RCON Exploit Still Possible?

Today, my server was hacked. The user elevated themselves through RCON.

Yeah, shame on me, RCON password in the server.cfg, I know. I shouldn’t have put it there in the first place. Stupid.

This has gotten me curious, however. I thought the RCON exploit was fixed, so how could this happen? Some kind of file downloader once again?

It will be fixed in the next update. It’s due to a bypass in the file extension check RequestFile does.


Good informative reply.

Just because you move your rcon from server.cfg doesnt mean youre safe, there are many other exploits to do this

Many hackers that I’ve seen use the exploit through sv_allowdownload. I’d make sv_allowupload 0 and
sv_allowdownload 0

rate me dumb if im wrong but not setting an rcon password anywhere works extremely well (if you have cpanel access of some form)

who even uses rcon

My guidelines:

  • Disable rcon after you have set your rank in an adminmod.
  • Never install shady addons. Always check the author and the replies.
  • Have sv_upload on 0 and sv_download on 0 if you got fastdl.
  • Darkrp sets sv_allowcslua on 1. This can be used to exploid badly written addons that use “RunString”.

I use it very often to save time.

If you just remove rcon they would still be allowed to download server files. You’re better off just disabling sprays and leaving rcon on but set the password via your commandline.

Chuck this in to your server.cfg file and don’t use rcon.

rcon_password ""
alias rcon_password

the bypass that the skids are running around with will be fixed in the next update.
according to willox

Someone said in General Discussion that Willox was selling exploits to skids…


A certain GSP was compromised. They’re aware and I wasn’t involved.

Don’t a lot of GSP’s use TCA that requires rcon for a fair bit of the administration that it provides to it’s clients?

Idiotically yes, which doesn’t make sense since every other game panel allows you to do the same stuff without needing rcon.

Tcadmin only uses rcon for the web console, in which if you disable rcon it still works fine, just doesn’t ask for the password. Are we talking Tcadmin 1 or 2? Because I’ve never has an issue with Tcadmin 2 without rcon.