I have this guy on my server who is changing the names of everyone who's on the server. He isn't visible on the scoreboard and can only be seen through xray on Falco's Small Scripts. He's been unfreezing people's props, igniting everything and changing jobs every 2 seconds or so.
Also, everyone's consoles were just spammed with this:
[CODE]
T [lua/autorun/robberplayer.lua][lua/autorun/legs.lua]
TEST [lua/autorun/serialiser.lua][lua/autorun/legs.lua]
TEST [lua/autorun/server_globals.lua][lua/autorun/legs.lua]
TEST [lua/autorun/sim_shared_fas.lua][lua/autorun/legs.lua]
TEST [lua/autorun/slowelisnpcs.lua][lua/autorun/legs.lua]
TEST [lua/autorun/slowelisplayers.lua][lua/autorun/legs.lua]
TEST [lua/autorun/soundscript.lua][lua/autorun/legs.lua]
TEST [lua/autorun/textscreens_util.lua][lua/autorun/legs.lua]
TEST [lua/autorun/von.lua][lua/autorun/legs.lua]
TEST [lua/autorun/weapon_sounds_fas1.lua][lua/autorun/legs.lua]
TEST [lua/autorun/weapon_sounds_fas2.lua][lua/autorun/legs.lua]
TEST [lua/autorun/wire_load.lua][lua/autorun/legs.lua]
[Legs Mod] lua/autorun/legs.lua:227: attempt to call method 'GetPos' (a nil value)
1. Render - lua/autorun/legs.lua:227
2. fn - lua/autorun/legs.lua:322
3. unknown - addons/ulib/lua/ulib/shared/hook.lua:183
TEST [lua/entities/gibmod_gib/cl_init.lua][lua/entities/gibmod_gib/cl_init.lua]
FOUND IN ADDON [118314978]
TEST [lua/entities/gibmod_gib/init.lua][lua/entities/gibmod_gib/cl_init.lua]
TEST [lua/entities/gibmod_gib/shared.lua][lua/entities/gibmod_gib/cl_init.lua]
[Gib / Gore Mod] lua/entities/gibmod_gib/cl_init.lua:17: attempt to index field 'emitter' (a nil value)
1. unknown - lua/entities/gibmod_gib/cl_init.lua:17
TEST [lua/autorun/92_saddam_playermodel.lua][lua/autorun/legs.lua]
TEST [lua/autorun/agent_47_player.lua][lua/autorun/legs.lua]
TEST [lua/autorun/cj.lua][lua/autorun/legs.lua]
TEST [lua/autorun/client.lua][lua/autorun/legs.lua]
TEST [lua/autorun/colorable_vehicles.lua][lua/autorun/legs.lua]
TEST [lua/autorun/cookies114.lua][lua/autorun/legs.lua]
TEST [lua/autorun/extramats.lua][lua/autorun/legs.lua]
TEST [lua/autorun/fas2_shared.lua][lua/autorun/legs.lua]
TEST [lua/autorun/fas2_unoffrifles_sounds.lua][lua/autorun/legs.lua]
TEST [lua/autorun/fbi_pack.lua][lua/autorun/legs.lua]
TEST [lua/autorun/gdcwassault.lua][lua/autorun/legs.lua]
TEST [lua/autorun/gdcwgunner.lua][lua/autorun/legs.lua]
TEST [lua/autorun/gdcwpistols.lua][lua/autorun/legs.lua]
TEST [lua/autorun/george.lua][lua/autorun/legs.lua]
TEST [lua/autorun/gibmod.lua][lua/autorun/legs.lua]
TEST [lua/autorun/guard_pack.lua][lua/autorun/legs.lua]
TEST [lua/autorun/humanhunterplayermodel.lua][lua/autorun/legs.lua]
TEST [lua/autorun/illusive_man_player.lua][lua/autorun/legs.lua]
TEST [lua/autorun/legs.lua][lua/autorun/legs.lua]
FOUND IN ADDON [113585399]
TEST [lua/autorun/luapad.lua][lua/autorun/legs.lua]
TEST [lua/autorun/luapad_editor.lua][lua/autorun/legs.lua]
TEST [lua/autorun/lwcars_volvos60.lua][lua/autorun/legs.lua]
TEST [lua/autorun/lwcars_volvos60police.lua][l[/CODE]
[thumb]http://cloud-4.steampowered.com/ugc/3298063116809100227/AAB7F56C017A258B140805AA4299B4580EB659B1/1024x576.resizedimage[/thumb]
What do I do? I really have no idea what to do here.. I can't find any info on him whatsoever. Again, whoever it is this time did a real good job at fucking shit up :v:
[editline]22nd February 2014[/editline]
Oh and for the record, no sv_upload or rcon is enabled.
[editline]22nd February 2014[/editline]
Ok, I managed to get him to talk through voice chat on the server and he's using text to speak and his name is appearing as other people's names randomly.
I also had a lua_run error in the console too.
[editline]22nd February 2014[/editline]
He just said "Well, you guys have been fun. I'm sorry in advance for this"
Then the server crashed
Here's what it says in RCON:
[code]
[ERROR] test1:1: bad argument #1 to 'SendLua' (string expected, got no value)
1. SendLua - [C]:-1
2. func - test1:1
3. runthis - RunString:315
4. func - RunString:326
5. unknown - lua/includes/modules/net.lua:31
[/code]
This is what came up beforehand... Exploit?
[code]
[Textscreens (as seen on SammyServers.com)] RunString:7: attempt to call method 'OldGetPos' (a nil value)
1. GetPos - RunString:7
2. unknown - lua/entities/sammyservers_textscreen/cl_init.lua:20
[/code]
[editline]22nd February 2014[/editline]
Tracked his page down for anyone who's wondering.
[url]http://steamcommunity.com/profiles/76561198055634579[/url]
One of your addons/gamemode has a backdoor.
Think it might be textscreens?
[Textscreens (as seen on SammyServers.com)] RunString:7:
Seems a bit suspicious
[editline]22nd February 2014[/editline]
He deleted all the logs so I don't have any more info :c
[QUOTE=Chizbang;44007656]Think it might be textscreens?
[Textscreens (as seen on SammyServers.com)] RunString:7:
Seems a bit suspicious[/QUOTE]
I will check its source code. Meanwhile you should remove it from your server ( and restart it ) and see if anything changes.
Yeah. He's left ever since he crashed it. Hopefully that's the last of him. Removing now.
PS:
His name rings a bell, he dates back to the last attack I had.
Unfortunately, I can't find out much more about him because he deleted all my server's logs. I managed to ban his SID though, hopefully that's the last of it
[editline]22nd February 2014[/editline]
We're now being DDOSed haha
Not seeing any obvious backdoors in [URL="http://steamcommunity.com/sharedfiles/filedetails/?id=109643223"]Textscreens (as seen on SammyServers.com)[/URL] CTRL - F'ing the files hasn't found any occurrences of RunString for me.
[QUOTE=TylerB;44007796]Not seeing any obvious backdoors in [URL="http://steamcommunity.com/sharedfiles/filedetails/?id=109643223"]Textscreens (as seen on SammyServers.com)[/URL] CTRL - F'ing the files hasn't found any occurrences of RunString for me.[/QUOTE]
Yeah, me neither. It errors because attacker fucked up Entity:GetPos or something.
@Chizbang, put this into top of lua/includes/init.lua:
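[code]
-- Detour RunString: log every call (code + call stack) before running it.
local txt = ""
local ostime = os.time()
if ( !oldRunString ) then oldRunString = RunString end

function RunString( ... )
    -- tostring() each argument: table.concat errors on non-string values
    -- such as a boolean handleError argument.
    local args = { ... }
    for i = 1, select( "#", ... ) do args[ i ] = tostring( args[ i ] ) end
    local trace = debug.traceback()

    print( "RunString: ", ... )
    print( trace, "\n" )

    txt = txt .. "\n\n\nCode:" .. table.concat( args, " " ) .. "\n" .. trace
    -- Write before executing, so the log survives if the code crashes the server.
    file.Write( "Runstrings" .. ostime .. ".txt", txt )

    return oldRunString( ... )
end
[/code]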
This should print you the code being executed and the file it was executed from. It will also save it to a file, I hope you don't use RunString too much on your server. Hopefully, if someone else tries to use that backdoor/hack/exploit, you'll be able to detect its source.
Never ever used runstring. (Not to say that my addons do) that script should be ideal. Thanks a lot Robotboy, I'll keep you posted.
Hey shizbang, I'm having a similar problem: [url]http://facepunch.com/showthread.php?t=1367945&p=44008296#post44008296[/url]
Ah, just a heads up: They will almost definitely DDOS and yes I mean they. There's more than a few of these guys. Contact me and I'll see if I can dig out the SIDs you need to ban.
Can't find anything in my data folder and I'm getting similar issues to what I had yesterday before the hacker showed himself:
[url]http://plexrp.co.uk/forum/showthread.php?tid=553[/url]
Pretty much everything wire (including e2) is banned on the server for everyone... That John Doe guy was doing the same yesterday, I'll keep you posted.
[QUOTE=Chizbang;44016376]Can't find anything in my data folder and I'm getting similar issues to what I had yesterday before the hacker showed himself:
[url]http://plexrp.co.uk/forum/showthread.php?tid=553[/url]
Pretty much everything wire (including e2) is banned on the server for everyone... That John Doe guy was doing the same yesterday, I'll keep you posted.[/QUOTE]
Then he either removes the files or is using another way to gain access to your server. Post your FULL list of addons so we can compare it to other servers with the same issue.
Will do! I'll also send you the source of all my custom addons. The picture of the addons I have installed is most of all of them though. I'll be back soon and I'll send it all over
- Thanks
Certain addons are allowing him to fuck with shit, that's what's happening. It's just some really fucked addon stuff
I added you to deal with it yesterday, still haven't accepted
:L
[QUOTE=zerothefallen;44020290]I added you to deal with it yesterday, still haven't accepted
:L[/QUOTE]
And what exactly do you plan to do to "deal with it"?
[QUOTE=Robotboy655;44020865]And what exactly do you plan to do to "deal with it"?[/QUOTE]
He seems to do this with every server reporting backdoors.
I got multiple reports of him actually using backdoors and then spamming things like "LennyPenny was here" in the chat though. Really weird.
[editline]23rd February 2014[/editline]
[QUOTE=Robotboy655;44008131]runstring detour[/QUOTE]
What about compilestring, -file and scripts running lua_run in the console though?
[QUOTE=LennyPenny;44022142]He seems to do this with every server reporting backdoors.[/QUOTE]
That's what bothers me. He helps people to "deal with it", but never reports the backdoor?
[QUOTE=LennyPenny;44022142]What about compilestring, -file and scripts running lua_run in the console though?[/QUOTE] The errors show that RunString was used, so that was my first guess.
As requested heres my very latest:
[IMG]http://s28.postimg.org/5zj42we58/Steam_Workshop_Plex_RP.jpg[/IMG]
[QUOTE=Robotboy655;44020865]And what exactly do you plan to do to "deal with it"?[/QUOTE]
download his entire server into 1 .txt file
ctrl + f "Runstring" and various other possible shit
p much will always find the BD
[editline]24th February 2014[/editline]
[QUOTE=Robotboy655;44022225]That's what bothers me. He helps people to "deal with it", but never reports the backdoor?
The errors show that RunString was used, so that was my first guess.[/QUOTE]
[img]http://puu.sh/78d2F.png[/img]
[img]http://puu.sh/78d6d.png[/img]
[url]http://facepunch.com/showthread.php?t=1366739&p=43979312#post43979312[/url]
thx for making me look bad tho. I've already found 3 separate backdoors in people's servers and I've been trying to fix it. Though so far, none of them come from an add-on, just simply placed in there specifically.
Got this by searching all of my non-workshop addons:
[code]
Searching 1612 files for "runstring"
/Users/James/Downloads/files_20140223173328/ULX Shit/ulx/lua/ulx/modules/sh/rcon.lua:
19 end
20
21: RunString( command )
22
23 if return_results then
/Users/James/Downloads/files_20140223173328/ulx/lua/ulx/modules/sh/rcon.lua:
19 end
20
21: RunString( command )
22
23 if return_results then
2 matches across 2 files
[/code]
[editline]24th February 2014[/editline]
Did a scan on my gamemode folder:
[code]
/Users/James/darkrp/gamemode/init.lua:
81 text = net.ReadString()
82
83: RunString(text)
84
85
[/code]
[editline]24th February 2014[/editline]
Removed the backdoor from my DRP but not sure what to do with the ulx one... I think they might have gotten access to my FTP to put that exploit in, surely?
[editline]24th February 2014[/editline]
What's the best way to extract multiple GMA Files?
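Added example, not posted by anyone in the thread: a Python scanner for the search described above, extended to the other entry points raised earlier (CompileString, CompileFile, lua_run via console commands). It marks a call as "network-fed" when its argument comes from a net.Read* call, as in the init.lua match. The two sample snippets and the net message name are constructed for illustration.

```python
import re
from pathlib import Path

# String-execution entry points named in the thread, plus the console route to lua_run.
EXEC_CALL = re.compile(
    r"\b(RunStringEx|RunString|CompileString|CompileFile|"
    r"game\.ConsoleCommand|RunConsoleCommand)\s*\((.*)"
)
# A variable assigned from a net.Read* call, e.g. `text = net.ReadString()`.
NET_ASSIGN = re.compile(r"([A-Za-z_]\w*)\s*=\s*net\.Read\w+\s*\(")


def scan_lua(source, path="<memory>"):
    """Return (path, line_no, function, severity, code) for each exec call.

    severity is "network-fed" when the arguments mention net.Read* or a
    variable earlier assigned from net.Read*, otherwise "dynamic-exec".
    """
    tainted, findings = set(), []
    for no, raw in enumerate(source.splitlines(), 1):
        # Naive comment strip: cuts at `--` or `//` even inside a string literal.
        line = re.split(r"--|//", raw, maxsplit=1)[0]
        assigned = NET_ASSIGN.search(line)
        if assigned:
            tainted.add(assigned.group(1))
        call = EXEC_CALL.search(line)
        if call:
            args = call.group(2)
            names = set(re.findall(r"[A-Za-z_]\w*", args))
            fed = "net.Read" in args or bool(names & tainted)
            severity = "network-fed" if fed else "dynamic-exec"
            findings.append((path, no, call.group(1), severity, line.strip()))
    return findings


def scan_tree(root):
    """Scan every .lua file under root (e.g. an FTP download of the server)."""
    out = []
    for p in sorted(Path(root).rglob("*.lua")):
        out += scan_lua(p.read_text(errors="replace"), str(p))
    return out


# Constructed sample modelled on the init.lua lines quoted in the thread;
# the net message name is hypothetical.
SAMPLE_GAMEMODE = ('net.Receive("example_message", function()\n'
                   '    text = net.ReadString()\n\n    RunString(text)\nend)\n')
# Constructed sample modelled on the rcon.lua match quoted in the thread.
SAMPLE_RCON = "-- RunString in a comment is ignored\nRunString( command )\n"
```

Workshop addons packed as .gma files have to be extracted before scan_tree can see their Lua; a "dynamic-exec" hit is a call to review by hand, not proof of a backdoor.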
[QUOTE=Chizbang;44023932]
Did a scan on my gamemode folder:
[code]
/Users/James/darkrp/gamemode/init.lua:
81 text = net.ReadString()
82
83: RunString(text)
84
85
[/code]
[editline]24th February 2014[/editline]
Removed the backdoor from my DRP but not sure what to do with the ulx one... I think they might have gotten access to my FTP to put that exploit in, surely?
[editline]24th February 2014[/editline][/QUOTE]
How did he manage to place a runstring backdoor in .init? That happened to my last server
fairly sure this is an upload exploit we're seeing, and no, sv_allowupload won't block shit
Think they might have gotten access to my ACP? The guy who last hacked me said he used an SQL injection and he could read ALL the support tickets on the support system. I was talking to a friend of the hacker and he passed the info on to me about what he was doing.
[editline]24th February 2014[/editline]
About 3 weeks after I flagged up concerns to my host about the [B][I]possibility[/I][/B] of an exploit on their backend (which they told me that I was completely wrong about, but that exploit got in there somehow, right?) I got this email:
[quote]
Hello James,
We are sorry to inform you that the ACP control panel has been put in to Emergency Maintenance Mode whilst we fix a problem with it. We are hoping to have it back up and running as soon as the control panel has been fixed, we have been told that it could take between 2-3 hours but we cannot be sure if it will take longer depending on the work that needs to be carried out.
Game servers that were running will remain to run in the background but you will not be able to stop/start/maintain these servers in the mean time.
We will continue to keep you updated on the work and ask that you do not submit any tickets about the downtime.
Best Regards,
- Identity withheld
[/quote]
It's probably just a coincidence, but I just thought I might throw it out there in case. Also, within the time when I had concerns about the ACP being hacked, I had changed my password 4 times all of which were above 15 characters long...
3 people have been hacked lately with the exact same problem.
All running Vilayer.
I suggest everyone with Vilayer to heavily take caution with this server, and contact their support for info.
[QUOTE=zerothefallen;44023550]download his entire server into 1 .txt file
ctrl + f "Runstring" and various other possible shit
p much will always find the BD
[editline]24th February 2014[/editline]
thx for making me look bad tho. I've already found 3 separate backdoors in people's servers and I've been trying to fix it. Though so far, none of them come from an add-on, just simply placed in there specifically.[/QUOTE]
Well alright, I was just throwing out there all possible causes.
So, if this is an upload exploit, I might even know what it is. It might be done by sourcenet3 + sv_allowcslua bypass.
Could have sworn sv_allowcslua was disabled but alas it wasn't.
Maybe it was that alone that caused it somehow
I think DarkRP forces it to be enabled.
[QUOTE=Robotboy655;44028330]I think DarkRP forces it to be enabled.[/QUOTE]
GM.Config.disallowClientsideScripts
Though how the RunString got into init.lua couldn't have been caused by that. It may stop people being able to network to it without a bypasser however.
[QUOTE=Robotboy655;44026852]It might be done by sourcenet3 + sv_allowcslua bypass.[/QUOTE]
That exploit has been patched since forever. Client can't upload files that already exist on the server or files that have a blacklisted extension (including, but not limited to: .lua, .exe, .dll, .cfg).
Update your ARC BANK if u use it - the latest update : THIS IS A MUST-HAVE UPDATE!
Fixed a security exploit where any player can gain admin access if an admin is logged on the server