-----
tl;dr if you're playing in a casted match make sure you use a fresh IP and keep it hidden as best as you can, because someone has been collecting IPs for as many TF2 players as he could
-----
First of all, the word "hacker" from the title could mean a person using technology in some clever way (with no evil in mind), or it could be the media's definition of the word, meaning a computer criminal.
I don't know for sure the intent of this person, so I'll leave open what kind of hacker we're dealing with here.
Late last night I found out that someone has been downloading the zipfiles for all serveme.tf and na.serveme.tf reservations for the past 5 weeks. These zip files contain two things, the STV demos and the server logs files. Server log files contain the connect info of a player (IP).
Normally these zip files are only accessible for people playing in the reservation, the link to download them is not given out to other people. There is no login-restriction on the download though, so you could share the link to the zip file with a friend for example.
Now the hacker wrote a bot to scrape the serveme.tf's new reservation form (to get a list of servers) and the recent reservations page. By combining the information the bot could construct the zip file URLs of the recent reservations and schedule a download at the expected end time of a reservation.
All of this became apparent by looking at my serveme.tf webserver logs. Automated visits to the reservation page every 10m, the subsequent downloads of all the zips. But I also noticed a few HTTP referrers in the download of some zip files. This is the origin site of an incoming link to your site, meaning the hacker had a site where he sometimes would click on a zip URL hosted on serveme.tf.
Using this HTTP referrer, I was able to find one of the control pages for the bot and made this screenshot:
http://i.imgur.com/T1KGNQf.png
As you can see, it's quite a fancy tool, and this is just one PHP page, there might be more. Now I can certainly commend someone for building something like this, however that screenshot has 2 scary parts that make me think that STV demos might not be the reason for this tool to exist.
There's a "x connection sequences processed" message, underneath a table that has a column "IP address" and "MySQL". This means that this tool would search through the logfiles of downloaded zips and enter all found players, their names, steam ID and IP in a database so it can be easily queried.
In my search for this person I found some interesting things about the hacker:
- A couple of older alt accounts, ending their activity when a new account would start getting used
- Ton of played games on TF2Center, with a lot of ban requests filed for hacking. No hard proof, just some really good logs.tf stats
- UGC team
- A number of home IP addresses
- Recently donated to na.serveme.tf, with a fake name and address
I've contacted this person and he insists he's just downloading these files for the STVs, but interestingly the VPS hosting the site and bot has been taken offline.
Now this is all could be coincidental, but recently we've also seen an uptick in DDoSes directed at the TF2 community. Most recently the DDoSing of TF2Center (server got DDoSed), and the froyo vs street hoops match (players getting DDoSed). Especially in the last case a database of players and their IPs would be very useful.
Which leads me to the following actions and recommendations:
- If you're in a casted match, make sure your IP is secret
- serveme.tf will start removing IPs from logs (like logs.tf does)
- serveme.tf will add a random component to the ZIP URLs so someone can't just start guessing them all
I've asked the person responsible to reply in this thread.