
Hope that helps,
Computer and Communication Services Department
Milwaukee School of Engineering
From: list-bounces at lists.dshield.org [mailto:list-bounces at lists.dshield.org] On Behalf Of Carloscar Andréasson
Sent: Monday, November 21, 2005 3:33 AM
To: list at lists.dshield.org
Subject: [Dshield] Port 27015
Checking the graphs for port 27015 ( halflife ) its been hitting shy hi
since nov 5 ... anyone got any ide whats going on?
as far as i know... Valve the makers of halflife hasnt released any new
product that uses and causes this peak , but i could be wrong?
Using .Net? Need to know more about .Net Security?
send all posts to list at lists.dshield.org
To change your subscription options (or unsubscribe), see: http://www.dshield.org/mailman/listinfo/list
More information about the list