Topic: Having issues, may have been hacked.

TheHyperDrive
Having issues, may have been hacked.
« on: June 20, 2015, 08:49:16 PM »
Now, I am using the most current basic ulx with my server. All I've added is a custom unstuck module. However, lately I've had unexplained crashes on the server. This is a log taken from yesterday:

Code:
23:43:47 "Mizu_Ren<154><STEAM_0:1:73884140><>" entered the game
23:44:10 "Allover<156><STEAM_0:0:85559905><>" entered the game
23:44:17 "Mizu_Ren<154><STEAM_0:1:73884140><>" disconnected (reason "Disconnect by user.")
23:44:25 "jaechett<155><STEAM_0:1:62877295><>" entered the game
23:46:35 "Bonerparty<157><STEAM_0:1:93924071><>" connected, address "108.84.6.110:27005"
23:46:35 "Bonerparty<157><STEAM_0:1:93924071><>" STEAM USERID validated
23:47:01 "graygun111<158><STEAM_0:0:137172956><>" connected, address "68.201.84.183:27005"
23:47:02 "graygun111<158><STEAM_0:0:137172956><>" STEAM USERID validated
23:47:50 "Master Dankstorm (Tyreese)<159><STEAM_0:1:90820222><>" connected, address "68.71.69.119:27005"
23:47:50 "Master Dankstorm (Tyreese)<159><STEAM_0:1:90820222><>" STEAM USERID validated
23:47:56 "LeftShark<160><STEAM_0:0:88802879><>" connected, address "70.112.127.98:27005"
23:47:56 "LeftShark<160><STEAM_0:0:88802879><>" STEAM USERID validated
23:48:06 "iAmaze<161><STEAM_0:1:88044278><>" connected, address "99.106.193.122:27005"
23:48:06 "iAmaze<161><STEAM_0:1:88044278><>" STEAM USERID validated
23:48:46 "graygun111<158><STEAM_0:0:137172956><>" entered the game
23:48:50 "Bonerparty<157><STEAM_0:1:93924071><>" entered the game
23:49:51 rcon from "208.146.44.1:50745": command "ulx crash gray"  <<<<<   <<<<<<<<    <<<<<<  !!!!!
23:49:53 rcon from "208.146.44.1:50798": command "ulx crash boner" <<<<<<<<<<   <<<<<<<<<<<   <<<<<<  !!!!!!
23:50:01 "Bonerparty<157><STEAM_0:1:93924071><>" disconnected (reason "Bonerparty timed out")
23:50:01 "graygun111<158><STEAM_0:0:137172956><>" disconnected (reason "graygun111 timed out")
23:50:09 Lua Error: [ERROR] gamemodes/prop_hunt/gamemode/player_class/class_hunter.lua:51: Tried to use a NULL entity! 1. UnLock - [C]:-1 2. unknown - gamemodes/prop_hunt/gamemode/player_class/class_hunter.lua:51
23:50:57 "LeftShark<160><STEAM_0:0:88802879><>" entered the game
23:51:23 rcon from "208.146.44.1:56437": command "ulx crash left"   <<<<<<   <<<< <<<<<<<<<<< <<<   <<< !!!!!!
23:51:24 "iAmaze<161><STEAM_0:1:88044278><>" entered the game
23:51:29 rcon from "208.146.44.1:57093": command "ulx crash ama"      <<<<   <<<<<<<<<   <<<<<<<<<<<<<<   !!!!!!!!
23:51:29 "LeftShark<160><STEAM_0:0:88802879><>" disconnected (reason "LeftShark timed out")
23:51:34 "iAmaze<161><STEAM_0:1:88044278><>" disconnected (reason "iAmaze timed out")
23:51:56 "Master Dankstorm (Tyreese)<159><STEAM_0:1:90820222><>" entered the game
23:52:11 rcon from "208.146.44.1:58652": command "ulx crash dank"     <<<<<    <<<<<   <<<<<<<<<<<<<< <<<   <<< <<<<   <<<  !!!!
23:52:18 rcon from "208.146.44.1:59372": command "logaddress_add 208.146.44.1:10000"   <<<<<<<<<<<<<<<   <<<<   !!!!
23:52:35 "Shlub<162><STEAM_0:0:42713081><>" connected, address "71.227.230.20:27005"
23:52:35 "Shlub<162><STEAM_0:0:42713081><>" STEAM USERID validated
23:53:44 "Bonerparty<163><STEAM_0:1:93924071><>" connected, address "108.84.6.110:27005"
23:53:45 "Bonerparty<163><STEAM_0:1:93924071><>" STEAM USERID validated
23:54:08 "Bonerparty<163><STEAM_0:1:93924071><>" entered the game
23:54:26 "Shlub<162><STEAM_0:0:42713081><>" entered the game
23:54:52 "LeftShark<164><STEAM_0:0:88802879><>" connected, address "70.112.127.98:27005"
23:54:52 "LeftShark<164><STEAM_0:0:88802879><>" STEAM USERID validated
23:54:55 "iAmaze<165><STEAM_0:1:88044278><>" connected, address "99.106.193.122:27005"
23:54:55 "iAmaze<165><STEAM_0:1:88044278><>" STEAM USERID validated
23:55:17 "LeftShark<164><STEAM_0:0:88802879><>" entered the game
23:55:19 "iAmaze<165><STEAM_0:1:88044278><>" entered the game
23:56:28 "Bonerparty<163><STEAM_0:1:93924071><>" disconnected (reason "Bonerparty timed out")
23:57:30 Log file closed

Now the arrows point to the problem. Me and two others are the only ones who can access rcon. The password was changed recently due to security issues, and only I know it. Also, at this time two of us were at work, and the other was with their parents out of the house. Also, to my knowledge, ULX does not have a basic crash command, and I can't find a file with that command in it. So would someone please try and help me solve this?

MrPresident
Re: Having issues, may have been hacked.
« Reply #1 on: June 20, 2015, 09:18:47 PM »
Interesting.

Have you tried matching that IP up with anyone who's joined your server using the logs?

Clearly someone has access to your RCON password or they wouldn't be able to do this.

Do you host your own server or use a shared host?

Do you put your RCON password in the server.cfg file or in the command line for your server?
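A defender-side check for the kind of log MrPresident asks about above: parse the console log, pull out every rcon command with its source IP, and see whether that IP ever appeared as a player's connect address. This is an added example, not code from ULX or from anyone in the thread; the log lines are a constructed sample in the page's log format, using documentation-range IPs and made-up SteamIDs.

```python
import re
from collections import defaultdict

# Constructed sample in Source-engine console log format (modelled on the
# thread's log); 203.0.113.x / 198.51.100.x are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
23:46:35 "Alpha<157><STEAM_0:1:11111111><>" connected, address "203.0.113.10:27005"
23:46:35 "Alpha<157><STEAM_0:1:11111111><>" STEAM USERID validated
23:47:01 "Bravo<158><STEAM_0:0:22222222><>" connected, address "203.0.113.20:27005"
23:48:50 "Alpha<157><STEAM_0:1:11111111><>" entered the game
23:49:51 rcon from "198.51.100.5:50745": command "ulx crash Alpha"
23:50:01 "Alpha<157><STEAM_0:1:11111111><>" disconnected (reason "Alpha timed out")
23:52:18 rcon from "198.51.100.5:59372": command "logaddress_add 198.51.100.5:10000"
23:53:00 rcon from "203.0.113.20:41000": command "status"
"""

# "<time> "Name<userid><SteamID><team>" connected, address "ip:port""
CONNECT_RE = re.compile(
    r'^\S+ "(?P<name>.*?)<\d+><(?P<steamid>STEAM_\d:\d:\d+)><[^>]*>" '
    r'connected, address "(?P<ip>[\d.]+):\d+"')
# "<time> rcon from "ip:port": command "…""
RCON_RE = re.compile(
    r'^(?P<time>\S+) rcon from "(?P<ip>[\d.]+):\d+": command "(?P<cmd>.*)"$')

# Commands seen in the thread that kick players or redirect the server's log
# stream elsewhere; flag them whoever issued them.
SUSPICIOUS_PREFIXES = ("ulx crash", "logaddress_add", "logaddress_del", "rcon_password")


def audit_rcon(log_text):
    """One record per rcon command: when, from which IP, the command, the SteamIDs
    that connected as players from that IP (empty if none), and a suspicious flag."""
    ip_to_players = defaultdict(set)
    findings = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            ip_to_players[m["ip"]].add(m["steamid"])
            continue
        m = RCON_RE.match(line)
        if m:
            findings.append({
                "time": m["time"],
                "ip": m["ip"],
                "command": m["cmd"],
                "players_from_ip": sorted(ip_to_players.get(m["ip"], ())),
                "suspicious": m["cmd"].startswith(SUSPICIOUS_PREFIXES),
            })
    return findings


if __name__ == "__main__":
    for f in audit_rcon(SAMPLE_LOG):
        flag = "!!" if f["suspicious"] else "  "
        print(flag, f["time"], f["ip"], f["command"], f["players_from_ip"])
```

An rcon source IP with no matching player connection (as with the hosting provider's address in the thread) points at the control panel or another out-of-game path rather than a player in the server.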

TheHyperDrive
Re: Having issues, may have been hacked.
« Reply #2 on: June 20, 2015, 09:22:20 PM »
My server is hosted through NFO, and they set up the rcon, so I honestly have no idea where it goes. The IP traces back to NFO, so I don't know if it's someone accessing the rcon from the server, or accessing the control panel directly. I'm going to ditch my addons tomorrow, and change the passwords tomorrow to see if that may help.

MrPresident
Re: Having issues, may have been hacked.
« Reply #3 on: June 20, 2015, 09:25:05 PM »
Someone probably has access to your RCON through the web panel then.
Change your password to your account with them, it may have been compromised.


As for the command, make sure they didn't put it in the lua folder.
Addons are just virtual directories for the gmod folders. You COULD install commands into the lua autorun folder. Check there.

TheHyperDrive
Re: Having issues, may have been hacked.
« Reply #4 on: June 20, 2015, 09:28:45 PM »
A guy on Facepunch said an addon might have snuck in a backdoor somehow. Like I said, tomorrow I'll default and change everything, and see if it still occurs. Also, I thought I'd post my server.cfg, just in case:
Code:
hostname "AEG:Prop Hunt ||Low Gravity||Sprint||Prop Rotate||Pointshop||"
sv_password ""
sv_region 0
sv_lan 0
sv_logbans 1
sv_logecho 1
sv_logfile 1
sv_log_onefile 0
sv_noclipspeed 5
sv_noclipaccelerate 5
sv_alltalk 1
sv_gravity 275
mp_show_voice_icons 0
mp_flashlight 1
sv_cheats 0
fretta_voting 1
sv_maxrate 0
decalfrequency 10
sv_maxupdaterate 66
sv_minupdaterate 10
sv_downloadurl "http://aegprophunt.site.nfoservers.com/server"
sv_allowdownload 1
sv_allowupload 0 //Fix A lot of exploits with this.
sv_scriptenforcer 1
sv_loadingurl "http://michael18george.wix.com/loadingpage"
exec banned_ip.cfg
exec banned_user.cfg
sv_kickerrornum 0
sv_minrate 100000
log 1
tv_enable 0
sv_stats 0
sv_parallel_sendsnapshot 1
net_splitpacket_maxrate 100000
fps_max 0

I'll keep this up to date on what happens tomorrow.

MrPresident
Re: Having issues, may have been hacked.
« Reply #5 on: June 20, 2015, 09:35:06 PM »
Well, good to know the password isn't in the config.
Since it's an IP from NFO that likely means that whoever is doing it is using their web based console to run the commands.

It's either an exploit with them, or someone has an account for your server (NFO portal) that shouldn't or is abusing it.

Bytewave
Re: Having issues, may have been hacked.
« Reply #6 on: June 21, 2015, 09:55:08 AM »
FYI:
NFO has an Access Log tab where you can view what account has been where, and when. It's over at the left, once you're on your server's page it's easy to find.

TheHyperDrive
Re: Having issues, may have been hacked.
« Reply #7 on: June 23, 2015, 09:59:32 PM »
So I figured out how to disable rcon. I also ran a very detailed boot scan on my computer and found several malware files on it. Also, the person was still able to access the command, but instead of "Console crashed <player>" it said "SupaKilla crashed <player>". So we were able to get the SteamID and ban him from the server. From that point I changed all passwords to the server files, etc.

Aaron113
Re: Having issues, may have been hacked.
« Reply #8 on: June 24, 2015, 10:10:31 AM »
> So we were able to get the SteamID and ban him from the server. From that point I changed all passwords to the server files, etc.
Might be wise to IP ban him as well (assuming you haven't).

MrPresident
Re: Having issues, may have been hacked.
« Reply #9 on: June 24, 2015, 03:17:18 PM »
> Might be wise to IP ban him as well (assuming you haven't).

Anyone savvy enough to do what this guy did would know how to get around an IP ban.
In most cases, all you need to do is restart your router to get a new IP address.

Most residential ISPs don't provide static IP addresses.

Aaron113
Re: Having issues, may have been hacked.
« Reply #10 on: June 24, 2015, 03:35:58 PM »
> Anyone savvy enough to do what this guy did would know how to get around an IP ban.
> In most cases, all you need to do is restart your router to get a new IP address.
>
> Most residential ISPs don't provide static IP addresses.

You are entirely right, but IP banning him wouldn't hurt nonetheless. The typical GMod player probably wouldn't know, so this would take care of the problem in most cases. This guy most likely doesn't fit that standard.