Author Topic: ULX Hacked?  (Read 22525 times)

Offline Hardy

  • Newbie
  • *
  • Posts: 42
  • Karma: 0
Re: ULX Hacked?
« Reply #15 on: January 29, 2009, 12:45:03 PM »
It's random people with random SteamIDs. 5 minutes ago some man joined. The console started spamming tons of messages (while that man was still spawning, not in game). There were so many messages that we got a reliable channel overflow. I changed the rcon password and the messages continue! So this is NOT rcon. And I have only two mods that can do that: ULX and Sourcemod. Are you sure this is not ULX?
And this is not a special attack on my server; many servers have these "chrisaster" attacks. "chrisaster is awesome" or "chrisaster is crashing you", and now it's
Console: ".@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC"
I would very much like to see "chrisaster is b**ch" messages :D
« Last Edit: January 29, 2009, 01:55:30 PM by Hardy »

Offline spbogie

  • Ulysses Team Member
  • Sr. Member
  • *****
  • Posts: 456
  • Karma: 41
Re: ULX Hacked?
« Reply #16 on: January 29, 2009, 02:47:30 PM »
While I highly doubt it's a ULX issue, or something would be showing up in the logs, you can test it very easily. Run the server w/o ULX for a week or so (just rename the info.txt in the addons/ulx folder to info.txt.bak and restart server) and see if you still get the messages. If you still get the spam, then we know it's not ULX. If not, then it could be ULX and we can start investigating it further.
I have not failed. I've just found 10,000 ways that won't work. - Thomas A. Edison
I reject your reality and substitute my own. - Adam Savage

Offline Hardy

  • Newbie
  • *
  • Posts: 42
  • Karma: 0
Re: ULX Hacked?
« Reply #17 on: January 29, 2009, 04:15:29 PM »
There's nothing in the logs. Console says are not logged either (in the ULX logs, I mean). Like a ghost.
OK, I'll try to use assmod temporarily :)
Here is an example from the normal logs.

L 01/29/2009 - 22:37:01: "GsE|D3LUx3|Pr0Fi´c|^<6><STEAM_ID_PENDING><>" connected, address "80.216.150.67:27005"
L 01/29/2009 - 22:37:01: "Console<0><Console><Console>" say "".-586@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC""
(many many same phrases)
22:37:02: "GsE|D3LUx3|Pr0Fi´c|^<6><STEAM_0:0:22098624><>" STEAM USERID validated
L 01/29/2009 - 22:37:45: "Console<0><Console><Console>" say "".950@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC""
(again tons of this )
L 01/29/2009 - 22:37:45: "GsE|D3LUx3|Pr0Fi´c|^<6><STEAM_0:0:22098624><>" entered the game
L 01/29/2009 - 22:37:45: "GsE|D3LUx3|Pr0Fi´c|^<6><STEAM_0:0:22098624><Team>" say ".278@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC"
(again tons of this , but after connect it's not from console, it's from infected player)
L 01/29/2009 - 22:38:04: "GsE|D3LUx3|Pr0Fi´c|^<6><STEAM_0:0:22098624><>" disconnected (reason "Disconnect by user.")
(end of this )
Thanks for this, b_ch chrisaster, my daily log is 2 megabytes in size o0
« Last Edit: January 29, 2009, 04:21:18 PM by Hardy »

Offline Alex

  • Newbie
  • *
  • Posts: 33
  • Karma: 1
Re: ULX Hacked?
« Reply #18 on: January 29, 2009, 04:44:20 PM »
OK, I know how to fix it. Delete "config.cfg", then start gmod. You will have all your keys unbound, so bind them again. Then play.  ;D
:) Alex T. :)

Offline Hardy

  • Newbie
  • *
  • Posts: 42
  • Karma: 0
Re: ULX Hacked?
« Reply #19 on: January 29, 2009, 04:48:45 PM »
Damn, man, you don't get it. I am the server owner. People are joining my server and spamming using RCON. I am not infected.

Offline Alex

  • Newbie
  • *
  • Posts: 33
  • Karma: 1
Re: ULX Hacked?
« Reply #20 on: January 29, 2009, 04:50:49 PM »
OH I thought you said you have it. Well if it's through rcon change the pass like I said before.
:) Alex T. :)

Offline Hardy

  • Newbie
  • *
  • Posts: 42
  • Karma: 0
Re: ULX Hacked?
« Reply #21 on: January 29, 2009, 04:51:47 PM »
Quote from Alex:
"OH I thought you said you have it. Well if it's through rcon change the pass like I said before."
My post before:
"It's random people with random SteamIDs. 5 minutes ago some man joined. The console started spamming tons of messages (while that man was still spawning, not in game). There were so many messages that we got a reliable channel overflow. I changed the rcon password and the messages continue! So this is NOT rcon"

Offline jay209015

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 934
  • Karma: 62
    • Dev-Solutions
Re: ULX Hacked?
« Reply #22 on: January 29, 2009, 05:38:39 PM »
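Code:
-- Drop any chat message that contains the spam phrase.
local function ChatBlocker( ply, text )
    -- Plain-text search (4th argument true), so the phrase is not treated as a Lua pattern.
    if string.find( text, "!EMOSEWA SI RETSASIRHC", 1, true ) then
        return "" -- returning an empty string suppresses the message
    end
end
hook.Add( "PlayerSay", "ChatBlocker_Hook", ChatBlocker )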

OK, you can try this. Just save it as something.lua and put it in your <server>/garrysmod/lua/autorun/something.lua
It should stop it from happening. If the message changes, you'll know it's a member/viewer of this community.
If the message does change, I'll work on a new script. Test it out, and let me know.
An error only becomes a mistake when you refuse to correct it. --JFK

"And thus the downfall of the great ULX dynasty was wrought not by another dynasty, but the slow and steady deterioration of the leaders themselves, followed by the deprecation of the great knowledge they possessed." -Gmod, Chapter 28, verse 34 -- Stickly

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX Hacked?
« Reply #23 on: January 29, 2009, 06:03:46 PM »
Nothing to do with ULX. Moving to Off topic.

http://bugs.garrysmod.com/view.php?id=1681
And, whoever's using this particular phrase is a fan of
http://chrisaster.com/ <- various gmod hacks, both good and bad, located there.
(To me, hack isn't a bad word. Though, hacks can be used badly)
(Much like guns. Good or bad)
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline jay209015

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 934
  • Karma: 62
    • Dev-Solutions
Re: ULX Hacked?
« Reply #24 on: January 29, 2009, 06:45:24 PM »
OK, following what JamminR did, I researched some more myself.

Go to steam/steamapps/username/garrysmod/lua/vgui/ and delete removeme.lua, then look for that on the server as well (it should be on your client, though).
Also, this is most likely not your server being hacked. From what I see, the origin of this is users joining a "fake" server and being forced to download a Lua "virus" that forces them to spam that style of message. Whenever someone joins the server spamming that, tell them about the lua/vgui file, and they should be able to fix it and rejoin w/o spam after restarting gmod. It coming from console is due to the spam being on a timer and initiating on player join, so they're not an object yet, so it forces it to talk through console. You're not hacked; it's the poor clients getting the file from somewhere.

HALL OF SHAME:
http://download.chrisaster.com/garrysmod/

Full list of links on the situation in attachment.

I'll see what I can do about becoming part of this chrisaster community, and letting you all know
of upcoming exploits. *Ninja Mode*

Hope you get your problem fixed! :D
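
Added example (not part of the original posts, and not ULX or Garry's Mod code): a log triage script for the pattern described above, where the spam is logged as Console while the infected client is still joining. It runs on a constructed sample in the thread's log format; the player names, SteamIDs and address are made up, and `is_spam` and `attribute_spam` are names chosen here.

```python
import re
from collections import Counter

# Constructed sample in the format of the log excerpt quoted in this thread
# (names, SteamIDs and address are made up; one line lacks the "L date -" prefix).
SAMPLE_LOG = '''\
L 01/29/2009 - 22:37:01: "PlayerA<6><STEAM_ID_PENDING><>" connected, address "192.0.2.10:27005"
L 01/29/2009 - 22:37:01: "Console<0><Console><Console>" say "".-586@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC""
22:37:02: "PlayerA<6><STEAM_0:0:11111><>" STEAM USERID validated
L 01/29/2009 - 22:37:45: "Console<0><Console><Console>" say "".950@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC""
L 01/29/2009 - 22:37:45: "PlayerA<6><STEAM_0:0:11111><>" entered the game
L 01/29/2009 - 22:37:45: "PlayerA<6><STEAM_0:0:11111><Team>" say ".278@@@@@@@@@@@@ !EMOSEWA SI RETSASIRHC"
L 01/29/2009 - 22:37:50: "PlayerB<7><STEAM_0:1:22222><Team>" say "hello"
L 01/29/2009 - 22:38:04: "PlayerA<6><STEAM_0:0:11111><>" disconnected (reason "Disconnect by user.")
'''

# "name<userid><steamid><team>" followed by the event text
LINE = re.compile(r'".*?<(?P<uid>\d+)><(?P<sid>[^<>]*)><[^<>]*>" (?P<rest>.*)$')
MARKERS = ("chrisaster",)  # marker word taken from the messages quoted in the thread

def is_spam(msg):
    """True if a marker appears forwards or reversed, ignoring digits and padding."""
    letters = re.sub(r"[^a-z]", "", msg.lower())
    return any(m in letters or m in letters[::-1] for m in MARKERS)

def attribute_spam(log_text):
    """Return {SteamID (or user id, or 'ambiguous'): number of spam lines}."""
    joining, steamids, counts = [], {}, Counter()
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        uid, sid, rest = m["uid"], m["sid"], m["rest"]
        if sid.startswith("STEAM_") and sid != "STEAM_ID_PENDING":
            steamids[uid] = sid
        if rest.startswith("connected"):
            joining.append(uid)
        elif rest.startswith(("entered the game", "disconnected")):
            if uid in joining:
                joining.remove(uid)
        elif rest.startswith("say ") and is_spam(rest[4:]):
            if sid == "Console":
                # Console-sourced spam: blame a client only if exactly one is mid-join.
                counts[joining[0] if len(joining) == 1 else "ambiguous"] += 1
            else:
                counts[uid] += 1
    return {steamids.get(u, u): n for u, n in counts.items()}
```

Player names and chat text are client-controlled, so treat the result as a lead on whom to tell about the lua/vgui file, not as proof.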

Offline Hardy

  • Newbie
  • *
  • Posts: 42
  • Karma: 0
Re: ULX Hacked?
« Reply #25 on: January 30, 2009, 06:51:53 AM »
Thanks. Only one problem is still there: there are so many console spam messages that I just get "reliable channel overflow" on all clients currently playing. It must be fixed...

Offline spbogie

  • Ulysses Team Member
  • Sr. Member
  • *****
  • Posts: 456
  • Karma: 41
Re: ULX Hacked?
« Reply #26 on: January 30, 2009, 08:18:36 AM »
If you have a copy of the spam script (get the names of the timers and/or functions), it should be a simple matter of writing your own clientside init script to the server which removes the timers responsible for generating the spam. You could then alert the client as well so they can remove the script.

Offline jay209015

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 934
  • Karma: 62
    • Dev-Solutions
Re: ULX Hacked?
« Reply #27 on: January 30, 2009, 08:39:12 AM »
Good thinking Spbogie :D

Offline Hardy

  • Newbie
  • *
  • Posts: 42
  • Karma: 0
Re: ULX Hacked?
« Reply #28 on: January 30, 2009, 08:58:50 AM »
Does a cl script start running right after the client has downloaded it?

Offline jay209015

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 934
  • Karma: 62
    • Dev-Solutions
Re: ULX Hacked?
« Reply #29 on: January 30, 2009, 12:24:48 PM »
Runs as soon as an infected player joins a server.