Hey guys. Someone spawned a bunch of stuff on our Toronto server last night. Checking the logs, it turns out they did it via rcon. After some consideration of how they may have got the rcon password to the server, I found an exploit. This exploit, if done correctly, reveals the rcon password to a client. I think we caught this one pretty early and I acted as swiftly as I could.
So if you’re a server owner make sure your server is up to date and change your rcon password as a precaution. It may be worth your time checking your logs for any suspicious rcon activity, and check your user lists to make sure no admins have been added.
If you’re a player and you can’t join your favourite server – then it is out of date. I know this is a shitty time to force a server update but this really couldn’t wait.
Fixed rcon password exploit Fixed item dupe exploit