• Team Fortress 2 Classic V3
[QUOTE=GardenFreeman;48600953]Everyone should check their Source SDK Base 2013 Multiplayer directory for a hidden svchost.exe which is the virus. I know that this exploit is as old as Source itself and wanted to ask if the Dev's are aware and plan to stop it in the future? This can severely harm the public's perspective of this mod if not addressed post haste.[/QUOTE]
Which folder would this "svchost.exe" be in?
[QUOTE]Trojan.Agent, C:\Program Files (x86)\Steam\SteamApps\common\Source SDK Base 2013 Multiplayer\svchost.exe, Quarantined, [908cb675ef9c0e28f1ee6d789a690ef2],[/QUOTE]
So it's just right there nestled inside. You should probably do a virus scan of your Steam folder.
i guess that's what happens if you use an old tf2 build and don't iron out the server exploits.
there's TONS of these exploits about in the 2008 version, you guys better start looking into them.

i did some research about the fake vaultf4 server, comparing IPs and looking up info, and i ended up finding something very interesting: the fake server is hosted by OVH, montreal canada. i looked around a bit, looked at unfgaming's server IPs and they're hosted by OVH as well, montreal. few IPs received reports about bruteforcing FTPs. my conclusion is that 404 tries to lure people affiliated with the project into the fake server with malicious intentions.
I got ninjad :v:
[QUOTE=Vincentor;48601099]i guess that's what happens if you use an old tf2 build and don't iron out the server exploits. there's TONS of these exploits about in the 2008 version, you guys better start looking into them. i did some research about the fake vaultf4 server, comparing IPs and looking up info, and i ended up finding something very interesting: the fake server is hosted by OVH, montreal canada. i looked around a bit, looked at unfgaming's server IPs and they're hosted by OVH as well, montreal. few IPs received reports about bruteforcing FTPs. my conclusion is that 404 tries to lure people affiliated with the project into the fake server with malicious intentions.[/QUOTE]
Wait, how did you come to the conclusion that 404 is involved? If what you say is true, then damn that's petty.
[QUOTE=TectoImprov;48601118]Wait, how did you come to the conclusion that 404 is involved? If what you say is true, then damn that's petty.[/QUOTE]
404 runs UNFGaming, UNFGaming servers have the same host.
Evidence #1 [url]http://pastebin.com/GnPPWzed[/url]
Evidence #2 [url]http://pastebin.com/njJED4W5[/url]

'Don't ever, [B]ever[/B] try to lie to the internet - because they [B]will[/B] catch you. They [B]will[/B] de-construct your spin. They [B]will[/B] remember everything you ever say for [B]eternity[/B].' - Gabe Newell
Additionally, 404 is the saltiest person, and would have more to gain if servers were marked as malicious in a community mod that he was kicked out of.
[QUOTE=Vincentor;48601099]i guess that's what happens if you use an old tf2 build and don't iron out the server exploits. there's TONS of these exploits about in the 2008 version, you guys better start looking into them. i did some research about the fake vaultf4 server, comparing IPs and looking up info, and i ended up finding something very interesting: the fake server is hosted by OVH, montreal canada. i looked around a bit, looked at unfgaming's server IPs and they're hosted by OVH as well, montreal. few IPs received reports about bruteforcing FTPs. my conclusion is that 404 tries to lure people affiliated with the project into the fake server with malicious intentions.[/QUOTE]
I don't think 404 did that; he recently made a podcast where he said he doesn't hate us, so even as bipolar a person as he is, he would be unlikely to do something like that.
[sp]404 getting the blame for everything bad that happens to tf2c is kinda silly, it reminds me of Animal Farm and how they blame that one pig that escaped at the beginning for all that happened on the farm for the rest of the book[/sp]
Likewise I'm coming to 404's defence here. Remember playing some deathmatch with him on a server and he seemed pretty chill, was impressed at the work and said no hard feelings and that things were in the past. Was on the rage weapon creation stream as well; again, relaxed, friendly and helpful to other users... so unless something would cause this backlash, I'm saying it's unlikely to be him.
I remember playing with 404 just yesterday on a VaultF4 server yet he seemed pretty remorseful over the whole thing. Kibbleknight, Rara (a.k.a the now perma'd Yiffy Fox who also had his PC hacked) and Moonrat can back me up on that, too.
[editline]August 2, 2015[/editline]
ninja'd
[sp]I still don't believe him by the way for various factors and if this stunt is truly his doing then he's just irredeemable.[/sp]
Makes me wonder, what are the odds of someone trying to push the blame on 404 so they can do their malicious things without being suspected?
Nobody knows really, it's the internet.
Pretty sure this was an episode of Diagnosis Murder, only instead of a trojan and a hacked tf2c server, it was a car bomb.
[QUOTE=Vincentor;48601099]i guess that's what happens if you use an old tf2 build and don't iron out the server exploits there's TONS of these exploits about in the 2008 version, you guys better start looking into them.[/QUOTE] I'm pretty sure server file downloading and such is a part of the shared game code and\or engine code so I don't think we can do much here.
The fake server is still up at the moment. For those who didn't bother to check the Pastebin, put this IP into your Blacklisted Servers list [B]now.[/B]
[QUOTE]198.245.49.206:27085[/QUOTE]
[QUOTE=Nicknine;48601446]I'm pretty sure server file downloading and such is a part of the shared game code and\or engine code so I don't think we can do much here.[/QUOTE] Welp, I officially won't be playing this mod on any servers that I don't own. I don't own much of anything in my backpack, but I'm not too keen on someone having the ability to dump keyloggers and such on my PC.
[t]https://gyazo.com/ff5a1293344b92a2d33f4b3dee57673f.png[/t] am i remembering incorrectly or wasn't rubberfruit supposed to be banned from the mod due to powerplay abuse
[I]I'm not sure if it's really him[/I], but might TheRubberFruitFace be the cause of this? I remember last time it was abusing powerplay and (hacking?) running unban codes to the server to get unbanned.
[t]http://i.imgur.com/VGPKjI6.jpg[/t]
As you can see he's playing on the fake DM server.
edit: damn got ninja'd
We're currently trying to contact Valve to update the Source 2013 MP base engine code with the fixed engine code, as we believe this exploit is affecting every Source 2013 MP mod.

Please refrain from joining the server under the IP listed below.
[QUOTE]198.245.49.206:27085[/QUOTE]
If you've connected to the server in the past, PLEASE do a virus scan of your
[QUOTE]SteamApps\common\Source SDK Base 2013 Multiplayer[/QUOTE]
folder. The virus is named svchost.exe.

As I've said, we believe that this virus is affecting every Source 2013 MP mod currently running on the latest source code, so please be careful while playing other mods too.
Also, if you are a server administrator or thinking about operating one you should read this: [url=https://wiki.alliedmods.net/SRCDS_Hardening]SRCDS Hardening[/url]. (Just in case)
[QUOTE=GardenFreeman;48600953]Everyone should check their Source SDK Base 2013 Multiplayer directory for a hidden svchost.exe which is the virus. I know that this exploit is as old as Source itself and wanted to ask if the Dev's are aware and plan to stop it in the future? This can severely harm the public's perspective of this mod if not addressed post haste.[/QUOTE] I just found that file in the folder, I shit myself. I'm running a virus scan right now, what else should I do? EDIT Turns out Windows Defender doesn't see anything wrong with my PC. What a load of ass.
[QUOTE=stimms212;48601743]I just found that file in the folder, I shit myself. I'm running a virus scan right now, what else should I do?[/QUOTE] Removing the virus should be enough, however just to be safe change all of your passwords, enable Steam Guard on your account, disable RDP if it's enabled.
Is there an alert system set up? I recall seeing it in a preview MR Modez showed off. Perhaps make a blogpost about it and make an alert on the main menu over it??
[QUOTE=Digivee;48601830]Is there an alert system set up? I recall seeing it in a preview MR Modez showed off. Perhaps make a blogpost about it and make an alert on the main menu over it??[/QUOTE] Sadly no, there's only new patch notification with hardcoded message.
[QUOTE=stimms212;48601743]I just found that file in the folder, I shit myself. I'm running a virus scan right now, what else should I do? EDIT Turns out Windows Defender doesn't see anything wrong with my PC. What a load of ass.[/QUOTE] Run a scan with malwarebytes just to be safe and do what Daniel said.
[URL="http://www.twitch.tv/digivee"]Streaming if anyone's interested[/URL]
[QUOTE=chowder908;48601869]Run a scan with malwarebytes just to be safe and do what Daniel said.[/QUOTE] I give a big thank you to you and Daniel for the support but.. [url]https://www.virustotal.com/en/file/ecf92f84b98ab30dc2750488396e1c3860b7dde2ddab557da96d0ef0ea5d98b7/analysis/1441229650/[/url] This svchost.exe file seems to remain undetected in almost all anti-virus programs, not even Malwarebytes found anything.
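The check the posts above ask for (look for a hidden svchost.exe under the Source SDK Base 2013 Multiplayer folder and compare it with the sample behind the VirusTotal link), as an added PowerShell example that is not part of any post in this thread. The default path is the one quoted in the thread and the SHA-256 is the one in the VirusTotal URL; the function name and the extra system-binary names are assumptions made for the example.

```powershell
# Added example, not from the thread.
param(
    # Default is the path quoted in the thread; pass other Steam library folders as needed.
    [string[]]$Root = @('C:\Program Files (x86)\Steam\SteamApps\common\Source SDK Base 2013 Multiplayer')
)

# SHA-256 taken from the VirusTotal URL posted in the thread.
$KnownSha256 = 'ecf92f84b98ab30dc2750488396e1c3860b7dde2ddab557da96d0ef0ea5d98b7'

# Windows system binary names that should never appear inside a game folder.
# Only svchost.exe comes from the thread; the others are an assumption to widen the check.
$SystemNames = 'svchost.exe', 'lsass.exe', 'csrss.exe', 'winlogon.exe', 'services.exe'

# Hypothetical helper name, defined here for the example.
function Find-ImpostorBinary {
    param([string[]]$Path)
    foreach ($p in $Path) {
        if (-not (Test-Path -LiteralPath $p)) { continue }
        # -Force includes hidden and system files, which a normal Explorer view skips.
        Get-ChildItem -LiteralPath $p -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $SystemNames -contains $_.Name } |   # -contains ignores case
            ForEach-Object {
                $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                $sig  = Get-AuthenticodeSignature -LiteralPath $_.FullName
                [pscustomobject]@{
                    Path       = $_.FullName
                    Hidden     = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
                    Created    = $_.CreationTime
                    Signature  = $sig.Status      # the genuine svchost.exe is signed and lives under %SystemRoot%
                    Sha256     = $hash
                    KnownMatch = ($hash -eq $KnownSha256)   # string -eq ignores case
                }
            }
    }
}

Find-ImpostorBinary -Path $Root | Format-List
```

Any hit is worth treating as suspicious whether or not `KnownMatch` is true, since a rebuilt sample would carry a different hash but the same name and location.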
Spybot search and destroy or the more aggressive combofix will do if you're really paranoid
It appears MalwareBytes DID remove the file, so that's a relief. Thanks again, everyone!