Author Topic: ULX hackable?  (Read 3524 times)

Offline Sypheria Shiftz

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
ULX hackable?
« on: December 31, 2014, 03:03:44 PM »
Hello,

Last night around 1am a player connected to my server and gave himself superadmin within seconds of joining. The server is new; however, I copied over the same files that I use on my main server, which, may I say, have never had a hacker that was able to set his rank before. (Had the odd speedhacker.)

Now the weird thing is, however, I have another admin menu running at the same time called +ASS_mod, which I use as an alternative; however, the hacker actually failed to give himself a rank on that menu, which of course makes me wonder.

He was only able to make himself superadmin on ULX but nothing else? Including the gmod in-game admin system.

There were no other staff during this time however one of the players messaged me as soon as it started.

Now this server is exactly the same as my other server, and that has never been hacked or anything and is a very popular gmod murder server. The only difference between the two is that the one hacked has the legit version of deathrun installed, found here: https://github.com/Mr-Gash/GMod-Deathrun/tree/master/deathrun

Can anybody please help?

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX hackable?
« Reply #1 on: December 31, 2014, 03:39:25 PM »
He used console to add himself as superadmin; what makes this a ULX hack?
ULX makes it easier for people to add themselves if they have console access (intended or not), but by all means, if someone you don't want has console access, you've got more problems than what ULX can help with.
Do you store your rcon password in your cfg files?
If so, there are many known exploits for reading a server's cfg files.

Please understand, by no means am I, or we (speaking for my team) saying with 100% absolute certainty that ULX isn't exploitable, but we are saying with confidence that your issue is likely not directly due to ULX.
ULX - we make things easier for administration, even for people you don't intend to (when they have console/r00t access)

"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Sypheria Shiftz

  • Newbie
  • *
  • Posts: 4
  • Karma: 0
Re: ULX hackable?
« Reply #2 on: December 31, 2014, 03:44:41 PM »
I understand where you are coming from - I did have the password in the config file, which I have now changed and added it into the command line.

However, when you said the config file can be exploited - How do people do this? Injecting files or running .lua files or something different?

Thanks

Offline Bytewave

  • Respected Community Member
  • Hero Member
  • *****
  • Posts: 718
  • Karma: 116
  • :)
    • My Homepage
Re: ULX hackable?
« Reply #3 on: December 31, 2014, 06:13:12 PM »
> I understand where you are coming from - I did have the password in the config file, which I have now changed and added it into the command line.
>
> However, when you said the config file can be exploited - How do people do this? Injecting files or running .lua files or something different?
>
> Thanks

There are plenty of issues with file download exploitation. What you could do to prevent it is set sv_allowupload and sv_allowdownload to 0; however, this would break sprays.
bw81@ulysses-forums ~ % whoami
Homepage
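
The two checks raised in the replies above (an rcon password kept in a cfg file, and the sv_allowupload / sv_allowdownload settings), as an added example that is not part of any post in the thread: a small Python audit over a cfg file's text. The sample config and its values are constructed, and the parser assumes the simple `name value` / `name "value"` line form with `//` comments.

```python
import re

# Constructed sample of a server.cfg; not taken from the thread.
SAMPLE_CFG = '''\
hostname "My Deathrun Server"
// rcon_password "commented-out"
rcon_password "example-only"   // constructed placeholder value
sv_allowupload 1
sv_allowdownload "0"
'''

# cvars the replies single out, mapped to the value suggested there.
TRANSFER_CVARS = {"sv_allowupload": "0", "sv_allowdownload": "0"}
LINE_RE = re.compile(r'^\s*(\w+)\s+"?([^"]*?)"?\s*$')

def strip_comment(line):
    """Drop a trailing // comment unless it sits inside double quotes."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif not in_quotes and line.startswith("//", i):
            return line[:i]
    return line

def audit_cfg(text):
    """Return (line_no, cvar, finding) tuples for one cfg file's text."""
    findings = []
    seen = {}
    for no, raw in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(strip_comment(raw))
        if not m:
            continue
        name, value = m.group(1).lower(), m.group(2).strip()
        if name == "rcon_password" and value:
            findings.append((no, name, "rcon password stored in cfg file"))
        elif name in TRANSFER_CVARS:
            seen[name] = (no, value)  # last assignment in the file wins
    for name, want in TRANSFER_CVARS.items():
        no, value = seen.get(name, (0, None))  # line 0 means "not present"
        if value != want:
            state = "not set in this file" if value is None else f"set to {value}"
            findings.append((no, name, f"{state}, thread suggests {want}"))
    return findings

if __name__ == "__main__":
    for no, name, msg in audit_cfg(SAMPLE_CFG):
        print(f"line {no}: {name}: {msg}")
```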