My Server got Hacked. (Textures are color changing!)

As the title says, my TTT server got hacked (someone got RCON access). Whereas I know how to fix the security issue, the color changing props are my issue.

Whenever I or anyone joins my server, all of the props/movable doors/players are changing colors and transparency. It continued after a server reset, and I’m not sure how to fix it. Let me know if you have any ideas.

I assume it’s a simple rcon/concmd, or a line in some .cfg or .lua file somewhere I can edit.

When I break a prop, it reverts to normal color. Weapons/ammo boxes on the ground also change colors.

Check lua/autorun and lua/autorun/server, see if there are any scripts that might have been added. (It’s worth a shot, seeing how you didn’t specify how they ‘got rcon access’)

Thanks for the response Shadow, but the only file in autorun/server is admin_functions.lua, which has no suspicious Lua in it.

Edit: I would like to add I don’t think any FILES were added, unless there’s a way to do so with RCON. I don’t think the hacker had any FTP privileges to my server.

Do you have expression 2 available for use on your server?

Here’s the thing: I did download wiremod/extras, but it is moved into a random folder.

I used the SVN feature provided by NFOservers, and b/c I did I can’t fully delete the addon folder for wiremod due to hidden files, so I moved it out of addons and into garrysmod/dump to deactivate it (it’s sitting there with my ULX, which I replaced with SM, which is working BTW).

IDK if E2 is what is causing this, but it could be.

EDIT: It is a TTT server, which is why I don’t need wiremod.

PM Me the IP so I can look?

Working with Blasphemy we learned this stopped when in a different gamemode (sandbox). We couldn’t locate the source. If anyone else has ideas please share!

Edit (30th January 2012):

Blasphemy mentioned “Think” lua may be responsible. I found these running by searching any hooks running clientside

KEImIoVc\ = function: 040AFC08
WireHUDIndicatorCVarCheck = function: 25B70140
HTTPThink = function: 03D2C2A0
NotificationThink = function: 03CDE720
CheckTimers = function: 04AB8E00
RealFrameTime = function: 03D534C0
E2Helper_KeyListener = function: 03CE4DE0
DOFThink = function: 03720098
CheckSchedules = function: 0465F968

It looked obviously like a think hook changing the color of all the ents in the server. I’m not sure which hook it is because I can’t really investigate.

Type lua_run_cl hook.Remove("Think", "KEImIoVc\") in your console, see if it stops (If it doesn’t, you can quit reading my post right here).
I’m going to take a shot in the dark and say that the hook will probably be random, so just do a notepad++ search in the gamemode files for “Think” or “hook.Add” and see if it shows up any results different than what would be expected. As for E2, if you do need to remove it and can’t, I’d say contact NFO and ask them to completely remove it (since apparently it’s still running).

I was going to suggest that really strange hook as well. So yeah, give that a shot.

I entered this in console and got no results. I added sm_rcon in front, which forces the command as RCON, and it still did not work.

Edit: After entry no lines appeared, neither saying something happened nor saying unknown command.

First of all, serverside Lua is run with lua_run, not lua_run_cl.
Also, it has two slashes, not one. That’s \\. The clientside code would be:
lua_run_cl hook.Remove("Think", "KEImIoVc\\")
Serverside is:
sm_rcon lua_run hook.Remove("Think", "KEImIoVc\\")

If the first one stops it, it’s a clientside hook. Otherwise it’s a serverside hook. In order to figure out where it is you’d have to do this on whichever state it is:
lua_run(_cl) PrintTable(debug.getinfo(hook.GetTable().Think["KEImIoVc\\"], "Sln"))
Just look for short_src I suppose.

I found it! Thanks for everyone’s help. This was found in my init.lua in my gamemodes/terrortown

hook.Add("Think",tostring(math.Rand(1,999999)), function() for k,v in pairs(ents.GetAll()) do v:SetColor(Color(math.Rand(1,255),math.Rand(1,255),math.Rand(1,255),math.Rand(1,255))) end end)

How the HELL it got there, I don’t know, but if it wasn’t for your ideas on WHAT to look for it would be disco mode forever in my server! Thanks again!


Lol, that’s pretty much the code I said it probably was :P
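Added example, not written by anyone in the thread: a Python scan of Lua source for hook.Add calls whose identifier is computed at runtime instead of written as a string literal, which is the trait of the line found in init.lua and a narrower version of the "search the gamemode files for hook.Add" advice above. The function names and the SAMPLE text are constructed for illustration.

```python
import re
import sys
from pathlib import Path
HOOK_ADD = re.compile(r"\bhook\.Add\s*\(")
STRING_LITERAL = re.compile(r"""^(["'])(?:\\.|(?!\1).)*\1$""")
# Constructed sample: an ordinary hook, then the line quoted in the thread.
SAMPLE = '''hook.Add("Think", "CheckTimers", function() end)
hook.Add("Think",tostring(math.Rand(1,999999)), function() for k,v in pairs(ents.GetAll()) do v:SetColor(Color(math.Rand(1,255),math.Rand(1,255),math.Rand(1,255),math.Rand(1,255))) end end)
'''

def first_two_args(src, pos):
    """Return the first two arguments of a call; pos is just past its '('."""
    args, cur, depth, quote = [], "", 0, None
    while pos < len(src) and len(args) < 2:
        ch = src[pos]
        if quote:                            # inside a Lua string literal
            if ch == "\\":                   # copy the escape pair as one unit
                ch, pos = src[pos:pos + 2], pos + 1
            elif ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
        elif ch in "([{":
            depth += 1
        elif ch in ")]}" and depth:
            depth -= 1
        elif ch in ",)" and depth == 0:      # argument boundary or end of call
            args.append(cur.strip())
            if ch == ")":
                break
            cur, ch = "", ""
        cur += ch
        pos += 1
    return args

def computed_hook_ids(lua_source):
    """List (line, event, identifier) for hook.Add calls with a non-literal
    identifier. Lua comments and [[long strings]] are not parsed, and tables
    or entities used as identifiers are flagged too: review each hit."""
    hits = []
    for m in HOOK_ADD.finditer(lua_source):
        args = first_two_args(lua_source, m.end())
        if len(args) == 2 and not STRING_LITERAL.match(args[1]):
            line = lua_source.count("\n", 0, m.start()) + 1
            hits.append((line, args[0].strip("\"'"), args[1]))
    return hits

if __name__ == "__main__":  # arguments: gamemode or addon folders to scan
    print("sample:", computed_hook_ids(SAMPLE))
    for p in (q for d in sys.argv[1:] for q in Path(d).rglob("*.lua")):
        for line, event, ident in computed_hook_ids(p.read_text(errors="replace")):
            print(f"{p}:{line}: hook.Add({event!r}, {ident}, ...)")
```

Comparing the hits against a clean copy of the gamemode separates injected lines from hooks that legitimately use an object as their identifier.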