Server was recently hijacked

[The Asian Aimbot]

Hi guys! I'm concerned about a few things after someone hacked my server. it's port-forwarded, so it made the matter much worse due to the fact that it's forwarded onto my IP.

Basically, the hijacker got aggravated when I used GeoIP to capture his data, this set him off, and then he asked "May I capture your GeoIP information?" A couple minutes after, we were all demoted to guest, and loud shrek music began playing which was funny, and he also spammed like 20 or so bombs from HBOMBS. I tried to do gmod_admin_cleanup from the console as I was no longer an admin, but that didn't work either. I immediately shutdown SRCDS and closed the ports that the server was forwarded to.

Throughout the time he was connected, a random song would begin playing, which I can't name, but I heard before. I asked where the music was coming from and no one responded until the hijacker did. He simply said "lol". Me and another admin were also spectating him, as we believed he had aimbot.

Edit: ULX appears to be completely broken.

What I want to know is:
1.
Any files that may have been affected in the server directory
2.
Anything that may happen to me, or my copy of Gmod
3.
Anything else that I may need or want to know.
4.
Also, if someone knows your IP, can they learn anything substantially personal from/about you?

Thanks,
~Asian! :3

[Caustic Soda-Senpai]

1. How would we know?
2. Nothing's going to happen to YOU....unless it's that cough thing again..
3. Learn how to properly secure your server.
4. Eh.....not really..they can learn your general area and your ISP but it's not like in movies where it traces back to your room.

Recommendation: Full server wipe, start from scratch, fresh installation of ULX.

Also how did "loud shrek music" begin to play? Either the guy had to play it through the mic or the sound file was already on the server.

P.S. Even if YOU are not an admin, ANY and ALL commands run through the SRCDS Prompt are run as superadmin (Technically server, but you know what I mean).

[Undercover Orange]

for 3 i suggest purchasing a server with really good DDOS protection and an anticheat. (cake being the best)

[The Asian Aimbot]

1. How would we know?
2. Nothing's going to happen to YOU....unless it's that cough thing again..
3. Learn how to properly secure your server.
4. Eh.....not really..they can learn your general area and your ISP but it's not like in movies where it traces back to your room.

Recommendation: Full server wipe, start from scratch, fresh installation of ULX.

Also how did "loud shrek music" begin to play? Either the guy had to play it through the mic or the sound file was already on the server.

P.S. Even if YOU are not an admin, ANY and ALL commands run through the SRCDS Prompt are run as superadmin (Technically server, but you know what I mean).

Thanks! And also, the shrek music was already installed on the server. It just randomly started playing before the crash though.

P.S.
I did try to run gmod_admin_cleanup through the srcds prompt, however it would not go through.

[The Asian Aimbot]

for 3 i suggest purchasing a server with really good DDOS protection and an anticheat. (cake being the best)

I wish I could lol

[Undercover Orange]

I wish I could lol

Don't worry man I was at that stage too. servers are pretty cheap so I'm sure you'll get a good one some time

[roastchicken]

If someone was able to gain access to your server, you really need to rethink your security. If you have an RCON password set, remove it. You shouldn't need RCON if the server's running on your machine.

Do you have some other remote console thing? If you didn't have RCON enabled and they still gained access, consider your entire computer compromised. If they can gain network access without RCON, you have no idea what else they can do.

[The Asian Aimbot]

I have disabled RCON. Thanks for the advice.

[roastchicken]

Re-install ULX on Garry's Mod, and you can always set constant convars to protect the server.
I did it with the Think function and if someone tries to change any sbox convars it'll instantly reset.

You should also use an anti-cheat on the server to prevent this from happening in the future.
Set sv_allowcslua to 0 for server.cfg and nobody should be able to do that again

I don't see him mentioning anything about convars in his post. I also doubt that having an anti-cheat or having sv_allowcslua set to 0 would have prevented this attack. He most likely had a weak password on his RCON and the attacker was able to guess or crack it.

Also, you can have an RCON password, just make sure it isn't in the server.cfg as there is an exploit for that.

I mean, he can have an RCON password; but what for? He's running the server right there on his own computer. He can just go to the SRCDS console. I'm pretty sure the server.cfg exploit got patched (although you should still have the RCON password in your startup file).

An RCON password is an inherent vulnerability, whether or not it's in server.cfg. Creating a way to access the server's console remotely is a risk/reward situation. If he's running the server on his computer, there is no reward and the risk is that people with malicious intent may gain access to his server.

[The Asian Aimbot]

The RCON password was literally keyboard mash, I doubt someone could guess it. lol
However, I was oblivious to the risks that RCON could have posed and I should have never enabled it in the first place.

[Caustic Soda-Senpai]

for 3 i suggest purchasing a server with really good DDOS protection and an anticheat. (cake being the best)

As nice as DDoS protection IS, I don't really see how it's relevant to someone breaking into your RCON; which is what this really appeared to be.