Author Topic: Server was recently hijacked  (Read 3737 times)

0 Members and 4 Guests are viewing this topic.

Offline The Asian Aimbot

  • Jr. Member
  • **
  • Posts: 74
  • Karma: 2
  • Rise and shine, Mr. Freeman, rise... and shine...
    • Asian Domain GMod Sandbox Server
Server was recently hijacked
« on: August 10, 2016, 08:27:16 PM »
Hi guys! I'm concerned about a few things after someone hacked my server. it's port-forwarded, so it made the matter much worse due to the fact that it's forwarded onto my IP.

Basically, the hijacker got aggravated when I used GeoIP to capture his data, this set him off, and then he asked "May I capture your GeoIP information?" A couple minutes after, we were all demoted to guest, and loud shrek music began playing which was funny, and he also spammed like 20 or so bombs from HBOMBS. I tried to do gmod_admin_cleanup from the console as I was no longer an admin, but that didn't work either. I immediately shutdown SRCDS and closed the ports that the server was forwarded to.

Throughout the time he was connected, a random song would begin playing, which I can't name, but I heard before. I asked where the music was coming from and no one responded until the hijacker did. He simply said "lol". Me and another admin were also spectating him, as we believed he had aimbot.

Edit: ULX appears to be completely broken.

What I want to know is:
1.
Any files that may have been affected in the server directory
2.
Anything that may happen to me, or my copy of Gmod
3.
Anything else that I may need or want to know.
4.
Also, if someone knows your IP, can they learn anything substantially personal from/about you?

Thanks,
~Asian! :3
« Last Edit: August 10, 2016, 08:58:00 PM by The Asian Aimbot »
The Asian Toaster man who escaped the Great Martian Coup of '69, hid in Beijing for 9 months, and was cast away by the FSM. Flew away w/ GoombasTasteGood and hid in Addis Ababa after fleeing to Botswana, then to Canada.

http://www.downloadmorewam.com

Offline Caustic Soda-Senpai

  • Sr. Member
  • ****
  • Posts: 469
  • Karma: 54
  • <Insert something clever here>
    • Steam Page
Re: Server was recently hijacked
« Reply #1 on: August 10, 2016, 11:57:55 PM »
1. How would we know?
2. Nothing's going to happen to YOU....unless it's that cough thing again..
3. Learn how to properly secure your server.
4. Eh.....not really..they can learn your general area and your ISP but it's not like in movies where it traces back to your room.

Recommendation: Full server wipe, start from scratch, fresh installation of ULX.

Also how did "loud shrek music" begin to play? Either the guy had to play it through the mic or the sound file was already on the server.

P.S. Even if YOU are not an admin, ANY and ALL commands run through the SRCDS Prompt are run as superadmin (Technically server, but you know what I mean).
Once you get to know me, you'll find you'll have never met me at all.

Offline Undercover Orange

  • Full Member
  • ***
  • Posts: 139
  • Karma: -14
  • Leader of Undercover Gaming Community
Re: Server was recently hijacked
« Reply #2 on: August 11, 2016, 11:10:18 AM »
for 3 i suggest purchasing a server with really good DDOS protection and an anticheat. (cake being the best)
~ Undercover Orange

Offline The Asian Aimbot

  • Jr. Member
  • **
  • Posts: 74
  • Karma: 2
  • Rise and shine, Mr. Freeman, rise... and shine...
    • Asian Domain GMod Sandbox Server
Re: Server was recently hijacked
« Reply #3 on: August 11, 2016, 01:14:26 PM »
1. How would we know?
2. Nothing's going to happen to YOU....unless it's that cough thing again..
3. Learn how to properly secure your server.
4. Eh.....not really..they can learn your general area and your ISP but it's not like in movies where it traces back to your room.

Recommendation: Full server wipe, start from scratch, fresh installation of ULX.

Also how did "loud shrek music" begin to play? Either the guy had to play it through the mic or the sound file was already on the server.

P.S. Even if YOU are not an admin, ANY and ALL commands run through the SRCDS Prompt are run as superadmin (Technically server, but you know what I mean).

Thanks! And also, the shrek music was already installed on the server. It just randomly started playing before the crash though.

P.S.
I did try to run gmod_admin_cleanup through the srcds prompt, however it would not go through.
« Last Edit: August 11, 2016, 01:53:39 PM by The Asian Aimbot »
The Asian Toaster man who escaped the Great Martian Coup of '69, hid in Beijing for 9 months, and was cast away by the FSM. Flew away w/ GoombasTasteGood and hid in Addis Ababa after fleeing to Botswana, then to Canada.

http://www.downloadmorewam.com

Offline The Asian Aimbot

  • Jr. Member
  • **
  • Posts: 74
  • Karma: 2
  • Rise and shine, Mr. Freeman, rise... and shine...
    • Asian Domain GMod Sandbox Server
Re: Server was recently hijacked
« Reply #4 on: August 11, 2016, 01:15:28 PM »
for 3 i suggest purchasing a server with really good DDOS protection and an anticheat. (cake being the best)

I wish I could lol
The Asian Toaster man who escaped the Great Martian Coup of '69, hid in Beijing for 9 months, and was cast away by the FSM. Flew away w/ GoombasTasteGood and hid in Addis Ababa after fleeing to Botswana, then to Canada.

http://www.downloadmorewam.com

Offline Undercover Orange

  • Full Member
  • ***
  • Posts: 139
  • Karma: -14
  • Leader of Undercover Gaming Community
Re: Server was recently hijacked
« Reply #5 on: August 11, 2016, 01:36:00 PM »
I wish I could lol
Don't worry man I was at that stage too. servers are pretty cheap so I'm sure you'll get a good one some time
~ Undercover Orange

Offline roastchicken

  • Respected Community Member
  • Sr. Member
  • *****
  • Posts: 476
  • Karma: 84
  • I write code
Re: Server was recently hijacked
« Reply #6 on: August 11, 2016, 06:58:21 PM »
If someone was able to gain access to your server, you really need to rethink your security. If you have an RCON password set, remove it. You shouldn't need RCON if the server's running on your machine.

Do you have some other remote console thing? If you didn't have RCON enabled and they still gained access, consider your entire computer compromised. If they can gain network access without RCON, you have no idea what else they can do.
Give a man some code and you help him for a day; teach a man to code and you help him for a lifetime.

Offline The Asian Aimbot

  • Jr. Member
  • **
  • Posts: 74
  • Karma: 2
  • Rise and shine, Mr. Freeman, rise... and shine...
    • Asian Domain GMod Sandbox Server
Re: Server was recently hijacked
« Reply #7 on: August 11, 2016, 07:20:22 PM »
I have disabled RCON. Thanks for the advice.
The Asian Toaster man who escaped the Great Martian Coup of '69, hid in Beijing for 9 months, and was cast away by the FSM. Flew away w/ GoombasTasteGood and hid in Addis Ababa after fleeing to Botswana, then to Canada.

http://www.downloadmorewam.com

Offline roastchicken

  • Respected Community Member
  • Sr. Member
  • *****
  • Posts: 476
  • Karma: 84
  • I write code
Re: Server was recently hijacked
« Reply #8 on: August 12, 2016, 05:09:06 AM »
Re-install ULX on Garry's Mod, and you can always set constant convars to protect the server.
I did it with the Think function and if someone tries to change any sbox convars it'll instantly reset.

You should also use an anti-cheat on the server to prevent this from happening in the future.
Set sv_allowcslua to 0 for server.cfg and nobody should be able to do that again

I don't see him mentioning anything about convars in his post. I also doubt that having an anti-cheat or having sv_allowcslua set to 0 would have prevented this attack. He most likely had a weak password on his RCON and the attacker was able to guess or crack it.

Also, you can have an RCON password, just make sure it isn't in the server.cfg as there is an exploit for that.

I mean, he can have an RCON password; but what for? He's running the server right there on his own computer. He can just go to the SRCDS console. I'm pretty sure the server.cfg exploit got patched (although you should still have the RCON password in your startup file).

An RCON password is an inherent vulnerability, whether or not it's in server.cfg. Creating a way to access the server's console remotely is a risk/reward situation. If he's running the server on his computer, there is no reward and the risk is that people with malicious intent may gain access to his server.
Give a man some code and you help him for a day; teach a man to code and you help him for a lifetime.

Offline The Asian Aimbot

  • Jr. Member
  • **
  • Posts: 74
  • Karma: 2
  • Rise and shine, Mr. Freeman, rise... and shine...
    • Asian Domain GMod Sandbox Server
Re: Server was recently hijacked
« Reply #9 on: August 12, 2016, 05:47:49 PM »
The RCON password was literally keyboard mash, I doubt someone could guess it. lol
However, I was oblivious to the risks that RCON could have posed and I should have never enabled it in the first place.
The Asian Toaster man who escaped the Great Martian Coup of '69, hid in Beijing for 9 months, and was cast away by the FSM. Flew away w/ GoombasTasteGood and hid in Addis Ababa after fleeing to Botswana, then to Canada.

http://www.downloadmorewam.com

Offline Caustic Soda-Senpai

  • Sr. Member
  • ****
  • Posts: 469
  • Karma: 54
  • <Insert something clever here>
    • Steam Page
Re: Server was recently hijacked
« Reply #10 on: August 14, 2016, 01:50:04 PM »
for 3 i suggest purchasing a server with really good DDOS protection and an anticheat. (cake being the best)

As nice as DDoS protection IS, I don't really see how it's relevant to someone breaking into your RCON; which is what this really appeared to be.
Once you get to know me, you'll find you'll have never met me at all.