Server just got hacked.

So I don’t really know much about the issue but our server was hacked about 30 minutes ago. They had full access to our ULX and could ban superadmins/owners. I banned the users and they have unbanned themselves somehow and keep destroying the server. I tried to update ULX and removed rcon from the control panel but the problem still persists. Any help on this would be greatly appreciated.

Really didn’t want to wake up in the middle of the night to this =X

If they can unban themselves then:
A. they use a different non-banned user to unban them (there must be some exploit via your map, or somewhere in your code)
B. have access to your server console (through rcon, or something)

Well after this went down I disabled rcon in the control panel. Last I knew only map with an exploit like this was on 67thway.

Any other maps have an exploit like this? Or could they be doing it another way?

What map are you using? And it could totally be another way. Have you added anybody else’s code recently?

edit: I'm getting off, but check the logs and see how they add themselves to admin or something, and open the map in Notepad++ and Ctrl+F for lua_run and see if it has anything to do with admin

Delete ulx data from data

Only code I have added in the past 8 months is some slow motion shit when the round ends. I will do a search for lua_run when I get home tomorrow. Thank you very much for the fast replies!

Any other thoughts please keep em coming!

Change your rcon password, don't give admin to 11-year-old kids.

If he was hacked, I assume there is some exploit in ULX or the RCON password is found.

There must be a loophole somewhere. Like others said, make sure you know what map you’re running. There used to be a TTT map that had a secret button located somewhere that allowed you to ban those of your choosing or something. (Thankfully the new versions either have it removed / it bans you instead)

Like I said twice I disabled RCON and it wasn’t domestic, someone gave themselves admin through some kind of exploit.

They have someone on the inside; check the logs to find out who’s giving them admin. If it’s not RCON and they’re both banned, they’d need someone to unban them or exploit something for them; because they’re banned.

What map allows rcon access / unban? wat

There was a person distributing map versions he supposedly “fixed” which had lua_run entities hidden in them. He would find servers that ran the map and then the lua_run entities would set him as owner in ulx.
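An offline version of the "search the map for lua_run" check suggested earlier in the thread, covering the hidden-entity case just described. This is an added example, not code from any poster or from ULX. It assumes an uncompressed entity lump (lump 0) in a standard VBSP file; the function names and the sample map bytes are constructed for illustration.

```python
import re
import struct

HEADER = struct.Struct("<4si")   # ident "VBSP", BSP version
LUMP = struct.Struct("<iii4s")   # file offset, length, lump version, fourCC
PAIR = re.compile(r'(?m)^\s*"([^"]*)"\s+"([^"]*)"\s*$')

def entity_lump(bsp):
    """Return lump 0, the plain-text entity list, of a Source engine BSP."""
    ident, _version = HEADER.unpack_from(bsp, 0)
    if ident != b"VBSP":
        raise ValueError("not a Source engine BSP")
    offset, length, _ver, _fourcc = LUMP.unpack_from(bsp, HEADER.size)
    if offset < 0 or length < 0 or offset + length > len(bsp):
        raise ValueError("entity lump lies outside the file")
    return bsp[offset:offset + length].rstrip(b"\0").decode("latin-1")

def find_lua_run(bsp):
    """List Lua carried by lua_run entities and by outputs that feed them."""
    findings = []
    for block in re.split(r"(?m)^\}\s*$", entity_lump(bsp)):
        pairs = PAIR.findall(block)
        keys = {k.lower(): v for k, v in pairs}
        if keys.get("classname", "").lower() == "lua_run":
            findings.append(("lua_run", keys.get("targetname", ""), keys.get("code", "")))
        for _key, value in pairs:
            # Output values read target,input,parameter,delay,refires; the
            # separator is a comma in older maps and ESC (0x1b) in newer ones.
            for sep in ("\x1b", ","):
                parts = value.split(sep, 2)
                if len(parts) == 3 and parts[1].lower() == "runpassedcode":
                    findings.append(("output", parts[0], parts[2].rsplit(sep, 2)[0]))
                    break
    return findings

def build_sample_bsp(entities):
    """Constructed test input: a header, 64 lump entries and lump 0 only."""
    offset = HEADER.size + 64 * LUMP.size + 4   # +4 for the map revision
    lumps = LUMP.pack(offset, len(entities), 0, b"\0" * 4) + bytes(63 * LUMP.size)
    return HEADER.pack(b"VBSP", 20) + lumps + struct.pack("<i", 1) + entities

SAMPLE = build_sample_bsp(  # constructed, harmless sample entities
    b'{\n"classname" "worldspawn"\n}\n'
    b'{\n"classname" "lua_run"\n"targetname" "runner"\n"Code" "print(\'sample\')"\n}\n'
    b'{\n"classname" "func_button"\n'
    b'"OnPressed" "runner,RunPassedCode,print(1, 2),0,-1"\n}\n\x00')

if __name__ == "__main__":
    for kind, name, code in find_lua_run(SAMPLE):
        print(f"{kind:8} {name!r}: {code}")
```

To check a real map, pass the file's bytes (`open(path, "rb").read()`) to `find_lua_run` and review every reported snippet for anything that touches user groups or bans.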

Not the case with this I am 100% sure.

There was a “fixed” version of ttt_67thway that users could promote themselves to superadmin. 67thway has never been on our server so I know they did not use that exploit. What worries me, there is some map/other exploit around that the community doesn’t know about yet.

I added a bunch of new maps to the server ~2 weeks ago. I will get a list of them and post them on here. Maybe someone can confirm some of these maps' credibility.

edit
Maps recently added:

ttt_whitehouse
ttt_lttp_kakariko
ttt_mc_skyislands
de_motel_b4
ttt_slender
ttt_minecraft_b5
ttt_lost_temple_v2
ttt_plaza_b7
ttt_lostcoastcity


I mean, what map was running when he gave himself admin, or whatever. Because you can just squash the whole map exploit thing just by seeing that.

Place this script in lua/autorun/server and check the data folder for a file named lua_run.txt
This should save what code every lua_run is executing. This should only be a temporary script. Remove it after it’s unneeded.

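[lua]
-- Temporary logger: records the Lua each map-placed lua_run entity carries.
file.Write("lua_run.txt", "")
hook.Add("OnEntityCreated", "lua_run catcher", function(ent)
    if ent:GetClass() == "lua_run" then
        -- Key values may not be applied yet when this hook fires,
        -- so read the code on the next tick.
        timer.Simple(0, function()
            if not IsValid(ent) then return end
            file.Append("lua_run.txt", tostring(ent:GetDefaultCode()) .. "\n\n")
        end)
    end
end)
[/lua]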

Sv_Allowupload 0

Old ulx hack.

This means no custom sprays!

Who cares? Most of them contained pornographic images of Justin Bieber or Harry Styles, anyway.

You’re right, it’s a bad idea. ULX hacking is not a big deal.