Author Topic: ULX exploit and/or bug.  (Read 36207 times)


Offline GoodNewsEveryone

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
ULX exploit and/or bug.
« on: February 28, 2011, 02:38:25 AM »
Hey guys.
My server, running the SVN version of ULX, has come under attack. I am a superadmin and when I connect, after 1 minute, I get dc'd and multiple people are slayed, kicked or banned.
This is a Trouble in Terrorist Town server.

Please help.
Thanks
Good News Everyone
Owner of Mind Blast TTT

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #1 on: February 28, 2011, 11:26:17 AM »
What makes you think that ULX is the cause of this? Have you checked the ULX logs? Do you have a weak or exposed rcon password?
Experiencing God's grace one day at a time.

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX exploit and/or bug.
« Reply #2 on: February 28, 2011, 01:46:59 PM »
And just to clarify, stating "because when I remove ULX it doesn't happen" isn't a good reason.
We've seen many other mods use poorly written code that allows non-admins to run rcon commands, including the ULX ones.

We're not saying it's not possible that ULX isn't a contributing factor, but without the evidence and logs and errors and MUCH more information, it's as likely to be another mod or the TTT gamemode version you're running as it is ULX.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline GoodNewsEveryone

  • Newbie
  • *
  • Posts: 2
  • Karma: 0
Re: ULX exploit and/or bug.
« Reply #3 on: February 28, 2011, 11:14:52 PM »
Well.
I have checked the logs. I have had a chat with my friends and they seem to think that it's either a Source exploit or something to do with ULX. I have a strong RCON password. I'm not blaming people here, and I think ULX and ULib are really good addons.

Here's a snapshot from my logs:
I timeout before all of this.
L 02/28/2011 - 20:25:29: [ULX] Good News Everyone [M.B] (Me) slayed Themself,-Shish,=Kol= Homertime,DuckThatSits,Matthew,No Fat Cunts,Rumo,Shade [M.B],Sparky,The A.N.B.U Of Black OP,The Tech Wizard(Huey),[ImmortalityGAMING] PrøA†hle,bob 3.0,te-KILL-ya
L 02/28/2011 - 20:25:30: Round ended.
L 02/28/2011 - 20:25:30: Result: traitors win.
L 02/28/2011 - 20:25:37: "Good News Everyone [M.B]<><><>" disconnected (reason "Disconnect by user.")

It has stopped for the moment, but it might continue tonight.

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #4 on: March 01, 2011, 05:53:23 AM »
So it appears in the logs that you're doing all of this? Your client has timed out but the server still thinks you're connected? Does this security problem always happen when your client times out but the server still has you marked as connected?

We're not saying that you blame us, it's just far more likely to be something besides ULX. It's certainly possible it's ULX, though!
Experiencing God's grace one day at a time.

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #5 on: March 01, 2011, 04:11:05 PM »
I may be able to confirm this, although I didn't see it first hand, unfortunately.

I had 3 admins connected to the server, only one admin was high enough to change maps.

He claims his admin menu was positively not open at the time (and I assured him I would not be mad even if he purposely changed the map), when the map changed.

The log shows that he changed the map to a CS:S map, which are not even on his map change list (I deactivated them all) as a dogfight arcade gamemode. The server isn't set up for fretta, so no one was able to do anything once they rejoined. The map was then quickly changed again to a different CS:S map, and this time it didn't list anyone in particular as changing it.

I've seen a lot of things done with wire's e2 that were thought impossible in the past, perhaps that has something to do with it?

Quote
[17:05:45] ?  jebus night hunter ? changed the map to arena_badlands with gamemode dogfightarcade
[17:05:45] Server is shutting down/changing levels.



[17:06:08] New map: arena_badlands
[17:06:19] Client "?  jebus night hunter ?" connected (xx.xxx.xxx.xxx).
[17:06:32] Client "??y?h?? m??k?y" spawned in server (xx.xxx.xxx.xxx)<STEAM_0:1:15595126>.
[17:06:50] Client "Logan42" spawned in server (xx.xxx.xxx.xxx)<STEAM_0:1:35871631>.
[17:07:21] ??y?h?? m??k?y: me neither lol
[17:07:27] Client "?  jebus night hunter ?" connected (xx.xxx.xxx.xxx).
[17:07:38] Client "gmod lover" connected (xx.xxx.xxx.xxx).
[17:09:08] ??y?h?? m??k?y: :\
[17:09:24] ??y?h?? m??k?y: ugh lol
[17:09:51] Client "Bweihsification" connected (xx.xxx.xxx.xxx).
[17:10:01] Dropped "??y?h?? m??k?y" from server
[17:10:03] Logan42 suicided!
[17:10:03] Server is shutting down/changing levels.



[17:10:40] New map: de_inferno
« Last Edit: March 01, 2011, 04:13:36 PM by krooks »
My TTT server. Join the fun!

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #6 on: March 01, 2011, 07:11:57 PM »
Was night hunter the one that was supposed to have access?
Experiencing God's grace one day at a time.

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #7 on: March 01, 2011, 10:22:32 PM »
Yes sorry I didn't specify.
The others are only allowed to create votes for maps.

I wish this would have happened to me so that I can report with 100% certainty.
I changed my rcon password as a good measure.
My TTT server. Join the fun!

Offline iSnipeu

  • Jr. Member
  • **
  • Posts: 83
  • Karma: 12
Re: ULX exploit and/or bug.
« Reply #8 on: March 01, 2011, 11:03:49 PM »
I am also having a problem like this, I time out from my server and then one of my friends that is in the game says that console has banned me and added some random person that I don't know to superadmin.

Also I have disabled rcon so it must be ULX.
« Last Edit: March 01, 2011, 11:44:33 PM by iSnipeu »

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX exploit and/or bug.
« Reply #9 on: March 01, 2011, 11:24:53 PM »
Folks, please don't just come and post 'me too'.
Please notify us what version or revision of ULX you're running. (Debuginfo mentioned in next few steps will provide this too)
Notify us what gamemodes you were running, and have installed.
Please attach your logs, at least the portion of when the person joined, and when the incident occurred.
Also, attach the file created from a 'ulx debuginfo', preferably when the incident occurred, but as soon as possible.
(Please 'attach' the files using the 'Attachments and Other options' link at the base of a reply window, this will save screen space)

Other team members may ask for other information, but simply coming here and stating 'it happened to me too' will not help us find where/what or how.
Again, this may not be ULX, it may be another mod open exploit using ULX. (Yes, then again, it could be ULX only, but still, this needs to be determined.) Debuginfo (and anything else Stickly/Megiddo ask for) may help us determine this.
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline iSnipeu

  • Jr. Member
  • **
  • Posts: 83
  • Karma: 12
Re: ULX exploit and/or bug.
« Reply #10 on: March 02, 2011, 12:31:05 AM »
I am running Trouble in Terrorist Town with ULX SVN.

And in my last post I meant to say that it shows me adding him. Anyway, here is part of the log:

[17:30:12] AussieGamers | iSnipeu [M.B] added Bonkes to group superadmin
[17:30:18] (TEAM) UnForSaken: hi
[17:30:33] (TEAM) [A.G] Jason: ahh yes, bonkes
[17:30:46] (TEAM) Bonkes: just testing something
[17:30:51] (TEAM) Bonkes: /kick Bonkes
[17:30:52] Tango x3: D:D!?
[17:30:53] Gamerooner (high authority): mark it
[17:30:57] Dropped "AussieGamers | iSnipeu [M.B]" from server
[17:30:58] (TEAM) [A.G] Jason: i know, youve done it before
[17:30:59] (TEAM) Bonkes: !kick bonks
[17:31:02] Dropped "Bonkes" from server

I have disabled rcon so I can't get the debug info right now, will get it when few players are on.
« Last Edit: March 02, 2011, 12:34:35 AM by iSnipeu »

Offline JamminR

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 8096
  • Karma: 390
  • Sertafide Ulysses Jenius
    • Team Ulysses [ULib/ULX, other fine releases]
Re: ULX exploit and/or bug.
« Reply #11 on: March 02, 2011, 09:21:19 AM »
Quote
I may be able to confirm this

Krooks, were you running TTT at the time?
"Though a program be but three lines long, someday it will have to be maintained." -- The Tao of Programming

Offline Megiddo

  • Ulysses Team Member
  • Hero Member
  • *****
  • Posts: 6214
  • Karma: 394
  • Project Lead
Re: ULX exploit and/or bug.
« Reply #12 on: March 02, 2011, 10:26:52 AM »
Thanks for the log iSnipeu, it's very helpful. One important matter, however: how do you time out? Is it as if the server suddenly died, and you see the timeout countdown in the top right corner of your screen saying that the server isn't responding? Or does your client freeze?

Everyone, I'd recommend taking extra precaution with your servers until we know more about this. I still don't believe that ULX is the root cause here, but certainly ULX is making it easier to wreak havoc on the server. I recommend disabling the use of "ulx adduser*", "ulx userallow*", "ulx luarun", and "ulx rcon" to your admins so that these hackers can't add themselves as a superadmin. This can be done with the following commands in console:
Code:
ulx groupdeny superadmin "ulx adduser"
ulx groupdeny superadmin "ulx adduserid"
ulx groupdeny superadmin "ulx userallow"
ulx groupdeny superadmin "ulx userallowid"
ulx groupdeny superadmin "ulx luarun"
ulx groupdeny superadmin "ulx rcon"
Experiencing God's grace one day at a time.
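
A log check for the pattern reported in this thread, added here as an example (it is not part of any post and is not ULX or ULib code): it scans log text in the "[HH:MM:SS] ..." format quoted in Reply #10 for additions to the superadmin group and marks grants whose acting admin was dropped from the server shortly afterwards. The function name, the 60-second window and the sample log are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the "[HH:MM:SS] ..." log format quoted in Reply #10.
SAMPLE_LOG = """\
[17:30:12] AdminOne added PlayerX to group superadmin
[17:30:18] (TEAM) PlayerY: AdminOne added PlayerY to group superadmin
[17:30:57] Dropped "AdminOne" from server
[17:45:00] AdminTwo added PlayerZ to group operator
[18:02:10] AdminTwo added PlayerQ to group superadmin
"""

LINE = re.compile(r"^\[(\d{2}:\d{2}:\d{2})\] (.*)$")
GRANT = re.compile(r"^(?P<actor>.+) added (?P<target>.+) to group (?P<group>\S+)$")
DROP = re.compile(r'^Dropped "(?P<name>.+)" from server$')


def find_grants(log_text, watched_groups=("superadmin",), window_s=60):
    """Return grants into watched groups, marking those whose actor was
    dropped from the server within window_s seconds after the grant."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%H:%M:%S"), m.group(2)))

    findings = []
    for i, (ts, msg) in enumerate(events):
        g = GRANT.match(msg)
        # Heuristic: "name: text" is chat, so a player typing a fake grant
        # line is not counted. An admin whose name contains ": " is missed.
        if not g or ": " in g.group("actor") or g.group("group") not in watched_groups:
            continue
        dropped = False
        for later_ts, later_msg in events[i + 1:]:
            d = DROP.match(later_msg)
            # Timestamps carry no date, so a window spanning midnight is not matched.
            if d and d.group("name") == g.group("actor") \
                    and timedelta(0) <= later_ts - ts <= timedelta(seconds=window_s):
                dropped = True
                break
        findings.append({"time": ts.strftime("%H:%M:%S"), "actor": g.group("actor"),
                         "target": g.group("target"), "actor_dropped": dropped})
    return findings


if __name__ == "__main__":
    for f in find_grants(SAMPLE_LOG):
        print(f)
```

Every finding is worth checking against the server's intended admin list; the ones with `actor_dropped` set match the timeout symptom described in the posts above.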

Offline iSnipeu

  • Jr. Member
  • **
  • Posts: 83
  • Karma: 12
Re: ULX exploit and/or bug.
« Reply #13 on: March 02, 2011, 01:12:07 PM »
Well what happens is that the auto-disconnect will come up in the corner and I can't move, but if I right click on the server to view server info, it is still working and it says that I am still on but I am still timing out and get disconnected.

Offline krooks

  • Sr. Member
  • ****
  • Posts: 382
  • Karma: 32
  • I don't like video games.
    • Diamond Krooks
Re: ULX exploit and/or bug.
« Reply #14 on: March 04, 2011, 11:47:49 AM »
Quote
Krooks, were you running TTT at the time?

No, sandbox.
Do you want a full log from the day?

current addons:
ULX/ULIB (svn)
Wiremod (svn)
Wire model pack (svn)
Advdup (svn)
URestrict (svn)
sui scoreboard
weightstool
Parachute
Para-deploy
uclip
ChatBubbles
Advanced sleep n wake
AntiAFK
Buoyancy Tool
Chat Gestures
DoorSTool
SimpleKeys
Easy Precision
Falco Prop Protection
GMPaint
keypad
Unbreakable
VehicleControl

********edit*********
Doing some research, it looks as if Garry's Mod has had issues with spoofed admin IDs in the past:

Quote
sept. 7 2010
Garry's Mod Updates:
Added protection from spoofed Admin SteamID’s
« Last Edit: March 04, 2011, 01:21:10 PM by krooks »
My TTT server. Join the fun!