Today's Weird Experience | Hack?

Hello all,

Well, today was an interesting day. One of my clients came across a player on his DarkRP server claiming that he had a screen capture of someone crashing the server. The server owner opened the link (it was a shortened Google link... so yeah). When he clicked it he described a flash of an error, then it said "404 not found" and had no URL. All of a sudden he was banned. Unfortunately he pasted the link to me and said "what's this", so I had to click it, since he was a trusted client of mine. I clicked it and it did the same thing to me (without the banning, because I was not on the server, I am assuming). After a run of confused talk I tried to join his server: I launched GMod and looked for the server. "Hmmm, not there." So I tried through the console. This is the part that stumped me: the link either blocked the IP:PORT or something similar, because I could see every other server except his and I could not even direct connect to it. (He was having the same issue in the meantime.) So I restarted my modem, and now I could join the server. I got on and was met with this person: http://steamcommunity.com/profiles/76561198058641219 . He was going on about how he had accidentally done it, and the only way to stop all of the server's files from being deleted was to add him as owner so he could remove the "virus" and stop the server being deleted. So I immediately did a backup of the server, just on the slight chance it was true. Then he went on about how he still needed owner to remove this "hack".

So after all that he decided to explain how he could "remove the virus with an encrypted Lua file". I said "what's an encrypted Lua file?" (this was to see how much bullsh** he was telling). This was his response:



PG Orange: this encrypted code is locked down to my hard drive only I can have the file on my computer, if I were to give it to you, you could not even see the file


I then doubted whether he knew what an encrypted file was.

So again, after all that ordeal, he said "OMG THE SERVER HAS LOST 25% OF ITS FILES".
I then refreshed the server directory and viewed its properties: 5,531 files. I also checked the backup I did earlier: the same number, 5,531.

So again I knew he was bullshitting. The next response I got from him was that all the windows and doors on the map were going to be removed. Then he spawned the Advanced Duplicator dupe of those HL2 Combine props which basically breaks rp_downtown_v4c.

Then I banned him :slight_smile:

NOW:
The Question.
Is it possible to have an exploit that runs console commands? I find it weird that clicking on a link can result in a console command being run.

ALSO:
Here is the console.log from when the server admin got banned after clicking the link.

Upon further review, it looks like he was banned for failed rcon attempts.

Well, thanks and kind regards. I've been up for almost 23 hours and I'm piss tired. Good night!

I remember this happening to me before in DarkRP. A user called me and said he had an image of an exploiter. After I copied the link and pasted it in my browser, the image wouldn't load. I alt-tabbed back to the game and I was greeted with:

Added to banned list.

The server would never appear on the list for me. Eventually the higher-ups restored an earlier version for my sake and everything was fine. I never figured out why or how it happened.

Weird.

The link was to a prepared page. It basically opens a lot of iframes with the server IP and port in the background. Because of that the server thinks you are trying to brute-force the RCON password and bans your IP address (for 30-60 minutes by default, I think).

The “exploit” is quite old and works on all Source engine games.

So there are a few ways to stop it:

  1. Don’t click fishy links.
  2. If you really need rcon, then set some of these parameters a bit less tight:

sv_rcon_banpenalty <mins>         Number of minutes to ban users who fail rcon authentication. Default: 0
sv_rcon_maxfailures <0-20>        Max number of times a user can fail rcon authentication before being banned. Default: 10
sv_rcon_minfailures <0-20>        Number of times a user can fail rcon authentication in sv_rcon_minfailuretime before being banned. Default: 5
sv_rcon_minfailuretime <1-seconds> Number of seconds to track failed rcon authentications. Default: 30

  3. If you do not need rcon (you can still run rcon commands with some admin mods like ULX), then disable it. The exploit would be stopped that way, and if you still have access to the screen of the server (or the server console if you are on a Windows VPS), then you can still remotely access it there.
    Only tools like HLSW or some donation scripts would be blocked that way.
    Also, there are still ways to grab the server.cfg from the game server, so disabling rcon (or setting rcon_password on the command line) would be a great increase in server security.
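To make the mechanism above concrete, here is an added example (not code from the post, the engine, or any admin mod) that models the failure tracking the four sv_rcon_* cvars describe and replays the iframe flood against it. The counting rules (minfailures within a minfailuretime window, maxfailures overall) are an assumption reconstructed from the cvar descriptions quoted in the post, not engine code, and the IP address and traffic patterns are constructed. The last helper shows why the rcon listener cannot make sense of a browser connection: a Source RCON packet starts with a little-endian int32 length, and the first four bytes of an HTTP request line decode to an absurd one.

```python
"""Added example: model of Source-engine style rcon failure tracking.

Not engine code. The windowing/counting rules below are an ASSUMPTION built
from the cvar descriptions quoted in the post; the real engine may differ in
details such as when counters reset. banpenalty is carried along for
reporting but the ban duration itself is not simulated.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class RconBanPolicy:
    """The four cvars from the post, with the defaults listed there."""
    minfailures: int = 5          # sv_rcon_minfailures
    minfailuretime: float = 30.0  # sv_rcon_minfailuretime, seconds
    maxfailures: int = 10         # sv_rcon_maxfailures
    banpenalty: float = 0.0       # sv_rcon_banpenalty, minutes (reported only)


@dataclass
class FailureTracker:
    policy: RconBanPolicy
    recent: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))
    total: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    banned_at: Dict[str, float] = field(default_factory=dict)  # ip -> time of ban

    def record_failure(self, ip: str, now: float) -> bool:
        """Record one failed rcon auth from `ip` at time `now` (seconds).
        Returns True if this attempt trips a ban (assumed rules, see above)."""
        self.total[ip] += 1
        # keep only failures inside the sv_rcon_minfailuretime window
        window = [t for t in self.recent[ip] if now - t <= self.policy.minfailuretime]
        window.append(now)
        self.recent[ip] = window
        if len(window) >= self.policy.minfailures or self.total[ip] >= self.policy.maxfailures:
            self.banned_at[ip] = now
            return True
        return False


def first_ban(policy: RconBanPolicy, attempts: List[Tuple[str, float]]) -> Optional[int]:
    """Replay (ip, time) failed-auth attempts in order; return the 1-based index
    of the attempt that triggered the first ban, or None if nobody was banned."""
    tracker = FailureTracker(policy)
    for i, (ip, t) in enumerate(attempts, start=1):
        if tracker.record_failure(ip, t):
            return i
    return None


def iframe_flood(ip: str, n: int, spacing: float = 0.1) -> List[Tuple[str, float]]:
    """Constructed traffic: a page with `n` iframes makes the victim's browser
    open `n` TCP connections to the server port almost at once, all from one IP."""
    return [(ip, i * spacing) for i in range(n)]


def admin_typos(ip: str, n: int, spacing: float = 120.0) -> List[Tuple[str, float]]:
    """Constructed traffic: an admin mistyping the rcon password, minutes apart."""
    return [(ip, i * spacing) for i in range(n)]


def http_as_rcon_length(request: bytes) -> int:
    """A Source RCON packet begins with a little-endian int32 packet length.
    Decoding an HTTP request line the same way yields a nonsensical length,
    so a browser connection can never look like a valid rcon client."""
    return struct.unpack("<i", request[:4])[0]


if __name__ == "__main__":
    victim = "203.0.113.7"  # constructed address
    defaults = RconBanPolicy()
    print("iframe flood, defaults, banned on attempt:", first_ban(defaults, iframe_flood(victim, 20)))
    print("3 admin typos, defaults, banned on attempt:", first_ban(defaults, admin_typos(victim, 3)))
    loosened = RconBanPolicy(minfailures=20, maxfailures=20)
    print("iframe flood, loosened, banned on attempt:", first_ban(loosened, iframe_flood(victim, 20)))
    print("'GET ' read as rcon packet length:", http_as_rcon_length(b"GET / HTTP/1.1\r\n"))
```

With the defaults the fifth connection from the flooded browser already trips the minfailures window, while an admin fat-fingering the password a few times minutes apart is untouched, which is why loosening only buys a little: the page can simply embed more iframes than sv_rcon_minfailures allows (its range tops out at 20). Disabling rcon removes the listener altogether, so there is nothing to count.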