Ulx Hacking on Server

[JellyJamBlue]

Alright. I really need your guys help. On my server, I have ulx and ulib installed. 2 hours ago, my server got hacked for the third time. So I checked in console and I saw that someone (the hacker) is making someone spam the rcon password. And then I got errors in console and ill post them in here (Im going to show the rcon pass but I did change it) Alright so here are the logs I found in console.

Code: [Select]

SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
*DEAD*(TEAM) xXIC35TORMXx: stop
SwiftSnail: rcon_password nuclear007gaming007
SwiftSnail: rcon_password nuclear007gaming007
[CBC] The JokeR muted SwiftSnail
ServerLog: [ULX] [CBC] The JokeR muted SwiftSnail
[CBC] The JokeR: ik your not
*DEAD*(TEAM) xXIC35TORMXx: gag me
Writing cfg/banned_user.cfg.
Dropped Ezzy from server (Disconnect by user.)
[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


*DEAD*(TEAM) xXIC35TORMXx: someones trolling me
[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


[SwiftSnail|35|STEAM_0:1:65376978] Lua Error:

[ERROR] RunString:698: Tried to use a NULL entity!
 1. GetPos - [C]:-1
 2. CreatePos - RunString:698
 3. fn - RunString:1889
 4. unknown - addons/ulib/lua/ulib/shared/hook.lua:183


ServerLog: 03:12.26 - DMG: gcbcxcyc [innocent] damaged [CBC] The JokeR [traitor] for 171 dmg
ServerLog: 03:12.26 - KILL: gcbcxcyc [innocent] killed [CBC] The JokeR [traitor]
[CBC] The JokeR gagged Everyone
ServerLog: [ULX] [CBC] The JokeR gagged Everyone
ServerLog: Round ended.
ServerLog: Result: innocent win.
Client "Ezzy" connected (50.88.223.254:61092).
[CBC] The JokeR muted Everyone
ServerLog: [ULX] [CBC] The JokeR muted Everyone
Dropped SwiftSnail from server (globally banned for cheating: hera)


Swift Snail did not hack though. Its someone making him do this because this has happened to numerous people before. Can you guys please help me prevent this so that my server doesnt get hacked...

[Megiddo]

Just because a hacker uses ULX after getting access does not mean ULX is the vehicle. Clearly this person retrieved your rcon password somehow.

[JamminR]

If not having obtained your rcon password directly, it's likely another mod allows use of code through a connected admin.
Are those 'runstring' errors common for your server in regards to getpos and createpos?

[JellyJamBlue]

I never really did getpos and setpos because I'm running a TTT server. So what do you think it means when it's saying the String Errors. And with the rcon password, I never told anyone it and after that I changed it again and it still happened, people spamming the password

[MrPresident]

Where are you setting the rcon password?

In your config file or in the command line?

[JellyJamBlue]

Server.cfg

[MrPresident]

There's your first mistake.

[JellyJamBlue]

So where should I put it?

[LuaTenshi]

So where should I put it?

You should put it in your servers command line... for example...

Code: [Select]

-console -nocrashdialog -game garrysmod +ip 127.0.0.1 -port 27015 +maxplayers 9001 +map gm_flatgrass +gamemode sandbox +rcon_password blahblah
Also if you want to make sure that you have a strong password you can use this tool here. ( http://www.pctools.com/guides/password/ ) (About 8 or more characters should be fine.)

[Deathtitan77]

I know this topic might be old, but this has nothing to do with how strong your rcon password is or ULX. It's a gmod exploit that allows you to run a script on the serverside and then the method that will be used in this script is GetConVarString to get the rcon's password. It has been happening to a few servers and that's what I found out by research.

[JamminR]

Thanks for your research.
This is off top of my head, those with newer less rusty GLua skills can fix/correct.
Presume something like below could be placed on server side autorun.

Code: [Select]

OldGetConVarString = GetConVarString()
function GetConVarString ( var )
if var = "sv_password" or "rcon_password" then return "*HIDDEN* Server Antihack"
else return OldGetConVarString ( var )
  end
end
That's bare minimum idea...no idea if the server has a way tell 'who' is running the server side scripting?
If so, could add additional printing/logging commands. User blah with steamID blah tried to run server side script code blah.

There's tons more damage someone running server side lua could do of course, but those seem to be biggest concern.

_{EDIT-JAMMINR - corrected a mis-type syntax issue.}

[Deathtitan77]

You're right, I have seen people running lua hacks on everyone, managing to steal client and shared code and much more. Not the best experience.

[JamminR]

Titan, the exploit...what's the exact vector?
Could lua be used to prevent it, like my getconvarstring example?
If you're afraid to explain more in this public area, please feel free to send me more details/directions/code samples in private message.

By no means am I a security expert, but Megiddo and I, and I believe MrP, have all been involved in information security through school and jobs.
We enjoy the forensics, and perhaps learning to help fight against it.

[iSnipeu]

You can find out what is calling the function, which is useful if you're trying to find a backdoor.

[Deathtitan77]

I really have no clue, but your code didn't exactly work. I tested it by getting a hacker to get the rcon password and he managed to do it. Also, I don't have the exploit, just for your information; but I know like 3 people who do.

If you want the names or profiles, just let me know.