I am really paranoid right now. Going to stay off of TF2Classic for a while. Virus scan is running in the background as I'm typing this.
Just out of curiosity, did anyone report those two accounts to Valve?
[QUOTE=stimms212;48602127]It appears MalwareBytes DID remove the file, so that's a relief.
Thanks again, everyone![/QUOTE]
Might be VirusTotal hasn't updated their site yet to show that Malwarebytes detects it, but anyway, glad Daniel & I could help ya.
I think it's pretty safe to assume it's not 404 that is responsible for this:
[QUOTE=404] " I am the owner of the dedicated server that the IP is tied to and I can assure everyone that no TF2C server has ever been installed on my dedicated server.
The dedicated server runs Ubuntu 12.04 and TF2C does not have a proper way to set up a Linux-based server. If I were to want to run one, I'd have to install Wine and that Xvfb thing and jury-rig those two together to make things work.
Somehow, someone has created a server hosted elsewhere and tied my dedi's IP address to it in some kind of silly effort to frame me for hacking a bunch of people."[/QUOTE]
Now if there was a way to get Rara Wolf unbanned from here, since his "ban me" thread was the result of him being hacked. He was the one that pretty much blew this whole thing out in the open and saved a lot of people some trouble.
Looks like Rageguy fell victim to it too. The [URL="Source SDK Base 2013 Multiplayer"]thread[/URL] he was banned in even harbors a download link to the virus. They might want to delete/edit those links.
Orkel was the admin that banned him. He's offline now, but the issue was brought up both in PM and in the refugee camp.
If anyone has a sample of the malware, zip it up and PM it to me please.
Thanks for the support guys, I've removed the download links to TF2C and posted a blog post while we work things out. We are hoping to be able to get back up and online as soon as possible.
Please take care and virus scan if you've joined the server or if you are paranoid at all.
[QUOTE=Th13teen;48602936]Thanks for the support guys, I've removed the download links to TF2C and posted a blog post while we work things out. We are hoping to be able to get back up and online as soon as possible.
Please take care and virus scan if you've joined the server or if you are paranoid at all.[/QUOTE]
Deleting svchost.exe out of the game's directory isn't enough. It would likely drop files somewhere else. If anyone who knows for a fact that they had it could add me on Steam, I can verify if it dropped somewhere else (extremely likely) and help clean it up. I can also analyze it (pls someone, I'm bored, give me something to do).
Also, the IP 68.180.230.169 from 404's logs is a Yahoo crawler and 84.39.116.180 is likely a VPN.
:snip:
I searched my directory but it's not there, before and after I uninstalled Source SDK.
[QUOTE=chowder908;48602383]Might be VirusTotal hasn't updated their site yet to show that Malwarebytes detects it, but anyway, glad Daniel & I could help ya.[/QUOTE]
Scantime vs Runtime. It's much easier to get a file FUD on scantime than on runtime.
[URL="http://pastebin.com/CqVrkyBp"]Haskell has confirmed this is 404's work.[/URL]
[QUOTE=Haskell]It's clearly 404s server hosting the server, you cannot "tie an IP address", you cannot "fake an IP address". CLEARLY the server is being hosted from the same server as his website, which is also hosted under 198.245.49.206:80.
Unless a game exploit was discovered which allows you to fake server information (still would not fake the IP), there is no way to truly fake IP information. As well as that, I was also able to ping the server from 198.245.49.206:27085[/QUOTE]
[QUOTE=kibbleknight;48602535]I think it's pretty safe to assume it's not 404 that is responsible for this:[QUOTE]" I am the owner of the dedicated server that the IP is tied to and I can assure everyone that no TF2C server has ever been installed on my dedicated server.
The dedicated server runs Ubuntu 12.04 and TF2C does not have a proper way to set up a Linux-based server. If I were to want to run one, I'd have to install Wine and that Xvfb thing and jury-rig those two together to make things work.
Somehow, someone has created a server hosted elsewhere and tied my dedi's IP address to it in some kind of silly effort to frame me for hacking a bunch of people."[/QUOTE][/QUOTE]
Sorry, but I'm having a hard time believing you can 'frame' an IP. Additionally, nothing is stopping him from running a virtual machine to make a server.
To quote Haskell
[QUOTE]8:30 PM - dialtone: well he's bullshitting.
8:30 PM - dialtone: the IP does not lie...
8:30 PM - dialtone: 198.245.49.206 IS THE IP for the server
8:30 PM - dialtone: and 198.245.49.206 IS THE IP for this website,
8:31 PM - dialtone: thus concluding, they are hosted on the SAME SERVER!
8:31 PM - dialtone: call that guy out big time.
8:31 PM - dialtone: you can't "FRAME" an IP
8:31 PM - dialtone: you can't "Tied a dedis IP address"
[/QUOTE]
[QUOTE=Digivee;48603028]Sorry, but I'm having a hard time believing you can 'frame' an IP. Additionally, nothing is stopping him from running a virtual machine to make a server.
To quote Haskell[/QUOTE]
you were ninja'd
So who the hell is responsible? 404 or RubberFruitFace?
[QUOTE]8:54 PM - dialtone: i know what exploit they used
8:54 PM - dialtone: they used the .dll exploit of when you join a server, you download a .dll
8:54 PM - dialtone: which is then run as a module,
8:54 PM - dialtone: i'll roll out a patch to TF2C
8:55 PM - dialtone: let me clone github
[/QUOTE]
[editline]3rd September 2015[/editline]
Apparently it's the same thing as what hit TF2 and GMod a while back.
-snipping this part because invalid check update below-
Theoretically, the person could drop a detected hack onto your computer, make it load and get you VAC'd, which is why I said be careful. Malwarebytes will probably have it scantime detected soon (if not already), as it was submitted to VirusTotal, but that doesn't mean the person couldn't re-FUD it and update it on you, so I would suggest anyone who had it keep a very close eye on their computer.
[b]Seeing that ESET detects the version posted here, I'd HIGHLY suggest you run the FREE ESET Scanner even if you think you're clean.
[url]http://www.eset.com/us/online-scanner/[/url][/b]
Still though, if anyone has a sample send it my way please.
[editline]2nd September 2015[/editline]
[QUOTE=Digivee;48603028]Sorry, but I'm having a hard time believing you can 'frame' an IP. Additionally, nothing is stopping him from running a virtual machine to make a server.
To quote Haskell[/QUOTE]
If you root the server you can. If 404 used a shitty SSH password, bruting it is surprisingly easy.
Who owns the Virus server?
From the tf2 classic website:
[QUOTE]Hi there everyone! Former dev 404 here. I just got home from work to find that someone created a rather nasty server using the IP address of my dedicated server, and hacked several Steam accounts as a result.
At first I was confused, as I've not run a TF2C server from my dedi, nor have I installed Wine (as I later found out, Wine 1.5 is preinstalled and I can't seem to uninstall it because it's a "virtual package").
After checking my dedi's system logs, I discovered that someone had remotely run srcds.exe and Wine to launch a fraudulent TF2C server. I obtained two IP addresses from the logs, the first being 68.180.230.169. It was used to try to run a ptrace, which was denied. Shortly after, more ptraces and all the malicious activity were run from 84.39.116.180.
I do apologize to anyone who was affected by this security breach, and I have checked in on the Facepunch thread and I did see the two Pastebin'd chat logs where some people conspired to "confront" me with the information they had found to try to get me to confess to this and give back the items that were stolen from their accounts.
Sadly, I am not the person behind this, nor do I have your items. If I could get them back for you somehow, I would. Your best bet is to contact Valve. Again, I do apologize if you have been affected by this.
This all seems to be some sort of plot to put more negative attention on me, despite me recently coming clean about my alcohol/substance issues, apologizing to the dev team of TF2C and showing my support for them despite my many alcohol and drug-influenced screw-ups during my time on the dev team.
Some of you may be wondering what I plan to do about this breach in my security. Well, I've pastebin'd the log file and hit up AskUbuntu to find out how this all happened and how to prevent it from happening in the future.[/QUOTE]
It's not 404, guys.
Should I run the scanner? I haven't even launched up tf2c in the past 3 days and I pretty much only play on the 24/7 classic server when it has tons of people on it.
[QUOTE=PhoenixLuigi;48603209]Who owns the Virus server?[/QUOTE]
If you haven't been paying attention for the last few pages: nobody knows.
It's either 404, RubberFruitFace, or some random asswipe who thought it was real funny idea to fuck many people's lives and pin the blame on a guy who already has a rough, troubled past and doesn't even want to deal with this project anymore.
If it [I]was [/I]404, he'd say so. No point in an attention grab if you're going to try to deflect attention.
I feel really bad for him, that's an awful thing to do.
All right, I started reversing it and found out it's not njRat but LuminosityLink. LL is generally considered the best RAT on all the skidforums at the moment.
This means yes it installed on your computer. LuminosityLink defaults to dropping in C:/ProgramData inside a hidden folder. Anyone who was infected is probably still infected even if you uninstalled the SDK and deleted the file. If someone who was infected could add me on Steam it'd help as LL actually has decent virtualbox detection and it's not quite as simple as finding the terminate function in a debugger so this is gonna take longer than I originally thought.
If anyone who was infected could add me on Steam it would help a ton.
[url]https://steamcommunity.com/id/NarryGewman/[/url]
Also can someone who was infected pastebin me a DDS log?
[url]http://www.bleepingcomputer.com/download/dds/[/url]
LL feature list just so you guys know:
[quote]Luminosity Features:
Incredibly Stable, Effective and Reliable!
[+]Remote Desktop, Remote Webcam, and Client Manager
[+]Fast Reverse SOCKS 5 Proxy
[+]System Wide Ring3 Rootkit (x86 Processes) With Process Watchdog
[+]Advanced Process, File, and Startup Persistence
[+]Powerful Heuristic-Based Bot Killer (Anti-Malware)
[+]Blacklist Software and Processes. Luminosity removes them!
[+]SmartLogger (Logs all Keystrokes, - Specify certain programs to record separately)
[+]Download Manager - Resume/Pause/Cancel Transfers, Proper File Queue, Organized well
[+]File Grabber - Search for file on client, and queue it for download. Can search certain process directories and much more!
[+]Google Chrome, FireFox, IE, Opera, Safari, FileZilla, and Win Serial Key Recovery
[+]Outlook (all versions), Windows Mail, Thunderbird, Yahoo Mail, and more Recovery
[+]File Guard - Guard Executable Files (Other RATs, keyloggers, etc) - Takes care of Undetection, Persistence, and Startup!
[+]Easy-to-Use Crypto Currency Miner - Injects miner files.
[+]Website Visitor - 4 View Methods - Mute Audio
[+]Client Info - Manage and Grab Info Regarding Clients
[+]Torrent Seeder
[+]Extensive On-Join Commands | Client ID/Version/Client Name |
[+]HTTP Control - Send Commands via Webpage Encrypted
[+]Remote Scripting (HTML/VBS/BATCH)
[+]Block installation and use of any specified software
[+]Tons more features...And more being added![/quote]
Also, it grabs all FTP info from FileZilla, since FileZilla uses plaintext, so you should probably look into your servers being rip.
That video is from 2006, is this some kind of retro spambot?
Also the sample I was given may or may not actually be it as it doesn't match in terms of hash so if anyone knows for a fact they have it can they send it my way?
[QUOTE=Pw0nageXD;48603565]All right, I started reversing it and found out it's not njRat but LuminosityLink. LL is generally considered the best RAT on all the skidforums at the moment.
This means yes it installed on your computer. LuminosityLink defaults to dropping in C:/ProgramData inside a hidden folder. Anyone who was infected is probably still infected even if you uninstalled the SDK and deleted the file. If someone who was infected could add me on Steam it'd help as LL actually has decent virtualbox detection and it's not quite as simple as finding the terminate function in a debugger so this is gonna take longer than I originally thought.
If anyone who was infected could add me on Steam it would help a ton.
[url]https://steamcommunity.com/id/NarryGewman/[/url]
Also can someone who was infected pastebin me a DDS log?
[url]http://www.bleepingcomputer.com/download/dds/[/url]
LL feature list just so you guys know:
Also, it grabs all FTP info from FileZilla, since FileZilla uses plaintext, so you should probably look into your servers being rip.[/QUOTE]
How do we know we're infected? I can't tell if it installed those things or if I even have it.
[QUOTE=Neo-Rex;48603702]How do we know we're infected? I can't tell if it installed those things or if I even have it.[/QUOTE]
Run DDS and send me a PM with the logs. You can put them on pastebin and I can take a look for you
[url]http://www.bleepingcomputer.com/download/dds/[/url]
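The two indicators raised in this thread, an svchost.exe sitting in the game directory and a payload persisting in a hidden folder under C:/ProgramData, are easy to check for by hand if you know what to look at. The script below is an added example written for this page; it is not code from the thread, from the TF2C project or from any AV vendor, and it is not a signature for LuminosityLink. The sample listing is constructed, the hidden folder name "Example" is made up, and the third rule assumes that files a server pushes to the client land under a folder named "download" inside the mod directory (an assumption about the Source engine, not something stated in the thread).

```python
"""Triage rules for the indicators discussed in the thread (added example):
  1. svchost.exe anywhere other than the Windows component directories
  2. executable content inside a hidden folder under C:/ProgramData
  3. a .dll under a folder named 'download' (assumed server-pushed content)
Paths are handled with ntpath so the rules can be evaluated on any OS;
scan_live() walks a real Windows filesystem to build the same records."""
import ntpath
import os
from typing import Iterable, List, NamedTuple, Tuple

FILE_ATTRIBUTE_HIDDEN = 0x2  # Win32 attribute bit (same value as stat.FILE_ATTRIBUTE_HIDDEN)
PROGRAMDATA = r"C:\ProgramData"
LEGIT_SVCHOST_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Windows\WinSxS")
EXEC_SUFFIXES = (".exe", ".dll", ".scr", ".vbs", ".bat", ".cmd")


class Entry(NamedTuple):
    path: str      # Windows-style absolute path
    is_dir: bool
    hidden: bool   # FILE_ATTRIBUTE_HIDDEN set on this entry


def _norm(p: str) -> str:
    """Case-folded, backslash-normalised path for comparisons."""
    return ntpath.normcase(ntpath.normpath(p))


def _is_under(path: str, parent: str) -> bool:
    return _norm(path).startswith(_norm(parent).rstrip("\\") + "\\")


def _ancestors(path: str) -> List[str]:
    """Directory prefixes of path, nearest first, excluding the drive root."""
    out, cur = [], ntpath.dirname(path)
    while cur and cur != ntpath.dirname(cur):
        out.append(cur)
        cur = ntpath.dirname(cur)
    return out


def triage(entries: Iterable[Entry]) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file that trips one of the three rules."""
    entries = list(entries)
    hidden_dirs = {_norm(e.path) for e in entries if e.is_dir and e.hidden}
    findings = []
    for e in entries:
        if e.is_dir:
            continue
        name = ntpath.basename(e.path).lower()
        ext = ntpath.splitext(name)[1]
        # Rule 1: the real svchost.exe lives only in the Windows component dirs.
        if name == "svchost.exe" and not any(_is_under(e.path, d) for d in LEGIT_SVCHOST_DIRS):
            findings.append((e.path, "svchost.exe outside Windows system directories"))
        # Rule 2: an executable whose ProgramData parent folder is hidden.
        if ext in EXEC_SUFFIXES and _is_under(e.path, PROGRAMDATA) and any(
                _norm(d) in hidden_dirs for d in _ancestors(e.path) if _is_under(d, PROGRAMDATA)):
            findings.append((e.path, "executable in hidden ProgramData folder"))
        # Rule 3 (assumption: server-pushed files land under a 'download' folder).
        parts = [p.lower() for p in e.path.replace("/", "\\").split("\\")[:-1]]
        if ext == ".dll" and "download" in parts:
            findings.append((e.path, ".dll inside a server download folder"))
    return findings


def scan_live(roots: Iterable[str]) -> List[Entry]:
    """Walk real directories into Entry records (hidden bit is Windows-only)."""
    entries = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for n in dirnames + filenames:
                p = os.path.join(dirpath, n)
                try:
                    attrs = getattr(os.stat(p, follow_symlinks=False), "st_file_attributes", 0)
                except OSError:
                    continue
                entries.append(Entry(p, n in dirnames, bool(attrs & FILE_ATTRIBUTE_HIDDEN)))
    return entries


# Constructed listing: a clean Windows svchost, the dropped one, a hidden
# ProgramData folder (name made up), a visible one, and a pushed DLL.
GAME = r"C:\Steam\steamapps\common\Source SDK Base 2013 Multiplayer"
SAMPLE = [
    Entry(r"C:\Windows\System32", True, False),
    Entry(r"C:\Windows\System32\svchost.exe", False, False),
    Entry(GAME, True, False),
    Entry(GAME + r"\svchost.exe", False, False),
    Entry(r"C:\ProgramData\Example", True, True),
    Entry(r"C:\ProgramData\Example\client.exe", False, False),
    Entry(r"C:\ProgramData\Microsoft", True, False),
    Entry(r"C:\ProgramData\Microsoft\tool.exe", False, False),
    Entry(GAME + r"\tf2classic\download\bad.dll", False, False),
]

if __name__ == "__main__":
    for path, reason in triage(SAMPLE):
        print(f"{reason}: {path}")
```

On a live machine run `triage(scan_live([r"C:\ProgramData", <game folder>]))` from an elevated PowerShell so the hidden bit is visible; a clean result from these rules is not proof of a clean box, it only says the two locations named in the thread look normal.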
The 2.00 Beta Test is [B]suspended until further notice.[/B]
The RAT was administered through an exploit with the sv_upload function.
[highlight][B]All server owners are advised to immediately pull servers until a patch is released.[/B][/highlight]
If you would like to keep your server up, please change sv_upload to 0.
this whole situation is completely fucking ridiculous
I joined one server that WAS NOT the server that had the virus to play a bit of deathmatch, should I scan my computer? By the way, I don't see a hidden file or folder where the source 2013 is installed, and where the virus normally installs.
Is it safe to launch up the game so I can see which servers are still up and so I can contact the owners?