dylanwinn Posted December 7, 2009

I found this on my clan's forums and loled, so hopefully you will too. Basically, a couple of mingebags connected to our Garry's Mod servers and used some clientside memory editing to gain RCON access to the server. They then demoted Feha (a super admin who was present) to the restricted group, promoted themselves to super admin, and proceeded to harass every available player. They screwed all our servers thoroughly, and cracked all our passwords save the FTP, Web, SSH and MySQL servers. And this whole time, nobody thought to SSH in and ban them. They even explained to us how they did it! Anyhow, they've been banned, the exploit has been (hopefully) fixed, and our servers are still not quite working (they got at the backups too). To clarify, Effektiv, the person who posted the thread, was the lead hacker, who was bluffing that he would be able to do it again.

EDIT: Link snipped, this is sort of a private matter.

Here is how they did it: According to Doridian (henchman), he and Effektiv had written a .dll file that intercepted certain game packets and edited them to do something that wasn't explained. This .dll was integrated into the game via a clientside Lua script, which enabled them to exploit ULib so that they could change their usergroup. They also admitted to using the same exploit on the official Wiremod servers. We still don't know how they managed to get the RCON password, but they might have just changed it and pretended to know what the old one was, as ULX stupidly allows you to do so.

Edited server log:

[13:42:42]Doridian {SA-A}: i can prove you in any way you want
[13:42:46]Doridian {SA-A}: that i could destroy yoru servers
[13:42:49]Doridian {SA-A}: tell me what to do :D
[13:42:51]Kevaughan: RSO!
[13:42:51]Effektiv {SA-A}: DONT DO THAT
[13:43:04]Doridian {SA-A}: i asked feha what proof he wants :D
[13:43:13]Effektiv {SA-A}: demote him like i did yesterday
[13:43:18]Doridian {SA-A}: lols :D
[13:43:47]Effektiv {SA-A}: we dont fuck up
[13:44:27]Effektiv {SA-A}: at least you have differnt rcon password for each server
[13:44:38](ADMIN) (Console) removed all of Feha's access rights
[13:44:41]Effektiv {SA-A}: see?
[13:44:43]Feha: lol
[13:44:43]Effektiv {SA-A}: lol
[13:45:24](ADMIN) (Console) added user Effektiv {SA-A} to group "superadmin"
[13:45:29]Effektiv {SA-A}: dori bad boy :D
[13:45:29]*** Feha wonder how long ban eff deserves
[13:45:35]Effektiv {SA-A}: trust me
[13:45:42]Doridian {SA-A}: effe lol :D
[13:45:42]Effektiv {SA-A}: your lucky we even told you how much fun we could have
[13:45:54](ADMIN) (Console) added user Doridian {SA-A} to group "superadmin"

Oh, and my reaction? Sue their asses. I bet if we all pitch in $50, John will be able to afford a lawyer and we can take this to court. Unauthorized access to a private computer system is a FELONY.

EDIT: I can't believe that nobody thought to call John and have those guys perma-banned on the spot.

EDIT: John, in all seriousness, I suggest that you file a complaint with the IC3 and contact your local FBI office. Have proof of ownership of the server, full logs for that day, the offenders' SteamIDs, and all witnesses' email addresses at the ready. Be prepared for a long phone conversation and a secretary that doesn't understand you.

EDIT: On second thought, I don't think this is worth ruining these guys' lives over.

EDIT: It would be fracking hilarious, though.
Netshroud Posted December 7, 2009

Grab their SteamIDs and forward them to Steam Support, citing breach of the Steam Subscriber Agreement and Steam Online Conduct. If you're on the HLDS Mailing List, you'll see that new exploits are being discovered at least every month, and being patched with plugins pretty soon after. Have a look through the HLDS Mailing List Archive.
dylanwinn (Author) Posted December 7, 2009

I'm not in charge of the servers (admin, not owner), but I have sent a message to John (owner) to do so already.
Sparda Posted December 7, 2009

Valve/Steam relies nearly solely on VAC to provide an automated banning system. A few interesting things about VAC and Steam: banning is not immediate, nor is there a consistent time between the offence and the time of banning for each offense. When you signed up to Steam you agreed not to use external tools to gain an advantage; theoretically your Steam account could be completely disabled if you cheat. How that will hold up in a court is anyone's guess.
deleted Posted December 7, 2009

Been having a similar problem on my usual GMod server too. I'm an admin on it so have banned/kicked them, but no use. They just keep uploading their scripts. The server owner is trying to stop it but no use :(
Netshroud Posted December 7, 2009

Just have an IP whitelist for your firewall for the RCON port, or force RCON users to tunnel it through VPN or SSH.
Sparda Posted December 7, 2009

> Been having a similar problem on my usual GMod server too. I'm an admin on it so have banned/kicked them, but no use. They just keep uploading their scripts. The server owner is trying to stop it but no use :(

If you are having problems with file uploads, make the directory read-only, and only make files writeable that need to be writeable.
deleted Posted December 7, 2009

> If you are having problems with file uploads, make the directory read-only, and only make files writeable that need to be writeable.

That's what I've been trying to get the owner (Karl) to do, but he's not understanding. I don't have access to change permissions. I've offered to do it but he doesn't want me to if he doesn't understand what I'm doing. I'm literally an in-game admin only.
Sparda Posted December 7, 2009

If you have FTP access, most FTP servers and clients support file permissions for both changing and viewing; you could do some nature of screen sharing to walk him through it.
dr0p Posted December 8, 2009

I can't believe you even considered suing them because they took over your server and messed around a little. And plus, if they did all of the reverse engineering and coding for this exploit themselves you have no right to call them skids. Anyways, you need to check your server logs to see how they got in and then you can stop it from happening again; sounds to me like whitelisting IPs for the admin interface at the system level (I really don't know how you admin gmod servers) would pretty much keep them out until you fix the overall problem / vulnerability.
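The host-level RCON whitelist that Netshroud and dr0p both suggest, as an added example that is not code from the thread or from any of its posters: a POSIX shell script that generates, and on request applies, iptables rules confining the RCON TCP port to a short list of admin addresses, with everything else logged and dropped. Assumptions: the game server is a Linux box you can reach over SSH (the thread's servers are VMware VPSes, so the provider's routing is out of reach but the guest's own firewall is not), RCON listens on TCP 27015 (the Source engine default), and the addresses in ADMIN_IPS are constructed placeholders to be replaced with the real admin IPs.

```shell
#!/bin/sh
# Added example (not from the thread). Restricts the Source RCON TCP port to a
# whitelist of admin IPs using a dedicated iptables chain.
# Assumptions: RCON_PORT 27015 is the Source default; ADMIN_IPS are placeholders.
# Alternative from the same post: keep the port closed entirely and have admins
# tunnel it, e.g.  ssh -L 27015:127.0.0.1:27015 admin@gameserver
# then point the client at rcon_address 127.0.0.1.
RCON_PORT="${RCON_PORT:-27015}"
ADMIN_IPS="${ADMIN_IPS:-203.0.113.10 198.51.100.0/24}"

# Print the iptables commands that implement the whitelist, one per line.
# Generating first and applying second lets you review (and test) the rule set
# before it touches the live firewall.
rcon_whitelist_rules() {
    port="$1"; shift
    # Own chain: can be flushed and reloaded without disturbing the rest of INPUT.
    echo "iptables -N RCON_WHITELIST 2>/dev/null || true"
    echo "iptables -F RCON_WHITELIST"
    for ip in "$@"; do
        echo "iptables -A RCON_WHITELIST -s $ip -j ACCEPT"
    done
    # Rate-limited LOG before the DROP so attempts from unknown hosts show up
    # in syslog without letting a scanner flood the log.
    echo "iptables -A RCON_WHITELIST -m limit --limit 5/min -j LOG --log-prefix \"RCON-DENY: \""
    echo "iptables -A RCON_WHITELIST -j DROP"
    # Insert the jump from INPUT only if it is not already there (-C = check).
    echo "iptables -C INPUT -p tcp --dport $port -j RCON_WHITELIST 2>/dev/null || iptables -I INPUT -p tcp --dport $port -j RCON_WHITELIST"
}

# Number of ACCEPT rules in a generated rule set; a quick sanity check that every
# admin address made it in before applying.
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT' || true
}

case "${1:-show}" in
    show)  rcon_whitelist_rules "$RCON_PORT" $ADMIN_IPS ;;
    apply) rcon_whitelist_rules "$RCON_PORT" $ADMIN_IPS | sh -e ;;
    *)     echo "usage: $0 [show|apply]" >&2; exit 2 ;;
esac
```

`sh rcon-whitelist.sh show` prints the rules for review; `sudo sh rcon-whitelist.sh apply` loads them. Re-running `apply` after editing ADMIN_IPS is safe because the chain is flushed and rebuilt each time and the INPUT jump is only inserted once.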
Riddler Posted December 8, 2009

I don't think the exploit is his to fix; sounds like a bug with the Source engine/a door that needs to be closed. I fully expect VAC to ban them for it (if indeed they did it how they say they did). I find it infinitely more probable that they used a bug in the ULX admin system. However, the majority of the things that they did can be put down to not making files that shouldn't be written to read-only, and holes in the ULX admin system (which from what I gather is what you were using). I always remove rcon permissions from the admin system on any game server. I recommend that you do the same; admins do not need, nor should they need, rcon if you have ULX. It can handle kicking/banning. If someone really does need rcon, use the rcon console commands (rcon_address, rcon_password etc.), and change the password frequently. Also, back up the ban database often, even make a script to do it if you know how. Then they can play around with bans as much as they want and fixing it is as simple as copying a file. Much more secure.
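A script for Riddler's "back up the ban database often" advice that also carries out Sparda's earlier read-only rule, added here as an example; it is not code from the thread, from ULX or from Valve. Assumptions: GMOD_DIR is the garrysmod directory of a Linux-hosted server; Source writes its bans to cfg/banned_user.cfg and cfg/banned_ip.cfg; ULX keeps its own list in data/ulx/bans.txt (assumed path); data/ and cache/ are the only trees the game itself must write to. Every path and the retention count can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the thread, ULX or Valve). Paths are assumptions:
# Source bans live in cfg/banned_user.cfg and cfg/banned_ip.cfg, ULX bans in
# data/ulx/bans.txt. Meant to run from cron, e.g.
#   */10 * * * * GMOD_DIR=/srv/gmod/garrysmod /usr/local/bin/ban-backup.sh backup
GMOD_DIR="${GMOD_DIR:-/home/gmod/garrysmod}"
BACKUP_DIR="${BACKUP_DIR:-/home/gmod/ban-backups}"
KEEP="${KEEP:-48}"                       # copies retained per ban file
BAN_FILES="cfg/banned_user.cfg cfg/banned_ip.cfg data/ulx/bans.txt"

# Copy one file into BACKUP_DIR as <name>.<seq>.<timestamp> and print the copy's
# path. seq is the highest existing sequence number plus one, so copies never
# collide and always sort newest-first even when several are taken in one second.
backup_file() {
    src="$1"
    name=$(basename "$src")
    [ -f "$src" ] || return 1
    mkdir -p "$BACKUP_DIR"
    last=$(ls -1 "$BACKUP_DIR" | grep "^$name\." | sort -r | head -n 1)
    rest=${last#"$name".}
    seq=$(expr "${rest%%.*}" + 1 2>/dev/null || echo 1)
    dst="$BACKUP_DIR/$name.$(printf '%06d' "$seq").$(date +%Y%m%d-%H%M%S)"
    cp -p "$src" "$dst" && echo "$dst"
}

# Delete all but the newest KEEP copies of each ban file.
rotate_backups() {
    for f in $BAN_FILES; do
        name=$(basename "$f")
        ls -1 "$BACKUP_DIR" 2>/dev/null | grep "^$name\." | sort -r |
            awk -v keep="$KEEP" 'NR > keep' |
            while read -r old; do rm -f "$BACKUP_DIR/$old"; done
    done
}

# Back up every ban file that exists, then prune old copies.
backup_bans() {
    for f in $BAN_FILES; do
        backup_file "$GMOD_DIR/$f" || echo "skip: $GMOD_DIR/$f not present" >&2
    done
    rotate_backups
}

# Put the newest copy of one ban file back ("as simple as copying a file").
# Argument is the path relative to GMOD_DIR, e.g. cfg/banned_user.cfg.
restore_latest() {
    name=$(basename "$1")
    latest=$(ls -1 "$BACKUP_DIR" 2>/dev/null | grep "^$name\." | sort -r | head -n 1)
    [ -n "$latest" ] || return 1
    cp -p "$BACKUP_DIR/$latest" "$GMOD_DIR/$1"
}

# Sparda's rule: make the whole tree read-only, then re-open only what the game
# must write (assumed: data/, cache/ and the two Source ban files).
lock_down() {
    chmod -R a-w "$GMOD_DIR"
    for d in data cache; do
        [ -d "$GMOD_DIR/$d" ] && chmod -R u+w "$GMOD_DIR/$d"
    done
    for f in cfg/banned_user.cfg cfg/banned_ip.cfg; do
        [ -f "$GMOD_DIR/$f" ] && chmod u+w "$GMOD_DIR/$f"
    done
    return 0
}

case "${1:-}" in
    backup)   backup_bans ;;
    restore)  restore_latest "${2:?file relative to GMOD_DIR}" ;;
    lockdown) lock_down ;;
    "")       ;;   # no verb: only define the functions (e.g. when sourced)
    *)        echo "usage: $0 backup | restore <file> | lockdown" >&2; exit 2 ;;
esac
```

After an incident like the one in the first post, `ban-backup.sh restore cfg/banned_user.cfg` followed by a map change (or `exec banned_user.cfg` from the console) puts the last good ban list back; the attackers' own bans and unbans are simply overwritten. Run `lockdown` once after setting things up, and again after any update that re-creates files, since a fresh upload lands with whatever permissions the uploader gave it.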
dylanwinn (Author) Posted December 9, 2009

> I can't believe you even considered suing them because they took over your server and messed around a little. And plus, if they did all of the reverse engineering and coding for this exploit themselves you have no right to call them skids. Anyways, you need to check your server logs to see how they got in and then you can stop it from happening again; sounds to me like whitelisting IPs for the admin interface at the system level (I really don't know how you admin gmod servers) would pretty much keep them out until you fix the overall problem / vulnerability.

1) They DID NOT MAKE THE EXPLOIT THEMSELVES. They weren't the first ones to do this kind of thing.
2) Our servers are still screwed up to the point of being unusable. We may have to re-install.
3) We were half-kidding about the suing. John probably can't afford a lawyer. XD
4) The servers are VMware virtual dedicated, and we have no control over routing whitelists/blacklists. We simply use ULX for administration, and it usually keeps the minges at bay.
5) I'm a server admin, but not the actual server administrator, so I can't really do much about any of this.