• Server just got hacked.
    28 replies, posted
So I don't really know much about the issue but our server was hacked about 30 minutes ago. They had full access to our ULX and could ban superadmins/owners. I banned the users and they have unbanned themselves somehow and keep destroying the server. I tried to update ULX and removed rcon from the control panel but the problem still persists. Any help on this would be greatly appreciated. Really didn't want to wake up in the middle of the night to this =X
If they can unban themselves then: A. they use a different, non-banned user to unban them (there must be some exploit via your map, or somewhere in your code); B. they have access to your server console (through rcon, or something).
Well, after this went down I disabled rcon in the control panel. Last I knew, the only map with an exploit like this was 67thway. Do any other maps have an exploit like this? Or could they be doing it another way?
What map are you using? And it could totally be another way. Have you added anybody else's code recently? edit: I'm getting off, but check the logs and see how they add themselves to admin or something, and open the map in notepad++ and ctrl+f for lua_run and see if it has anything to do with admin.
Delete ulx data from data
[QUOTE=J.R.;40386266]What map are you using? And it could totally be another way. Have you added anybody else's code recently? edit: I'm getting off, but check the logs and see how they add themselves to admin or something, and open the map in notepad++ and ctrl+f for lua_run and see if it has anything to do with admin.[/QUOTE] The only code I have added in the past 8 months is some slow motion shit when the round ends. I will do a search for lua_run when I get home tomorrow. Thank you very much for the fast replies! Any other thoughts, please keep 'em coming!
Change your rcon password, and don't give admin to 11-year-old kids.
[QUOTE=SweetTea;40386589]Change your rcon password, and don't give admin to 11-year-old kids.[/QUOTE] If he was hacked, I assume there is some exploit in ULX or the RCON password was found.
There must be a loophole somewhere. Like others said, make sure you know what map you're running. There used to be a TTT map that had a secret button located somewhere that allowed you to ban those of your choosing or something. (Thankfully the new versions either have it removed / it bans you instead)
[QUOTE=SweetTea;40386589]Change your rcon password, and don't give admin to 11-year-old kids.[/QUOTE] Like I said twice, I disabled RCON, and it wasn't domestic; someone gave themselves admin through some kind of exploit.
They have someone on the inside; check the logs to find out who's giving them admin. If it's not RCON and they're both banned, they'd need someone to unban them or exploit something for them; because they're banned.
[QUOTE=J.R.;40386114]If they can unban them self then: A. they use a different non banned user to unban them(there must be some exploit via your map, or somewhere in your code) B. have access to your server console(through rcon, or something)[/QUOTE] What map allows rcon access / unban? wat
[QUOTE=Fabiolous;40388905]What map allows rcon access / unban? wat[/QUOTE] There was a person distributing map versions he supposedly "fixed" which had lua_run entities hidden in them. He would find servers that ran the map and then the lua_run entities would set him as owner in ulx.
[QUOTE=>>oubliette<<;40388299]They have someone on the inside; check the logs to find out who's giving them admin. If it's not RCON and they're both banned, they'd need someone to unban them or exploit something for them; because they're banned.[/QUOTE] Not the case with this, I am 100% sure. [QUOTE=Fabiolous;40388905]What map allows rcon access / unban? wat[/QUOTE] There was a "fixed" version of ttt_67thway in which users could promote themselves to superadmin. 67thway has never been on our server, so I know they did not use that exploit. What worries me is that there is some map/other exploit around that the community doesn't know about yet. I added a bunch of new maps to the server ~2 weeks ago. I will get a list of them and post them on here. Maybe someone can confirm some of these maps' credibility. **edit** Maps recently added:
[code]
ttt_whitehouse
ttt_lttp_kakariko
ttt_mc_skyislands
de_motel_b4
ttt_slender
ttt_minecraft_b5
ttt_lost_temple_v2
ttt_plaza_b7
ttt_lostcoastcity
[/code]
I mean, what map was running when he gave himself admin, or whatever. Because you can just squash the whole map exploit thing just by seeing that.
Place this script in lua/autorun/server and check the data folder for a file named lua_run.txt. This should save what code every lua_run is executing. This should only be a temporary script; remove it after it's unneeded.
[lua]
-- Start with an empty log file each time the script loads
file.Write("lua_run.txt", "")

-- Record the embedded code of every lua_run entity as it is created
hook.Add("OnEntityCreated", "lua_run catcher", function(ent)
    if ent:GetClass() == "lua_run" then
        -- GetDefaultCode() can be nil if the entity carries no code yet; guard the concat
        file.Append("lua_run.txt", (ent:GetDefaultCode() or "") .. "\n----------------------------------------\n")
    end
end)
[/lua]
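The catcher above records code as entities appear. As an added example (my code, not from this thread or from ULX), the script below extends the same idea into an audit of the map-based vector discussed earlier in the thread: it logs every lua_run entity present once the map has finished spawning, plus any created later, tags the map name and a timestamp, and flags code containing tokens that a TTT map's embedded Lua has no reason to contain. The token list and file name are my own choices; it assumes lua_run entities expose GetDefaultCode() as the post above uses, and the one-tick deferral is an assumption that keyvalues are populated by then.

```lua
-- Added example (not from the thread): audit every lua_run entity a map spawns.
-- Save as lua/autorun/server/lua_run_audit.lua; output goes to data/lua_run_audit.txt.
local LOG_FILE = "lua_run_audit.txt"

-- Heuristic (my choice): substrings that have no business in a map's embedded Lua on a TTT server.
local SUSPICIOUS = {
    "ulx", "ulib", "superadmin", "adduser", "rcon",
    "RunConsoleCommand", "http.Fetch", "RunString", "CompileString",
}

-- Entities already written, so map entities are not logged twice by the two hooks below.
local seen = {}

-- Return the list of suspicious tokens found in a code string (case-insensitive, plain match).
local function findSuspicious(code)
    local hits = {}
    local lowered = string.lower(code)
    for _, token in ipairs(SUSPICIOUS) do
        if string.find(lowered, string.lower(token), 1, true) then
            table.insert(hits, token)
        end
    end
    return hits
end

-- Append one log entry for a lua_run entity and echo flagged ones to the server console.
local function logEntity(ent, source)
    if not IsValid(ent) or seen[ent] then return end
    seen[ent] = true
    local code = ent:GetDefaultCode() or ""
    local hits = findSuspicious(code)
    local flags = (#hits > 0) and table.concat(hits, ",") or "none"
    file.Append(LOG_FILE, string.format("[%s] map=%s source=%s pos=%s flags=%s\n%s\n%s\n",
        os.date("%Y-%m-%d %H:%M:%S"), game.GetMap(), source, tostring(ent:GetPos()),
        flags, code, string.rep("-", 40)))
    if #hits > 0 then
        ServerLog("[lua_run_audit] SUSPICIOUS lua_run on " .. game.GetMap() .. ": " .. flags .. "\n")
    end
end

-- Fresh log per script load (i.e. per map change).
file.Write(LOG_FILE, "")

-- Once all map entities exist, record every lua_run the map shipped with.
hook.Add("InitPostEntity", "lua_run_audit_map", function()
    for _, ent in ipairs(ents.FindByClass("lua_run")) do
        logEntity(ent, "map")
    end
end)

-- Also catch lua_run entities created later (by scripts or ent_create).
-- Assumption: deferring one tick lets the entity's keyvalues/code be set before we read them.
hook.Add("OnEntityCreated", "lua_run_audit_runtime", function(ent)
    if ent:GetClass() ~= "lua_run" then return end
    timer.Simple(0, function() logEntity(ent, "runtime") end)
end)
```

Read data/lua_run_audit.txt after each map change; an entry whose flags field is anything other than "none" is the map to pull from rotation and inspect in a text editor, which is exactly the check recommended earlier in the thread.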
sv_allowupload 0. Old ULX hack.
[QUOTE=LimeStoneGmod;40394246]sv_allowupload 0. Old ULX hack.[/QUOTE] This means no custom sprays!
[QUOTE=Pandaman09;40394407]This means no custom sprays![/QUOTE] Who cares? Most of them contained pornographic images of Justin Bieber or Harry Styles, anyway.
[QUOTE=Pandaman09;40394407]This means no custom sprays![/QUOTE] You're right, it's a bad idea. ULX hacking is not a big deal.
[QUOTE=LimeStoneGmod;40394246]sv_allowupload 0. Old ULX hack.[/QUOTE] Not sure if that's true. Can't say as I've experienced this hack, ever. And I've been running ULX for years. Plus, edits to the ULX ban/user files don't load live, I believe. They only load on map load etc.; it should keep the current user/group/ban tables in memory. Also, a lot of you are god retards. Learn to read the replies before telling him the same thing multiple times. @OP: You said you searched an addon for slow motion with "lua_run"; addons don't use lua_run, or am I missing something?
I've had this issue, took me two file wipes until I learned the simple fix. Must be a ULX thing. [highlight](User was permabanned for this post ("alt of leocash" - postal))[/highlight]
Who are the admins of your server? Does any have the ability to admin other people?
-Oh, I'm blind, disregard what I just said-
Shit, this is happening to me also. Yesterday I had a full server of 40 players and one of the guys gained access to my ULX. What is weird is that my rcon pass is over 300 characters long with upper and lower case and numbers. I'm really angry now because I thought ULX was a secure admin plugin. Yes, I'm running the latest version possible as I check every day on the SVN to make sure I'm up to date. Honestly, if hackers can do this to any server this is scary, and even more scary to a server owner like myself. This is a WARNING to all server owners that work countless hours coding their server for their community: if you have ULX, watch your console for any unusual commands by users. ULX is not as safe as people think.
[QUOTE=nickster50;40403433]Shit, this is happening to me also. Yesterday I had a full server of 40 players and one of the guys gained access to my ULX. What is weird is that my rcon pass is over 300 characters long with upper and lower case and numbers. I'm really angry now because I thought ULX was a secure admin plugin. Yes, I'm running the latest version possible as I check every day on the SVN to make sure I'm up to date. Honestly, if hackers can do this to any server this is scary, and even more scary to a server owner like myself. This is a WARNING to all server owners that work countless hours coding their server for their community: if you have ULX, watch your console for any unusual commands by users. ULX is not as safe as people think.[/QUOTE] 300 characters long? Troll or serious? Because I'm not even sure if that's possible, but if it is, what a complete idiot. Either disable rcon, or just use a sensible password set at the command line and NOT stored in a config file. Either way, some idiot with a 300-character-long rcon password = unreliable source of info, imo.
You can solve this entire problem by changing some code so it saves to a file (bans, groups and ranks) somewhere else with a different name. The "hackers" can no longer overwrite the file. It's a really old bug.
Old bump, but it still exists. I got hit today; try this (save it as lua/autorun/exploitstop.lua):
[lua]
-- Keep the original in a local so scripts cannot simply call the saved copy by name
local oGetConVarString = GetConVarString

-- Return a dummy value for the two sensitive convars; pass everything else through.
-- Note: this only covers GetConVarString; other convar accessors are untouched.
function GetConVarString(var)
    if var == "sv_password" or var == "rcon_password" then
        return "getbent"
    else
        return oGetConVarString(var)
    end
end
[/lua]
It still doesn't excuse the fact that there is an exploit floating around that allows people to execute serverside Lua, clientside Lua, etc. I've done some digging and come up with nothing so far, but the only thing I think it could be is RunString.
[QUOTE=Phoenixf129;42136639]Old bump, but it still exists. I got hit today; try this (save it as lua/autorun/exploitstop.lua):
[lua]
-- Keep the original in a local so scripts cannot simply call the saved copy by name
local oGetConVarString = GetConVarString

-- Return a dummy value for the two sensitive convars; pass everything else through.
function GetConVarString(var)
    if var == "sv_password" or var == "rcon_password" then
        return "getbent"
    else
        return oGetConVarString(var)
    end
end
[/lua]
It still doesn't excuse the fact that there is an exploit floating around that allows people to execute serverside Lua, clientside Lua, etc. I've done some digging and come up with nothing so far, but the only thing I think it could be is RunString.[/QUOTE] So there is some kind of exploit allowing you to run Lua on the server:
- The attacker runs some Lua that uses GetConVarString to give them the rcon password.
- They now have the rcon password and can do things more easily.
Overriding the GetConVarString function would just stop them getting the password, but it won't stop them from being able to run Lua via the exploit in the first place. I guess having the rcon pass lets you also attack without having to be in game, but being able to run arbitrary Lua basically gives them equivalent access. Instead of running Lua to get the rcon pass, they could run a function to retrieve code from pastebin and execute it, etc.
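Since the thread's conclusion is that hiding the rcon password does not remove the underlying code-execution path, the useful next step for a defender is visibility into where dynamic Lua is being run on the server. The script below is an added example (my code, not from this thread, from ULX or from Garry's Mod) that wraps the engine's RunString, RunStringEx and CompileString globals to log the identifier, the calling file and line, a snippet of the code and a traceback, so that an entry point such as the RunString suspicion above can be confirmed or ruled out from the log. It records rather than blocks, because breaking a legitimate addon's RunString on a live server is worse than a log line; the file name, snippet length and the decision to log only are my choices. Like the GetConVarString override, it can be undone by code that already has full server-side access, so treat it as a detection aid, not a fix.

```lua
-- Added example (not from the thread): trace every dynamic code-execution call on the server.
-- Save as lua/autorun/server/runstring_trace.lua; output goes to data/runstring_trace.txt.
local LOG_FILE = "runstring_trace.txt"
local SNIPPET = 200  -- assumption: enough of the code to recognise it without dumping payloads

-- Keep the originals in locals (not globals) so a hostile script cannot simply call the saved copy.
local origRunString = RunString
local origRunStringEx = RunStringEx
local origCompileString = CompileString

-- Write one log entry: what was called, with which identifier, from which file:line, plus a traceback.
local function record(kind, identifier, code)
    -- Stack level 3 is whoever called the wrapped global (1 = record, 2 = the wrapper).
    local info = debug.getinfo(3, "Sl")
    local where = info and (tostring(info.short_src) .. ":" .. tostring(info.currentline)) or "?"
    local snippet = string.sub(tostring(code), 1, SNIPPET)
    file.Append(LOG_FILE, string.format("[%s] %s id=%s from=%s\n%s\n%s\n%s\n",
        os.date("%Y-%m-%d %H:%M:%S"), kind, tostring(identifier), where,
        snippet, debug.traceback("", 3), string.rep("-", 40)))
    -- Echo to the console so it is noticed even if nobody opens the data file.
    ServerLog("[runstring_trace] " .. kind .. " from " .. where .. " id=" .. tostring(identifier) .. "\n")
end

-- Wrappers keep the engine defaults for the optional arguments and pass everything through.
function RunString(code, identifier, handleError)
    identifier = identifier or "RunString"
    if handleError == nil then handleError = true end
    record("RunString", identifier, code)
    return origRunString(code, identifier, handleError)
end

function RunStringEx(code, identifier, handleError)
    identifier = identifier or "RunStringEx"
    if handleError == nil then handleError = true end
    record("RunStringEx", identifier, code)
    return origRunStringEx(code, identifier, handleError)
end

function CompileString(code, identifier, handleError)
    identifier = identifier or "CompileString"
    if handleError == nil then handleError = true end
    record("CompileString", identifier, code)
    return origCompileString(code, identifier, handleError)
end

-- Fresh log per script load.
file.Write(LOG_FILE, "")
```

On a healthy server the log should settle into a short, repeating set of identifiers from known addons after the first map load; an entry whose from= field points at a map's lua_run entity, at a file under an addon you did not install, or at an identifier you do not recognise is the thing to investigate, and it pairs with the thread's earlier advice to set the rcon password at the command line rather than in a config file so a leaked convar read gains the attacker less.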