Hacking and StarCraft

I have also been hacked by a player not trying to hide it and announcing it every time. His handle is “moon-rf-” aka “Redhotmoon”. He is able to log me out and DDOS me without being in the lobby or game. It also resulted in corrupting the map I was playing at the time (Who’s the killer space edition 2.7). I tried deleting all artifacts/maps with the killer name in it, including dozens of maps auto-saved to the replay folder.

Now when I join someone hosting that map, the download dialog appears but there’s no DL counter, then I enter the lobby and I don’t see the preview. If I check my SC download folder, the map is there. If game starts, I’m logged out and receive an error message “Invalid scenario”. I also had a friend email me the map but it makes no difference. What this is telling me is that he’s inserted some malicious script that remains in my SC installation and this is very disturbing.

What it does is completely block my internet access for a while. It seems to mess up my wifi router and things only clear up when the router resets after about 5 minutes.

I hope SC staff starts to take this stuff seriously!

Also, the person goes by “redhotmoon” and has been doing the same thing to many people. My antivirus captured the IP addresses he was using and this:

Category: Firewall - Network and Connections
Date & Time,Risk,Activity,Status,Recommended Action,Category
8/27/2019 10:53:47 PM,Info,IP address has disappeared from adapter Intel® Wireless-AC 9462 (IP address: fe80::6d0f:311b:891b:abf9%22).,Detected,No Action Required,Firewall - Network and Connections
8/27/2019 10:03:40 PM,Info,IP address has disappeared from adapter Intel® Wireless-AC 9462 (IP address:,Detected,No Action Required,Firewall - Network and Connections
8/27/2019 10:04:49 PM,Info,“Protecting your connection to a newly detected network on adapter “Intel® Wireless-AC 9462” (IP address:”,Detected,No Action Required,Firewall - Network and Connections
8/27/2019 10:11:18 PM,Info,IP address has disappeared from adapter Intel® Wireless-AC 9462 (IP address: 2600:1700:d480:76f0:e82c:4846:50a:ee84).,Detected,No Action Required,Firewall - Network and Connections

UPDATE: I created a web ticket to address this issue and Blizzard responded. Rather than see me reporting a huge security hole and liability issue as a favor and investigating, they claimed what I reported is not possible and blamed me using 3rd party software (like Skype to chat) - which I was not using. I was not using any 3rd party software and in fact no other programs were open, nor have I ever used any 3rd party software in relation to SC.

I am sorely disappointed in Blizzard’s failure to admit there is a problem and blaming it on the customer. I still have hope they will change their denial attitude and take this seriously. If they do not, then I will possibly file a class-action lawsuit to get their attention (please contact me if you might wish to join this).

@PsYChiC: Thanks, great advice, but I shouldn’t have to pay for a VPN and the free ones slow down the game too much. PS - the map issue has nothing to do with the latest update. I played that map for many days subsequent to the last update with no issues. Apparently, whatever script this hacker is running also corrupts the map you’re in when they execute the script. The same thing happened to timmeh503 who posted above and was also hacked by the same guy. Also, I can’t even play that map anymore - it downloads when I join but is still corrupt, while the other players go on to play the map just fine.

Not exactly hacking, but there is a user just screaming for a ban: Eby_Ty3uk. He has an offensive name, he is incredibly productive spamming public chats offending everyone, and he spams offensively during the game as well. Seems like being toxic is the only thing he is good at. I am sure he was reported, so why the hell is he still not banned from the server???


I created a web ticket also… talked to an admin about that. The so-called admin said it is not possible. First, that comment “that is not possible” is quite an insult. I want to state that IT IS POSSIBLE to get your IP address since StarCraft Brood War is a P2P game! Please Blizzard, don’t insult us! We are not stupid. These people that DDoS other players use an IP SNIFFER to get the IP addresses. There was a program called WLauncher that had the ability to capture IP addresses of those who came into a game lobby (it showed the IP addresses with the screen names associated with them) – and it gave the host the option to IP ban players who either trolled or team killed, because some players just change their screen name to rejoin the lobby to troll again.

So when an administrator said that it’s not possible, they are flat out lying to our faces. As long as StarCraft 1 is a P2P network, people can always find your IP address.

The question now is: What will Blizzard do? The answer is simple… Nothing. This topic falls on deaf ears. Even with evidence provided to them, these people working at Blizzard just don’t care. The game is free — they don’t make money from fixing the situation. Some of us bought the remastered pack as well as the carbot skin because we want to support Blizzard. We want Blizzard to be able to keep their server running so we can keep playing the games we always wanted to play. This is an insult to the players and a bad business practice (Blizzard is basically a swindler), for Blizzard to shove us in the corner and ignore us when we are basically telling them “Hey! Take our MONEY!!! Keep the server running and fix issues like hacking, ddosing, and map crashing.”

I like playing with you Amapapo. To quote how I feel about Blizzard — the best way to describe Blizzard is from a quote from Macbeth Act 5 Scene 5 – "[Blizzard is] a poor player, that struts and frets his hour upon the stage, and then is heard no more [when the game fails because nobody plays it anymore]: it is a tale told by an idiot, full of sound and fury [advertising remastered and carbot skin to improve playing experiences], signifying nothing [when Blizzard doesn’t even care about the players that invested their hard-earned money into Blizzard]. Blizzard is a used car salesman; he boasts about all the bells and whistles on the game only to leave you with a bitter aftertaste because you ended up with a lemon instead."



Thank you sir!
FYI, I have started a separate thread specifically for the problem of sniffing IP addresses and DDOS attacks, here:

Hey folks,

Regarding the DOS/DDOS attacks, we have taken action on the perpetrator based on the evidence provided, so thank you for that.

It sounds like the attacks are happening outside of Blizzard’s domain. Ultimately, there is nothing we can do to prevent a DOS (or DDOS) attack which occurs outside of the Blizzard infrastructure.

However, here are some suggestions to try as preventative action:

  • Alert your ISP to the attack, providing as much data as you can. The penalties for DOS attacks are severe these days (even for threatening an attack) and your ISP will likely take this seriously, especially if you have IP addresses and timestamps of the attack. On top of following up with law enforcement, they may be able to provide additional protections on their side.
  • If it’s a DOS attack rather than a DDOS attack, you should be able to configure your router to block all traffic from the IP address. It’s unlikely to be a true DDOS, as these are expensive and non-trivial to coordinate. It’s unlikely to be more than a handful of offending IP addresses that you/your ISP could block.
  • As previously suggested, disable "prefer port 6112" in the SCR options, and ensure your router is not forwarding port 6112. By default, your router should not be permitting random traffic to any port to reach your network. If you have manually forwarded port 6112 or other ports on your router, these are potential vulnerabilities.
  • If you have a dynamic IP address, re-lease your IP address to try to get a different one.
  • As has already been suggested in this thread, using a VPN will allow you to easily cycle through various IP addresses. The VPN provider may also be able to filter out traffic from the offending IP address.
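
For the first suggestion above (giving your ISP IP addresses and timestamps), an added example that is not part of the original post or any Blizzard tooling: a parser for a firewall export in the CSV layout quoted earlier in this thread. It labels each address by scope, so link-local and private entries, which never leave your own network, are not mistaken for a remote host; the sample rows, adapter name and addresses are constructed placeholders.

```python
import csv, io, ipaddress, re
from datetime import datetime

# Constructed sample in the export layout quoted in this thread. Adapter name and
# addresses are placeholders (documentation, private and link-local ranges).
SAMPLE = """Date & Time,Risk,Activity,Status,Recommended Action,Category
8/27/2019 10:53:47 PM,Info,IP address has disappeared from adapter Wi-Fi (IP address: fe80::1%22).,Detected,No Action Required,Firewall - Network and Connections
8/27/2019 10:03:40 PM,Info,IP address has disappeared from adapter Wi-Fi (IP address:,Detected,No Action Required,Firewall - Network and Connections
8/27/2019 10:04:49 PM,Info,Protecting your connection to a newly detected network on adapter Wi-Fi (IP address: 192.168.1.23),Detected,No Action Required,Firewall - Network and Connections
8/27/2019 10:11:18 PM,Info,IP address has disappeared from adapter Wi-Fi (IP address: 2001:db8::50a:ee84).,Detected,No Action Required,Firewall - Network and Connections
"""

TS_FORMAT = "%m/%d/%Y %I:%M:%S %p"
ADDR_RE = re.compile(r"IP address:\s*([0-9A-Fa-f:.]+(?:%\w+)?)")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def scope(addr):
    """Say how far an address can be reached from."""
    if addr.is_link_local:
        return "link-local"   # fe80::/10, 169.254/16: valid on the local segment only
    if any(addr.version == n.version and addr in n for n in PRIVATE_NETS):
        return "private"      # RFC 1918 / ULA: behind your own router
    return "routable"

def parse_export(text):
    """Return one dict per row, oldest first, with ISO time, address and scope."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        when = datetime.strptime(row["Date & Time"], TS_FORMAT)
        match = ADDR_RE.search(row["Activity"])
        addr = None
        if match:
            raw = match.group(1).rstrip(".").split("%")[0]  # drop zone id such as %22
            try:
                addr = ipaddress.ip_address(raw)
            except ValueError:
                addr = None   # truncated or malformed address in the export
        events.append({"time": when.isoformat(),
                       "address": str(addr) if addr else None,
                       "scope": scope(addr) if addr else "missing"})
    return sorted(events, key=lambda e: e["time"])

def routable_events(events):
    """(time, address) pairs whose address is routable beyond the local network."""
    return [(e["time"], e["address"]) for e in events if e["scope"] == "routable"]

if __name__ == "__main__":
    print(*parse_export(SAMPLE), sep="\n")
```

In messages of the kind shown in the sample, the address belongs to the local adapter, so read the activity text alongside the scope label to see whose address a row records.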

As many have stated above, there is a group of dos attackers in clan -rf-.
Anyone in clan -rf- should just be looked at for the community’s sake. The Xu-rf- player in particular has dos attacked me over and over again and I’ve spent maybe 50 hours attempting to connect my internet instead of enjoying my night because of him. He also goes by “Frux”. There needs to be an IP ban mechanism for these people, or StarCraft will eventually cease to exist again just like it did in early 2017 before the remaster; hackers and abusers killed it slowly then and it will happen again unless action is taken.


Hi Grant,

Thank you for addressing this issue and sharing methods to help protect ourselves.

As you’re probably aware, the Blizzard West servers were DDOS’d today. Friends have advised me that the same hacker (redhotmoon/moon-rf-/red-hot-moon and other variants) was just online an hour ago and bragged about DDOS’ing the Blizzard server.

My friends also have purported information that identifies this individual by name and phone number in Canada.

This is getting pretty serious now, like major league criminal actions. Feel free to reach out if you would like to corroborate this information or ask more questions. If this type of activity isn’t dealt with and the very hackers performing a DDOS are able to continue to log into the game, then it’s going to ruin a legendary game for good.

Hi, I’m having a DDoS attack every time I try to play a game.
Suddenly my ping of 8 goes to 60ms, my FPS freezes for 3 secs, and my units are gone. GG

The outage on US West was simply a software failure in the automatic deploy process, not an attack.


Clan rF doesn’t support the denial of service attacks or the users deploying them.
It would be nice if Blizzard was able to patch or mask the IP leak for player-hosted matches.
Halo MCC used the old network module as well and they were able to mask IPs after encountering these same issues.

I have a question. Okay, two. Will cheat codes be allowed in multiplayer, and also, are you banning people who use cheat codes in the campaigns? (Never mind)


Is this problem affecting LAN?


wow…cool thing_!!!_cc

The same person (redhotmoon) is again using the SC platform to threaten DDOS attacks and then executing them. He’s again DDOS’d me and another friend. This time I saved a replay file with him threatening the attack and then immediately executing the attack. He admits he’s redhotmoon using the new handle “forza_juv”.

Why hasn’t this person’s license been revoked and their VPN or ISP banned?


Is anything being done about this? I’m encountering drophacks and am blocked from logging in frequently.


I’ve been having lag and disconnection issues in the last week or so. I’ve been suspiciously disconnected and logged out of games and rooms.

Hopefully you guys get them all.

I made a report and provided evidence of a hacker getting my IP and other information.
Support’s reply was just that there’s no way anyone can obtain that information through the game even though it had happened and I provided proof.

Sounds like they need to release a memo for the support team about classic games’ IP leak vulnerabilities.


Hi, where can I report a map hacker player???