Some questions regarding DCS Server PC Security?


PSYKOnz

Hi there, I have a few questions regarding server PCs and the security of the DCS World Open Beta server.

I run a very small server for me and my mates to indulge our passion for jets, choppers and blowing stuff up.

However, I have noticed a few things that concern me and I would love some feedback to calm my nerves. One is just out of curiosity; the other is worrying me.

First up.

I run GlassWire on all my PCs just to keep an eye on things, because I'm a bit nosey and very nerdy lol.

I have noticed that when I host the server I get a ton of hits from all over the world listed as "hosts" on GlassWire. They only take a very few bytes, so I'm assuming that they are just all the people opening up their multiplayer menu and pinging the server for details. Is this correct?

 

Second, and this one kind of worries me:

I run MBAM for security, and for the past few days of hosting I have been getting real-time protection blocks for "compromised" or "Trojan" from different IPs. When I checked the IPs, one was from Zurich, the other from somewhere in the Netherlands.

Details below:

-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Trojan
Domain: 
IP Address: Redacted (if its needed i will post it)
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

-----------------------------------------------------------------------------------------------------------------------------------------
-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, , 

-Website Data-
Category: Compromised
Domain: 
IP Address: Redacted (if its needed i will post it)
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

-------------------------------------------------------------------------------------------------------------------------------------

There are more than these two, but no point spamming lol.

As you can imagine this is somewhat worrying.

Is someone able to enlighten me as to what is going on?

It's also coming through port 8088, which is the web GUI port; it's freaking me out a bit.

Are these legit things from ED/DCS, or are these people trying to hack into my PC through the web GUI?

I have more questions, but I feel they may be answered in your replies to this post, so I'll wait and see what you all reckon before I panic-spam questions here hahaha.

I eagerly await the knowledge you all have, that I seriously lack, hahaha.

Cheers guys

 


Edited by PSYKOnz

Tomcat, Tomcat über allen

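The block records above all share one shape: different remote addresses, the same local port, the same local process. The following script is an added example (not from this thread or from Malwarebytes) that parses records in the "-Website Data-" layout shown in the post and groups them so that pattern is visible. The sample text is constructed from the two records above, with documentation-range addresses (RFC 5737) standing in for the redacted IPs; the list of forwarded ports is an assumption the reader should replace with their own router's forwards.

```powershell
# Added example (not from the thread): triage Malwarebytes "Blocked Website" records.
# Sample input is constructed from the format shown in the post; the IP addresses
# are documentation-range placeholders, not the real redacted ones.
$sampleLog = @'
-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Trojan
Domain:
IP Address: 198.51.100.23
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe

-----------------------------------------------------------------------------------------------------------------------------------------
-Blocked Website Details-
Malicious Website: 1
, C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe, Blocked, -1, -1, 0.0.0, ,

-Website Data-
Category: Compromised
Domain:
IP Address: 203.0.113.77
Port: 8088
Type: Inbound
File: C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe
'@

function ConvertFrom-MbamBlockLog {
    param([Parameter(Mandatory)][string]$Text)
    # Each "-Website Data-" section is one block event: split on that header
    # and pick out the "Key: Value" lines beneath it.
    $sections = $Text -split '-Website Data-' | Select-Object -Skip 1
    foreach ($section in $sections) {
        $fields = @{}
        foreach ($line in ($section -split "`r?`n")) {
            if ($line -match '^(Category|Domain|IP Address|Port|Type|File):\s*(.*)$') {
                $fields[$Matches[1]] = $Matches[2].Trim()
            }
        }
        [pscustomobject]@{
            Category  = $fields['Category']
            IPAddress = $fields['IP Address']
            Port      = [int]$fields['Port']
            Direction = $fields['Type']
            Process   = Split-Path -Leaf $fields['File']
        }
    }
}

function Get-MbamBlockSummary {
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int[]]$ForwardedPorts = @()   # assumption: the ports forwarded on your router
    )
    # Group by direction, port and process so the pattern is obvious:
    # many different source IPs, one local port, one local process.
    $Events | Group-Object Direction, Port, Process | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Direction  = $first.Direction
            Port       = $first.Port
            Process    = $first.Process
            Events     = $_.Count
            UniqueIPs  = ($_.Group.IPAddress | Sort-Object -Unique).Count
            Categories = ($_.Group.Category | Sort-Object -Unique) -join ','
            # Inbound hits on a port you forward from the router are the ones that
            # show the service is reachable from the Internet at large.
            Exposed    = ($first.Direction -eq 'Inbound' -and $ForwardedPorts -contains $first.Port)
        }
    }
}

$events  = ConvertFrom-MbamBlockLog -Text $sampleLog
$summary = Get-MbamBlockSummary -Events $events -ForwardedPorts 8088, 10308, 10309
$summary | Format-Table -AutoSize
```

Run against the two sample records this prints a single row: Inbound, port 8088, DCS.exe, 2 events from 2 unique IPs, categories Compromised and Trojan, Exposed True. A long list of unique source addresses against one forwarded port is the signature of Internet-wide scanning rather than something specific to the server; a row with Exposed True on a port you did not mean to publish is the one to act on.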

Hi,

Re the traffic you're seeing in GlassWire, is your server set to "public" as in it will register itself with ED? If so, then you’re right it's likely just discovery traffic. Personally, I don't have mine set as public, so anyone who wants to join needs the relevant IP or hostname (and password). I’ve not done any Wireshark or similar analysis on this behaviour, it's an educated guess.

For your second point, this suggests you have the WebUI publicly accessible (NATted) which would make sense if you're running the server on a hosting platform but if you're running it at home then you can just connect to this service locally? There's no need for you to allow it inbound from the Internet at large. There's a raft of scans constantly running against anything on the Internet, and this traffic is likely attributable to that.

HTH,

 

Z

 

 

12900KF | Maximus Hero Z690 | ASUS 4090 TUF OC | 64GB DDR5 5200 | DCS on 2TB NVMe | WarBRD+Warthog Stick | CM3 | TM TPR's | Varjo Aero


2 minutes ago, zildac said:

Hi,

Re the traffic you're seeing in GlassWire, is your server set to "public" as in it will register itself with ED? If so, then you’re right it's likely just discovery traffic. Personally, I don't have mine set as public, so anyone who wants to join needs the relevant IP or hostname (and password). I’ve not done any Wireshark or similar analysis on this behaviour, it's an educated guess.

For your second point, this suggests you have the WebUI publicly accessible (NATted) which would make sense if you're running the server on a hosting platform but if you're running it at home then you can just connect to this service locally? There's no need for you to allow it inbound from the Internet at large. There's a raft of scans constantly running against anything on the Internet, and this traffic is likely attributable to that.

HTH,

 

Z

 

 

On the first response, it is currently set to public for ease of connection.

Is there a way to make it non-public but searchable by name? I thought it was only possible to make it public?

On point 2, I have it accessible by the web GUI as sometimes I'm not there for admin and this allows one of my mates to log in and do the administration. Is there a way to have this accessible by the account without it being public?


10 minutes ago, PSYKOnz said:

On the first response, it is currently set to public for ease of connection.

Is there a way to make it non-public but searchable by name? I thought it was only possible to make it public?

On point 2, I have it accessible by the web GUI as sometimes I'm not there for admin and this allows one of my mates to log in and do the administration. Is there a way to have this accessible by the account without it being public?

No worries. Re point 1, no, not that I'm aware of. You could register for dynamic DNS and tell your mates the name allocated. If it's listed as public, then it is public and will show up in the ED server list, to the best of my knowledge. Point 2: if your mate had a static IP, or an IP that doesn't change that often, then you could simply add an inbound rule on your ingress filtering device (firewall, whatever you use) to only allow the specified source IPs to connect to the Web UI service. Or, probably the best way, is to simply set up an IPsec VPN for your mate, and that will effectively only allow access via the established tunnel. Bear in mind in this scenario there is the potential for him to have access to your entire local network/s, so filter his access inbound via the tunnel accordingly 😉 This solution assumes you have the requisite hardware, obviously.

 

 


Edited by zildac


Just basic hardware on this end, sorry. I will look into those options tho; I'm still getting my head round the whole web server hosting stuff at the moment.

 

Today, while those things were being blocked, I was connected locally to the web GUI and none of my mates were trying to access it. That's what worries me; they were specific to the DCS exe too. I wonder if we get lucky and one of the devs pops in to shed some light on it.


  • ED Team

Hi,

Information about ports and protocols used for DCS World:

DCS uses outgoing connections to

HTTP http://www.digitalcombatsimulator.com:80

HTTPS http://www.digitalcombatsimulator.com:443

XMPP master.eagle.ru:5222

For multiplayer game traffic DCS uses both TCP and UDP on port 10308.

For voice, TCP and UDP on port 10309.

webgui_port = 8088


Forum rules - DCS Crashing? Try this first - Cleanup and Repair - Discord BIGNEWY#8703 - Youtube - Patch Status

Windows 11, NVIDIA MSI RTX 3090, Intel® i9-10900K 3.70GHz, 5.30GHz Turbo, Corsair Hydro Series H150i Pro, 64GB DDR @3200, ASUS ROG Strix Z490-F Gaming, HP Reverb G2

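Putting zildac's earlier suggestion (only allow the admin's source address to reach the Web UI) together with the port list BIGNEWY gives above, here is an added example of how to express that on the server PC's own Windows firewall. It is not ED's code or anything from this thread; it assumes the default install path quoted in the first post, the ports listed above, and a placeholder admin address (203.0.113.10 is a documentation IP, replace it with your mate's real address or a small range). On a home connection the router's port forward is what actually exposes the service, so this is a second layer behind that, not a substitute for removing a forward you do not need. Run it from an elevated PowerShell on the server.

```powershell
# Added example (not ED's or the thread's code): scope the DCS dedicated server's
# inbound firewall rules so the game ports are open to everyone and the Web GUI
# port accepts connections from the admin's address only.
# Assumptions: the default install path from the post, the ports BIGNEWY listed,
# and a placeholder admin address (203.0.113.10 is a documentation IP).
$DcsExe     = 'C:\Program Files\Eagle Dynamics\DCS World OpenBeta Server\bin\DCS.exe'
$WebGuiPort = 8088            # webgui_port from the post; change here if you move it
$GamePort   = 10308           # multiplayer traffic, TCP and UDP
$VoicePort  = 10309           # voice traffic, TCP and UDP
$AdminIP    = '203.0.113.10'  # placeholder: your mate's public IP or a small range

function Get-DcsListeners {
    # Shows what is actually listening on the DCS ports and which process owns
    # each socket, so you can confirm the Web GUI is bound before writing rules.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -in $WebGuiPort, $GamePort, $VoicePort } |
        Select-Object LocalAddress, LocalPort,
            @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess).ProcessName } }
}

function Remove-DcsCatchAllRules {
    # Windows adds a broad "allow this program" rule when DCS first listens.
    # That rule would let any source reach the Web GUI, so drop it before scoping.
    Get-NetFirewallApplicationFilter -Program $DcsExe |
        Get-NetFirewallRule |
        Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
        Remove-NetFirewallRule
}

function New-DcsScopedRules {
    # Game and voice ports: open to any source, on both transports.
    foreach ($proto in 'TCP', 'UDP') {
        New-NetFirewallRule -DisplayName "DCS game $proto" -Direction Inbound -Action Allow `
            -Program $DcsExe -Protocol $proto -LocalPort $GamePort, $VoicePort -Profile Any | Out-Null
    }
    # Web GUI: allowed only when the remote address is the admin's.
    New-NetFirewallRule -DisplayName 'DCS WebGUI admin only' -Direction Inbound -Action Allow `
        -Program $DcsExe -Protocol TCP -LocalPort $WebGuiPort -RemoteAddress $AdminIP -Profile Any | Out-Null
    # Anything else inbound falls through to the profile default, which we set to Block.
    Set-NetFirewallProfile -All -DefaultInboundAction Block
}

Get-DcsListeners | Format-Table -AutoSize
Remove-DcsCatchAllRules
New-DcsScopedRules
Get-NetFirewallRule -DisplayName 'DCS*' | Format-Table DisplayName, Enabled, Action
```

Two points on the design. The catch-all rule is removed rather than overridden because Windows Firewall evaluates Block rules before Allow rules, so a blanket block on 8088 would also shut out the admin; scoping the Allow rule with -RemoteAddress is the way to get "this address only". And when the admin's address changes (the caveat zildac raises), only the one rule needs updating: `Set-NetFirewallRule -DisplayName 'DCS WebGUI admin only' -RemoteAddress <new address>`.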

Got all that sorted 🙂 easiest game set up I've ever done, thanks for that by the way 🙂

 

What about the inbound connection attempts through port 8088 to my server DCS.exe? Blocked for Trojans and compromises; is it legitimate?

I should note that I do not get these "blocks" when the server exe isn't running.


Edited by PSYKOnz


1 hour ago, PSYKOnz said:

Got all that sorted 🙂 easiest game set up I've ever done, thanks for that by the way 🙂

 

What about the inbound connection attempts through port 8088 to my server DCS.exe? Blocked for Trojans and compromises; is it legitimate?

I should note that I do not get these "blocks" when the server exe isn't running.

 

I suspect those inbound connections to your Web UI are just Internet scan "noise". The reason they are "hitting" DCS.exe is because that is the process that launches/hosts the Web UI component and underlying MP server. Either block access to your WebUI from the Public side or let it go. The only real worry would be if a vulnerability were to be found in the WebUI and/or the underlying HTTP server component, but that point rings true for ANY service that you allow unrestricted inbound access to from the "dirty" Internet 😉

 

 

 


Edited by zildac

1 minute ago, PSYKOnz said:

When you say scan noise what do you mean? Is it the DCS WebUI doing scans or is it other sites or people sweeping through trying to break through?

If the source IP addresses you are seeing are "public" then it is likely just scan noise. Skiddiez doing scans for known ports hosting services (HTTP in this case) in the hope they can "pop" one. Example: the open-source Asterisk PBX software uses port 8088 for its admin GUI, so (and this is complete speculation, but just to demonstrate) someone is looking for vulnerable or unsecured instances of the Asterisk PBX Web UI, which just happens to run on the same port as ED use for the DCS Web UI... If you’re feeling really paranoid, grab a packet capture, upload it and link it, and I'll take a look. But I would suggest the first thing to do is not worry too much about it; it's highly likely it's not targeted at YOU personally. And secondly, don't publish your Web UI publicly.


I'll try to grab Wireshark and grab a packet capture some time soon, just out of pure curiosity. Wouldn't hurt to know.

When you say don't publish your WebUI publicly what exactly do you mean? Do you mean having your ports open or do you mean having your actual connection information free and available to be found?

 

I'm so very sorry for all the stupid questions, this is all very new to me and I'm trying to wrap my head around all this

 


No worries. I mean the former, don't have the service/port open publicly.


Yea, I'm thinking more and more about stopping the port for that.

There isn't by chance a way to change the port to another one, one that's not likely to be pinged in the same way?

 


8 minutes ago, PSYKOnz said:

Yea, I'm thinking more and more about stopping the port for that.

There isn't by chance a way to change the port to another one, one that's not likely to be pinged in the same way?

 

Yup, you can change the port in the dedicated server for both the game itself and the Web UI see here:

 

 


Awesome, I'll start there

Is it possible to use the same ports as the game does? 

As in 10308 for both game and WebUI?

Cause I have to have 10308 open anyway, less ports open is better I'm assuming 

or is 443 a better option?


Edited by PSYKOnz


Look into using a Dynamic DNS service for you and your admin friend. Change the port on the WebUI and then only open that port in the firewall to the IP address of your friend; everything else will be blocked. Sleep better then 😀 and don't worry so much.


Ooooooook so, been a busy day...

 

I've removed 8088 from my port forward, and I've also made my server private. So far I haven't had any of those blocks pop up, and GlassWire is muuuuuch quieter: only the main DCS host and the connected players on it now. So far so good.

I also posted in the MBAM forum about it. They scanned the IP addresses that I gave them and found that there is malware on those addresses; here's the link if you're interested:

https://forums.malwarebytes.com/topic/288072-i-really-hope-these-are-fps-website-blocked-due-to-trojancompromise/#comment-1523062

They have been super helpful in the matter, hopefully everything is all good!

Next up I need to sort the admin stuff, we're getting there tho!
