Exploit

A few things before I go into detail:
Do you guys remember that one exploit that occurred a few months back with cough and “VINH’LL FIX IT@@”
People have been utilizing the same method to devise their own “hacks”. I wouldn’t exactly call it a hack, but more of an exploit.
Anyways, from what I can tell, this exploit hasn’t “blown up” yet. My server has been targeted by many minges and hackers ever since we started to get popular and this is probably one of the worst things that has happened to us.

EDIT:

The exploit is not the same as the “VINH’LL FIX IT” exploit. I got that part wrong.

Onto the exploit itself:
Our server randomly crashed and we put it back up.
Soon after, a guy named: “{(ACS)} Tehhkp | <3<30><STEAM_0:0:77823910>”
started to talk in the ulx admin chat saying that he has a screen shot of the person who crashed the server.
I teleported to him along with another admin and he told me to go away. I stayed there and he linked the other admin to a shady website with a website path of “crasher.png”.
That admin apparently was disconnected with the following popup “Disconnected: Writing to banned list”
I immediately knew what had happened.
I clicked on the link myself and was also banned. This was not for no reason; I looked at the source code and it had our IP written all over it.
I immediately told an online admin to perma his ass.
I then proceeded to look into my server directory. There were fishy files that were temporary. When I tried to look inside, there wasn’t much, so I proceeded to delete the files and restart the server. That fixed the bans.
I then proceeded to get rid of the rcon from the server.cfg and put it in the command line.

From what I believe, the whole exploit a few months back would only affect servers that left their RCON passwords in their server.cfg. This is a mistake that I forgot to patch, and it is what allowed this new exploit to affect my server.

I am only here to heed a warning.
If you’re a server owner, make sure your RCON password is placed within your command line.
This is common sense, but do not click on any fishy links.

This is the site that was linked to us, visit with caution:

http://eclipsettt.com/crasher.png

Too long, didn’t read:
An exploit was discovered that uses the same concept as the whole “VINH’LL FIX IT” incident.
Make sure your RCON password is not in your server.cfg file. Use the command line method. You can do this with “+rcon_password (password)”
Do not click on any fishy websites. Especially from gmod, because clearly, gmod is filled with minges.

If you have been targeted by this already, simply go into your server directory with the folders such as “bin”, “garrysmod”, etc., and delete the excess folder that’s in there. You’ll know when you see it.

I do not have any proof of this, but it’s kind of self-explanatory and obvious considering the “VINH’LL FIX IT” incident.

I’m sorry if this was already discovered. I’m not too up to date with Facepunch, but for server owners, this is a must read.

That’s a shame, the exact exploit the cough virus used was fixed, but others exist.
It’s very simple to make sure your server can’t be exploited through this.
Ensure sv_allowdownload and sv_allowupload are both set to 0 in your server’s config and that the download/cfg directory doesn’t exist (delete it if it does).
The exploits involved are already fixed in the dev branch and will be fixed in the normal branch next update.

It’s also possible this is an unrelated exploit being used by this person or simply just a backdoor in some addon.

[editline]x[/editline]

Here we go.

The link that banned you probably just spammed HTTP connections at the server, resulting in declined RCON requests and an auto ban. Given that, it’s pretty obvious this person has not actually used any exploits other than this, causing you to be banned. So not such an issue for your server after all.
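As an added example (not code from any poster in this thread), a small Python audit that checks a server.cfg for the three issues raised above: an rcon_password stored in the file, sv_allowdownload/sv_allowupload not set to 0, and a leftover download/cfg directory under the server root. The sample config, the “cvar value // comment” line format it assumes, and the directory layout are constructed for the example.

```python
import os
import re
import tempfile
# Constructed sample server.cfg (not from the thread) in the weak state.
WEAK_CFG = """\
hostname "Example GMod Server"
rcon_password "hunter2"   // secret stored in the file
sv_allowdownload 1
sv_downloadurl "http://fastdl.example.invalid/gmod//"  // value contains //
"""
SECRET_KEYS = ("rcon_password",)            # should never be in the file
MUST_BE_ZERO = ("sv_allowdownload", "sv_allowupload")
_CVAR = re.compile(r'^([A-Za-z_][A-Za-z0-9_]*)\s+"?([^"]*)"?')

def _strip_comment(line):
    """Drop a trailing // comment, ignoring // inside a quoted value."""
    quoted = False
    for i, ch in enumerate(line):
        if ch == '"':
            quoted = not quoted
        elif not quoted and line.startswith("//", i):
            return line[:i]
    return line

def parse_cfg(text):
    """Return {cvar: value} for each 'cvar value' line of a Source cfg."""
    settings = {}
    for raw in text.splitlines():
        m = _CVAR.match(_strip_comment(raw).strip())
        if m:
            settings[m.group(1).lower()] = m.group(2).strip()
    return settings

def audit(text, server_root):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, s = [], parse_cfg(text)
    for key in SECRET_KEYS:
        if key in s:
            findings.append(f"{key} is in server.cfg; pass it as +{key} on the command line")
    for key in MUST_BE_ZERO:
        if s.get(key) != "0":
            findings.append(f"{key} must be 0 (found {s.get(key, 'unset')})")
    if os.path.isdir(os.path.join(server_root, "download", "cfg")):
        findings.append("download/cfg exists under the server root; delete it")
    return findings

def demo():
    """Audit WEAK_CFG against a temp server root that has a stray download/cfg."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "download", "cfg"))
        return audit(WEAK_CFG, root)
```

Run audit() against your real server.cfg and server root; a hardened file with both cvars at 0, no rcon_password line and no download/cfg directory returns an empty list.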

The thing is though, both sv_allowdownload and sv_allowupload were set to 0 on my server.
If you leave your rcon password in the server.cfg, they can easily change that.
Simply enforcing your rcon password on the command line will patch this easily.

There is no way to even access the server.cfg with sv_allowupload/download set to 0 unless you have RCON enabled or it’s on your FTP somewhere.

Lua backdoors can read the file or just enable sv_allowupload and sv_allowdownload.

I’m talking Source-side.

In that case you are putting a lot more trust in Valve than you should.

[editline]20th June 2014[/editline]

Also, moving your rcon password won’t fix the specific exploit this person used because it seemingly was never accessed in the first place.

All right, so everything I got here was wrong.
I’ll update the thread with the correct information, thanks for the correction.

Still, this is pretty dangerous.

Wait, but what was up with the fishy files within my server directory?

It could’ve been so much worse, it’s a good thing this guy doesn’t know how to do anything else.

Just to simplify everything, this person appears to have used 2 exploits:

  • Crashing the server (bunch of ways this could be done)
  • Linking you to a web page that spams HTTP requests to your server, resulting in an auto IP ban due to rcon protection.

The fishy files you saw, unless you can supply filenames, were probably not malicious at all.

All right, thanks for the corrected information.

This is still something that server owners should look out for.

This exploit is as old as the hills and Valve are aware of it, nothing new here.

This guy has cheated many times on my server.

I’d recommend permabanning him and his alt.

“Well that was really good.”

IDK where but I seem to remember his name from somewhere and I can’t seem to remember where exactly.

Hex, could you tell me what he is using to get banned?

That actually was me, and I was trying to remove everything to get unbanned from HeX’s server ._.
Sorry for getting you banned, was just testing stuff out :frowning:

He had so much installed there’s no point listing it all. Everything from MPGH.

^^
Everything from MPGH + more >:)

I really don’t see why you did “>:)” when really you’re using 90% public shit then the rest you can get easy but it’s not full out public.

I only have like 4 public scripts, then like 2 of what you’re talking about, then the rest is Tyler Wearing’s “private” hacks ._.

[editline]20th June 2014[/editline]

And the rest is mine

http://puu.sh/9Augn/3c15f6fec0.png

Oh yeah, totally.