ULX

Author Topic: Ulx Hacking on Server  (Read 23622 times)

0 Members and 1 Guest are viewing this topic.

Offline JellyJamBlue

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Ulx Hacking on Server
« on: August 10, 2013, 04:45:20 PM »
Alright. I really need your guys help. On my server, I have ulx and ulib installed. 2 hours ago, my server got hacked for the third time. So I checked in console and I saw that someone (the hacker) is making someone spam the rcon password. And then I got errors in console and ill post them in here (Im going to show the rcon pass but I did change it) Alright so here are the logs I found in console.


Code: [Select]
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
*DEAD*(TEAM) xXIC35TORMXx: stop
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
[CBC] The JokeR muted SwiftSnail
ServerLog: [ULX] [CBC] The JokeR muted SwiftSnail
[CBC] The JokeR: ik your not
*DEAD*(TEAM) xXIC35TORMXx: gag me
Writing cfg/banned_user.cfg.
Dropped Ezzy from server (Disconnect by user.)
[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


*DEAD*(TEAM) xXIC35TORMXx: someones trolling me
[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


ServerLog: 03:12.26 - DMG: gcbcxcyc [innocent] damaged [CBC] The JokeR [traitor] for 171 dmg
ServerLog: 03:12.26 - KILL: gcbcxcyc [innocent] killed [CBC] The JokeR [traitor]
[CBC] The JokeR gagged Everyone
ServerLog: [ULX] [CBC] The JokeR gagged Everyone
ServerLog: Round ended.
ServerLog: Result: innocent win.
Client "Ezzy" connected (50.88.223.254:61092).
[CBC] The JokeR muted Everyone
ServerLog: [ULX] [CBC] The JokeR muted Everyone
Dropped SwiftSnail from server (globally banned for cheating: hera)



Swift Snail did not hack though. Its someone making him do this because this has happened to numerous people before. Can you guys please help me prevent this so that my server doesnt get hacked...

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: Ulx Hacking on Server
« Reply #1 on: August 10, 2013, 08:25:37 PM »
Just because a hacker uses ULX after getting access does not mean ULX is the vehicle. Clearly this person retrieved your rcon password somehow.
Experiencing God's grace one day at a time.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Ulx Hacking on Server
« Reply #2 on: August 10, 2013, 10:08:52 PM »
If not having obtained your rcon password directly, it's likely another mod allows use of code through a connected admin.
Are those 'runstring' errors common for your server in regards to getpos and createpos?

"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline JellyJamBlue

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: Ulx Hacking on Server
« Reply #3 on: August 11, 2013, 06:13:41 AM »
I never really did getpos and setpos because I'm running a TTT server. So what do you think it means when it's saying the String Errors. And with the rcon password, I never told anyone it and after that I changed it again and it still happened, people spamming the password

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2728
  • Karma: 430
    • |G4P| Gman4President
Re: Ulx Hacking on Server
« Reply #4 on: August 11, 2013, 06:25:07 AM »
Where are you setting the rcon password?

In your config file or in the command line?

Offline JellyJamBlue

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: Ulx Hacking on Server
« Reply #5 on: August 11, 2013, 08:18:41 PM »
Server.cfg

Offline MrPresident

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 2728
  • Karma: 430
    • |G4P| Gman4President
Re: Ulx Hacking on Server
« Reply #6 on: August 11, 2013, 09:00:56 PM »
There's your first mistake.

Offline JellyJamBlue

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: Ulx Hacking on Server
« Reply #7 on: August 11, 2013, 10:09:49 PM »
So where should I put it?

Offline LuaTenshi

  • Hero Member
  • *****
  • Posts: 545
  • Karma: 47
  • Just your ordinary moon angel!
    • Mirai.Red
Re: Ulx Hacking on Server
« Reply #8 on: August 12, 2013, 04:58:46 AM »
So where should I put it?

You should put it in your servers command line... for example...

Code: [Select]
-console -nocrashdialog -game garrysmod +ip 127.0.0.1 -port 27015 +maxplayers 9001 +map gm_flatgrass +gamemode sandbox +rcon_password blahblah
Also if you want to make sure that you have a strong password you can use this tool here. ( http://www.pctools.com/guides/password/ ) (About 8 or more characters should be fine.)
« Last Edit: August 12, 2013, 05:04:43 AM by HeLLFox_15 »
I cry every time I see that I am not a respected member of this community.

Offline Deathtitan77

  • Jr. Member
  • **
  • Posts: 63
  • Karma: 6
Re: Ulx Hacking on Server
« Reply #9 on: August 31, 2013, 02:18:44 PM »
I know this topic might be old, but this has nothing to do with how strong your rcon password is or ULX. It's a gmod exploit that allows you to run a script on the serverside and then the method that will be used in this script is GetConVarString to get the rcon's password. It has been happening to a few servers and that's what I found out by research.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Ulx Hacking on Server
« Reply #10 on: August 31, 2013, 04:01:45 PM »
Thanks for your research.
This is off top of my head, those with newer less rusty GLua skills can fix/correct.
Presume something like below could be placed on server side autorun.
Code: [Select]
OldGetConVarString = GetConVarString()
function GetConVarString ( var )
if var = "sv_password" or "rcon_password" then return "*HIDDEN* Server Antihack"
else return OldGetConVarString ( var )
  end
end
That's bare minimum idea...no idea if the server has a way tell 'who' is running the server side scripting?
If so, could add additional printing/logging commands. User blah with steamID blah tried to run server side script code blah.

There's tons more damage someone running server side lua could do of course, but those seem to be biggest concern.

EDIT-JAMMINR - corrected a mis-type syntax issue.
« Last Edit: September 02, 2013, 06:18:22 AM by JamminR »
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Deathtitan77

  • Jr. Member
  • **
  • Posts: 63
  • Karma: 6
Re: Ulx Hacking on Server
« Reply #11 on: August 31, 2013, 05:15:15 PM »
You're right, I have seen people running lua hacks on everyone, managing to steal client and shared code and much more. Not the best experience.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: Ulx Hacking on Server
« Reply #12 on: August 31, 2013, 05:22:25 PM »
Titan, the exploit...what's the exact vector?
Could lua be used to prevent it, like my getconvarstring example?
If you're afraid to explain more in this public area, please feel free to send me more details/directions/code samples in private message.

By no means am I a security expert, but Megiddo and I, and I believe MrP, have all been involved in information security through school and jobs.
We enjoy the forensics, and perhaps learning to help fight against it.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline iSnipeu

  • Jr. Member
  • **
  • Posts: 83
  • Karma: 12
Re: Ulx Hacking on Server
« Reply #13 on: August 31, 2013, 08:00:12 PM »
You can find out what is calling the function, which is useful if you're trying to find a backdoor.

Offline Deathtitan77

  • Jr. Member
  • **
  • Posts: 63
  • Karma: 6
Re: Ulx Hacking on Server
« Reply #14 on: September 01, 2013, 09:59:39 PM »
I really have no clue, but your code didn't exactly work. I tested it by getting a hacker to get the rcon password and he managed to do it. Also, I don't have the exploit, just for your information; but I know like 3 people who do.

If you want the names or profiles, just let me know.
« Last Edit: September 01, 2013, 10:03:51 PM by Deathtitan77 »