1. Post #121
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    2:36 PM - Ethan: Digi
    2:37 PM - Digivee: ?
    2:37 PM - Ethan: My friend got hacked by a malicious TF2C server
    2:37 PM - Ethan: be careful
    2:38 PM - Digivee: does he know what server?
    2:38 PM - Ethan: he forgot the name
    2:38 PM - Ethan: but everything got locked onto an account
    2:39 PM - Digivee: That's odd..
    2:39 PM - Ethan: his items are in http://steamcommunity.com/id/amnesiccc/inventory/
    2:39 PM - Ethan: an alt of http://steamcommunity.com/id/internapdos
    I guess be careful?

  2. Post #122
    GardenFreeman's Avatar
    June 2015
    134 Posts
    I guess be careful?
    Everyone should check their Source SDK Base 2013 Multiplayer directory for a hidden svchost.exe which is the virus.

    I know that this exploit is as old as Source itself and wanted to ask if the Dev's are aware and plan to stop it in the future? This can severely harm the public's perspective of this mod if not addressed post haste.

  3. Post #123
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    Apparently the only suspect server is the fake vaultf4 server. It doesn't have any of the tags the others do and is hosted in a different region, according to vincentor.

    198.245.49.206:27085
    While you're at it, try not to join any servers that look uneasy/shady.

    The real VaultF4 ips are

    74.91.124.101:27025
    24.142.137.45:27019
    24.142.137.45:27017

  4. Post #124
    Dennab
    November 2014
    458 Posts
    Everyone should check their Source SDK Base 2013 Multiplayer directory for a hidden svchost.exe which is the virus.

    I know that this exploit is as old as Source itself and wanted to ask if the Dev's are aware and plan to stop it in the future? This can severely harm the public's perspective of this mod if not addressed post haste.
    which folder would this "svchost.exe" be in?

  5. Post #125
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    Trojan.Agent, C:\Program Files (x86)\Steam\SteamApps\common\Source SDK Base 2013 Multiplayer\svchost.exe, Quarantined, [908cb675ef9c0e28f1ee6d789a690ef2],
    So it's just right there nestled inside. You should probably do a virus scan of your Steam folder.

  6. Post #126
    Gold Member
    Vincentor's Avatar
    January 2013
    1,508 Posts
    i guess that's what happens if you use an old tf2 build and don't iron out the server exploits
    there's TONS of these exploits about in the 2008 version, you guys better start looking into them

    i've done some research about the fake vaultf4 server, comparing IP's and looking up info, and i ended up finding something very interesting:
    the fake server is hosted by OVH, montreal canada. i looked around a bit, looked at unfgaming's server ip's and they're hosted by the OVH as well, montreal. few ip's received reports about bruteforcing FTP's.

    my conclusion is that 404 tries to lure people affiliated with the project into the fake server with malicious intentions.

  7. Post #127
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    I got ninjad

  8. Post #128
    TectoImprov's Avatar
    July 2012
    8,711 Posts
    i guess that's what happens if you use an old tf2 build and don't iron out the server exploits
    there's TONS of these exploits about in the 2008 version, you guys better start looking into them

    i've done some research about the fake vaultf4 server, comparing IP's and looking up info, and i ended up finding something very interesting:
    the fake server is hosted by OVH, montreal canada. i looked around a bit, looked at unfgaming's server ip's and they're hosted by the OVH as well, montreal. few ip's received reports about bruteforcing FTP's.

    my conclusion is that 404 tries to lure people affiliated with the project into the fake server with malicious intentions.
    Wait, how did you come to the conclusion that 404 is involved? If what you say is true, then damn that's petty.

  9. Post #129
    _charon's Avatar
    May 2013
    6,305 Posts
    Wait, how did you come to the conclusion that 404 is involved? If what you say is true, then damn that's petty.
    404 runs UNFGaming, UNFGaming servers have the same host.

  10. Post #130
    Inkling Girl's Avatar
    September 2015
    3 Posts
    Evidence #1
    http://pastebin.com/GnPPWzed

    Evidence #2
    http://pastebin.com/njJED4W5

    'Don't ever, ever try to lie to the internet - because they will catch you. They will de-construct your spin. They will remember everything you ever say for eternity.' - Gabe Newell

  11. Post #131
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    Additionally, 404 is the salty-est person, and would have more to gain if servers were marked as malicious in a community mod that he was kicked out of.

  12. Post #132
    Gold Member
    WhyNott's Avatar
    November 2012
    3,382 Posts
    i guess that's what happens if you use an old tf2 build and don't iron out the server exploits
    there's TONS of these exploits about in the 2008 version, you guys better start looking into them

    i've done some research about the fake vaultf4 server, comparing IP's and looking up info, and i ended up finding something very interesting:
    the fake server is hosted by OVH, montreal canada. i looked around a bit, looked at unfgaming's server ip's and they're hosted by the OVH as well, montreal. few ip's received reports about bruteforcing FTP's.

    my conclusion is that 404 tries to lure people affiliated with the project into the fake server with malicious intentions.
    I don't think 404 did that

    he recently made a podcast where he said he doesn't hate us, so even as bipolar a person as he is would be unlikely to do something like that

       404 getting the blame for everything bad that happens to tf2c is kinda silly, it reminds me of Animal Farm and how they blame that one pig that escaped at the beginning for all that happened on the farm for the rest of the book   

  13. Post #133
    CaptainDedede's Avatar
    March 2014
    289 Posts
    Likewise I'm coming to 404's defence here,

    Remember playing some deathmatch with him on a server and he seemed pretty chill, was impressed at the work and said no hard feelings and that things were in the past.

    Was on the rage weapon creation stream as well again, relaxed, friendly and helpful to other users..so unless something would cause this backlash, I'm saying it's unlikely to be him.

  14. Post #134
    Dr. Kyuros's Avatar
    June 2014
    3,003 Posts
    I remember playing with 404 just yesterday on a VaultF4 server yet he seemed pretty remorseful over the whole thing.

    Kibbleknight, Rara (a.k.a the now perma'd Yiffy Fox who also had his PC hacked) and Moonrat can back me up on that, too.

    Edited:

    ninja'd

       I still don't believe him by the way for various factors and if this stunt is truly his doing then he's just irredeemable.

  15. Post #135
    Yoshiatom's Avatar
    June 2015
    30 Posts
    Makes me wonder, what are the odds of someone trying to push the blame on 404 so they can do their malicious things without being suspected?

  16. Post #136
    Gold Member
    LittleBabyman's Avatar
    November 2010
    7,272 Posts
    Nobody knows really, it's the internet.

  17. Post #137
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    Pretty sure this was an episode of Diagnosis Murder, only instead of a trojan and a hacked tf2c server, it was a car bomb.

  18. Post #138
    Nicknine's Avatar
    November 2014
    467 Posts
    i guess that's what happens if you use an old tf2 build and don't iron out the server exploits
    there's TONS of these exploits about in the 2008 version, you guys better start looking into them.
    I'm pretty sure server file downloading and such is a part of the shared game code and\or engine code so I don't think we can do much here.

  19. Post #139
    Dr. Kyuros's Avatar
    June 2014
    3,003 Posts
    The fake server is still up at the moment.

    For those who didn't bother to check the Pastebin put this IP into your Blacklisted Servers list now.
    198.245.49.206:27085

  20. Post #140
    GardenFreeman's Avatar
    June 2015
    134 Posts
    I'm pretty sure server file downloading and such is a part of the shared game code and\or engine code so I don't think we can do much here.
    Welp, I officially won't be playing this mod on any servers that I don't own. I don't own much of anything in my backpack, but I'm not too keen on someone having the ability to dump keyloggers and such on my PC.

  21. Post #141
    MiyuLynx's Avatar
    December 2014
    24 Posts


    am i remembering incorrectly or wasn't rubberfruit supposed to be banned from the mod due to powerplay abuse

  22. Post #142

    July 2012
    517 Posts
    I'm not sure if it's really him, but might TheRubberFruitFace be the cause of this? I remember last time it was abusing powerplay and (hacking?) running unban codes to the server to get unbanned.


    As you can see he's playing on the fake DM server.

    edit: damn got ninja'd

  23. Post #143
    Gold Member
    danielmm8888's Avatar
    November 2010
    555 Posts
    We're currently trying to contact Valve to update the Source 2013 MP base engine code with the fixed engine code, as we believe this exploit is affecting every Source 2013 MP mod.

    Please refrain from joining the server under the IP listed below.
    198.245.49.206:27085
    If you've connected to the server in the past, PLEASE do a virus scan of your
    SteamApps\common\Source SDK Base 2013 Multiplayer
    folder. The virus is named svchost.exe


    As I've said, we believe that this virus is affecting every Source 2013 MP mod currently running on the latest source code, so please be careful while playing other mods too.
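    One way to run the folder check described above, as an added example (not code from the thread or from the TF2C team): it walks a Steam library for files named like Windows system binaries and reports whether each is hidden, whether it starts with the PE "MZ" magic, and its SHA-256 for lookup in a scanner. Only svchost.exe comes from the thread; the other names in the list are assumptions.

```python
import hashlib
import os
import stat
import sys
from pathlib import Path

# svchost.exe is the name reported in this thread. The other names are
# assumptions added here: system binaries that do not belong in a game folder.
SYSTEM_BINARY_NAMES = {
    "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe",
}


def is_hidden(path):
    """True if the file has the Windows hidden attribute (dot-name elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", None)
    if attrs is not None:  # only present on Windows
        return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)
    return path.name.startswith(".")


def sha256_of(path, chunk=1 << 20):
    """Hash the file in chunks so large files are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for block in iter(lambda: handle.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan(root):
    """Return one finding per system-binary name found anywhere under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in SYSTEM_BINARY_NAMES:
                continue
            path = Path(dirpath) / name
            try:
                with path.open("rb") as handle:
                    is_pe = handle.read(2) == b"MZ"  # PE/DOS header magic
                findings.append({
                    "path": str(path),
                    "hidden": is_hidden(path),
                    "is_pe": is_pe,
                    "sha256": sha256_of(path),
                })
            except OSError as exc:  # locked or unreadable file: still report it
                findings.append({"path": str(path), "error": str(exc)})
    return findings


if __name__ == "__main__":
    # Default is the install location quoted in the thread; pass another
    # Steam library path as the first argument if yours differs.
    default_root = r"C:\Program Files (x86)\Steam\SteamApps\common"
    for hit in scan(sys.argv[1] if len(sys.argv) > 1 else default_root):
        print(hit)
```

    An empty result only means no file with one of these names exists under the scanned path; it is not a substitute for the virus scan recommended above.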

  24. Post #144
    Trech's Avatar
    March 2012
    180 Posts
    Also, if you are a server administrator or thinking about operating one you should read this: SRCDS Hardening. (Just in case)

  25. Post #145
    stimms212's Avatar
    November 2010
    83 Posts
    Everyone should check their Source SDK Base 2013 Multiplayer directory for a hidden svchost.exe which is the virus.

    I know that this exploit is as old as Source itself and wanted to ask if the Dev's are aware and plan to stop it in the future? This can severely harm the public's perspective of this mod if not addressed post haste.
    I just found that file in the folder, I shit myself. I'm running a virus scan right now, what else should I do?

    EDIT

    Turns out Windows Defender doesn't see anything wrong with my PC. What a load of ass.

  26. Post #146
    Gold Member
    danielmm8888's Avatar
    November 2010
    555 Posts
    I just found that file in the folder, I shit myself. I'm running a virus scan right now, what else should I do?
    Removing the virus should be enough, however just to be safe change all of your passwords, enable Steam Guard on your account, disable RDP if it's enabled.

  27. Post #147
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    Is there an alert system set up? I recall seeing it in a preview MR Modez showed off. Perhaps make a blogpost about it and make an alert on the main menu over it??

  28. Post #148
    MrModez's Avatar
    June 2014
    332 Posts
    Is there an alert system set up? I recall seeing it in a preview MR Modez showed off. Perhaps make a blogpost about it and make an alert on the main menu over it??
    Sadly no, there's only new patch notification with hardcoded message.

  29. Post #149
    chowder908's Avatar
    July 2013
    238 Posts
    I just found that file in the folder, I shit myself. I'm running a virus scan right now, what else should I do?

    EDIT

    Turns out Windows Defender doesn't see anything wrong with my PC. What a load of ass.
    Run a scan with malwarebytes just to be safe and do what Daniel said.

  30. Post #150
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts

  31. Post #151
    stimms212's Avatar
    November 2010
    83 Posts
    Run a scan with malwarebytes just to be safe and do what Daniel said.
    I give a big thank you to you and Daniel for the support but..

    https://www.virustotal.com/en/file/e...is/1441229650/

    This svchost.exe file seems to remain undetected in almost all anti-virus programs, not even Malwarebytes found anything.

  32. Post #152
    Gold Member
    Frying Dutchman's Avatar
    November 2009
    3,849 Posts
    Spybot search and destroy or the more aggressive combofix will do if you're really paranoid

  33. Post #153
    stimms212's Avatar
    November 2010
    83 Posts
    It appears MalwareBytes DID remove the file, so that's a relief.

    Thanks again, everyone!

  34. Post #154
    Clone5184's Avatar
    January 2015
    26 Posts
    I am really paranoid right now. Going to stay off of TF2Classic for a while. Virus scan is running in the background as I'm typing this.

    Just out of curiosity, did anyone report those two accounts to Valve?

  35. Post #155
    chowder908's Avatar
    July 2013
    238 Posts
    It appears MalwareBytes DID remove the file, so that's a relief.

    Thanks again, everyone!
    Might be virustotal hasn't updated their site yet to show that malwarebytes detects it, but anyway glad daniel & I could help ya.

  36. Post #156
    Gold Member
    kibbleknight's Avatar
    November 2010
    4,529 Posts
    I think it's pretty safe to assume it's not 404 that is responsible for this:

    404 posted:
    " I am the owner of the dedicated server that the IP is tied to and I can assure everyone that no TF2C server has ever been installed on my dedicated server.

    The dedicated server runs Ubuntu 12.04 and TF2C does not have a proper way to set up a Linux-based server. If I were to want to run one, I'd have to install Wine and that Xvfb thing and jury-rig those two together to make things work.

    Somehow, someone has created a server hosted elsewhere and tied my dedi's IP address to it in some kind of silly effort to frame me for hacking a bunch of people."

  37. Post #157
    GardenFreeman's Avatar
    June 2015
    134 Posts
    Now if there was a way to get Rara Wolf unbanned from here since his ban me thread was the result of him being hacked. He was the one that pretty much blew this whole thing out in the open and saved a lot of people some trouble.

    Looks like Rageguy fell victim to it too. The thread he was banned in even harbors a download link to the virus. They might want to delete/edit those links.

  38. Post #158
    Gold Member
    Digivee's Avatar
    December 2010
    5,273 Posts
    Orkel was the admin that banned him. He's offline now, but the issue was brought up both in PM and in the refugee camp.

  39. Post #159
    Horrible Username Connoisseur
    Pw0nageXD's Avatar
    September 2009
    1,203 Posts
    If anyone has a sample of the malware, zip it up and PM it to me please.

  40. Post #160
    Gold Member
    Th13teen's Avatar
    July 2011
    279 Posts
    Thanks for the support guys, I've removed the download links to TF2C and posted a blog post while we work things out. We are hoping to be able to get back up and online as soon as possible.

    Please take care and virus scan if you've joined the server or if you are paranoid at all.