Hacked, delete files from data with specific name with lua

Hey!

I got hacked yesterday and I want to make a Lua script to delete all the files they spammed into the data folder, because among the 120,000 files there are needed ones.

How would I make a script that loops through directories and subdirectories and at the same time checks whether the file name looks like something the hackers' script made?

The hackers' script makes files this way:

AAAA-FFFF + Can be AAA1 and etc.
00000-99999 + contains letters
0000-9999 + contains letters

So how could I check whether a name matches the patterns above and delete it?

Thank you.

Hacked using text files.
Seems legit.

Well, they hacked full access to the server, broke ULX and all the other stuff, and spammed my data folder.

Is your rcon password in server.cfg?

You have lots of addons, right?

Yeah, gonna block all the ports outside my network after the files are deleted.


Yeah, they probably used some kind of backdoor in the addon E2Power that no one knows about.

Well, there's your problem, don't have it in server.cfg.

But how would I delete those files with Lua? You just told me how I got hacked, which I already know.

Re-install. It's not like garrysmodds is time-consuming to set up. Also disable sv_allowdownload in your server.cfg and don't store the rcon password in there.

Then all my settings would be reset…

This most likely doesn't have to do with rcon_password.
There are only four things it can be:
sv_allowupload 1
mysql database password in a clientside file
rcon_password in server.cfg and sv_allowdownload 1 (not likely)
a backdoor

and I think I know what it is, but I am not allowed to tell, because the person who told me asked me not to.

Backdoor in E2P… Can someone help with the Lua part?

Are you using a VPS/dedi or a managed host? If you're doing the srcds stuff yourself, just install gmodds into a separate directory, copy your config files over from the old directory, and test until it works like it used to.

If you’re using some managed host then just backup everything locally and tell them to re-install. Deleting all files that have unusual names can cause issues if it deletes something necessary and will more than likely not remove the backdoor.

Also, is this a Windows or Linux machine?

Dedicated, Linux/Ubuntu machine


Alright! I started my little laggy file-deleter script.
If anyone is interested, here it is:

-- Recursively walk the data folder and delete every zero-byte file.
-- file.Find returns two tables, files and subdirectories, holding bare names,
-- so the directory prefix has to be carried along and re-added on each level.
local function scanDir( dir )
	local files, dirs = file.Find( dir .. "*", "DATA" )

	for _, name in ipairs( files ) do
		local path = dir .. name
		if file.Size( path, "DATA" ) == 0 then
			file.Delete( path )
			print( "File Deleted: " .. path )
		end
	end

	for _, name in ipairs( dirs ) do
		scanDir( dir .. name .. "/" )
	end
end

scanDir( "" )

If you run it and you have many dirs, your CPU will be at 100%.

All your script does is delete empty files. In your first post you mentioned that you want to remove any files with alphanumeric names that are 1-5 characters in length.


find . -type f -regextype posix-egrep -regex ".*\/[0-9A-Za-z]{1,5}\.lua"

That will list the files that match your horrible idea from the first post. You'll notice it matches a lot of Lua files. That's because


AAAA-FFFF + Can be AAA1 and etc.
00000-99999 + contains letters
0000-9999 + contains letters

is a huge pattern. So I'll say again: if you got 'hacked' and are worried that there are backdoors, re-install your gmodds instance. Just mv your GarrysModDS directory and re-install it with steamcmd. Then you can re-install any addons you need. The only things you should be copying from the old directory are your sv.db, if you need it, and any data/cfg files. Don't copy any Lua files or addons from the old directory.

Then, in your server.cfg, remove rcon_password and put sv_allowdownload 0. Then in your server.sh, or whatever you use to launch the gmod server, put +rcon_password "pass" at the end.
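The server.cfg hardening this reply describes, as an added shell example that is not code from the thread; the function names and the sample config are this example's own, and it assumes the cvar names are written in lowercase as they are in the thread:

```shell
#!/bin/sh
# Added example, not code from the thread. Strips every rcon_password line from
# a server.cfg (the password is passed on the launch line instead) and forces
# sv_allowdownload and sv_allowupload to 0, the two upload/download cvars the
# replies name. Assumes lowercase cvar names; the file is rewritten in place.

harden_server_cfg() {
    cfg="$1"
    tmp="$cfg.tmp"
    # Drop rcon_password lines; rewrite any existing download/upload value to 0
    # while keeping the line's leading whitespace (\1).
    grep -v '^[[:space:]]*rcon_password' "$cfg" \
        | sed -e 's/^\([[:space:]]*sv_allowdownload\)\([[:space:]].*\)\{0,1\}$/\1 0/' \
              -e 's/^\([[:space:]]*sv_allowupload\)\([[:space:]].*\)\{0,1\}$/\1 0/' > "$tmp"
    # Append the cvars if the config never set them at all.
    grep -q '^[[:space:]]*sv_allowdownload' "$tmp" || echo 'sv_allowdownload 0' >> "$tmp"
    grep -q '^[[:space:]]*sv_allowupload'   "$tmp" || echo 'sv_allowupload 0'   >> "$tmp"
    mv "$tmp" "$cfg"
}

# The launch line that carries the rcon password outside the config file,
# as the reply suggests (binary name and -game flag are the usual srcds ones).
launch_line() {
    printf './srcds_run -game garrysmod +rcon_password "%s"\n' "$1"
}

# Demo on a constructed server.cfg in a temp directory (sample values only).
demo_harden() {
    d=$(mktemp -d)
    printf 'hostname "my server"\nrcon_password "sample-only"\nsv_allowdownload 1\nsv_allowupload 1\nsv_cheats 0\n' > "$d/server.cfg"
    harden_server_cfg "$d/server.cfg"
    cat "$d/server.cfg"
    launch_line "sample-only"
    rm -rf "$d"
}

demo_harden
```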