Author Topic: My server got hacked  (Read 3879 times)

The Pro

  • Guest
My server got hacked
« on: October 12, 2006, 07:43:38 PM »
I was hosting an RP server when someone joined and asked for spawning. I said no. And then he hacked me, took away my admin, spammed the chat and banned everyone.

Now before you start saying I have a .lua virus I don't have any of them.

I'm using ULX 2.1 with Ulib
Steam ID of the person that did this: STEAM_0:1:3307510

When I restarted gmod I still was not admin.
How can I fix this and make sure that that f***er never comes back to my server ever?
Also could they have hacked my computer too and be watching what I am saying here?

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • Project Lead
Re: My server got hacked
« Reply #1 on: October 12, 2006, 08:01:19 PM »
You've got some sort of exploit running, since ULX/ULib has no way to remove admins without editing the files directly. Make sure you check all auto-init files.
Experiencing God's grace one day at a time.

The Pro

  • Guest
Re: My server got hacked
« Reply #2 on: October 12, 2006, 08:06:03 PM »
I searched all the files and found nothing.
No Auto-init files were modded after 10 days ago.
I also checked all of them for malicious code.

Explain please.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: My server got hacked
« Reply #3 on: October 12, 2006, 09:21:13 PM »
Pro,
 I'm not saying it's impossible. (Meg might, he knows his code better than I)
However, it is EXTREMELY unlikely that ULX/ULib was the cause of your exploit.

Make SURE you have an rcon password set in your config file. If you have a default, this might have been the issue.

However, to answer some of your questions....
Quote from: The Pro
How can i fix this
1)
a) Back up your banned_*.cfg files. Verify they only have IP or steamids first, and not any other 'exec' lines or code lines.
b) Totally delete all of your gmod9 server/game folders.
c) Scan your PC for worms/viruses using 2 different scanners. (3 or 4 free ones exist on the web. Panda/Bitdefender/Trendmicro to name 3 reliable ones I know)
d) Reinstall Gmod.
e) Reinstall only ULX 2.1/Ulib 1.1
e) Reinstall any maps you like, hold off on mods. (Yes, this sucks)
f) Make SURE you have an rcon password set in your config file. If you have default, this might have been the issue.
g) Run server for a few days after doing answer 2

Quote from: The Pro
and make sure that that *($*#($# never comes back to my server ever.
2)
a) Once you have gmod9 and maps installed, add the user to your banned_users.cfg file (I think that's its name, it should have other steamids there too). I don't remember off the top of my head, but I think its format is STEAM:#:###### 0, where 0 is permanent.

Quote from: The Pro
Also could they have hacked my computer too and be watching what I am saying here?
Y35 comrade. @ll your base belong to u5.
Joking.
Seriously, most worms don't watch that closely. Anything is possible though. See 1c above.

"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming
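
An added example, not part of JamminR's post and not ULX/ULib code: one way to automate the two file checks from step 1, the ban-file review and the rcon password check. The accepted entry shapes (`banid`/`addip` lines plus the `<steamid> 0` form quoted in the post), the function names and both sample files are assumptions made for this illustration.

```python
import re

# Assumed shapes of a plain ban record; anything else gets reported.
STEAMID = r"STEAM_\d:\d:\d+"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ALLOWED = [
    re.compile(rf"^banid\s+\d+(?:\.\d+)?\s+{STEAMID}$", re.I),
    re.compile(rf"^addip\s+\d+(?:\.\d+)?\s+{IPV4}$", re.I),
    re.compile(rf"^{STEAMID}\s+\d+$", re.I),  # "<steamid> 0" form from the post
]

def audit_ban_file(text):
    """Return [(line_no, line)] for each line that is not a plain ban record."""
    flagged = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue
        # ';' would chain a second console command onto a valid-looking entry.
        if ";" in line or not any(p.match(line) for p in ALLOWED):
            flagged.append((no, line))
    return flagged

def rcon_password_set(cfg_text):
    """True if the config ends up with a non-empty rcon_password."""
    value = None
    for raw in cfg_text.splitlines():
        line = raw.split("//", 1)[0].strip()
        m = re.match(r'^rcon_password\s+"?([^"]*)"?$', line, re.I)
        if m:
            value = m.group(1).strip()  # a later assignment overrides an earlier one
    return bool(value)

# Constructed sample files, not taken from the thread.
SAMPLE_BANS = """\
banid 0 STEAM_0:0:123456
addip 0 123.45.67.89
exec extra.cfg
banid 0 STEAM_0:0:123456; exec extra.cfg
"""
SAMPLE_CFG = 'hostname "My RP server"\nrcon_password ""\n'

if __name__ == "__main__":
    for no, line in audit_ban_file(SAMPLE_BANS):
        print(f"line {no}: not a plain ban entry: {line}")
    print("rcon password set:", rcon_password_set(SAMPLE_CFG))
```

Run it against the backed-up ban files before copying them into the fresh install; any reported line should be read by hand rather than restored.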

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • Project Lead
Re: My server got hacked
« Reply #4 on: October 13, 2006, 07:05:40 AM »
What was in your users.ini at the time of this hack Pro?
Experiencing God's grace one day at a time.

The Pro

  • Guest
Re: My server got hacked
« Reply #5 on: October 13, 2006, 11:57:30 AM »
// User configuration file

// Line starting with // are comments

// Access flags:
// a - immunity (can't be kicked/baned/slayed/slaped and affected by other commmands)
// b - reservation (can join on reserved slots)
// c - kick access
// d - ban and unban access
// e - slay and slap access
// f - map access
// g - cvar access
// h - ent access (could crash the server!)
// i - misc chat access
// j - vote access
// k - prop access
// l - rcon access
// m - player control access (things that affect clients)
// n - menu access
// Other letters may be used for additional plugins (access flags are caps-sensitive).

// Account flags:
// a - this is a playername
// b - this is a clan tag (partial playername)
// c - this is a steamid
// d - this is an ip
// e - this is a steam login (the username they log into steam with)
// f - disconnect player on invalid password. This MUST be used with another account flag. (It's the only flag that can be used with others)
//      (gives them 30 seconds to enter their pass, by default)

// Password:
// When asked for the password, use "_pw <password>" in console

// Format of admin account:
// "<name|ip|steamid|clantag|steamlogin>" "<password>" "<access flags>" "<account flags>"

// Examples of admin accounts:
// "STEAM_0:0:123456" "" "abcdefghijklmnopqrstuv" "c"
// "123.45.67.89" "" "abcdefghijklmnopqrstuv" "d"
// "My Name" "my_password" "abcdefghijklmnopqrstuv" "a"
// "MingeBag" "supah_pass" "abcdefghijklmnopqrstuv" "bf" // This will disconnect any mingebag who does not know the password.



And Windows said that it had been modded when the hack took place but it's exactly the same as it was before it got hacked, leading me to believe that that guy covered his tracks by undoing changes to it.

I'm the only admin on my listen server right now so I get autoadded to the admins list.
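
An added example, not part of the post and not ULib code: a small reader for the users.ini format documented in the file above, listing only the lines that actually grant access and attaching review findings. On a file like the one posted, where every line is a comment, it returns no accounts. The function name, the findings wording and both sample strings are assumptions made for this illustration.

```python
import re

# Four quoted fields, as in the file's own "Format of admin account" comment.
ENTRY = re.compile(r'^"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"\s+"([^"]*)"')
ACCOUNT_KINDS = {"a": "playername", "b": "clan tag", "c": "steamid",
                 "d": "ip", "e": "steam login"}

def active_accounts(text):
    """Return one dict per non-comment line, with review findings attached."""
    accounts = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("//"):
            continue  # commented-out examples grant nothing
        m = ENTRY.match(line)
        if not m:
            accounts.append({"line": no, "ident": line, "kind": None,
                             "findings": ["unparseable line"]})
            continue
        ident, password, access, acct = m.groups()
        kind = next((ACCOUNT_KINDS[f] for f in acct if f in ACCOUNT_KINDS), None)
        findings = []
        # Player names and clan tags are chosen by the client, so they need a password.
        if kind in ("playername", "clan tag") and not password:
            findings.append("name-based account with no password")
        if "l" in access:
            findings.append("rcon access")
        if "h" in access:
            findings.append("ent access")
        accounts.append({"line": no, "ident": ident, "kind": kind,
                         "findings": findings})
    return accounts

# Constructed samples: the first mirrors a file with only comments, the
# second uncomments entries modelled on the file's own examples.
ONLY_COMMENTS = '// User configuration file\n// "STEAM_0:0:123456" "" "abcdefghijklmnopqrstuv" "c"\n'
WITH_ENTRIES = '''\
// User configuration file
"STEAM_0:0:123456" "" "abcdefghijklmnopqrstuv" "c"
"My Name" "" "abcd" "a"
'''

if __name__ == "__main__":
    print(len(active_accounts(ONLY_COMMENTS)), "active accounts")
    for acc in active_accounts(WITH_ENTRIES):
        print(acc["line"], acc["ident"], acc["kind"], acc["findings"])
```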

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • Project Lead
Re: My server got hacked
« Reply #6 on: October 13, 2006, 12:21:47 PM »
So whatever the guy did, he didn't get in through the ULib admin system (at least not initially), very strange. Do you have anything else that could help track down the cause?
Experiencing God's grace one day at a time.

The Pro

  • Guest
Re: My server got hacked
« Reply #7 on: October 13, 2006, 02:33:28 PM »
I really don't know what else I should post that could help :(.

I also noticed that he even went as far as making an impostor server of mine and now there are more people that hate me D:.

Is there anything I can do to make sure that this will not happen another time?

The Pro

  • Guest
Re: My server got hacked
« Reply #8 on: October 15, 2006, 09:43:11 AM »
Well, I reinstalled, added that guy to the banlist and everything is awesome.
Thanks for the help.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: My server got hacked
« Reply #9 on: October 15, 2006, 01:42:00 PM »
The Pro,
 Welcome. Glad we could help a little.
Since you run a listen server, I guess that you also connect to other servers from the same game pretty often.
 Just be careful out there.
One you connected to may have had a lua worm downloaded to your machine someway/how.
I'd bet that's how your idiot got in.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming