• Need help with a possible hacking
Now, I am using the most current basic ULX with my server. All I've added is a custom unstuck module. However, lately I've had unexplained crashes on the server. This is a log taken from yesterday:

[code]
23:43:47 "Mizu_Ren<154><STEAM_0:1:73884140><>" entered the game
23:44:10 "Allover<156><STEAM_0:0:85559905><>" entered the game
23:44:17 "Mizu_Ren<154><STEAM_0:1:73884140><>" disconnected (reason "Disconnect by user.")
23:44:25 "jaechett<155><STEAM_0:1:62877295><>" entered the game
23:46:35 "Bonerparty<157><STEAM_0:1:93924071><>" connected, address "108.84.6.110:27005"
23:46:35 "Bonerparty<157><STEAM_0:1:93924071><>" STEAM USERID validated
23:47:01 "graygun111<158><STEAM_0:0:137172956><>" connected, address "68.201.84.183:27005"
23:47:02 "graygun111<158><STEAM_0:0:137172956><>" STEAM USERID validated
23:47:50 "Master Dankstorm (Tyreese)<159><STEAM_0:1:90820222><>" connected, address "68.71.69.119:27005"
23:47:50 "Master Dankstorm (Tyreese)<159><STEAM_0:1:90820222><>" STEAM USERID validated
23:47:56 "LeftShark<160><STEAM_0:0:88802879><>" connected, address "70.112.127.98:27005"
23:47:56 "LeftShark<160><STEAM_0:0:88802879><>" STEAM USERID validated
23:48:06 "iAmaze<161><STEAM_0:1:88044278><>" connected, address "99.106.193.122:27005"
23:48:06 "iAmaze<161><STEAM_0:1:88044278><>" STEAM USERID validated
23:48:46 "graygun111<158><STEAM_0:0:137172956><>" entered the game
23:48:50 "Bonerparty<157><STEAM_0:1:93924071><>" entered the game
23:49:51 rcon from "208.146.44.1:50745": command "ulx crash gray"   <<<<< !!!!!
23:49:53 rcon from "208.146.44.1:50798": command "ulx crash boner"   <<<<< !!!!!
23:50:01 "Bonerparty<157><STEAM_0:1:93924071><>" disconnected (reason "Bonerparty timed out")
23:50:01 "graygun111<158><STEAM_0:0:137172956><>" disconnected (reason "graygun111 timed out")
23:50:09 Lua Error: [ERROR] gamemodes/prop_hunt/gamemode/player_class/class_hunter.lua:51: Tried to use a NULL entity!
  1. UnLock - [C]:-1
  2. unknown - gamemodes/prop_hunt/gamemode/player_class/class_hunter.lua:51
23:50:57 "LeftShark<160><STEAM_0:0:88802879><>" entered the game
23:51:23 rcon from "208.146.44.1:56437": command "ulx crash left"   <<<<< !!!!!
23:51:24 "iAmaze<161><STEAM_0:1:88044278><>" entered the game
23:51:29 rcon from "208.146.44.1:57093": command "ulx crash ama"   <<<<< !!!!!
23:51:29 "LeftShark<160><STEAM_0:0:88802879><>" disconnected (reason "LeftShark timed out")
23:51:34 "iAmaze<161><STEAM_0:1:88044278><>" disconnected (reason "iAmaze timed out")
23:51:56 "Master Dankstorm (Tyreese)<159><STEAM_0:1:90820222><>" entered the game
23:52:11 rcon from "208.146.44.1:58652": command "ulx crash dank"   <<<<< !!!!!
23:52:18 rcon from "208.146.44.1:59372": command "logaddress_add 208.146.44.1:10000"   <<<<< !!!!!
23:52:35 "Shlub<162><STEAM_0:0:42713081><>" connected, address "71.227.230.20:27005"
23:52:35 "Shlub<162><STEAM_0:0:42713081><>" STEAM USERID validated
23:53:44 "Bonerparty<163><STEAM_0:1:93924071><>" connected, address "108.84.6.110:27005"
23:53:45 "Bonerparty<163><STEAM_0:1:93924071><>" STEAM USERID validated
23:54:08 "Bonerparty<163><STEAM_0:1:93924071><>" entered the game
23:54:26 "Shlub<162><STEAM_0:0:42713081><>" entered the game
23:54:52 "LeftShark<164><STEAM_0:0:88802879><>" connected, address "70.112.127.98:27005"
23:54:52 "LeftShark<164><STEAM_0:0:88802879><>" STEAM USERID validated
23:54:55 "iAmaze<165><STEAM_0:1:88044278><>" connected, address "99.106.193.122:27005"
23:54:55 "iAmaze<165><STEAM_0:1:88044278><>" STEAM USERID validated
23:55:17 "LeftShark<164><STEAM_0:0:88802879><>" entered the game
23:55:19 "iAmaze<165><STEAM_0:1:88044278><>" entered the game
23:56:28 "Bonerparty<163><STEAM_0:1:93924071><>" disconnected (reason "Bonerparty timed out")
23:57:30 Log file closed
[/code]

Now, the arrows point to the problem. Two others and I are the only ones who can access rcon. The password was changed recently due to security issues, and only I know it. Also, at this time two of us were at work, and the other was with their parents out of the house. Also, to my knowledge, ULX does not have a basic crash command, and I can't find a file with that command in it. So would someone please try and help me solve this?
Get rid of your backdoored addons, or just add a hook to rcon and make it check IPs (I'm pretty sure there's a module that lets you do that).
Where do you store your RCON password?
Just disable rcon, you don't need it if you already have an admin mod and access to the server console.
I'd also recommend getting rid of your ulx crash command.
Who is your game server provider?
The server provider is NFO. I have no crash command installed, unless an addon installed it. The rcon password is stored in the command line and set up by NFO; I cannot turn it off.
208.146.44.1 is NFO's IP, so those rcon commands are coming from your server control panel. That means one of the accounts linked to your NFO server is compromised, or your friends are messing with you.
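The two suggestions above (check the source IP of rcon commands, and notice that a control-panel IP will not look foreign) can be turned into a quick triage pass over the server log. The script below is an added example, not code from the thread or from ULX: it parses lines in the same format as the posted log, flags rcon commands by source IP and by a watchlist of commands nobody should be sending over rcon (the watchlist and the allowlisted IP are assumptions), and ties each flagged command to the player time-outs that follow it within a short window. The sample log is constructed for the example; its names, Steam IDs and IPs are not taken from the thread.

```python
"""Triage a Source-engine server log for rcon abuse.

Added example (not from the thread): pull every "rcon from ..." line out of
the log, flag the ones that come from an IP outside an allowlist or that run
a watchlisted command, and tie each flagged command to the player time-outs
that follow it within a short window.
"""
import re

# Constructed sample in the same line format as the log posted above.
# Names, Steam IDs and IPs are illustrative; they are not taken from the thread.
SAMPLE_LOG = """\
23:48:46 "alice<158><STEAM_0:0:11111111><>" entered the game
23:48:50 "bob<157><STEAM_0:1:22222222><>" entered the game
23:49:51 rcon from "203.0.113.10:50745": command "ulx crash ali"
23:49:53 rcon from "203.0.113.10:50798": command "ulx crash bob"
23:50:01 "bob<157><STEAM_0:1:22222222><>" disconnected (reason "bob timed out")
23:50:01 "alice<158><STEAM_0:0:11111111><>" disconnected (reason "alice timed out")
23:52:11 rcon from "198.51.100.7:58652": command "status"
23:52:18 rcon from "203.0.113.10:59372": command "logaddress_add 203.0.113.10:10000"
23:56:28 "carol<163><STEAM_0:0:33333333><>" disconnected (reason "Disconnect by user.")
"""

RCON_RE = re.compile(r'^(\d\d:\d\d:\d\d) rcon from "([\d.]+):(\d+)": command "(.*)"$')
DISCONNECT_RE = re.compile(
    r'^(\d\d:\d\d:\d\d) "(.+?)<\d+><(STEAM_\d:\d:\d+)><[^>]*>" disconnected \(reason "(.*)"\)$'
)

# Command prefixes nobody should be sending over rcon on a server that already has
# an admin mod. Assumed list; extend it for your own server.
WATCHLIST = ("ulx crash", "logaddress_add", "rcon_password", "sv_allowcslua", "lua_run")


def to_seconds(hhmmss):
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def parse(log_text):
    """Return (rcon_events, timeouts) from one day's log (same-day timestamps)."""
    rcon, timeouts = [], []
    for line in log_text.splitlines():
        m = RCON_RE.match(line)
        if m:
            rcon.append({"t": to_seconds(m[1]), "ip": m[2], "port": int(m[3]), "cmd": m[4]})
            continue
        m = DISCONNECT_RE.match(line)
        if m and m[4].endswith("timed out"):
            timeouts.append({"t": to_seconds(m[1]), "name": m[2], "steamid": m[3]})
    return rcon, timeouts


def flag_rcon(rcon_events, allowed_ips):
    """Flag rcon commands by source IP and by command. Both checks are needed:
    when rcon is issued through a hosting panel, the IP is the provider's, so
    the allowlist alone says nothing about who typed the command."""
    flagged = []
    for ev in rcon_events:
        reasons = []
        if ev["ip"] not in allowed_ips:
            reasons.append("ip-not-allowlisted")
        if ev["cmd"].startswith(WATCHLIST):
            reasons.append("watchlisted-command")
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged


def correlate(flagged, timeouts, window=30):
    """Attach to each flagged command the players who timed out within `window` seconds after it."""
    for ev in flagged:
        ev["timeouts_after"] = [
            t["name"] for t in timeouts if 0 <= t["t"] - ev["t"] <= window
        ]
    return flagged


def triage(log_text, allowed_ips, window=30):
    rcon, timeouts = parse(log_text)
    return correlate(flag_rcon(rcon, allowed_ips), timeouts, window)


if __name__ == "__main__":
    # 198.51.100.7 stands in for the one host that is allowed to use rcon.
    for ev in triage(SAMPLE_LOG, allowed_ips={"198.51.100.7"}):
        print(ev["ip"], repr(ev["cmd"]), ev["reasons"], "-> timed out:", ev["timeouts_after"])
```

Run it against a real log by reading the file into `triage()` with your own allowlist. If the rcon source is your provider's panel IP, add it to the allowlist and the command watchlist still fires on the crash and `logaddress_add` commands, which is the signal that matters here: an attacker who has the rcon password looks identical to you at the IP level, so the command itself has to be the thing you alert on.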
[QUOTE=HyperDrive;48020422]The server provider is NFO. I have no crash command installed, unless an addon installed it. The rcon password is stored in the command line and set up by NFO; I cannot turn it off.[/QUOTE]

If you have ULX Essentials or something else that adds ULX commands, then more than likely you have the command.

If it is in the command line, you can remove it or leave it BLANK. If anyone has access to it via your game panel through NFO, I would force new passwords and reset your own. If you open a ticket, you can ask NFO to disable rcon in the command line options. Seeing as they are a decently known provider, I am sure they can do this for you.
Alright, so I was hacked. Not the server, but my computer itself. I still don't know how it happened, but a boot scan found 7 malware files on my computer, hidden in places in my garrysmod root folder. After discovering this, I removed all addons I had installed and changed all my passwords. Also, there is an option on NFO to disable rcon. I also found the crash command. After doing all this, the person apparently still had enough access to use the command, but instead of saying "console crashed <playername>" it said "SupaKilla crashed <playername>" with their Steam ID. It is now banned. I tried tracking down the Steam ID, but it leads to a profile that isn't set up, so it can't be reported. So for now things have calmed down. I still have issues to work out with crashing, but I'm still looking into it. For anyone reading this post, for future reference: if you are constantly having to replace files, or have files deleting themselves in the FTP of your server, stop whatever you are doing and scan your computer. I failed to do this and chaos ensued.
[QUOTE=HyperDrive;48038720]Alright, so I was hacked. Not the server, but my computer itself. I still don't know how it happened, but a boot scan found 7 malware files on my computer, hidden in places in my garrysmod root folder. [...][/QUOTE]

Maybe you should be careful about what you are downloading off the internet. Those 7 malware files don't come from thin air.